CCNA Dev AWS Services Questions

75 of 518 questions · Page 2/7 · Dev AWS Services topic · Answers revealed

76
MCQ · easy

A developer wants to deploy a containerized application on AWS. The application requires persistent storage that can be accessed by multiple containers running on different EC2 instances. Which AWS service should the developer use?

A. Amazon Elastic File System (EFS)
B. Amazon Elastic Block Store (EBS)
C. Amazon Simple Storage Service (S3)
D. Amazon DynamoDB
Answer: A

EFS is a scalable file system that can be mounted on multiple EC2 instances concurrently.

Why this answer

Option A is correct because Amazon EFS provides shared file storage for multiple EC2 instances. Option B is wrong because EBS volumes can only be attached to one instance. Option C is wrong because S3 is object storage.

Option D is wrong because DynamoDB is a NoSQL database.

77
MCQ · hard

A company has a monolithic application running on an EC2 instance that needs to be migrated to a microservices architecture on AWS. The development team wants to use AWS services to handle service discovery, configuration management, and secrets management. Which combination of AWS services should the team use?

A. Use Amazon ECS Service Discovery for service discovery, AWS Config for configuration, and AWS Systems Manager Parameter Store for secrets.
B. Use AWS Cloud Map for service discovery, AWS AppConfig for configuration, and AWS Secrets Manager for secrets.
C. Use AWS Cloud Map for service discovery, AWS Systems Manager Parameter Store for configuration, and AWS Secrets Manager for secrets.
D. Use AWS Service Discovery for service discovery, EC2 Image Builder for configuration, and AWS Key Management Service (KMS) for secrets.
Answer: B

Cloud Map for service discovery, AppConfig for config, Secrets Manager for secrets.

Why this answer

Option B is correct because AWS Cloud Map provides service discovery, AWS AppConfig manages application configuration, and AWS Secrets Manager securely stores secrets. Option C uses Systems Manager Parameter Store for configuration, but AppConfig is more feature-rich for config management. Option D uses Service Discovery (AWS Cloud Map) but EC2 Image Builder is for creating AMIs, not config.

Option A uses ECS Service Discovery (part of Cloud Map) but Config is for resource compliance, not configuration management.

78
MCQ · easy

A developer is building a microservices application that processes event messages from multiple sources. The application requires at-least-once delivery, but message ordering is not important. Which Amazon SQS queue type should the developer use?

A. Standard queue
B. FIFO queue
C. Dead-letter queue
D. Delay queue
Answer: A

Standard queues offer at-least-once delivery and high throughput without ordering guarantees, fitting the requirement.

Why this answer

Amazon SQS Standard queues provide at-least-once delivery and best-effort ordering, making them ideal for microservices that can tolerate duplicate messages and do not require strict message sequencing. Since the application processes events from multiple sources and message ordering is not important, a Standard queue meets the requirements without the throughput limitations of FIFO queues.

Exam trap

The trap here is that candidates often confuse the 'at-least-once' delivery requirement with the need for ordering, leading them to choose FIFO queues, but the question explicitly states ordering is not important, making Standard queues the correct and more performant choice.

How to eliminate wrong answers

Option B is wrong because FIFO queues guarantee exactly-once processing and strict message ordering, which are unnecessary here and would impose a throughput limit of 3,000 transactions per second (with batching) or 300 without, adding cost and complexity. Option C is wrong because a dead-letter queue is not a primary queue type for receiving messages; it is a secondary queue used to capture messages that fail processing after a specified number of receive attempts. Option D is wrong because a delay queue is not a distinct queue type but a feature of Standard or FIFO queues that introduces an initial message delay (up to 15 minutes), which does not address the core requirement of at-least-once delivery.

79
MCQ · hard

A developer is using AWS CodePipeline to deploy a serverless application. The pipeline has a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). The developer wants to automatically roll back the deployment if the CloudFormation stack update fails. Which configuration should be used?

A. Add a stack policy to the CloudFormation stack to prevent updates.
B. Set the deployment to use AWS CodeDeploy and enable rollback.
C. Configure a manual approval action in the pipeline to trigger a rollback.
D. Configure the CloudFormation stack to roll back on failure using the RollbackConfiguration.
Answer: D

CloudFormation can automatically roll back a failed update.

Why this answer

Correct: D. CloudFormation stack updates can automatically roll back on failure if the stack's RollbackConfiguration is set. CodePipeline does not automatically roll back; it stops on failure.

Option A is wrong because the stack policy does not control rollback behavior. Option B is wrong because CodeDeploy is for EC2/ECS, not CloudFormation. Option C is wrong because CodePipeline does not have a built-in rollback action.

80
MCQ · hard

A developer creates the CloudFormation stack with the template above. After the stack is created, messages that are not processed after 5 receives are moved to the DLQ. However, the developer notices that the RedrivePolicy references a queue ARN that is hardcoded. What is the best practice to avoid this hardcoded ARN?

A. Use Ref to reference the DLQ's QueueName and construct the ARN.
B. Use Fn::Sub to substitute the queue name into a hardcoded ARN template.
C. Use Fn::ImportValue to import the DLQ ARN from another stack.
D. Use Fn::GetAtt with "Arn" attribute on the DLQ resource.
Answer: D

Fn::GetAtt can retrieve the Arn attribute of a queue resource.

Why this answer

Option D is correct because using Fn::GetAtt to retrieve the ARN of the DLQ resource within the same template avoids hardcoding. Option C is wrong because Fn::ImportValue is for cross-stack references, not needed here. Option A is wrong because Ref returns the queue URL, not the ARN.

Option B is wrong because Fn::Sub is a string substitution function, but you still need to reference the resource attribute correctly.

81
MCQ · medium

A developer runs the query shown in the exhibit on a DynamoDB table named 'Orders' and gets an error. What is the MOST likely cause?

A. The expression attribute values are incorrectly formatted
B. The table's partition key is not named 'OrderID'
C. The table does not exist
D. The query needs to use a sort key
Answer: B

The key condition expression must use the partition key attribute.

Why this answer

The Query operation requires a partition key; the error indicates that OrderID is not the partition key. Option B is correct.

82
MCQ · hard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon RDS MySQL database. Recently, the application started experiencing frequent database connection timeouts. The development team discovered that the application is not closing database connections properly, leading to exhausted database connections. The team wants a solution that does not require code changes. Which option should they choose?

A. Configure Amazon RDS Proxy in front of the RDS instance and update the application to connect through the proxy.
B. Enable Multi-AZ on the RDS instance to handle failover and reduce connection timeouts.
C. Migrate the database to Amazon Aurora and enable Auto Scaling for read replicas.
D. Increase the max_connections parameter in the RDS parameter group to allow more concurrent connections.
Answer: A

RDS Proxy maintains a pool of connections to the database, reducing the number of open connections and preventing exhaustion.

Why this answer

Option A is correct. RDS Proxy manages connection pooling and reduces the number of open connections to the database, thus preventing connection exhaustion without code changes. Option D is wrong because increasing the max_connections setting only postpones the problem and may cause resource contention.

Option B is wrong because Multi-AZ is for high availability, not connection management. Option C is wrong because switching to Aurora with Auto Scaling does not address the connection leak issue and requires migration effort.

83
MCQ · medium

A company is using Amazon API Gateway to expose a REST API. The API must authenticate requests using an external OAuth 2.0 provider. Which API Gateway feature should be used?

A. IAM authorization
B. Resource policy
C. Lambda authorizer
D. Amazon Cognito User Pools
Answer: C

A Lambda authorizer can validate OAuth tokens from any provider.

Why this answer

Option C is correct because API Gateway supports custom authorizers that can validate OAuth tokens. Option A is wrong because IAM auth is for AWS credentials. Option D is wrong because Cognito User Pools can be used but the question specifies an external provider.

Option B is wrong because Lambda authorizer is the custom authorizer type.

84
MCQ · hard

A company has a microservices architecture running on Amazon ECS with Fargate. Each service exposes an API through an Application Load Balancer (ALB). The development team needs to implement canary deployments for one of the services. What is the MOST efficient way to achieve this?

A. Create two ECS services behind the same ALB, each with a different task definition, and use sticky sessions.
B. Use Amazon Route 53 weighted routing policies to distribute traffic between two ALBs.
C. Configure the ALB to use weighted target groups, each pointing to a different task set of the same ECS service.
D. Use AWS CodeDeploy with an ECS blue/green deployment configuration that supports canary traffic shifting.
Answer: C

ALB weighted target groups allow precise traffic splitting between task sets, enabling canary deployments easily.

