CCNA Dev AWS Services Questions

75 of 518 questions · Page 1/7 · Dev AWS Services topic · Answers revealed

1
MCQ · medium

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway REST API and several Lambda functions. The developer wants to enable X-Ray tracing to debug performance issues. What is the MINIMUM set of actions required to enable X-Ray tracing for the entire application?

A. Enable X-Ray tracing on each Lambda function individually and deploy the X-Ray daemon as a Lambda layer.
B. Enable X-Ray tracing only on the API Gateway stage and configure the Lambda functions to forward traces.
C. Deploy the X-Ray daemon as a sidecar container on each Lambda function.
D. Add Tracing: Active to the Globals section of the SAM template and attach the AWSXRayDaemonWriteAccess managed policy to the Lambda execution role.
Answer: D

This enables X-Ray for all functions and API Gateway, and the policy allows the Lambda function to send traces.

Why this answer

Option A is correct. In AWS SAM, you can enable X-Ray globally by setting Tracing: Active in the Globals section, and the Lambda execution role needs the AWSXRayDaemonWriteAccess managed policy. Option B is wrong because enabling tracing on each function individually still achieves the goal but is more work, and the question asks for the MINIMUM.

Option C is wrong because API Gateway tracing alone does not trace Lambda. Option D is wrong because deploying the X-Ray daemon is not required for Lambda functions; the managed policy includes the daemon.

2
MCQ · medium

A developer is using Amazon S3 to store application logs. The logs are generated every hour and must be retained for 90 days. After 90 days, the logs should be deleted automatically. Which S3 lifecycle policy should the developer configure?

A. Expire objects after 30 days.
B. Transition objects to Amazon S3 Glacier after 90 days.
C. Expire objects after 90 days.
D. Transition objects to S3 Standard-IA after 30 days and expire after 90 days.
Answer: C

Expiration deletes objects after the specified days.

Why this answer

Option B is correct because an expiration action after 90 days will delete the objects. Option A (transition to Glacier after 90 days) does not delete. Option C (expire after 30 days) deletes too early.

Option D (transition to S3 Standard-IA and expire after 90 days) is valid but unnecessary; a single expiration action is simpler.

3
MCQ · medium

A developer is building a serverless application using AWS Lambda to process images uploaded to an S3 bucket. The Lambda function needs to resize the image and store the result in another S3 bucket. The developer notices that the Lambda function fails intermittently with timeout errors for large images. What is the MOST efficient solution to resolve this issue?

A. Increase the Lambda function timeout and memory allocation to accommodate larger images.
B. Limit the S3 event notification to only trigger for images smaller than 5 MB.
C. Refactor the Lambda function to use multi-threading for parallel processing of image chunks.
D. Use AWS Step Functions to orchestrate the image processing in smaller steps.
Answer: A

Increasing timeout and memory provides more execution time and CPU power to process large images within the Lambda limits.

Why this answer

The correct answer is B. Increasing the Lambda timeout and memory allows the function to handle larger images. Option A is wrong because Lambda does not support multi-threading by default and would not help with a single large image.

Option C is wrong because Step Functions add complexity without addressing the root cause. Option D is wrong because larger images do not cause concurrent execution limits to be reached; the issue is timeout.

4
MCQ · medium

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The API must support different HTTP methods (GET, POST, PUT, DELETE) for the same resource path. The developer wants to define the API in a single Lambda function that can handle all methods without additional mapping configuration. Which Lambda integration type should the developer use?

A. Lambda proxy integration
B. Lambda custom integration
C. AWS service integration
D. HTTP integration
Answer: A

Correct. With Lambda proxy integration, API Gateway sends the entire request to the Lambda function, and the function can inspect the HTTP method to handle different operations.

Why this answer

Lambda proxy integration (option A) is correct because it allows a single Lambda function to handle all HTTP methods (GET, POST, PUT, DELETE) for the same resource path without additional mapping configuration. In this integration type, API Gateway passes the entire client request (method, headers, query parameters, body) as a JSON event to the Lambda function, and the function must return a response in a specific format that includes status code, headers, and body. This eliminates the need for manual mapping templates or method-specific configurations.

Exam trap

The trap here is that candidates often confuse Lambda custom integration with Lambda proxy integration, thinking that custom integration provides more control, but they overlook that proxy integration is specifically designed to handle multiple HTTP methods without additional mapping configuration.

How to eliminate wrong answers

Option B (Lambda custom integration) is wrong because it requires explicit mapping templates to transform the client request into the Lambda function's input format and to transform the Lambda response back to the HTTP response, which adds configuration overhead and does not support handling all methods in a single function without additional mapping. Option C (AWS service integration) is wrong because it is designed to integrate API Gateway directly with other AWS services (e.g., DynamoDB, SQS) without invoking a Lambda function, and it does not support routing multiple HTTP methods to a single Lambda function. Option D (HTTP integration) is wrong because it is used to proxy requests to an external HTTP endpoint, not to a Lambda function, and it requires mapping templates or VPC link configurations, making it unsuitable for a serverless Lambda-based API.

5
MCQ · medium

A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application experiences occasional throttling on the Lambda function during peak traffic. The developer needs to reduce the number of throttling errors without changing the Lambda function code. Which solution should the developer implement?

A. Increase the Lambda function timeout.
B. Increase the DynamoDB read capacity units.
C. Configure reserved concurrency on the Lambda function.
D. Enable API Gateway caching.
Answer: C

Reserved concurrency guarantees a set number of concurrent executions, reducing throttling.

Why this answer

Option C is correct because enabling reserved concurrency on the Lambda function ensures a set number of concurrent executions are available, preventing throttling due to account-level limits. Option A (increase DynamoDB read capacity) does not affect Lambda throttling. Option B (enable API Gateway caching) helps with API responses but not Lambda invocation throttling.

Option D (increase Lambda timeout) does not affect concurrency limits.

6
MCQ · medium

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The application needs to store large JSON documents (up to 1 MB) and retrieve them by a primary key. The documents are updated frequently. Which DynamoDB feature should the developer consider to optimize performance and cost for storing and retrieving these large items?

A. Use Amazon S3 to store the documents and store only the S3 key in DynamoDB.
B. Enable DynamoDB Accelerator (DAX) to cache the large items.
C. Use DynamoDB Transactions to atomically update the items.
D. Enable DynamoDB Streams to capture changes to the items.
Answer: A

This is the recommended approach for items exceeding the 400 KB DynamoDB item size limit.

Why this answer

Option A is correct because DynamoDB has a 400 KB item size limit, so storing large JSON documents (up to 1 MB) directly in DynamoDB is not possible. By storing the documents in Amazon S3 (which supports objects up to 5 TB) and keeping only the S3 object key in DynamoDB, the developer can efficiently retrieve the document via the primary key while avoiding DynamoDB's size constraint. This pattern also reduces DynamoDB read/write capacity unit consumption, lowering cost for frequently updated large items.

Exam trap

The trap here is that candidates assume DynamoDB can handle any size of data because it is a NoSQL database, but they overlook the explicit 400 KB item size limit, making the S3 integration pattern the only viable solution for documents up to 1 MB.

How to eliminate wrong answers

Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that speeds up reads but does not change the 400 KB item size limit; large items cannot be stored in DynamoDB at all, so caching them is irrelevant. Option C is wrong because DynamoDB Transactions provide ACID guarantees for multi-item operations but do not address the item size limit or optimize storage/retrieval of large documents. Option D is wrong because DynamoDB Streams capture item-level changes for event-driven processing, but they do not help with storing or retrieving large items that exceed the 400 KB limit.

7
MCQ · medium

The above IAM policy is attached to an IAM role used by a Lambda function. The function tries to scan the table 'MyTable' but receives an AccessDenied error. What is the MOST likely cause?

A. The DynamoDB table does not exist.
B. The IAM role is not attached to the Lambda function.
C. The resource ARN is incorrect.
D. The policy does not include the 'dynamodb:Scan' action.
Answer: D

Correct: Scan is not allowed.

Why this answer

Option B is correct because the policy does not include the 'dynamodb:Scan' action. Option A is wrong because the resource ARN is correct. Option C is wrong because the table exists.

Option D is wrong because the role is attached.

8
MCQ · medium

A developer is troubleshooting an AWS Lambda function that occasionally fails with a timeout error. The function makes HTTP requests to external APIs. The function's current timeout setting is 30 seconds. The developer wants to implement a solution that reduces the chance of timeouts without increasing the Lambda timeout. Which approach should the developer take?

A. Configure the Lambda function to be invoked asynchronously.
B. Implement retry logic with exponential backoff in the Lambda function code.
C. Enable provisioned concurrency on the Lambda function.
D. Increase the Lambda function timeout to 5 minutes.
Answer: B

Retries with backoff help manage transient failures, reducing timeouts.

Why this answer

Option A is correct because implementing retry logic with exponential backoff allows the function to handle transient failures without timing out. Option B (increase timeout) contradicts the requirement. Option C (provisioned concurrency) addresses cold starts, not timeouts.

Option D (async invocation) does not change the execution time.

9
Multi-Select · easy

A company is using Amazon S3 to store sensitive data. The security team requires that all data be encrypted at rest. The developer must implement a solution that uses server-side encryption with AWS KMS managed keys (SSE-KMS). Which TWO steps are required to meet this requirement? (Choose TWO.)