Why this answer

Option C is correct because using the ALB weighted target groups feature allows directing a percentage of traffic to a new task set, enabling canary deployments without additional infrastructure. Option D is wrong because CodeDeploy can perform canary deployments with ECS, but it requires additional setup and is not as direct as ALB weighted target groups. Option A is wrong because multiple ECS services would require a separate ALB or complex routing.

Option B is wrong because Route 53 cannot route based on percentage for canary deployments without complex health checks and DNS propagation delays.

85
Multi-Select · hard

Which THREE actions should a developer take to secure an AWS Lambda function that processes sensitive data? (Choose 3.)

Select 3 answers
A. Store configuration values in Lambda environment variables.
B. Attach an IAM role with least privilege permissions.
C. Enable encryption of environment variables using AWS KMS.
D. Run the Lambda function inside a VPC.
E. Enable AWS CloudTrail for the Lambda function.
Answers: A, C, D

Environment variables avoid hardcoding secrets in code.

Why this answer

A, C, and D are correct. Using environment variables for configuration (A) avoids hardcoding secrets. Encrypting environment variables with KMS (C) protects them at rest.

Using a VPC (D) isolates the function. Option B (IAM roles) is already required for permissions, not an additional action. Option E (CloudTrail) is for auditing, not direct security of the function.

86
Multi-Select · medium

Which THREE statements are true about AWS Lambda concurrency and scaling?

Select 3 answers
A. Provisioned concurrency can be used to reduce cold start latency.
B. Lambda automatically scales concurrency based on the number of incoming requests.
C. Lambda has a burst concurrency limit of 500-3000 per region.
D. Reserved concurrency guarantees a minimum number of concurrent executions.
E. Lambda's concurrency limit is per function and cannot be increased.
Answers: A, B, C

Provisioned concurrency pre-initializes environments to handle requests immediately.

Why this answer

Options A, B, and C are correct. Lambda scales by creating new instances up to the reserved concurrency limit. Provisioned concurrency keeps instances warm.

The burst concurrency limit applies per region. Option D is wrong because reserved concurrency limits max concurrency, not guarantees. Option E is wrong because provisioned concurrency does not reduce cold starts for unreserved instances.

87
MCQ · easy

A developer needs to store a large number of binary files (e.g., images) that are accessed infrequently but must be retrievable within minutes. The storage solution should be cost-effective. Which Amazon S3 storage class is MOST suitable?

A. S3 Intelligent-Tiering
B. S3 One Zone-Infrequent Access
C. S3 Glacier Instant Retrieval
D. S3 Standard
Answer: C

Low-cost storage for infrequently accessed data with instant retrieval.

Why this answer

Option C is correct because S3 Glacier Instant Retrieval is for long-lived, rarely accessed data that requires millisecond retrieval, but with a retrieval cost. Option D is wrong because S3 Standard is for frequently accessed data. Option A is wrong because S3 Intelligent-Tiering is for unknown or changing access patterns.

Option B is wrong because S3 One Zone-IA is for infrequent access but less durable.

88
MCQ · easy

Refer to the exhibit. An IAM policy is attached to a user. What is the effect when the user tries to upload an object to s3://example-bucket/secret/file.txt?

A. The upload fails because the Deny statement explicitly denies access to the secret/ prefix.
B. The upload fails only if the user is not the bucket owner.
C. The upload succeeds because the Deny statement does not match the specific action.
D. The upload succeeds because the Allow statement grants s3:PutObject on the bucket.
Answer: A

Explicit Deny always overrides Allow.

Why this answer

Correct: A. The Deny statement explicitly denies all s3 actions on the secret/ prefix. Even though the Allow statement allows PutObject on the bucket, the explicit Deny overrides it.

Option B is wrong because the Deny is not conditional. Option C is wrong because it's denied. Option D is wrong because Deny takes precedence.

89
MCQ · easy

A developer needs to store application configuration data (key-value pairs) that can be accessed by multiple microservices running on EC2 instances. The configuration data changes infrequently but must be retrievable with low latency. Which AWS service should the developer use?

A. AWS Systems Manager Parameter Store
B. AWS AppConfig
C. Amazon S3
D. Amazon DynamoDB
Answer: B

AppConfig is purpose-built for application configuration, providing validation, deployment, and low-latency retrieval.

Why this answer

The correct answer is B. AWS AppConfig is designed to manage application configuration data and supports feature flags and dynamic configuration. Option A is wrong because Systems Manager Parameter Store is also suitable but AppConfig is more specialized for this use case.

However, according to best practices, AppConfig is the recommended service for application configuration. Option D is wrong because DynamoDB is a database, not a configuration store. Option C is wrong because S3 is object storage with higher latency.

90
MCQ · hard

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.' The developer wants to identify the specific error on a failed instance. Which AWS CLI command should the developer use?

A. aws deploy get-deployment
B. aws deploy get-deployment-instance
C. aws deploy list-deployments
D. aws deploy list-deployment-instances
Answer: B

Correct: Provides detailed status and error for a specific instance.

Why this answer

Option B is correct because 'aws deploy get-deployment-instance' provides detailed information about a specific instance deployment. Option D is wrong because 'list-deployment-instances' only lists IDs. Option A is wrong because 'get-deployment' gives overall deployment info.

Option C is wrong because 'list-deployments' lists deployments.

91
MCQ · easy

A developer is writing an AWS Lambda function in Python that needs to download a file from Amazon S3, process it, and upload the result to a different S3 bucket. The function currently runs within the default 3-second timeout, but the developer expects the file size to increase. What is the MOST cost-effective way to handle the increase in processing time?

A. Increase the Lambda function's timeout to a value higher than the expected processing time.
B. Increase the Lambda function's timeout to 15 minutes.
C. Use Lambda provisioned concurrency to keep the function warm.
D. Refactor the code to use AWS Step Functions to orchestrate the processing.
Answer: A

Increasing the timeout is simple and cost-effective.

Why this answer

Option A is correct because increasing the Lambda timeout is the simplest and most cost-effective way to handle longer processing times. Option D is wrong because Step Functions add cost and complexity. Option B is wrong because Lambda functions cannot run longer than 15 minutes.

Option C is wrong because provisioned concurrency is for reducing cold starts, not for extending timeout.

92
MCQ · medium

A company has a Node.js application running on an EC2 instance. The application needs to store session state. The developer wants to ensure high availability and scalability by storing session data externally. Which AWS service is BEST suited for this purpose?

A. Amazon DynamoDB
B. Amazon S3
C. Amazon ElastiCache for Redis
D. Amazon RDS for MySQL
Answer: C

Redis is commonly used for session caching due to its speed and support for data expiration.

Why this answer

Option C is correct because ElastiCache for Redis provides an in-memory data store that is ideal for session management, offering low latency and high throughput. Option B is wrong because S3 is for object storage, not low-latency session storage. Option D is wrong because RDS is a relational database, which is slower for session data.

Option A is wrong because DynamoDB is a NoSQL database but is not as fast as in-memory caching for session state.

93
MCQ · hard

A company uses Amazon API Gateway with a Lambda authorizer to control access to its APIs. The Lambda authorizer returns an IAM policy that grants access to the API. Recently, the company noticed that some API calls are being throttled due to high latency from the authorizer. What is the MOST effective way to reduce latency?

A. Enable caching for the Lambda authorizer responses.
B. Use a custom authorizer instead of a Lambda authorizer.
C. Reduce the TTL of the authorizer cache.
D. Increase the memory allocated to the Lambda authorizer function.
Answer: A

Caching avoids invoking the authorizer for every request.

Why this answer

Option A is correct because enabling caching for the authorizer allows API Gateway to reuse the policy for subsequent requests within the TTL. Option D is wrong because increasing Lambda memory may reduce latency but not as effectively as caching. Option B is wrong because using a custom authorizer with a simple response does not address latency.

Option C is wrong because reducing the TTL would increase calls to the authorizer, increasing latency.

94
MCQ · easy

A company uses AWS CodeCommit and wants to automatically trigger a build in AWS CodePipeline when code is pushed to the master branch. Which action should be taken?

A. Configure a CloudWatch Events rule to start the pipeline on repository changes
B. Add a webhook in CodeCommit to directly invoke CodePipeline
C. Set up a scheduled pipeline that polls CodeCommit every minute
D. Use an S3 trigger to start the pipeline when code is uploaded
Answer: A

CloudWatch Events triggers the pipeline on push events.

Why this answer

CodePipeline can use a CloudWatch Events rule to detect changes in CodeCommit and start the pipeline. Option A is correct.

95
MCQ · medium

A developer is building a serverless application using AWS SAM that includes an API Gateway REST API and a Lambda function. The developer wants to pass environment variables to the Lambda function based on the deployment stage (dev/prod). The stage name is provided as a SAM parameter. How should the developer define this in the SAM template?

A. Define a SAM Parameter for the stage name, and reference it in the Lambda function's Environment property
B. Use the Globals section of the SAM template to set environment variables
C. Hard-code the environment variables with different values in the template
D. Use an AWS Systems Manager Parameter Store parameter and reference it in the function
Answer: A

SAM Parameters are the standard way to inject deployment-time values. You can reference the parameter directly in the Environment.Variables section to set variables like STAGE.

Why this answer

Option A is correct because AWS SAM allows you to define parameters (e.g., StageName) and reference them directly in the Lambda function's Environment property using CloudFormation intrinsic functions like !Ref. This enables dynamic injection of environment variables based on the deployment stage without modifying the template structure, aligning with Infrastructure as Code best practices for multi-environment deployments.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Parameter Store (Option D) for dynamic values, missing that SAM parameters are the simplest native mechanism for stage-specific environment variables without external service dependencies.

How to eliminate wrong answers

Option B is wrong because the Globals section sets default values for all functions in the template, but it cannot dynamically vary environment variables per deployment stage without additional logic like conditions or parameters, making it unsuitable for stage-specific values. Option C is wrong because hard-coding environment variables for each stage would require maintaining separate templates or manual edits, violating the principle of reusable, parameterized templates and increasing error risk. Option D is wrong because while AWS Systems Manager Parameter Store can store values, referencing it directly in the function does not inherently tie the value to the SAM deployment stage; you would still need a parameter or mapping to select the correct Parameter Store path per stage, making Option A more straightforward.

96
MCQ · medium

A company is using AWS Lambda functions behind an Amazon API Gateway REST API. Users report intermittent 503 errors. The Lambda function code appears correct. Which action is MOST likely to resolve the issue?

A. Increase the Lambda function memory allocation.
B. Increase the Lambda function timeout.
C. Request a service quota increase for Lambda concurrent executions.
D. Increase the API Gateway throttling limits.
Answer: C

Lambda concurrent execution limits cause 503 errors when exceeded.

Why this answer

Option C is correct because Lambda concurrent execution limits can cause throttling, leading to 503 errors. Increasing the limit provides more capacity. Option B is wrong because Lambda timeout errors cause 504, not 503.

Option D is wrong because API Gateway throttling (default 10,000 rps) is usually not the cause at low rates. Option A is wrong because memory increase helps performance but not concurrency limits.

97
Multi-Select · medium

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The application experiences occasional throttling on DynamoDB writes. The developer wants to implement a retry mechanism with exponential backoff. Which THREE steps should the developer take?

Select 3 answers
A. Use Amazon SQS to buffer write requests to DynamoDB.
B. Configure a dead-letter queue (DLQ) for the Lambda function to capture failed events.
C. Increase the DynamoDB table's provisioned write capacity.
D. Use the AWS SDK's built-in retry behavior which includes exponential backoff.
E. Implement custom retry logic in the Lambda function with exponential backoff.
Answers: B, D, E

DLQ stores events that failed after retries.

Why this answer

Options B, D, and E are correct. The AWS SDK automatically retries with exponential backoff (D). The developer can also implement custom retry logic (E).

A DLQ helps capture failed events (B). Option C (reserved capacity) does not implement retry. Option A (SQS) is not needed for this scenario.

98
Multi-Select · hard

Which THREE steps are required to set up cross-account access for an Amazon S3 bucket? (Choose THREE.)

Select 3 answers
A. Configure the bucket ACL to allow the other account
B. Create an IAM role in the source account that the other account can assume
C. Set up a VPC endpoint for S3
D. Add a bucket policy that allows the other account to access the bucket
E. Grant the IAM user in the other account the necessary S3 permissions
Answers: B, D, E

Cross-account role allows temporary access.

Why this answer

Options B, D, and E are correct. The bucket policy must grant access to the other account's user or role. The user in the other account must have permissions via IAM.

The IAM role in the source account can be used for cross-account access. Option A is wrong because ACLs are legacy and not recommended. Option C is wrong because a VPC endpoint is for network connectivity, not cross-account access.

99
MCQ · hard

A developer is using AWS X-Ray to trace a serverless application. The application uses an AWS Lambda function to query a DynamoDB table. The trace shows that the DynamoDB subsegment takes a significant portion of the total response time. The developer wants to reduce the DynamoDB query latency. Which service should the developer integrate with the Lambda function to achieve the lowest latency for repeated read queries?

A. DynamoDB Accelerator (DAX)
B. Amazon ElastiCache for Redis
C. DynamoDB Global Tables
D. DynamoDB Streams
Answer: A

Correct. DAX is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x read performance improvement by caching frequently accessed data.

Why this answer

DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x read performance improvement by reducing response times from milliseconds to microseconds for repeated read queries. By integrating DAX with the Lambda function, the developer can cache the results of frequent DynamoDB queries directly in memory, bypassing the read capacity units and the underlying storage engine, which directly addresses the latency bottleneck shown in the X-Ray trace.

Exam trap

The trap here is that candidates often choose ElastiCache for Redis because it is a well-known caching solution, but they overlook that DAX is purpose-built for DynamoDB and provides lower latency with zero application-level cache management, making it the correct choice for reducing DynamoDB query latency in a serverless application.

How to eliminate wrong answers

Option B (Amazon ElastiCache for Redis) is wrong because it is a general-purpose caching solution that requires the developer to manually manage cache invalidation, data synchronization, and application-level logic to keep the cache consistent with DynamoDB, adding complexity and potential latency overhead compared to DAX's native DynamoDB integration. Option C (DynamoDB Global Tables) is wrong because it is designed for multi-region replication and disaster recovery, not for reducing read latency within a single region; it actually increases write latency due to cross-region replication and does not cache repeated read queries. Option D (DynamoDB Streams) is wrong because it captures a time-ordered sequence of item-level changes in a DynamoDB table for event-driven processing (e.g., triggering Lambda functions), but it does not provide any caching or read acceleration functionality.

100
MCQ · medium

A developer is building a serverless application using AWS Lambda to process events from an Amazon SQS queue. The Lambda function is CPU-bound and currently experiences timeouts. What is the MOST cost-effective way to reduce execution time?

A. Increase the SQS batch window size
B. Switch the Lambda runtime from Python to Node.js
C. Increase the Lambda function's memory allocation
D. Enable Provisioned Concurrency for the function
Answer: C

More memory provides more CPU, speeding up CPU-bound tasks.

Why this answer

Option C is correct because increasing the Lambda memory allocation also increases allocated CPU, which directly helps CPU-bound functions. Option A is wrong because increasing batch size does not help CPU-bound tasks. Option D is wrong because Provisioned Concurrency does not reduce execution time.

Option B is wrong because changing to a different runtime may not address the CPU limitation.

101
MCQ · medium

A development team is using AWS CodeBuild to compile and test their code. They want to store build artifacts in an Amazon S3 bucket. The buildspec.yml file includes an artifacts section. Which configuration correctly specifies the output artifacts?

A. artifacts: files: - '**/*' discard-paths: no
B. artifacts: base-directory: 'build' files: '**/*'
C. artifacts: file: '**/*' discard-paths: no
D. artifacts: path: '**/*' discard-paths: false
Answer: A

This is the correct syntax for specifying build artifacts in buildspec.yml.

Why this answer

Option A is correct because the artifacts section in buildspec.yml uses the 'files' key (not 'file') to specify which files are build artifacts. Option C is wrong because 'file' is not a valid key. Option D is wrong because 'path' is not a key in the artifacts section; it's a property of the 'files' list.

Option B is wrong because 'base-directory' is misspelled and the structure is incorrect.

102
MCQ · hard

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The developer wants to enable caching for API responses to reduce latency and cost. Which step is REQUIRED to enable caching?

A. Enable caching in the Lambda function code
B. Set the TTL in the API Gateway method request integration
C. Create a cache cluster in API Gateway for the stage
D. Use Amazon ElastiCache and modify the Lambda function to check cache
Answer: C

You must enable caching at the API Gateway stage level and specify cache size.

Why this answer

To enable API Gateway caching, you must create a cache cluster at the stage level, which incurs additional cost. Option C is correct.

103
MCQ · easy

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The Lambda function needs to read and write items to a DynamoDB table. What is the BEST way to securely provide the Lambda function with the necessary AWS credentials?

A. Store the AWS access key and secret key in the Lambda environment variables.
B. Create an IAM role with DynamoDB permissions and attach it to the Lambda function.
C. Create an IAM user with programmatic access and store the credentials in the Lambda code.
D. Use the Lambda function's default full admin access provided by AWS.
Answer: B

Lambda assumes the IAM role to obtain temporary credentials; this is secure and follows least privilege.