Select 2 answers
A. Grant the IAM role used by the application the kms:GenerateDataKey permission for the KMS key.
B. Set the default encryption on the S3 bucket to SSE-KMS and disable the option to override it.
C. Set the x-amz-sse header to 'aws:kms' when uploading objects.
D. Enable default encryption on the S3 bucket with SSE-S3.
E. Configure an S3 bucket policy that denies PutObject requests if the request does not include the x-amz-server-side-encryption header.
Answers: A, E

To use SSE-KMS, the caller needs permission to generate data keys.

Why this answer

Options B and D are correct. Option B: The bucket policy must deny uploads without the x-amz-server-side-encryption header. Option D: The IAM role must have kms:GenerateDataKey permission.

Option A is wrong because the header is 'x-amz-server-side-encryption' not 'x-amz-sse'. Option C is wrong because SSE-S3 uses Amazon S3 managed keys, not KMS. Option E is wrong because the default encryption setting can be overridden by individual PUT requests.

10
MCQ · easy

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload a file to s3://my-bucket/confidential/report.pdf. What will happen?

A. The upload fails because the Deny statement overrides the Allow.
B. The upload succeeds because the Deny statement applies only to the bucket, not the user.
C. The upload fails because the policy does not allow PutObject on that path.
D. The upload succeeds because the Allow statement grants PutObject.
Answer: A

Explicit Deny overrides any Allow.

Why this answer

Option B is correct because the Deny statement explicitly denies all s3 actions on the confidential prefix, overriding the Allow. Option A is wrong because the Deny takes precedence. Option C is wrong because the Deny applies to the specific path.

Option D is wrong because the Deny applies to the user.

11
MCQ · medium

A company runs a Node.js application on AWS Elastic Beanstalk. The application writes log files to /var/log/app/. The operations team wants to stream these logs to Amazon CloudWatch Logs for monitoring and alerting. The developer configures the Elastic Beanstalk environment to include a .ebextensions configuration file that sets up the CloudWatch Logs agent. The configuration file specifies the log group and the log stream prefix. After deploying the updated environment, the logs are not appearing in CloudWatch Logs. The developer checks the EC2 instance and confirms that the CloudWatch Logs agent is running and the configuration file is present in /etc/awslogs/. What is the most likely reason the logs are not being sent?

A. The CloudWatch Logs agent configuration file does not specify the correct log file path or the log files do not exist.
B. The CloudWatch Logs agent does not have read permissions on the /var/log/app/ directory.
C. The .ebextensions configuration file is not executed because it is in the wrong directory.
D. The IAM instance profile does not have the necessary permissions to write to CloudWatch Logs.
Answer: A

Correct: If the path is wrong or files are missing, the agent will not send logs.

Why this answer

Option D is correct because the CloudWatch Logs agent configuration must specify the path to the log files. If the path is incorrect or the log files are not being written, the agent will not send logs. Option A is incorrect because the agent runs as root; permissions to read /var/log/app/ are typically fine.

Option B is incorrect because CloudWatch Logs does not require IAM roles to be attached to the instance profile; the instance profile must have proper permissions, but that's separate. Option C is incorrect because the agent configuration can be in the .ebextensions file, and that is a valid method.

12
MCQ · medium

Refer to the exhibit. A developer attached the IAM policy to a Lambda function's execution role. The function reads items from a DynamoDB table that uses AWS KMS customer managed key (CMK) for encryption at rest. When the function tries to read an item, it receives an access denied error. What is the cause?

A. The DynamoDB table is not encrypted with a KMS key.
B. The policy allows kms:Decrypt on all resources but the CMK key policy may not grant access.
C. The policy does not allow dynamodb:GetItem on the table.
D. The DynamoDB table does not exist.
Answer: B

Even if IAM allows, the key policy must also allow the role.

Why this answer

The function needs kms:Decrypt permission on the specific key. Option C is correct. Option A is wrong because the actions are allowed.

Option B is wrong because the key is specific. Option D is wrong because DynamoDB encryption uses KMS.

13
MCQ · medium

A Lambda function receives events from EventBridge. The developer wants failed invocations to be retried and then stored for later analysis if retries are exhausted. Which configuration should be used?

A. Enable API Gateway access logging
B. Configure EventBridge retry policy and a dead-letter queue
C. Increase reserved concurrency to zero
D. Store events in CloudFormation outputs
Answer: B

Correct for the stated requirement.

Why this answer

Option B is correct because EventBridge supports a configurable retry policy (with a maximum event age up to 24 hours and up to 185 retries by default) and can route events that exceed the retry limit to an Amazon SQS dead-letter queue (DLQ). This ensures failed invocations are retried automatically and, if all retries are exhausted, the event is stored durably in the DLQ for later analysis or reprocessing.

Exam trap

The trap here is that candidates may confuse the Lambda function's own DLQ configuration (which applies to synchronous and asynchronous invocations) with EventBridge's rule-level retry policy and DLQ, but EventBridge manages retries and DLQ delivery independently of the Lambda service's built-in retry mechanism.

How to eliminate wrong answers

Option A is wrong because API Gateway access logging captures HTTP request/response data for REST or HTTP APIs, not Lambda invocation failures from EventBridge, and it does not provide retry or dead-letter storage. Option C is wrong because setting reserved concurrency to zero would prevent the Lambda function from executing at all, causing every invocation to fail immediately without retries or storage. Option D is wrong because CloudFormation outputs are used to export stack resource information (e.g., ARNs, endpoints) for cross-stack references, not for storing event data or handling failed invocations.

14
Multi-Select · medium

Which TWO AWS services can be used to decouple components of a microservices architecture?

Select 2 answers
A. Amazon Route 53
B. Amazon EventBridge
C. Elastic Load Balancing
D. Amazon CloudWatch
E. Amazon SQS
Answers: B, E

EventBridge enables event-driven architectures, decoupling producers from consumers.

Why this answer

Options A and E are correct. SQS provides message queuing for asynchronous communication. EventBridge enables event-driven decoupling.

Option B is wrong because ELB is for load balancing, not decoupling. Option C is wrong because CloudWatch is for monitoring. Option D is wrong because Route 53 is DNS.

15
MCQ · hard

A developer invoked a Lambda function using the AWS CLI. The response includes 'FunctionError': 'Handled'. What does this indicate?

A. The function threw an exception that was caught by the code.
B. The function timed out.
C. The function executed successfully without any errors.
D. The function experienced an unhandled runtime error.
Answer: A

'Handled' indicates the function threw an error that was caught.

Why this answer

Option C is correct because 'Handled' means the function was invoked but threw an exception that was caught by the Lambda runtime, indicating the code threw an error that was handled (e.g., a custom error). Option A is wrong because successful invocation returns 'StatusCode': 200 without FunctionError. Option B is wrong because 'Unhandled' indicates an unhandled error.

Option D is wrong because a timeout would be 'Unhandled'.

16
MCQ · medium

A developer is building a serverless application using AWS SAM. The application includes an Amazon API Gateway endpoint with a Lambda function that processes user uploads. The developer wants to enable API caching in the development stage to speed up repeated requests, but disable caching in the production stage. What is the most efficient way to achieve this?

A. Configure caching in the SAM template using the CacheClusterEnabled property and use CloudFormation conditions to enable it only in the dev stage.
B. Create two separate SAM templates, one for dev with caching and one for prod without.
C. Enable caching in the API Gateway console after each deployment for the dev stage.
D. Use a custom CloudFormation resource to toggle caching based on a parameter.
Answer: A

Using conditions is the most efficient approach. The SAM template can include a condition that evaluates to true for the dev stage, enabling caching.

Why this answer

Option A is correct because AWS SAM extends AWS CloudFormation, allowing you to use CloudFormation conditions to conditionally enable the `CacheClusterEnabled` property on the `AWS::ApiGateway::Stage` resource. By defining a condition that evaluates to true only for the dev stage (e.g., based on a parameter like `StageName`), you can enable caching in dev and disable it in prod within a single SAM template, avoiding duplication and manual steps.

Exam trap

The trap here is that candidates may think caching must be configured per-deployment manually (Option C) or that separate templates are required (Option B), missing the power of CloudFormation conditions to conditionally enable features within a single SAM template.

How to eliminate wrong answers

Option B is wrong because creating two separate SAM templates introduces unnecessary duplication and maintenance overhead; the same effect can be achieved with a single template using CloudFormation conditions, which is more efficient. Option C is wrong because manually enabling caching in the API Gateway console after each deployment is error-prone, not repeatable, and violates infrastructure-as-code best practices; it also requires post-deployment steps that can be forgotten. Option D is wrong because using a custom CloudFormation resource to toggle caching is overly complex and introduces additional Lambda functions or custom logic when the native `CacheClusterEnabled` property combined with conditions already provides a straightforward, built-in solution.

17
MCQ · hard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores user session data in an Amazon ElastiCache for Redis cluster. Recently, users have been experiencing intermittent session timeouts and data loss. The developer examines the application logs and finds errors indicating that the Redis cluster is returning 'READONLY You can't write against a read-only replica.' The ElastiCache cluster is configured as a Redis replication group with one primary and two replicas. The application's connection code uses the primary endpoint. What is the most likely cause of this issue?

A. The ElastiCache cluster has been scaled down to a single node, causing the primary to become unavailable.
B. A failover event occurred, and the application is still trying to write to the old primary node, which is now a replica.
C. The ElastiCache security group is blocking write traffic to the primary endpoint.
D. The Redis cluster mode is enabled, and the application is not using the correct cluster endpoint.
Answer: B

Correct: After failover, the old primary becomes a replica and rejects writes.