Why this answer

Option B is correct because the best practice is to attach an IAM role to the Lambda function with the required permissions. This avoids hardcoding credentials. Option A is incorrect because storing credentials in environment variables is not secure.

Option C is incorrect because Lambda does not use access keys in IAM users; it uses roles. Option D is incorrect because the Lambda function should have least privilege, not full admin access.

104
MCQhard

A developer is building a real-time chat application using Amazon API Gateway WebSockets and AWS Lambda. The developer notices that messages are sometimes delivered out of order. What should the developer do to ensure ordered message delivery?

A.Increase the Lambda function's memory allocation
B.Use API Gateway's built-in message ordering feature
C.Set the 'sequenceNumber' property in the WebSocket message
D.Use an Amazon SQS FIFO queue to buffer messages before processing
AnswerD

FIFO queues preserve order.

Why this answer

WebSocket connections are stateful; using a FIFO queue ensures ordering. Option D is correct.

105
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The developer needs to pass a list of security group IDs to an EC2 instance launch configuration. The security groups are created in another stack. How should the developer obtain the security group IDs?

A.Use Fn::GetAtt to retrieve the IDs from the other stack's resources.
B.Use Fn::ImportValue to import the exported outputs from the other stack.
C.Use a nested stack to include the security group resources in the same template.
D.Use Fn::Ref to reference the security group IDs directly.
AnswerB

ImportValue is designed for cross-stack references.

Why this answer

Option B is correct because Fn::ImportValue imports exported outputs from another stack. Option A is wrong because Fn::GetAtt only works within the same stack. Option D is wrong because Fn::Ref returns a single value.

Option C is wrong because nested stacks are more complex.

106
Multi-Selecteasy

A developer needs to implement a serverless API using Amazon API Gateway and AWS Lambda. The API should support CORS (Cross-Origin Resource Sharing) to allow requests from a web application hosted on a different domain. Which TWO configurations are required? (Choose TWO.)

Select 2 answers
A.Create a custom domain name for the API Gateway and configure the web application to use it.
B.Enable CORS on the API Gateway resource and methods.
C.Disable CORS on the API Gateway and set the Access-Control-Allow-Origin header in the Lambda function.
D.Configure an OPTIONS method in API Gateway and return appropriate CORS headers from the Lambda function.
E.Modify the Lambda function to include the Access-Control-Allow-Origin header in all responses.
AnswersB, D

API Gateway can be configured to return the required CORS headers automatically.

Why this answer

Options B and D are correct. Option B: API Gateway must return CORS headers. Option D: The Lambda function must handle the OPTIONS method.

Option C is wrong because CORS is not disabled by default; it must be explicitly enabled. Option E is wrong because the Lambda function does not need to return CORS headers; API Gateway adds them. Option A is wrong because a custom domain is not related to CORS.

107
MCQmedium

A developer is creating a REST API using Amazon API Gateway and multiple AWS Lambda functions for different endpoints. The API must support CORS for a web application hosted on a different domain. The developer is using Lambda proxy integration. Which configuration is required to enable CORS?

A.Enable CORS in API Gateway and configure the Lambda functions to return the required CORS headers.
B.Configure API Gateway to return CORS headers and Lambda functions can ignore CORS.
C.Configure Lambda functions to return CORS headers and API Gateway will pass them through automatically.
D.Use a Lambda@Edge function at Amazon CloudFront to add CORS headers.
AnswerA

Enabling CORS in API Gateway generates an OPTIONS method and configures headers for non-proxy integrations, but for proxy integrations, the Lambda must also return the headers. Both steps are needed to ensure full CORS support.

Why this answer

With Lambda proxy integration in API Gateway, the entire request and response are passed through to the Lambda function, which must return the HTTP response including status code, headers, and body. To enable CORS, the Lambda function must include the required CORS headers (e.g., Access-Control-Allow-Origin) in its response. While API Gateway can be configured to add CORS headers for non-proxy integrations, with proxy integration the Lambda function is solely responsible for returning all headers.

Exam trap

The trap here is that candidates assume API Gateway's CORS configuration works universally, but with Lambda proxy integration, the Lambda function has full control over the response headers, making API Gateway's CORS settings ineffective.

How to eliminate wrong answers

Option B is wrong because with Lambda proxy integration, API Gateway cannot independently add CORS headers; the Lambda function controls the entire response. Option C is wrong because API Gateway does not automatically pass through headers from the Lambda function; the Lambda function must explicitly return them in the response object. Option D is wrong because Lambda@Edge is used with CloudFront for edge processing, not for API Gateway CORS configuration, and it would add unnecessary complexity and latency.

108
Multi-Selecthard

A developer is building a real-time chat application using Amazon API Gateway WebSocket APIs and AWS Lambda. The application needs to send messages to all connected clients. Which THREE actions are required to implement this functionality? (Choose THREE.)

Select 3 answers
A.Store the WebSocket URL in the Lambda function environment variables.
B.Use the API Gateway callback URL to post messages to a specific connection.
C.Grant the Lambda function IAM permission to execute the execute-api:ManageConnections action.
D.Store the connection IDs in an Amazon DynamoDB table for later retrieval.
E.Extract the connection ID from the event object when a client connects.
AnswersB, C, E

The callback URL is in the format https://api-id.execute-api.region.amazonaws.com/@connections/{connectionId}.

Why this answer

Options B, C, and E are correct. Option C: The Lambda function needs the execute-api:ManageConnections permission to post to connections. Option B: The callback URL is used to send messages to clients.

Option E: The connection ID is obtained from the event object. Option A is wrong because the WebSocket URL is not needed for posting; the callback URL is derived from the API endpoint. Option D is wrong because DynamoDB is not required for sending messages; it's optional for persistence.

109
MCQeasy

A developer is building a serverless web application using AWS Lambda and Amazon DynamoDB. The application needs to perform complex aggregations on data stored in DynamoDB. Which AWS service should the developer use to perform these aggregations efficiently without reading all the data into Lambda?

A.AWS Glue
B.Amazon EMR
C.DynamoDB Streams with AWS Lambda
D.Amazon Redshift
AnswerC

DynamoDB Streams capture changes and can trigger Lambda to update aggregated results in near real-time without scanning the full table.

Why this answer

Option C is correct because DynamoDB Streams captures item-level changes in near real-time and can trigger a Lambda function to perform incremental aggregations without scanning the entire table. This pattern avoids reading all data into Lambda, making it efficient for continuous aggregation workloads.

Exam trap

The trap here is that candidates may choose AWS Glue or Amazon EMR because they associate 'complex aggregations' with big data tools, overlooking that DynamoDB Streams with Lambda provides a serverless, incremental aggregation pattern that avoids full table scans.

How to eliminate wrong answers

Option A is wrong because AWS Glue is a serverless ETL service designed for batch data processing and cataloging, not for real-time aggregations triggered by DynamoDB changes. Option B is wrong because Amazon EMR is a big data platform for running Apache Spark, Hadoop, or Hive clusters, which is overkill and not serverless for simple aggregations on DynamoDB data. Option D is wrong because Amazon Redshift is a petabyte-scale data warehouse for SQL analytics, not a service for performing aggregations directly on DynamoDB data without moving it first.

110
MCQmedium

A developer is building a serverless application using AWS Lambda to process files uploaded to an S3 bucket. The files are encrypted with S3 server-side encryption using AWS KMS (SSE-KMS). The Lambda function needs to read the files and store metadata in DynamoDB. Which IAM policy statement should be attached to the Lambda execution role to allow it to decrypt the objects?

A.{"Effect":"Allow","Action":["kms:Encrypt"],"Resource":"*"}
B.{"Effect":"Allow","Action":["kms:Decrypt"],"Resource":"arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
C.{"Effect":"Allow","Action":["kms:GenerateDataKey"],"Resource":"*"}
D.{"Effect":"Allow","Action":["s3:GetObject"],"Resource":"arn:aws:s3:::my-bucket/*"}
AnswerB

Decrypt is required to decrypt objects encrypted with SSE-KMS.

Why this answer

Option B is correct because the Lambda function needs kms:Decrypt permission for the specific KMS key used for S3 SSE-KMS encryption. Option D is wrong because s3:GetObject without kms:Decrypt would fail if the object is encrypted with SSE-KMS. Option C is wrong because kms:GenerateDataKey is used for client-side encryption, not decryption.

Option A is wrong because kms:Encrypt is for encryption, not decryption.

111
MCQmedium

Refer to the exhibit. A developer runs the AWS CLI command to invoke a Lambda function. The output shows StatusCode 200 and no FunctionError. However, the application that depends on this function's output is not working correctly. What should the developer check next?