Why this answer

Option A is correct because a failover event may have promoted one of the replicas to become the new primary. The application might have cached the old primary endpoint IP, or the DNS TTL could cause the application to still connect to the old primary (now a replica). Writing to a replica results in the READONLY error.

Option B is incorrect because ElastiCache does not automatically scale down. Option C is incorrect because ElastiCache cluster mode is for sharding, not primary-replica. Option D is incorrect because security groups block connections entirely, not cause intermittent writes.

18
MCQ · hard

A developer is building a serverless application using AWS Lambda that processes messages from an Amazon SQS queue. The queue receives about 100 messages per second, and each message takes about 30 seconds to process. The Lambda function is configured with a reserved concurrency of 10. The developer notices that messages are frequently being sent to the dead-letter queue (DLQ) after three failed processing attempts. The Lambda function's execution role has the necessary permissions to read from the SQS queue and write to the DLQ. The SQS queue's visibility timeout is set to 60 seconds, and the Lambda function's timeout is set to 60 seconds. What is the most likely cause of the messages being sent to the DLQ?

A. The SQS queue is not configured to use long polling, causing the Lambda function to receive empty responses and waste time.
B. The reserved concurrency of 10 is too low to handle the incoming message rate, causing messages to be repeatedly retried until they exceed the maxReceiveCount.
C. The Lambda function timeout is too short for the processing time required.
D. The DLQ is incorrectly configured to receive all failed messages after the first attempt.
Answer: B

Correct: Low concurrency leads to processing delays and retries.

Why this answer

Option C is correct because the Lambda function's reserved concurrency of 10 limits the number of concurrent executions. With 100 messages per second and 30 seconds processing time, each invocation can process only 10 messages at a time (since concurrency is 10), so messages accumulate. The SQS queue's visibility timeout of 60 seconds means that if a message is not processed within 60 seconds, it becomes visible again and can be retried.

However, with high volume and low concurrency, messages may be repeatedly retrieved but not processed in time, leading to three failed attempts and then sent to DLQ. Option A is incorrect because the DLQ configuration does not cause reprocessing. Option B is incorrect because 60-second timeout is ample for 30-second processing.

Option D is incorrect because batch processing is optional and not required.

19
MCQ · easy

A developer is building a serverless application that uses Amazon DynamoDB. The application needs to retrieve an item by its primary key frequently. Which DynamoDB API call should the developer use to achieve the lowest latency?

A. Scan
B. Query
C. GetItem
D. BatchGetItem
Answer: C

GetItem directly retrieves an item by its primary key. It is the most efficient operation for a single item lookup, providing the lowest latency and consuming the least read capacity.

Why this answer

The GetItem API call is the most efficient way to retrieve a single item by its primary key in DynamoDB, as it directly accesses the item using the hash key (and optionally the sort key) with consistent, single-digit millisecond latency. Unlike Scan or Query, GetItem does not need to evaluate any conditions or filter through other items, making it the lowest-latency option for this specific use case.

Exam trap

The trap here is that candidates often confuse Query with GetItem, assuming Query is always faster because it uses a key condition, but Query still requires evaluating the sort key and can return multiple items, whereas GetItem is the only API optimized for a single-item primary key lookup.

How to eliminate wrong answers

Option A is wrong because Scan reads every item in the table or index and then filters out the results, which incurs high latency and consumes significant read capacity, especially on large tables. Option B is wrong because Query retrieves all items with a given partition key value and can return multiple items, requiring additional processing and potentially higher latency than a direct key-based lookup. Option D is wrong because BatchGetItem is designed for retrieving multiple items in a single operation, but it adds overhead for batching and may return partial results, making it slower than GetItem for a single item retrieval.

20
MCQ · easy

The above CLI output shows the versioning status of an S3 bucket. A developer wants to enable MFA Delete on the bucket. What should the developer do?

A. Use the aws s3api put-bucket-acl command with MFA token.
B. Use the aws s3api put-bucket-versioning command with the --mfa parameter.
C. Enable Object Lock on the bucket, which automatically enables MFA Delete.
D. Use the aws s3api put-bucket-policy command to require MFA.
Answer: B

Correct: MFA Delete requires the --mfa parameter.

Why this answer

Option A is correct because the 'aws s3api put-bucket-versioning' command with MFA is required to enable MFA Delete. Option B is wrong because 's3api put-bucket-versioning' is the correct command. Option C is wrong because 's3api put-bucket-versioning' can enable MFA Delete without locking.

Option D is wrong because 's3api put-bucket-versioning' is the right command.

21
MCQ · hard

A company is using AWS CloudFormation to deploy infrastructure. The developer wants to create a custom resource that runs a Lambda function during stack creation and update. What must the developer do to ensure the custom resource works correctly?

A. The Lambda function must send a response to an S3 pre-signed URL.
B. The Lambda function must be defined in the same CloudFormation template.
C. The Lambda function must return a JSON object with the desired output.
D. The Lambda function must be written in Python.
Answer: A

Custom resources require the function to respond to the pre-signed URL.

Why this answer

Option D is correct because the Lambda function must send a response to the pre-signed S3 URL to signal completion. Option A is wrong because the function does not need to return a value directly. Option B is wrong because the function can be in any language.

Option C is wrong because the function can be in the same template or referenced by ARN.

22
MCQ · medium

A developer is building a REST API using Amazon API Gateway and wants to validate the incoming request body against a JSON schema before passing the request to the backend Lambda function. Which API Gateway feature should the developer use?

A. Request validation
B. Mapping templates
C. Integration request
D. Stage variables
Answer: A

Correct. Request validation uses a JSON schema to validate the request body and parameters.

Why this answer

API Gateway's request validation feature allows you to define a JSON schema (using JSON Schema Draft 4) for the request body and automatically reject requests that do not conform before they reach the backend. This offloads validation from the Lambda function, reducing cold start overhead and ensuring only valid payloads are processed. The developer can configure this in the API Gateway console or via the OpenAPI specification.

Exam trap

The trap here is that candidates often confuse request validation with mapping templates, assuming that mapping templates can validate the request body, but mapping templates only transform data and do not enforce schema constraints.

How to eliminate wrong answers

Option B is wrong because mapping templates transform the request body or parameters into a different format (e.g., from JSON to XML) for the backend, but they do not perform schema-based validation. Option C is wrong because the integration request defines how API Gateway passes the request to the backend (e.g., HTTP method, headers, query strings) and can include mapping templates, but it does not natively validate the request body against a JSON schema. Option D is wrong because stage variables are key-value pairs used to configure deployment stages (e.g., Lambda function aliases, endpoint URLs) and have no role in request body validation.

23
Drag & Drop · medium

Drag and drop the steps to create a Lambda function that processes S3 events in the correct order.

Why this order

First set up permissions, then code, create function, configure trigger, and test.

24
MCQ · easy

A developer is deploying a new version of an AWS Lambda function using the AWS CLI. The developer wants to ensure that the new version is stable before routing all traffic to it. The developer has already published version 1 and version 2 of the function. The developer wants to send 10% of the traffic to version 2 and 90% to version 1. The developer then plans to gradually increase the traffic to version 2. Which approach should the developer use?

A. Use the Lambda function's versioning feature to set the traffic weight directly on the function.
B. Create a Lambda alias named 'prod' and update the alias's routing configuration to send 10% traffic to version 2 and 90% to version 1.
C. Configure the API Gateway endpoint to route 10% of requests to version 2 and 90% to version 1.
D. Create a new alias and assign the traffic weights to the versions in the alias configuration.
Answer: B

Lambda aliases support weighted routing for canary deployments.

Why this answer

Option B is correct because Lambda aliases support traffic shifting via weighted routing. Option A is incorrect because Lambda function versions do not support traffic weights directly. Option C is incorrect because there is no built-in feature to configure traffic distribution on the function itself.

Option D is incorrect because API Gateway endpoint configuration doesn't handle Lambda traffic shifting.

25
MCQ · medium

Refer to the exhibit. A developer ran the AWS CLI command to invoke a Lambda function. The response indicates an error. What should the developer do to see the error details?

A. Decode the LogResult value from base64 to see the logs.
B. Check CloudWatch Logs for the function's log group.
C. Increase the Lambda function timeout to avoid the error.
D. Read the output.txt file for the error message.
Answer: A

The LogResult field contains the last 4 KB of logs encoded in base64.

Why this answer

Option A is correct because the LogResult contains base64-encoded logs. Option B is wrong because the logs are not automatically in CloudWatch. Option D is wrong because the LogResult is base64, not plain text.

Option C is wrong because the error is Unhandled, not a timeout.

26
MCQ · medium

A developer must locally test a SAM-based Lambda function with an API event before deployment. Which tool command family is designed for this?

A. AWS SAM CLI local invoke/start-api
B. AWS Shield Advanced CLI
C. AWS Organizations policy simulator
D. Amazon Inspector SBOM export
Answer: A

Correct for the stated requirement.

Why this answer

The AWS SAM CLI provides the `local invoke` and `local start-api` commands specifically for testing Lambda functions locally with simulated API Gateway events before deployment. `sam local start-api` creates a local HTTP server that mimics API Gateway, allowing developers to send requests to their Lambda functions as if they were deployed, while `sam local invoke` directly invokes the function with a specified event payload. This is the only tool family designed for local testing of SAM-based Lambda functions with API events.

Exam trap

The trap here is that candidates may confuse the AWS SAM CLI with other AWS CLI tools or services, mistakenly thinking that general-purpose CLI commands or unrelated security tools can perform local Lambda testing with API events.

How to eliminate wrong answers

Option B is wrong because AWS Shield Advanced CLI is a tool for managing DDoS protection services, not for testing Lambda functions or API events locally. Option C is wrong because AWS Organizations policy simulator is used to test IAM and SCP policies for multi-account environments, not for local Lambda or API Gateway testing. Option D is wrong because Amazon Inspector SBOM export is used to generate a software bill of materials for vulnerability assessment, not for testing Lambda functions or API events.

27
MCQ · medium

An API Gateway REST API invokes Lambda synchronously. Clients receive 502 responses after a deployment, but Lambda logs show a successful business operation. What is the most likely issue?

A. The Lambda execution role lacks dynamodb:PutItem
B. The Lambda proxy integration response format is invalid
C. The API cache TTL is too short
D. The API stage has X-Ray tracing enabled
Answer: B

Correct for the stated requirement.

Why this answer

Lambda proxy integration requires the response to be in a specific JSON format: `{"statusCode": ..., "headers": ..., "body": ...}`. If the Lambda function returns a plain string or an object missing these keys, API Gateway cannot map it to an HTTP response, resulting in a 502 Internal Server Error. The successful business operation in logs confirms the Lambda code ran correctly, but the malformed response format causes the gateway error.

Exam trap

The trap here is that candidates see 'successful business operation' in logs and assume the Lambda is fine, overlooking that API Gateway proxy integration enforces a strict response contract, not just any valid return value.

How to eliminate wrong answers

Option A is wrong because a missing `dynamodb:PutItem` permission would cause a 403 Forbidden or 500 error from Lambda, not a 502, and the logs would show an access denied exception, not a successful operation. Option C is wrong because API cache TTL affects cached responses and latency, not the response format or 502 errors; a short TTL would cause more frequent cache misses, not gateway errors. Option D is wrong because enabling X-Ray tracing adds tracing headers and logs but does not alter the response format or cause 502 errors; it is purely a monitoring feature.

28
MCQ · easy

A developer needs to store configuration parameters securely for a Lambda function. The parameters include database credentials and API keys. Which AWS service should be used?

A. AWS Systems Manager Parameter Store
B. AWS Secrets Manager
C. Amazon DynamoDB with encryption
D. Amazon S3 with server-side encryption
Answer: B

Secrets Manager is purpose-built for storing and rotating secrets securely.

Why this answer

Option B is correct because Secrets Manager is designed to securely store secrets. Option A is wrong because SSM Parameter Store can be used but Secrets Manager is better for automated rotation. Option D is wrong because S3 is not secure for secrets.

Option C is wrong because DynamoDB is not secure by default.

29
MCQ · hard

A company is using AWS CodePipeline to automate their CI/CD pipeline. The pipeline includes a stage that runs a set of integration tests using AWS CodeBuild. The tests require access to a database running on a private subnet in a VPC. The CodeBuild project is configured to use a managed compute image. How can the CodeBuild project access the database?

A. Place the CodeBuild project in a public subnet and use a NAT gateway to route traffic to the private subnet.
B. Configure the CodeBuild project to use a custom VPC with the appropriate subnet and security group.
C. Set up a VPC peering connection between the CodeBuild VPC and the database VPC.
D. Create a VPC endpoint for the database service and attach it to the CodeBuild project.
Answer: B

CodeBuild supports launching in a VPC, allowing access to resources in that VPC.

Why this answer

Option B is correct because by setting the CodeBuild project to use a custom VPC, it can be configured with a subnet and security group that allow access to the private database. Option A is wrong because a NAT gateway would require the CodeBuild project to be in a public subnet, not private. Option C is wrong because VPC peering is unnecessary; CodeBuild can be launched directly in the VPC.

Option D is wrong because a VPC endpoint is for accessing AWS services privately, not for general network access.

30
Multi-Select · easy

A developer is troubleshooting an AWS Lambda function that is invoked by an Amazon S3 bucket notification. The function processes new objects but sometimes fails because the object is not fully written before Lambda reads it. Which TWO actions can the developer take to fix this?

Select 2 answers
A. Implement a retry mechanism in the Lambda function to check object existence before processing.
B. Use S3 Transfer Acceleration.
C. Configure the S3 event notification to trigger only when objects with a specific suffix are created.
D. Use an Amazon SQS queue to buffer the S3 events.
E. Increase the Lambda function timeout.
Answers: A, C

Retry handles eventual consistency.

Why this answer

Option C (S3 event notification with suffix) is correct because it can target specific file types that are written last. Option A (Retry logic) is correct because it handles eventual consistency. Option D is wrong because SQS doesn't solve the write-in-progress issue.

Option B is wrong because it doesn't help. Option E is wrong because it doesn't address the timing.

31
MCQ · easy

A developer needs to securely store database credentials for a Lambda function. The credentials must be automatically rotated every 30 days. Which service should be used?

A. AWS Key Management Service (KMS)
B. AWS Secrets Manager
C. AWS Systems Manager Parameter Store
D. AWS CloudHSM
Answer: B

Secrets Manager provides automatic rotation.

Why this answer

Option B is correct because AWS Secrets Manager supports automatic rotation of secrets. Option C is wrong because Parameter Store does not automatically rotate credentials. Option A is wrong because KMS is for encryption keys, not credential storage.

Option D is wrong because CloudHSM is for hardware security modules.

32
Multi-Select · easy

A developer is building a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. Which TWO AWS services can be used for service discovery?

Select 2 answers
A. Amazon ECR
B. AWS Cloud Map
C. Elastic Load Balancing
D. AWS Systems Manager Parameter Store
E. Amazon Route 53
Answers: B, E

Cloud Map is designed for service discovery.

Why this answer

Options B and E are correct. AWS Cloud Map is a service discovery service that can be used to register and discover services. Amazon Route 53 can also be used for service discovery by using private hosted zones and health checks.

Option C is incorrect because ELB is for load balancing, not service discovery. Option A is incorrect because ECR is for container images. Option D is incorrect because Systems Manager Parameter Store is for configuration, not discovery.

33
MCQ · medium

A company is running a monolithic application on an EC2 instance. The application currently stores session state in local memory on the instance. The company plans to scale the application horizontally by adding more instances behind a load balancer. What change is required to ensure that session state is preserved across requests?

A. Store session data in Amazon S3 and retrieve it on each request.
B. Increase the EC2 instance size to handle more sessions per instance.
C. Use Amazon ElastiCache to store session state externally.
D. Use an Amazon RDS database to store session state.
Answer: C

ElastiCache provides a fast, in-memory session store that can be accessed by all instances.

Why this answer

The correct answer is C. Using ElastiCache (Redis or Memcached) provides a centralized, scalable session store accessible from all instances. Option A is wrong because S3 is not designed for low-latency session storage.

Option D is wrong because RDS is a relational database, which can work but is not optimized for session storage. Option B is wrong because increasing instance size does not enable session sharing across instances.

34
MCQ · hard

An organization has a Lambda function that processes messages from an Amazon SQS queue. The function is configured with a reserved concurrency of 5. The SQS queue has a visibility timeout of 30 seconds. The Lambda function takes an average of 45 seconds to process each message. What is the likely behavior of this setup?

A. The Lambda function will be throttled due to reserved concurrency.
B. The Lambda function will process messages successfully with no issues.
C. Messages will be processed multiple times because they become visible again before the function completes.
D. The Lambda function will automatically increase its processing speed.
Answer: C

Visibility timeout expires, making messages visible again.

Why this answer

Option C is correct because the Lambda function takes longer than the visibility timeout, causing messages to become visible again before processing completes. This leads to duplicate processing. Option A is wrong because Lambda will still process the message even if it takes longer.

Option B is wrong because the reserved concurrency limit may cause throttling but not duplication. Option D is wrong because messages are not deleted until the function completes, so they become visible again.

35
Multi-Select · easy

A developer is building a REST API using API Gateway and Lambda. The API must be secured using a Lambda authorizer. Which THREE steps are necessary to implement the Lambda authorizer? (Choose THREE.)

Select 3 answers
A. Configure the API Gateway method to use the Lambda authorizer.
B. Return a JSON Web Token (JWT) from the authorizer function.
C. Create a Lambda function that validates the token and returns an IAM policy.
D. Grant API Gateway permission to invoke the Lambda authorizer function.
E. Generate an API key and distribute it to clients.
Answers: A, C, D

Associate the authorizer with the API method.

Why this answer

Options A, C, and D are correct. Option E is wrong because an API key is not required for a Lambda authorizer. Option B is wrong because the authorizer returns an IAM policy, not a token.

36
MCQ · hard

A developer is designing a serverless application that processes user-uploaded images. The images are uploaded to an S3 bucket, which triggers a Lambda function to create a thumbnail and store metadata in DynamoDB. The thumbnail creation is CPU-intensive and can take up to 10 seconds. The developer wants to minimize costs and ensure that the thumbnail is created as soon as possible. Which approach should the developer choose?

A. Use AWS Step Functions to orchestrate the Lambda function and DynamoDB update.
B. Use an ECS Fargate task to process the images, triggered by S3 events.
C. Use S3 event notifications to directly invoke the Lambda function.
D. Use an SQS queue between S3 and Lambda to buffer requests.
Answer: C

Direct invocation is the simplest, with minimal latency and cost.