A.Check the Lambda function's CloudWatch Logs for any errors or unexpected output.
B.Check the IAM role attached to the Lambda function for insufficient permissions.
C.Check the payload format against the function's expected input.
D.Check the Lambda function's memory and timeout configuration.
AnswerA

CloudWatch Logs contain the function's output and any debug information.

Why this answer

A StatusCode 200 indicates that Lambda accepted the invocation and ran the function without a runtime error. However, the function might have a logical error, incorrect business logic, or might be returning unexpected data. The developer should check the function's logs in CloudWatch Logs to see the actual output and any debug messages.

The payload format might also be incorrect, but the invocation succeeded technically. The function's memory or timeout settings might cause issues but would typically result in an error. The IAM role might be insufficient but would show an error in logs.

112
Multi-Selecteasy

Which TWO AWS services can be used to decouple microservices in a distributed application? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch
B.Elastic Load Balancer (ELB)
C.Amazon Simple Notification Service (SNS)
D.Amazon Simple Queue Service (SQS)
E.Amazon Route 53
AnswersC, D

Pub/sub decoupling.

Why this answer

Options C and D are correct. Amazon SQS provides message queuing for decoupling. Amazon SNS enables pub/sub messaging.

Option B is wrong because ELB is for load balancing traffic to a single service. Option A is wrong because CloudWatch is for monitoring. Option E is wrong because Route 53 is DNS.

113
MCQeasy

A developer is building a RESTful API using Amazon API Gateway. The API experiences high traffic spikes, and many requests are for the same data (e.g., a product catalog). The developer wants to reduce the load on the backend Lambda functions and improve response times for repeated requests. Which feature should the developer enable?

A.Enable API Gateway caching and set a TTL.
B.Use CloudFront with the API Gateway as an origin.
C.Enable throttling on the API Gateway usage plan.
D.Use a DynamoDB Accelerator (DAX) cluster for the backend database.
AnswerA

API Gateway caching stores responses for a specified TTL. Repeated requests for the same resource and parameters are served from the cache, reducing backend load and improving response times.

Why this answer

API Gateway caching stores responses from backend Lambda functions for a configurable time-to-live (TTL). When a request for the same data (e.g., a product catalog) arrives within the TTL period, API Gateway serves the cached response directly, reducing the number of invocations to the Lambda function and improving response latency. This directly addresses the need to reduce load on the backend and improve response times for repeated requests.

Exam trap

The trap here is that candidates often confuse API Gateway caching with CloudFront caching, thinking that CloudFront alone reduces backend load, but CloudFront caches at the edge and still forwards cache misses to API Gateway, which then invokes Lambda; only API Gateway caching directly reduces Lambda invocations for repeated requests.

How to eliminate wrong answers

Option B is wrong because CloudFront with API Gateway as an origin adds a CDN layer that caches responses at edge locations, but it does not reduce the load on the backend Lambda functions for repeated requests to the same API endpoint; it primarily improves latency for geographically distributed users and can still forward requests to API Gateway, which then invokes Lambda. Option C is wrong because enabling throttling on the API Gateway usage plan limits the rate of requests to protect the backend from being overwhelmed, but it does not cache responses or improve response times for repeated requests; it may actually reject or delay requests. Option D is wrong because using a DynamoDB Accelerator (DAX) cluster caches database queries at the data layer, but the problem is about reducing load on Lambda functions and improving response times for API requests, not about optimizing database access; DAX does not cache API responses or reduce Lambda invocations.

114
MCQmedium

A company is using AWS CodePipeline to automate its CI/CD pipeline. The pipeline has a build stage that uses AWS CodeBuild. The developer wants to run unit tests and only proceed to the deploy stage if the tests pass. Which configuration should the developer use to achieve this?

A.Configure a manual approval step before the deploy stage.
B.Configure Amazon CloudWatch alarms to stop the pipeline if tests fail.
C.Configure the build stage to run tests and fail the build if tests fail; CodePipeline will automatically stop.
D.Configure AWS Lambda to invoke a function that checks test results and manually stops the pipeline.
AnswerC

Tests in the build stage can fail the build, preventing deployment.

Why this answer

CodeBuild can be configured with a buildspec file that defines phases, including a 'post_build' phase for running tests. If the tests fail, CodeBuild returns a non-zero exit code, causing the build to fail. CodePipeline will then stop and not proceed to the deploy stage.

The developer can also use a 'test' action in CodePipeline with a test provider like CodeBuild. The other options either don't stop the pipeline or are not automated.

115
MCQmedium

The developer runs a scan on the DynamoDB table 'orders' with a filter expression to find items with order_status equal to 'SHIPPED'. The output shows ScannedCount of 10000 but Count of 0. Which statement is correct?

A.The scan retrieved 10,000 items from the table, but none matched the filter condition.
B.The scan only returned items that matched the filter, so there are no items with status SHIPPED.
C.The filter expression syntax is incorrect, causing the scan to return zero items.
D.The scan applied the filter before reading items, so only matching items were scanned.
AnswerA

Filter expressions are applied after the scan, so all items were scanned but filtered out.

Why this answer

Option A is correct because filter expressions are applied after the scan retrieves the items, so all 10,000 items were scanned but none matched the filter. Option B is wrong because the scan returns up to 1 MB of data, not a fixed number of items, and the filter is applied after. Option C is wrong because the filter expression is syntactically correct.

Option D is wrong because the filter expression is applied after scanning, not before.

116
MCQmedium

A developer is deploying an application using AWS Elastic Beanstalk. The application reads and writes data to an Amazon RDS database. The developer wants to ensure that database credentials are not stored in the application code or configuration files. What should the developer do?

A.Store the credentials as environment properties in the Elastic Beanstalk environment configuration.
B.Encrypt the credentials and store them in an Amazon S3 bucket. Have the application download them at startup.
C.Use AWS Secrets Manager to store the credentials and retrieve them in the application code.
D.Store the credentials in a separate configuration file and include it in the application source bundle.
AnswerA

Elastic Beanstalk supports storing environment properties that are injected into the application at runtime.

Why this answer

Option D is correct because Elastic Beanstalk can pass environment properties securely by storing them in the EB environment configuration, and they can be retrieved at runtime. Option A is wrong because hardcoding in environment variables in the EB console is not secure; they can be seen in the console. Option B is wrong because storing credentials in S3 and downloading them adds complexity and potential exposure.

Option C is wrong because Secrets Manager is a good practice, but Elastic Beanstalk can inject secrets as environment properties without custom code.

117
MCQeasy

A developer wants to store session state data for a web application running on multiple EC2 instances behind an Application Load Balancer. The data is ephemeral and should not persist if an instance is terminated. Which storage option should the developer use?

A.Amazon ElastiCache
B.Amazon RDS
C.Amazon S3
D.Amazon EFS
AnswerA

Correct. ElastiCache provides an in-memory cache that is ephemeral (by default) and can be shared across all EC2 instances, making it ideal for session state in a distributed environment.

Why this answer

Amazon ElastiCache is the correct choice because it provides an in-memory caching service (e.g., Redis or Memcached) that is ideal for storing ephemeral session state data. The data is stored in memory, not on disk, so it is automatically lost when an EC2 instance is terminated, matching the requirement that session data should not persist. Additionally, ElastiCache is designed for low-latency access, making it suitable for session state that must be quickly read and written by multiple instances behind an Application Load Balancer.

Exam trap

The trap here is that candidates often choose Amazon EFS because it is shared storage accessible by multiple EC2 instances, but they overlook the explicit requirement that data must be ephemeral and not persist after instance termination, which EFS violates by design.

How to eliminate wrong answers

Option B (Amazon RDS) is wrong because RDS is a relational database service that stores data persistently on disk, which contradicts the requirement that session data should be ephemeral and not survive instance termination; it also introduces unnecessary overhead and latency for transient session state. Option C (Amazon S3) is wrong because S3 is an object storage service designed for durable, persistent storage of unstructured data, not for low-latency, ephemeral session state; its eventual consistency model and higher latency make it unsuitable for real-time session management. Option D (Amazon EFS) is wrong because EFS is a shared file system that provides persistent, durable storage across multiple EC2 instances, meaning data would survive instance termination, which directly violates the requirement that session data should not persist.

118
MCQhard

A company is deploying a containerized application on Amazon ECS with Fargate launch type. The application needs to store sensitive configuration data such as database passwords. The developer must ensure that the secrets are encrypted at rest and in transit, and that they are rotated automatically. Which solution should the developer use?

A.Store secrets in AWS Secrets Manager and enable automatic rotation.
B.Store secrets in AWS Systems Manager Parameter Store with a secure string parameter encrypted using AWS KMS.
C.Store secrets in an encrypted S3 bucket and retrieve them in the task definition.
D.Store secrets in AWS Secrets Manager and use a Lambda function to rotate the secrets.
AnswerD

Secrets Manager supports automatic rotation with built-in or custom Lambda rotation.