Why this answer

Option C is correct because Lambda can handle CPU-intensive tasks, and using the S3 event to directly trigger Lambda is the simplest and most cost-effective approach. Option A is incorrect because Step Functions add cost and complexity. Option D is incorrect because SQS introduces latency and cost.

Option B is incorrect because ECS requires provisioning and management, increasing complexity and cost compared to Lambda.

37
MCQ · easy

A developer is setting up an S3 bucket to trigger an AWS Lambda function when a new object is created. After configuring the event notification, the Lambda function is not invoked. The developer checks the Lambda resource-based policy, which is shown in the exhibit. What is the issue?

A. The policy is missing a condition that specifies the S3 bucket ARN.
B. The Action is incorrect; it should be 'lambda:Invoke' instead of 'lambda:InvokeFunction'.
C. The principal is incorrect; it should be the S3 bucket ARN.
D. The policy is missing the 'Version' field.
Answer: A

To allow S3 to invoke the function, the policy should include a condition like 'ArnLike' with the bucket ARN to prevent other buckets from triggering the function.

Why this answer

The correct answer is A. The policy is missing a 'Version' and 'Id' field, but more importantly, S3 requires the source account ID in the policy. However, the policy is valid syntax but lacks the 'Condition' block that includes the bucket name or account ID.

Actually, the typical issue is that the policy is missing the 'Service' principal specification. The correct answer is that the Principal should be 's3.amazonaws.com' but the policy is missing the 'SourceAccount' condition. However, the most common mistake is that the policy is missing the 'SourceArn' condition.

Given the options, A is correct because the policy must include a condition to restrict which bucket can invoke the function.

38
Multi-Select · hard

A company is running a containerized application on Amazon ECS with Fargate. The application needs to process messages from an Amazon SQS queue. The developer must ensure that the application can scale out based on the queue depth. Which THREE steps should the developer take to implement this? (Choose THREE.)

Select 3 answers
A. Configure DynamoDB auto scaling for the application's table to handle increased load.
B. Configure an ECS Service Auto Scaling target tracking policy using the SQS queue's ApproximateNumberOfMessagesVisible metric.
C. Implement the application to delete messages from the queue after successful processing.
D. Grant the ECS task IAM role permission to poll and delete messages from the SQS queue.
E. Register the ECS tasks with an Application Load Balancer target group to distribute messages.
Answers: B, C, D

This scaling policy adjusts the number of tasks based on queue depth.

Why this answer

Options B, C, and D are correct. Option D: The task role needs permission to poll SQS. Option B: ECS Service Auto Scaling with a target tracking policy using SQS queue depth as a metric.

Option C: The application should delete messages after processing to avoid reprocessing. Option A is wrong because read capacity is for DynamoDB, not SQS. Option E is wrong because Fargate tasks are not registered with an ALB target group; they are launched by the ECS service.

39
Multi-Select · hard

A developer is using Amazon S3 to store sensitive data. The compliance team requires that all objects be encrypted at rest using server-side encryption with a customer-managed key (SSE-KMS). Which THREE steps must the developer take to enforce this requirement? (Choose THREE.)

Select 3 answers
A. Create an AWS KMS customer-managed key.
B. Configure the bucket ACL to require encryption.
C. Add a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not set to 'aws:kms'.
D. Enable S3 default encryption with SSE-S3.
E. Set the bucket's default encryption to SSE-KMS using the customer-managed key.
Answers: A, C, E

A customer-managed key is required for SSE-KMS.

Why this answer

Options A, C, and E are correct. Using a KMS key for encryption ensures SSE-KMS; bucket policies can deny writes without the correct encryption header; default encryption enforces SSE-KMS. Option D is wrong because S3 does not automatically encrypt with SSE-KMS without configuration.

Option B is wrong because bucket ACLs do not control encryption.

40
MCQ · hard

A developer is building a serverless application that uses AWS Step Functions to orchestrate multiple AWS Lambda functions. The workflow involves three steps: validate input, process data, and store results. The developer notices that the workflow occasionally fails due to transient errors in the process data step. The developer wants to implement error handling so that the workflow retries the process data step up to three times with an exponential backoff. Additionally, if all retries fail, the workflow should send a notification to an Amazon SNS topic and transition to a failure state. The developer has defined the state machine in Amazon States Language (ASL). How should the developer configure the state machine?

A. Write custom retry logic inside the Lambda function code and catch exceptions there.
B. Modify the IAM execution role to allow the state machine to call SNS and then use a ResultPath to handle errors.
C. In the process data state definition, add a Retry field with MaxAttempts: 3 and BackoffRate: 2, and add a Catch field that transitions to a failure state and sends an SNS notification.
D. Add a Retry field at the workflow level and a Catch field at the workflow level.
Answer: C

This correctly implements retry with exponential backoff and a fallback on failure.

Why this answer

Option C is correct because you can define Retry and Catch within a state. Retry specifies the retry behavior, and Catch specifies what to do after retries are exhausted. Option D is incorrect because you cannot define Retry and Catch at the workflow level; they must be per state.

Option B is incorrect because you should modify the state definition, not the execution role. Option A is incorrect because you can handle this within the state machine without Lambda code changes.

41
MCQ · medium

A developer is debugging an AWS Lambda function that processes messages from an Amazon SQS queue. The function is failing with an error when processing certain messages. The developer wants to isolate the failed messages for later analysis without losing them. What should the developer do?

A. Publish the failed messages to an SNS topic for later processing.
B. Log the error and delete the message from the queue.
C. Increase the visibility timeout of the SQS queue.
D. Configure a dead-letter queue (DLQ) for the SQS queue.
Answer: D

DLQ captures failed messages after retries.

Why this answer

Option D is correct because a dead-letter queue (DLQ) on the SQS queue will capture messages that cannot be processed, allowing the function to continue processing other messages. Option C (increase visibility timeout) does not isolate failed messages. Option B (log and ignore) loses the messages.

Option A (use SNS) is not a standard pattern for this issue.

42
Multi-Select · medium

A developer is building a serverless application using AWS Lambda to process images uploaded to an S3 bucket. The Lambda function needs to resize each image and store the result in another S3 bucket. Which TWO actions should the developer take to ensure the function can access the S3 buckets securely?

Select 2 answers
A. Create an IAM execution role for the Lambda function with permissions to read from the source bucket and write to the destination bucket.
B. Configure a bucket policy on the destination S3 bucket that grants the Lambda execution role s3:PutObject permission.
C. Store the AWS access key and secret key in the Lambda environment variables.
D. Assign an IAM user to the Lambda function and embed the user's access key in the function code.
E. Attach an IAM instance profile to the Lambda function.
Answers: A, B

Lambda functions require an execution role to access AWS resources.

Why this answer

Option A is correct because Lambda functions need an execution role with permissions. Option B is correct because S3 bucket policies can grant access to the Lambda function's execution role. Option D is incorrect because Lambda functions do not use IAM users.

Option E is incorrect because EC2 instance profiles are for EC2, not Lambda. Option C is incorrect because Lambda does not use access keys directly.

43
MCQ · hard

A developer is deploying a Node.js application on AWS Lambda. The function uses the 'axios' library to call an external API. After deployment, the function times out after 3 seconds. The external API response time is normally under 500 ms. What should the developer do to resolve this issue?

A. Increase the Lambda function timeout to 10 seconds.
B. Increase the Lambda function reserved concurrency.
C. Remove the Lambda function from the VPC.
D. Increase the Lambda function memory to 1024 MB.
Answer: A

Default timeout is 3 seconds; external API may occasionally take longer.

Why this answer

Option A is correct because Lambda's default timeout is 3 seconds; increasing it allows the function to wait for the API response. Option B is wrong because it affects concurrency, not timeout. Option C is wrong because Lambda always runs in a VPC if configured; not using a VPC does not fix timeout.

Option D is wrong because increasing memory does not affect timeout.

44
MCQ · easy

A company is using AWS CodePipeline to automate its CI/CD pipeline. The pipeline has a source stage that uses Amazon S3. The developer updates a file in the S3 bucket, but the pipeline does not start automatically. What is the MOST likely cause?

A. The IAM role for CodePipeline does not have s3:GetObject permission.
B. The pipeline is configured to use polling instead of event-based triggers.
C. Amazon S3 versioning is not enabled on the bucket.
D. AWS CloudTrail is not enabled.
Answer: C

CodePipeline uses S3 event notifications which require versioning.

Why this answer

Option C is correct because S3 source actions require versioning enabled to detect changes. Option D is wrong because CloudTrail is not required. Option B is wrong because polling is not the default method.

Option A is wrong because IAM permissions are separate from the detection mechanism.

45
MCQ · easy

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The application needs to store and retrieve session data. The session data has a TTL of 30 minutes. Which DynamoDB feature should the developer use to automatically delete expired items?

A. Use DynamoDB Streams to capture expired items and trigger a Lambda function for deletion.
B. Use DynamoDB Time to Live (TTL) to set an expiry time attribute that DynamoDB automatically deletes when the TTL is reached.
C. Use DynamoDB Global Tables to replicate data to another region and then set a TTL on the replica.
D. Use DynamoDB Accelerator (DAX) to cache the data and expire it based on a cache TTL.
Answer: B

DynamoDB TTL automatically deletes items after the specified expiry timestamp without any additional cost or custom code. This is the best option for automatic expiration of session data.

Why this answer

DynamoDB Time to Live (TTL) is the correct feature because it allows you to define a per-item timestamp attribute. When that timestamp is reached, DynamoDB automatically deletes the item without any additional cost or custom code. This directly meets the requirement to automatically delete expired session data after 30 minutes.

Exam trap

The trap here is that candidates may think DynamoDB Streams can be used to detect expired items, but TTL deletions do not generate stream events, so a custom deletion mechanism would require a separate scan or query, which is inefficient and not automatic.

How to eliminate wrong answers

Option A is wrong because DynamoDB Streams capture item changes but do not trigger on TTL expirations; using a Lambda function to scan and delete expired items would be inefficient and incur unnecessary costs. Option C is wrong because Global Tables replicate data across regions for high availability and disaster recovery, not for automatic deletion based on TTL. Option D is wrong because DAX is an in-memory cache that improves read performance but does not provide automatic deletion of expired items in the underlying DynamoDB table.

46
MCQ · medium

A developer is designing a system where an S3 bucket receives uploads, and each upload triggers a Lambda function to process the file. The processed output is stored in another S3 bucket. The developer notices that sometimes the same file is processed multiple times. How can this be prevented?

A. Make the Lambda function idempotent by checking if the object has already been processed using a DynamoDB table.
B. Use an SQS FIFO queue as the event destination and enable content-based deduplication.
C. Enable S3 bucket replication to another bucket and trigger Lambda from the replica.
D. Enable S3 bucket versioning and use 's3:ObjectCreated:Put' events.
Answer: A

Idempotency ensures that duplicate events do not cause duplicate processing.

Why this answer

Option C is correct because enabling S3 event notifications with the 'S3:ObjectCreated:*' event type and ensuring the Lambda function is idempotent (e.g., using the object key as a unique identifier) prevents duplicate processing. Option A is wrong because S3 does not have a deduplication feature for events. Option B is wrong because SQS FIFO queues can deduplicate messages, but S3 event notifications do not support FIFO queues.

Option D is wrong because versioning does not prevent duplicate events.

47
Multi-Select · medium

A developer is building a RESTful API using AWS Lambda and Amazon API Gateway. The API will be accessed by external customers. The developer needs to implement authentication and authorization. Which THREE steps should the developer take to secure the API? (Choose three.)

Select 3 answers
A. Use Amazon Cognito user pools for user authentication and to generate JWT tokens.
B. Configure the API to use AWS IAM roles for authentication by passing the role ARN in the request.
C. Create a Lambda authorizer that validates a JWT token from a third-party identity provider.
D. Enable Amazon Cognito as an authorizer in the API Gateway method request settings.
E. Attach a resource policy to the API Gateway that allows only specific IAM users.
Answers: A, C, D

Correct: Cognito user pools handle authentication.

Why this answer

Option C is correct because API Gateway can use a Lambda authorizer to validate custom tokens. Option A is correct because Amazon Cognito can manage user sign-up/sign-in and issue JWT tokens. Option D is correct because API Gateway can integrate with Cognito to validate tokens.

Option B is incorrect because IAM roles are for internal AWS services, not external users. Option E is incorrect because resource policies are for cross-account access, not user authentication.

48
Multi-Select · easy

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The application processes user uploads stored in an S3 bucket. The developer needs to ensure that the Lambda function can read objects from the S3 bucket. Which TWO steps should the developer take to meet this requirement? (Choose two.)

Select 2 answers
A. Set the S3 bucket's object-level permissions to allow the Lambda function.
B. Use AWS Key Management Service (KMS) to grant the Lambda function access to the S3 bucket.
C. Add a bucket policy on the S3 bucket that grants access to the Lambda function's execution role.
D. Attach an IAM policy to the Lambda execution role with permissions for s3:GetObject.
E. Create an IAM user with S3 read permissions and configure the Lambda function to assume that user.
Answers: C, D

Correct: The bucket policy must allow the Lambda role.

Why this answer

Option D is correct because the Lambda execution role must have an IAM policy granting s3:GetObject permission. Option C is correct because the S3 bucket policy must explicitly allow the Lambda function's execution role to access the objects. Option E is incorrect because Lambda functions use an execution role, not an IAM user.

Option A is incorrect because S3 bucket policies are evaluated at the bucket level, not the object level. Option B is incorrect because KMS is not required for S3 access unless encryption is involved.

49
MCQ · hard

A developer is deploying a microservices architecture on Amazon ECS with Fargate. The services need to communicate with each other using service discovery. The developer wants to use AWS Cloud Map for service discovery. Which configuration is required for the services to register and discover each other?

A. Create an Application Load Balancer and register each service as a target group.
B. Create a VPC endpoint for each service.
C. Configure Security Groups to allow traffic between services.
D. Create a Cloud Map namespace and service; then configure ECS tasks to register with the service.
Answer: D

Cloud Map provides service discovery via DNS or API.

Why this answer

Option D is correct because Cloud Map requires a namespace (either HTTP or DNS) and service resources. The ECS tasks use the Cloud Map API or DNS queries to discover services. Option A is wrong because ALB is for load balancing, not service discovery.

Option B is wrong because VPC endpoints are for private connectivity to AWS services. Option C is wrong because Security Groups are for firewall rules, not discovery.

50
MCQ · easy

A developer is writing an AWS Lambda function that processes files uploaded to an S3 bucket. The function should only be triggered when a new object is created in a specific subfolder (e.g., /uploads/). Which S3 event notification configuration should the developer use?

A. Configure the event notification with a prefix filter set to 'uploads/' and event type 's3:ObjectCreated:*'.
B. Configure a single event notification for all objects and filter on the prefix inside the Lambda function.
C. Configure the event notification using object tags to filter events.
D. Use AWS CloudTrail to detect S3 PutObject events and trigger Lambda.
Answer: A

This ensures only objects created under the 'uploads/' prefix trigger the Lambda function, minimizing unnecessary invocations.

Why this answer

Option A is correct because S3 event notifications support prefix filtering, which allows you to specify a key prefix (e.g., 'uploads/') so that only object creation events in that subfolder trigger the Lambda function. By setting the event type to 's3:ObjectCreated:*', the function responds to all object creation operations (PUT, POST, Copy, etc.) within the filtered path, meeting the requirement precisely without unnecessary invocations.

Exam trap

The trap here is that candidates might think filtering inside the Lambda function is acceptable (Option B), but AWS best practice and the exam emphasize configuring filtering at the event source to minimize invocations and follow the principle of least privilege for triggers.

How to eliminate wrong answers

Option B is wrong because filtering on the prefix inside the Lambda function would still cause the function to be invoked for every object created in the bucket, leading to unnecessary executions and increased costs; S3 event notifications support prefix filtering natively, so this should be configured at the event source level. Option C is wrong because S3 event notifications do not support filtering by object tags; tag-based filtering is not a feature of S3 event notifications, and tags are not evaluated during event generation. Option D is wrong because AWS CloudTrail is not designed for real-time event-driven triggers; it logs API calls with a delay and is intended for auditing, not for invoking Lambda functions in response to S3 object creation events.

51
MCQ · medium

A developer attaches the IAM policy shown to a user. The user attempts to upload an object to example-bucket using the AWS CLI with the command: `aws s3 cp file.txt s3://example-bucket/`. The upload fails. What is the MOST likely reason?

A. The user does not have permission to perform s3:PutObject on the bucket.
B. The bucket policy overrides the IAM policy and denies the request.
C. The resource ARN does not include the bucket itself.
D. The user did not specify server-side encryption in the request.
Answer: D

The condition requires SSE with AES256.

Why this answer

Option D is correct because the policy requires the `x-amz-server-side-encryption` header to be set to AES256, but the CLI command does not specify SSE. Option A is wrong because the action is allowed. Option C is wrong because the resource allows all objects.

Option B is wrong because the bucket policy is not shown.

52
Multi-Select · medium

Which TWO AWS services can be used to store and retrieve application configuration data in a serverless application? (Choose two.)

Select 2 answers
A. Amazon S3
B. AWS CloudFormation
C. AWS AppConfig
D. AWS Secrets Manager
E. Amazon DynamoDB
Answers: C, E

AppConfig is a service for managing application configuration.

Why this answer

AWS AppConfig is designed for application configuration. Amazon DynamoDB is a NoSQL database that can store configuration data. AWS Systems Manager Parameter Store also stores configuration, but it is not listed as an option (it's a valid service but not in the list).

AWS CloudFormation is for infrastructure provisioning. Amazon S3 is object storage, not optimized for configuration. AWS Secrets Manager is for secrets, not general configuration.

53
MCQ · hard

The above command invokes a Lambda function. The response includes 'FunctionError': 'Handled'. What does this indicate?

A. The function threw an exception that was caught and returned as an error.
B. The function had a permission error.
C. The function executed successfully.
D. The function timed out.
Answer: A

Correct: 'Handled' means the error was handled by the code.

Why this answer

Option A is correct because 'Handled' means the function threw an exception that was caught by the code (e.g., in a try-catch block) and returned an error response. Option C is wrong because 'Handled' does not mean the function succeeded. Option D is wrong because a timeout would be 'Unhandled'.

Option B is wrong because permission errors would result in 403.