Why this answer

Option D is correct because AWS Secrets Manager provides automatic rotation, encryption at rest, and integration with ECS for secure retrieval. Option A (Parameter Store with KMS) does not support automatic rotation. Option B (Secrets Manager with Lambda rotation) is essentially correct but the Lambda function is needed for custom rotation; however, Secrets Manager can manage rotation automatically with built-in rotation for AWS services.

Option C (EC2 Systems Manager) is not for secrets management.

119
MCQeasy

Refer to the exhibit. A developer invokes a Lambda function using the AWS CLI. The response shows StatusCode 200 and FunctionError: Unhandled. What does this indicate?

A.The Lambda function threw an exception that was not caught by the code.
B.The Lambda function timed out before completing.
C.The Lambda function executed successfully without errors.
D.The AWS CLI failed to invoke the function due to permissions.
AnswerA

Unhandled error means an exception was thrown.

Why this answer

FunctionError: Unhandled means the function threw an exception. Option A is correct. Option C is wrong because StatusCode 200 indicates that the invocation succeeded but the function failed.

Option B is wrong because the function did execute. Option D is wrong because the response is not an error from the CLI.

120
MCQhard

A developer is building a REST API using Amazon API Gateway with a Lambda integration. The API must validate that the 'Authorization' header contains a valid JWT token before invoking the backend. Which approach provides the LOWEST latency for token validation?

A.Use a VPC Link to connect to a private server for validation.
B.Validate the token inside the Lambda function integrated with the API.
C.Use API Gateway request validation to check the header format.
D.Use a Lambda authorizer (formerly custom authorizer) on the API Gateway.
AnswerD

Lambda authorizer caches the policy, minimizing latency for subsequent requests.

Why this answer

Option D is correct because using a Lambda authorizer caches the policy and reduces latency for subsequent requests. Option C is wrong because request validation only checks format, not token validity. Option B is wrong because it adds a separate validation step in the integration.

Option A is wrong because VPC Link is for private integrations, not token validation.

121
MCQeasy

A developer needs to access a DynamoDB table from a Lambda function. The Lambda function is in the same AWS account as the DynamoDB table. What is the most secure way to grant the Lambda function access to the DynamoDB table?

A.Use the AWS account root user credentials.
B.Store the AWS access key and secret access key in the Lambda environment variables.
C.Create an IAM role with a policy that grants DynamoDB access and assign it as the Lambda execution role.
D.Use a resource-based policy on the DynamoDB table to allow the Lambda function.
AnswerC

This is the secure and standard way to grant permissions.

Why this answer

Option C is correct because the Lambda execution role is an IAM role that the Lambda function assumes at runtime. Attaching an IAM policy to this role with the necessary DynamoDB permissions is the best practice for granting permissions.

122
MCQmedium

A company runs a containerized web application on Amazon ECS using Fargate. The application needs to store files in Amazon S3. The developer wants to follow the principle of least privilege for the ECS task IAM role. Which IAM policy should be attached to the task role?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::example-bucket/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],"Resource":"arn:aws:s3:::example-bucket/*"}]}
AnswerC

Only PutObject is needed to upload files; minimal permissions.

Why this answer

Option C is correct because the policy grants only the necessary S3 action (PutObject) on the specific bucket. Option A is wrong because it grants all S3 actions. Option B is wrong because it grants s3:*, which is too broad.

Option D is wrong because it grants read-only access, not write.

123
MCQmedium

A developer is building a system that reads messages from an Amazon SQS queue, processes them, and stores results in an Amazon DynamoDB table. The developer wants to use a managed service to coordinate the processing steps, including error handling and retry logic, without provisioning any servers. Which AWS service should the developer use?

A.AWS Step Functions
B.Amazon Simple Workflow Service (SWF)
C.AWS Glue
D.Amazon MQ
AnswerA

Step Functions can orchestrate multiple services, integrate with SQS and DynamoDB, and provide built-in error handling and retry policies.

Why this answer

AWS Step Functions is a serverless orchestration service that lets you coordinate multiple AWS services into a workflow. It directly supports error handling, retry logic, and conditional branching, making it ideal for managing the processing steps of messages from SQS through to DynamoDB without provisioning any servers.

Exam trap

The trap here is that candidates confuse Amazon MQ (a message broker) with a workflow orchestrator, or mistakenly think SWF is the correct choice because it was historically used for workflow coordination, but Step Functions is the modern, serverless, and fully managed alternative that directly integrates with SQS and DynamoDB.

How to eliminate wrong answers

Option B is wrong because Amazon Simple Workflow Service (SWF) is a legacy workflow service that requires you to manage workers (deciders and activity workers) and does not natively integrate with SQS or DynamoDB as seamlessly as Step Functions; it also lacks the built-in retry and error-handling patterns of Step Functions. Option C is wrong because AWS Glue is a serverless ETL service designed for data preparation and transformation, not for orchestrating message processing workflows with SQS and DynamoDB. Option D is wrong because Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ, not a workflow orchestration service; it provides message queuing but does not handle coordination, error handling, or retry logic across processing steps.

124
Multi-Selecteasy

A developer is using Amazon API Gateway to expose a Lambda function as a REST API. The API should only be accessible from a specific VPC. Which TWO steps are required to achieve this? (Choose TWO.)

Select 2 answers
A.Create a VPC endpoint for API Gateway.
B.Attach a resource policy to the API Gateway API that denies access unless the request originates from the VPC.
C.Use an API key that is only known within the VPC.
D.Configure the Lambda function to be VPC-enabled.
E.Create a VPC endpoint for Lambda.
AnswersA, B

A VPC endpoint allows API Gateway to be accessed privately from within the VPC.

Why this answer

Option B is correct because a resource policy on API Gateway can restrict access to a VPC. Option A is correct because a VPC endpoint for API Gateway allows API Gateway to receive traffic from the VPC privately. Option D is wrong because Lambda VPC configuration is for the function's access to VPC resources, not for API Gateway.

Option E is wrong because a VPC endpoint for Lambda is not needed for API Gateway access. Option C is wrong because an API key is for authentication, not network restriction.

125
MCQeasy

A developer needs to store session state for a web application running on multiple EC2 instances behind an Application Load Balancer. Which AWS service should the developer use for a fully managed, highly available session store?

A.Amazon RDS
B.Amazon S3
C.Amazon DynamoDB
D.Amazon ElastiCache
AnswerD

ElastiCache provides low-latency, managed caching for session state.

Why this answer

Option D is correct because ElastiCache (Memcached or Redis) is a managed in-memory cache suitable for session state. Option B is wrong because S3 is not designed for low-latency session storage. Option C is wrong because DynamoDB can be used but is not as fast for session state.

Option A is wrong because RDS adds latency and cost for session data.

126
MCQeasy

A developer is writing an AWS Lambda function that needs to read a secret from AWS Secrets Manager. The function is written in Python. What is the BEST practice for retrieving the secret?

A.Use AWS Systems Manager Parameter Store to store the secret.
B.Retrieve the secret inside the handler function every time it is invoked.
C.Store the secret in an environment variable.
D.Retrieve the secret outside the handler function and cache it in a global variable.
AnswerD

Caching outside the handler reduces latency and cost.

Why this answer

Option D is correct because caching the secret outside the handler reduces latency and cost. Option B is wrong because it does not cache. Option C is wrong because environment variables are not secure for secrets.

Option A is wrong because SSM Parameter Store is not the best practice for secrets; Secrets Manager is preferred.

127
MCQmedium

A developer is building a serverless application that uses an Amazon SQS FIFO queue to process orders. The orders must be processed exactly once and in the order they are received. The developer uses an AWS Lambda function as the consumer. Despite using a FIFO queue, the developer notices that some orders are being processed more than once. What is the most likely cause of this behavior?

A.The Lambda function is not deleting messages from the queue after successful processing, so they become visible again after the visibility timeout.
B.The Lambda function is configured with a batch size greater than 1, causing multiple messages to be processed at once and some to be duplicated.
C.The SQS queue has a message retention period set too low, causing messages to be deleted automatically and re-queued.
D.The Lambda function's execution role does not have permission to delete messages from the queue.
AnswerA

If the function does not delete the message from the queue, the message reappears after the visibility timeout expires, causing duplicate processing. FIFO queues do not automatically remove messages; the consumer must explicitly delete them.

Why this answer

The most likely cause is that the Lambda function is not deleting messages from the SQS FIFO queue after successful processing. By default, Lambda does not automatically delete messages; it relies on the function code to call the `DeleteMessage` API. If the function fails to delete a message, it remains in the queue and becomes visible again after the visibility timeout expires, leading to duplicate processing even though the queue is FIFO.