54
MCQ · hard

A developer is debugging a Lambda function that is triggered by an S3 event. The function is supposed to process images and store metadata in DynamoDB. However, the function times out after 3 seconds for large images. The function's timeout is currently set to 5 seconds. What should the developer do to resolve the issue without increasing the timeout?

A. Increase the Lambda function's memory allocation to improve performance.
B. Increase the Lambda function's timeout to 15 minutes.
C. Use multipart upload or stream processing to handle the image in chunks.
D. Offload the processing to an Amazon SQS queue and process asynchronously.
Answer: C

Streaming or chunking can reduce memory usage and processing time.

Why this answer

Correct: C. The function times out because it processes the image synchronously. By using S3 Multipart upload or processing in chunks, the function can handle large images faster.

Option A is wrong because increasing memory may help but does not address the timeout issue directly. Option B is wrong because increasing timeout is not allowed per the condition. Option D is wrong because SQS does not speed up processing.

55
MCQ · hard

A company runs a microservices application on Amazon ECS with Fargate. Each service has its own task definition and uses service discovery via AWS Cloud Map. Recently, one service is failing to connect to another service using the service discovery endpoint. The developer verified that both services are running and the security groups allow traffic. What is the most likely cause of the connectivity issue?

A. The service discovery namespace is of type private but the DNS records are not being created.
B. The task definitions are not using the awsvpc network mode.
C. The service discovery namespace is of type public and the services are in a private subnet.
D. The VPC does not have an internet gateway attached.
Answer: A

If DNS records are missing, service discovery fails.

Why this answer

Service discovery namespace must be of type 'private' for ECS tasks to resolve. Option C identifies this. Option A is incorrect because Fargate tasks use awsvpc network mode by default.

Option B is incorrect because ECS service discovery works within VPC. Option D is incorrect because Cloud Map does not require an internet gateway for private namespaces.

56
MCQ · easy

A developer is building a RESTful API that allows clients to query a database and retrieve results. The backend logic is implemented in AWS Lambda, which queries an Amazon DynamoDB table. The developer wants to expose the API over HTTPS and manage authentication and throttling. Which AWS service should the developer use to create and manage the API endpoints?

A. Application Load Balancer
B. Amazon API Gateway
C. AWS CloudFront
D. Amazon S3
Answer: B

API Gateway provides a fully managed API frontend with HTTPS, authentication, throttling, and integration with Lambda and DynamoDB.

Why this answer

Amazon API Gateway is the correct choice because it is a fully managed service that enables developers to create, publish, maintain, monitor, and secure RESTful APIs at any scale. It directly supports HTTPS endpoints, integrates natively with AWS Lambda for backend logic, and provides built-in features for authentication (e.g., IAM, Cognito, Lambda authorizers) and throttling (usage plans and rate limits). This makes it the ideal service for exposing a Lambda-backed DynamoDB query as a secure, managed API.

Exam trap

The trap here is that candidates may confuse an Application Load Balancer with API Gateway because both can invoke Lambda functions, but ALB lacks API management features like authentication, throttling, and API key validation, which are explicitly required in the question.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer operates at Layer 7 of the OSI model and distributes traffic to targets like Lambda functions, but it does not provide API management features such as authentication, throttling, or API key validation; it is designed for load balancing, not for creating and managing RESTful API endpoints. Option C is wrong because AWS CloudFront is a content delivery network (CDN) that caches and accelerates content delivery, but it does not natively create API endpoints or manage authentication and throttling for a RESTful API; it can be placed in front of API Gateway but is not a substitute for it. Option D is wrong because Amazon S3 is an object storage service that can host static websites and serve content over HTTPS, but it cannot execute backend logic like querying a DynamoDB table, nor does it provide authentication or throttling for API requests; it is not designed for dynamic API endpoints.

57
MCQ · easy

An organization uses AWS CodeCommit for source control and AWS CodeBuild for building a Java application. The build process needs to run integration tests that require a MySQL database. The team wants to ensure the database is provisioned only during the build and cleaned up afterward to minimize costs. What is the most efficient solution?

A. Provision a small RDS MySQL instance and keep it running for the build process.
B. Use AWS CloudFormation to create an RDS instance at the start of the build and delete it at the end.
C. Use a Docker container running MySQL within the CodeBuild environment.
D. Use Amazon DynamoDB as a substitute for MySQL for the integration tests.
Answer: C

This provides an ephemeral database that is created and destroyed with the build.

Why this answer

Option C is correct. Using AWS CodeBuild's local custom image with Docker Compose allows running a MySQL container as part of the build, which is ephemeral and cost-effective. Option A is wrong because provisioned RDS instances incur costs even when not in use.

Option D is wrong because DynamoDB is not a relational database and may not support the same SQL queries. Option B is wrong because creating and destroying RDS instances in every build is slow and may hit API rate limits.

58
MCQ · medium

A company uses Amazon API Gateway to expose a REST API backed by AWS Lambda. The API is experiencing high latency. The developer suspects cold starts are contributing to the latency. Which action would be MOST effective in reducing cold start latency?

A. Increase the memory allocation of the Lambda function.
B. Place the Lambda function in a VPC to improve network latency.
C. Enable Lambda@Edge to cache responses.
D. Increase the function timeout to 15 minutes.
Answer: A

More memory reduces cold start time.

Why this answer

Option A is correct because using a larger memory configuration can reduce cold start time by providing more CPU resources. Option C is wrong because provisioned concurrency reduces cold starts but does not involve Lambda@Edge. Option B is wrong because using VPC can increase cold starts.

Option D is wrong because increasing timeout does not affect cold start performance.

59
MCQ · hard

A developer is using AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance. The developer wants to ensure that the DB instance is not accidentally deleted when the stack is updated. Which property should be set on the DB instance resource?

A. UpdateReplacePolicy: Retain
B. DeletionPolicy: Delete
C. DeletionPolicy: Retain
D. DependsOn: SomeOtherResource
Answer: C

Retains the resource even if the stack is deleted.

Why this answer

Option C is correct because DeletionPolicy: Retain prevents the DB instance from being deleted when the stack is deleted or the resource is removed from the stack. Option A is wrong because UpdateReplacePolicy handles replacement updates, not deletion. Option D is wrong because DependsOn does not prevent deletion.

Option B is wrong because DeletionPolicy: Delete is the default and does not prevent deletion.

60
MCQ · easy

A company is using AWS CodePipeline to automate deployments. The pipeline has a source stage that retrieves code from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The build stage is failing intermittently with errors related to missing dependencies. What should a developer do to ensure the build environment has all required dependencies?

A. Configure environment variables in CodePipeline to set dependency paths.
B. Manually install dependencies on the CodeBuild build server each time.
C. Use AWS CodeCommit as the source repository instead of S3.
D. Create a custom buildspec.yml file in the source code that installs the dependencies in the install phase.
Answer: D

Automates dependency installation.

Why this answer

Option D is correct because a custom buildspec.yml can install dependencies in the install phase. Option A is wrong because CodePipeline does not manage environment variables for CodeBuild. Option B is wrong because it's not efficient to install manually.

Option C is wrong because CodeCommit is a different source.

61
MCQ · hard

A developer is running a Lambda function that uses the 'requests' library. The error shown in the exhibit occurs when invoking the function. Which step should the developer take to fix this?

A. Change the Lambda runtime to Python 3.9 which includes requests
B. Package the 'requests' library with the Lambda deployment package
C. Use the 'urllib' library instead of 'requests'
D. Install the 'requests' library using pip in the Lambda console
Answer: B

Include dependencies in a .zip file or use Lambda layers.

Why this answer

The requests library is not included in the Lambda runtime; it must be packaged with the deployment package. Option B is correct.

62
MCQ · hard

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload an object to s3://my-bucket/confidential/report.pdf. What is the outcome?

A. The upload succeeds because the Allow statement grants s3:PutObject on the bucket.
B. The upload fails because there is no Allow statement for the confidential prefix.
C. The upload fails because the Deny statement explicitly denies access to the confidential prefix.
D. The upload fails because the policy is malformed.
Answer: C

Explicit Deny always overrides any Allow.

Why this answer

Option C is correct because the Deny statement explicitly denies all s3 actions on the confidential prefix, and explicit Deny overrides any Allow. Option A is wrong because the Deny overrides the Allow. Option B is wrong because there is no explicit Allow for that prefix.

Option D is wrong because the policy applies.

63
MCQ · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session state in an S3 bucket. Users report that after logging in, they are sometimes redirected to the login page again on subsequent requests. What is the MOST likely cause?

A. S3 is not a suitable store for session state due to its eventual consistency and higher latency.
B. The EC2 instances do not have internet access to reach S3.
C. The ALB does not have sticky sessions enabled.
D. The application is not scaling properly, causing session loss.
Answer: A

Correct: S3 is not designed for high-frequency session reads/writes.

Why this answer

Option A is correct because S3 is not designed for low-latency session state access and is eventually consistent, leading to lost writes. A managed service like ElastiCache or DynamoDB is better. Option C is wrong because ALB supports sticky sessions.

Option B is wrong because S3 can be accessed from EC2. Option D is wrong because scaling alone does not cause session loss if storage is properly configured.

64
MCQ · medium

A company uses Amazon API Gateway with a Lambda authorizer to secure its APIs. The authorizer must verify a JWT token from a third-party identity provider. The team notices that the authorizer is called on every API request, causing additional latency. How can the team reduce the number of authorizer invocations?