Exam trap

The trap here is that candidates assume FIFO queues guarantee exactly-once processing automatically, but they actually guarantee exactly-once delivery to the consumer, not exactly-once processing—the consumer must still delete the message to prevent reprocessing.

How to eliminate wrong answers

Option B is wrong because increasing the batch size in a FIFO queue does not cause message duplication; Lambda processes messages in batches but still deletes them individually after successful processing, and FIFO ordering is preserved within each batch. Option C is wrong because a low message retention period causes messages to be deleted permanently, not re-queued; it does not cause duplicate processing. Option D is wrong because if the Lambda execution role lacked permission to delete messages, the function would fail to delete them, but this would result in repeated processing after the visibility timeout—however, the question asks for the most likely cause, and the absence of delete logic in the code is a more common oversight than missing IAM permissions, which would typically raise an error.

128
MCQhard

A developer attached the above IAM policy to an IAM user. The user reports being denied access to objects in the S3 bucket 'my-bucket' from an IP address in the 10.0.0.0/24 range. What is the MOST likely cause?

A.The Resource ARN is missing the bucket name.
B.The bucket policy also denies access.
C.The IP address range 10.0.0.0/24 is a private range not seen by S3.
D.The condition should use 'aws:VpcSourceIp' instead.
AnswerC

S3 sees the public IP of the client or the VPC endpoint IP, not the private IP.

Why this answer

Option C is correct. The policy restricts access by source IP using the 'IpAddress' condition operator with the 'aws:SourceIp' key; both are valid, and IAM user policies support 'aws:SourceIp' just as S3 bucket policies do.

The problem is that the IP address range 10.0.0.0/24 is a private IP range. S3 does not see the private IP of the client when accessed from within a VPC; it sees the public IP or VPC endpoint IP. Therefore, the condition never matches, causing denial.

129
MCQmedium

A developer is running a web application on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The application needs to store user session state that must be available across all instances. The session data is small and temporary but must survive individual instance failures. Which AWS service should the developer use to store this session state?

A.Store session state in an Amazon ElastiCache cluster
B.Store session state in the /tmp directory of each EC2 instance
C.Use an Amazon SQS queue to persist session data
D.Store session state in an Amazon S3 bucket
AnswerA

ElastiCache provides a managed in-memory cache that is shared across instances. It is ideal for session state because it is fast and can replicate data for high availability.

Why this answer

Amazon ElastiCache (e.g., using Redis or Memcached) provides a centralized, in-memory data store that is external to the EC2 instances. This allows all instances behind the ALB to read and write the same session state, ensuring consistency across the fleet. Because the data is stored in a managed cluster, it survives individual instance failures and is ideal for small, temporary session data that requires low-latency access.

Exam trap

The trap here is that candidates often confuse 'survive instance failures' with 'persistent storage' and choose S3 or SQS, overlooking that session state requires low-latency, in-memory access with automatic expiry, which only ElastiCache provides among the options.

How to eliminate wrong answers

Option B is wrong because storing session state in the /tmp directory of each EC2 instance is ephemeral—data is lost if the instance terminates or fails, and it is not shared across instances, breaking the requirement for cross-instance availability. Option C is wrong because Amazon SQS is a message queue service designed for decoupling and asynchronous communication, not for storing session state; it lacks the low-latency, key-value lookup capabilities needed for session management. Option D is wrong because Amazon S3 is an object storage service with higher latency and no built-in support for fast, atomic read/write operations on small session data, making it unsuitable for real-time session state storage.

130
Matchingmedium

Match each AWS security feature to its function.

Concepts
Matches

Temporary permissions for services

Stateful firewall for EC2

Web application firewall

DDoS protection

SSL/TLS certificate management

Why these pairings

Security is a key domain in the DVA-C02 exam.

131
MCQmedium

A company runs a production web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic across multiple EC2 instances in an Auto Scaling group. The application uses an Amazon Aurora MySQL database. The operations team reports that the application is experiencing intermittent latency spikes, especially during peak hours. Investigation reveals that the database CPU utilization is consistently above 80% and there are many slow queries. The developer is asked to improve database performance without changing the application code. Which solution should the developer implement?

A.Implement an Amazon RDS Proxy in front of the Aurora cluster to manage database connections efficiently.
B.Use Amazon ElastiCache to cache frequently accessed data.
C.Increase the desired capacity of the Auto Scaling group to add more EC2 instances.
D.Upgrade the Aurora instance to a larger instance type.
AnswerA

RDS Proxy reduces connection overhead and improves performance.

Why this answer

Option A is correct because adding an RDS Proxy reduces connection management overhead and can improve latency. Option B is wrong because ElastiCache requires application changes. Option C is wrong because scaling EC2 instances does not help database performance.

Option D is wrong because increasing instance size helps but may be costly and does not address connection pooling.

132
Multi-Selectmedium

Which TWO actions can improve the performance of an Amazon DynamoDB table that experiences frequent throttling due to hot partitions? (Choose TWO.)

Select 2 answers
A.Disable auto scaling to provision fixed capacity
B.Enable DynamoDB Accelerator (DAX) for caching
C.Increase the read capacity units (RCUs) of the table
D.Add a random suffix to the partition key values
E.Use a global secondary index (GSI) with a different partition key
AnswersB, D

Reduces read load on the table, mitigating throttling.

Why this answer

Options B and D are correct. Adding a random suffix to the partition key distributes writes across partitions. Using DynamoDB Accelerator (DAX) reduces read load.

Option A is wrong because disabling auto scaling may worsen throttling. Option C is wrong because increasing read capacity does not solve the hot partition issue. Option E is wrong because global secondary indexes do not reduce throttling on the base table.

133
Multi-Selecthard

A developer is deploying a serverless application using the AWS Serverless Application Model (SAM). The application includes an API Gateway REST API and a Lambda function. The developer wants to enable access logging for the API Gateway. Which THREE resources or configurations are required? (Choose THREE.)

Select 3 answers
A.A stage with access logging enabled in the API Gateway.
B.A Lambda function that processes the access logs.
C.An IAM role that grants API Gateway permission to write to CloudWatch Logs.
D.An Amazon CloudWatch Logs log group.
E.An IAM role for the Lambda function with logs:PutLogEvents permission.
AnswersA, C, D

Access logging is configured per stage.

Why this answer

Options A, C, and D are correct. Option A enables access logging. Option C configures the IAM role for API Gateway to write logs.

Option D sets up a log group. Option B is not required because Lambda function logs are separate. Option E is not required because the Lambda execution role is for Lambda, not API Gateway logging.

134
MCQmedium

A developer is writing a Lambda function that processes events from an Amazon S3 bucket. The function needs to access a DynamoDB table to store metadata about the S3 objects. Which of the following is the MOST efficient way to initialize the DynamoDB client in the Lambda function?

A.Store the DynamoDB table name as a global variable and create the client inside the handler.
B.Use a static variable inside the handler to cache the DynamoDB client.
C.Create the DynamoDB client inside the Lambda handler function every invocation.
D.Create the DynamoDB client outside the Lambda handler function, in the global scope.
AnswerD

This allows the client to be reused across invocations, reducing cold start latency.

Why this answer

Option D is correct because initializing the DynamoDB client outside the handler allows it to be reused across invocations, improving performance. Option C is incorrect because creating a new client for each invocation adds overhead. Option A is incorrect because using a global variable for the table name is fine, but the client should be initialized outside.

Option B is incorrect because using a static variable in Java achieves the same effect as initializing outside the handler.

135
MCQeasy

A developer needs to store application logs in a highly available and durable storage service. The logs must be retained for 7 years for compliance purposes. The logs are accessed infrequently after the first 30 days. Which storage solution is MOST cost-effective?

A.Amazon S3 Intelligent-Tiering
B.Amazon S3 Glacier Deep Archive
C.Amazon S3 One Zone-Infrequent Access
D.Amazon S3 Standard
AnswerB

Lowest cost for archival storage with infrequent access.

Why this answer

S3 Glacier Deep Archive is the lowest cost for long-term archival with retrieval times of 12 hours. S3 Standard is expensive for long retention. S3 Intelligent-Tiering automatically moves to lower cost tiers, but still incurs monitoring fees.

S3 One Zone-Infrequent Access is not highly available across AZs.

136
Multi-Selecteasy

A developer is designing a serverless application using AWS Lambda. The function needs to process messages from an Amazon SQS queue. The developer wants to configure the Lambda function to be triggered by the SQS queue. Which TWO actions are required? (Choose TWO.)