A. Use Amazon CloudFront to cache the API responses.
B. Configure the Lambda authorizer to return a cached policy using the 'methodArn' and 'principalId' combination.
C. Enable API Gateway caching and set a TTL of 300 seconds.
D. Remove the Lambda authorizer and use IAM roles for authorization.
Answer: B

Lambda authorizer supports caching based on the token.

Why this answer

Option B is correct because enabling token caching in the Lambda authorizer reduces invocations. Option C is wrong because the TTL in API Gateway caching is for response caching, not authorizer caching. Option A is wrong because caching in CloudFront is for content, not authorization.

Option D is wrong because the Lambda authorizer is the intended mechanism; removing it would bypass security.

65
MCQ · medium

A company runs a microservices architecture on Amazon ECS with Fargate. The application experiences intermittent high latency. The operations team wants to trace requests across services and identify bottlenecks. Which AWS service should be used?

A. VPC Flow Logs
B. Amazon CloudWatch Logs
C. AWS X-Ray
D. Amazon CloudWatch Metrics
Answer: C

Designed for tracing and analyzing distributed applications.

Why this answer

Option C is correct because AWS X-Ray provides end-to-end tracing for distributed applications. Option B is wrong because CloudWatch Logs only collects logs, not traces. Option D is wrong because CloudWatch Metrics provides aggregated metrics but not request-level traces.

Option A is wrong because VPC Flow Logs capture network metadata but not application-level tracing.

66
Multi-Select · medium

Which TWO actions should a developer take to improve the security of an AWS Lambda function that processes sensitive data?

Select 2 answers
A. Use a dead-letter queue (DLQ) for failed invocations
B. Encrypt environment variables using AWS KMS
C. Grant the Lambda function full access to all S3 buckets
D. Run the Lambda function inside a VPC
E. Store secrets in the Lambda function code
Answers: B, D

Protects sensitive data at rest.

Why this answer

Encrypt environment variables with KMS and use a VPC to isolate the function. Options B and D are correct.

67
MCQ · medium

Refer to the exhibit. A developer invoked a Lambda function and received the response shown. What does the response indicate?

A. The function was not invoked due to a permissions error.
B. The function executed successfully but did not return any logs.
C. The invocation timed out.
D. The function was invoked but returned an error.
Answer: D

FunctionError indicates an unhandled error in the function.

Why this answer

Option D is correct because the FunctionError field is 'Unhandled' and the response contains an error object, indicating a function error. Option A is wrong because the StatusCode is 200, not 4xx or 5xx. Option C is wrong because the invocation succeeded but the function failed.

Option B is wrong because LogResult is empty, but that's not the reason.

68
Multi-Select · hard

Which TWO of the following are required to enable cross-origin resource sharing (CORS) for an API hosted on Amazon API Gateway? (Choose two.)

Select 2 answers
A. Modify the Lambda function to return CORS headers in the response
B. Configure Amazon CloudFront to add CORS headers
C. Add an OPTIONS method to the API Gateway resource and configure it to return the required CORS headers
D. Configure an S3 bucket CORS policy
E. Enable CORS on the API Gateway resource and deploy the API
Answers: C, E

The OPTIONS method handles preflight requests.

Why this answer

Correct: C and E. To enable CORS, you must enable CORS on the API Gateway resource (which adds the required headers) and configure the OPTIONS method to respond to preflight requests. Option A is wrong because Lambda functions do not need to return CORS headers if API Gateway handles it.

Option B is wrong because CloudFront does not enable CORS for API Gateway. Option D is wrong because S3 CORS configuration is for S3, not API Gateway.

69
Multi-Select · medium

A company is using AWS CodePipeline to automate deployments. The pipeline has a source stage that retrieves code from an S3 bucket, a build stage using CodeBuild, and a deploy stage using CodeDeploy. The build stage sometimes fails due to intermittent network issues. Which TWO actions would make the pipeline more resilient to such failures?

Select 1 answer
A. Enable retry on the build stage to automatically attempt the build again on failure.
B. Store build artifacts in a different S3 bucket.
C. Add a manual approval stage before the build stage.
D. Configure the build stage to run multiple build actions in parallel.
E. Use a different source repository, such as CodeCommit.
Answers: A

Retry can handle transient failures.

Why this answer

Enabling retry on the build stage allows the pipeline to automatically retry on failure. Configuring a manual approval stage does not help with automated retries. Using a different source does not address build failures.

Splitting into multiple actions adds complexity, not resilience. Storing artifacts in a different bucket is not relevant.

70
Multi-Select · medium

A developer is deploying a new version of an AWS Lambda function using the AWS CLI. The function is currently active and handling traffic. The developer wants to gradually shift traffic to the new version and rollback if errors increase. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A. Configure the alias to route a percentage of traffic to the new version and the rest to the current version.
B. Create a new version of the Lambda function.
C. Invoke the Lambda function with the new version using the AWS SDK.
D. Update the alias to route 100% of traffic to the new version.
E. Use AWS CodeDeploy to create a deployment group for the Lambda function.
Answers: A, B

This enables canary deployments.

Why this answer

Lambda aliases can route traffic. Options A and B are correct. Option D is wrong because weights sum to 100.

Option E is wrong because CodeDeploy can manage traffic shifting but not directly via CLI. Option C is wrong because SDK is not needed.

71
MCQ · medium

A developer is deploying a Lambda function that processes messages from an SQS queue. The queue has a batch size of 10. To optimize cost and performance, the developer wants to minimize the number of Lambda invocations while ensuring that all messages are processed within the SQS visibility timeout. Which configuration should the developer use?

A. Set the Lambda function timeout to less than the SQS visibility timeout.
B. Increase the SQS visibility timeout to 5 minutes and set Lambda timeout to 5 minutes.
C. Configure the Lambda function to process messages asynchronously.
D. Set the Lambda reserved concurrency to 1 to limit concurrent executions.
Answer: A

This ensures messages are processed before becoming visible again, reducing duplicate invocations.

Why this answer

Option A is correct because setting the Lambda function timeout to be less than the SQS visibility timeout ensures that the function can process messages and delete them before they become visible again, preventing duplicate processing. A batch size of 10 already allows up to 10 messages per invocation.

72
MCQ · hard

A developer is using AWS CodePipeline to automate CI/CD. The pipeline has a Source stage (CodeCommit), a Build stage (CodeBuild), and a Deploy stage (CodeDeploy). The Build stage runs tests and packages the application. The developer notices that the Deploy stage is triggered even when the Build stage fails. How can the developer prevent deployment on build failure?

A. Set a transition between Build and Deploy stages that only allows successful builds.
B. Add a manual approval action before Deploy stage.
C. Add a CloudWatch Events rule to trigger a Lambda function that stops the pipeline on build failure.
D. Configure the Build stage with 'On failure: Abort' in the pipeline settings.
Answer: D

Aborting the pipeline on failure stops further stages.

Why this answer

CodePipeline transitions automatically unless a stage fails. Option D is correct because setting 'On failure: Abort' will stop the pipeline. Option C is incorrect because notifications do not prevent transition.

Option A is incorrect because transitions are between stages, not within. Option B is incorrect because manual approval is not automatic.

73
MCQ · medium

A developer needs to securely store database credentials for a Lambda function that accesses an Amazon RDS instance. The credentials must be automatically rotated every 30 days. Which AWS service should be used?

A. AWS IAM Roles for Lambda
B. AWS Secrets Manager
C. AWS Key Management Service (KMS)
D. AWS Systems Manager Parameter Store
Answer: B

Secrets Manager provides automatic rotation and fine-grained access control.

Why this answer

AWS Secrets Manager supports automatic rotation of secrets and integrates with Lambda and RDS. Option B is correct.

74
MCQ · hard

A developer is building a serverless application that processes images uploaded to an S3 bucket. The bucket triggers a Lambda function that creates a thumbnail and stores it in another S3 bucket. The developer notices that the Lambda function is invoked multiple times for the same object, causing duplicate thumbnails. What is the MOST likely cause?

A. S3 event notifications are eventually consistent and may deliver duplicates.
B. The Lambda function is configured with a DLQ that causes retries.
C. The Lambda function is idempotent and should handle duplicates.
D. The S3 bucket has multiple event notifications that trigger the same Lambda function.
Answer: D

Multiple notifications (e.g., for different event types) can cause the same function to be invoked for the same object.

Why this answer

Option D is correct because if S3 event notifications are misconfigured (e.g., both PutObject and PutObjectAcl events trigger the same function), the function runs multiple times. Option A is wrong because Lambda provides at-least-once execution, but duplicates are not typical unless triggered multiple times. Option B is wrong because S3 does not send duplicate events; the issue is multiple triggers.

Option C is wrong because concurrent Lambda executions would not cause duplicates; each invocation processes a unique event.

75
Multi-Select · medium

Which THREE actions can be performed using AWS Lambda and Amazon S3 event notifications? (Choose three.)

Select 3 answers
A. Resize an image when a new image is uploaded to an S3 bucket.
B. Generate a pre-signed URL for an object.
C. Scan an uploaded file for viruses.
D. Enable versioning on the S3 bucket.
E. Transcode a video when a new video file is created.
Answers: A, C, E

Lambda can process image on upload.

Why this answer

Options A, C, and E are correct. S3 event notifications can trigger Lambda on PUT, POST, DELETE, etc. Option B (pre-signed URL generation) is not an event; it's a client action.

Option D (versioning) is a bucket property, not triggered by events.