Select 2 answers
A.Attach an IAM execution role to Lambda with permission to receive messages from SQS.
B.Configure a resource-based policy on the SQS queue to allow Lambda invocation.
C.Create an event source mapping in Lambda to poll the SQS queue.
D.Set up a dead-letter queue for failed messages.
E.Place the Lambda function in a VPC to access the SQS queue.
AnswersA, C

Correct: Lambda needs permission to poll the queue.

Why this answer

A and C are correct. The Lambda function needs an event source mapping (C) and the execution role needs permissions to poll the queue (A). Option B is wrong because SQS does not need a resource-based policy for the same account.

Option D is wrong because a DLQ is optional. Option E is wrong because a VPC is not required.

137
Multi-Selecthard

A developer is using AWS Secrets Manager to rotate database credentials. The rotation Lambda function fails with an error. Which THREE steps should the developer take to troubleshoot? (Choose THREE.)

Select 3 answers
A.Check VPC Flow Logs for the Lambda function's ENI.
B.Verify that the Lambda function has network access to the database.
C.Ensure the KMS key used to encrypt the secret is rotated.
D.Verify that the Lambda function's IAM role has permission to update the secret.
E.Check the CloudWatch Logs for the Lambda function.
AnswersB, D, E

If the database is in a VPC, Lambda needs VPC access.

Why this answer

Options B, D, and E are correct. CloudWatch Logs shows error details; IAM permissions are often the cause; network connectivity is required for Lambda to reach the database. Option C is wrong because KMS key rotation is not related.

Option A is wrong because VPC flow logs show network traffic but not Lambda errors.

138
MCQhard

A developer is designing a serverless application that processes images uploaded to an S3 bucket. Each image must be resized and then stored in a different S3 bucket. The process must be asynchronous and fault-tolerant. Which AWS service should trigger the Lambda function?

A.Amazon S3 Event Notifications
B.Amazon SQS
C.Amazon API Gateway
D.AWS Step Functions
AnswerA

S3 can directly invoke Lambda asynchronously on object creation.

Why this answer

Option A is correct because S3 Event Notifications can trigger Lambda asynchronously and support retry. Option C is wrong because API Gateway is for synchronous requests. Option D is wrong because Step Functions is an orchestrator, not a trigger.

Option B is wrong because SQS requires a Lambda function to poll; S3 does not directly send to SQS.

139
MCQmedium

A developer is deploying a web application using AWS Elastic Beanstalk. The application needs to store session state. The developer wants to ensure that session data is not lost if an EC2 instance is terminated. Which solution should the developer implement?

A.Store session data in an Amazon EBS volume.
B.Store session data in an Amazon S3 bucket.
C.Store session data in the instance store.
D.Store session data in an Amazon ElastiCache cluster.
AnswerD

ElastiCache provides persistent, low-latency session storage.

Why this answer

Option D is correct because ElastiCache provides a managed, external cache for session state that persists independently of EC2 instances. Option C is wrong because instance store is ephemeral. Option A is wrong because EBS is tied to the instance and is lost on termination if not configured for persistence.

Option B is wrong because S3 is not optimized for low-latency session storage.

140
MCQhard

A developer is using Amazon DynamoDB to store session data for a web application. The application reads and writes a single item per user session. The traffic pattern shows occasional spikes. The developer wants to minimize read and write costs. Which DynamoDB capacity mode should the developer choose?

A.Reserved capacity
B.On-demand capacity
C.Provisioned capacity with manual scaling
D.Provisioned capacity with auto scaling
AnswerB

Pay-per-request, handles spikes without throttling.

Why this answer

Option B is correct because on-demand capacity handles spikes automatically and is cost-effective for unpredictable traffic. Option C is wrong because provisioned capacity requires manual scaling and may throttle during spikes. Option A is wrong because reserved capacity is for predictable workloads.

Option D is wrong because auto scaling adds latency and cost during scaling.

141
MCQmedium

A developer is using Amazon DynamoDB as the data store for a web application. The application experiences frequent throttling errors. Which action can reduce throttling without changing the application code?

A.Add a secondary index
B.Decrease the provisioned write capacity
C.Enable DynamoDB Auto Scaling
D.Increase the provisioned read capacity only
AnswerC

Auto scaling adjusts capacity automatically based on traffic patterns.

Why this answer

Option C is correct because enabling auto scaling adjusts capacity based on traffic. Option A is wrong because indexes don't affect throttling. Option B is wrong because decreasing capacity would worsen throttling.

Option D is wrong because increasing read capacity only partially helps.

142
MCQhard

A Step Functions workflow calls three independent Lambda functions and should continue only after all results are available. Which state pattern should be used?

A.Choice state
B.Wait state
C.Parallel state
D.Fail state
AnswerC

Correct for the stated requirement.

Why this answer

The Parallel state in AWS Step Functions is designed to execute multiple branches of work concurrently and then aggregate their outputs into a single array. This is exactly what is needed when three independent Lambda functions must all complete before the workflow continues, as the Parallel state waits for all branches to finish before proceeding to the next state.

Exam trap

The trap here is that candidates may confuse the Parallel state with the Map state, but the Map state is for processing items in an array with the same logic, not for running distinct independent tasks.

How to eliminate wrong answers

Option A is wrong because a Choice state is used for conditional branching based on input data, not for executing multiple tasks concurrently. Option B is wrong because a Wait state only introduces a delay in the workflow and does not execute or coordinate multiple Lambda functions. Option D is wrong because a Fail state is used to stop the execution and mark it as failed, not to run parallel tasks.

143
MCQmedium

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API must support request validation, request throttling, and API keys. Which API Gateway feature should the developer use to enforce a daily request limit for each API key?

A.Usage plans
B.API keys
C.Throttling settings at the method level
D.AWS WAF
AnswerA

Correct. Usage plans let you define quotas and throttling limits for each API key.

Why this answer

Usage plans in API Gateway allow you to set throttling and quota limits per API key, enabling daily request limits for each key. This feature is specifically designed to control usage by associating API keys with a plan that defines rate limits and quotas, such as a daily request cap. Option A is correct because it directly addresses the requirement to enforce a daily request limit per API key.

Exam trap

The trap here is that candidates often confuse API keys with usage plans, thinking that simply enabling API keys automatically enforces throttling or quotas, but API keys alone provide no rate limiting without a usage plan.

How to eliminate wrong answers

Option B is wrong because API keys alone are just identifiers used to authenticate requests; they do not enforce any throttling or quota limits. Option C is wrong because throttling settings at the method level apply globally to all requests for that method, not per API key, and cannot enforce a daily limit per key. Option D is wrong because AWS WAF is a web application firewall that protects against common web exploits, not a feature for managing API usage quotas or throttling per API key.

144
Multi-Selectmedium

A company is using Amazon S3 to store sensitive documents. They must encrypt all objects at rest. Which TWO methods can be used to enforce server-side encryption? (Choose TWO.)

Select 2 answers
A.Set a bucket policy that denies PutObject if x-amz-server-side-encryption header is not present.
B.Enable default encryption on the S3 bucket.
C.Attach an IAM policy that denies all S3 actions unless encryption is specified.
D.Configure an SQS queue policy to require encryption.
E.Use client-side encryption before uploading objects.
AnswersA, B

Bucket policies can enforce encryption headers.

Why this answer

Option A is correct because S3 bucket policies can deny uploads without encryption headers. Option B is correct because S3 default encryption can be configured to automatically encrypt objects. Option E is wrong because client-side encryption is different from server-side.

Option D is wrong because S3 does not support SQS policies for encryption. Option C is wrong because IAM policies can control permissions but not enforce encryption on uploads.

145
MCQeasy

A developer is creating a CloudFormation template to deploy an Amazon S3 bucket. The developer wants the bucket to be deleted automatically when the CloudFormation stack is deleted. What should the developer specify in the template?

A.Set the DeletionPolicy attribute to Delete.
B.Specify a unique bucket name to avoid conflicts.
C.Use the DependsOn attribute to specify the bucket depends on the stack.
D.Set the DeletionPolicy attribute to Retain.
AnswerA

Delete causes the bucket to be deleted when the stack is deleted.

Why this answer

Option A is correct because setting the DeletionPolicy attribute to Delete ensures the bucket is deleted when the stack is deleted. Option D is wrong because the default is to retain the bucket. Option C is wrong because DependsOn does not affect deletion.

Option B is wrong because the bucket name is not related to deletion behavior.

146
MCQeasy

A developer is using AWS Lambda to process events from an Amazon Kinesis stream. The function has been failing with 'ProvisionedThroughputExceededException' errors when writing to a DynamoDB table. What should the developer do to resolve this issue?

A.Decrease the batch size of the Kinesis event source mapping.
B.Implement retry logic with exponential backoff in the Lambda function.
C.Increase the number of shards in the Kinesis stream.
D.Increase the memory allocated to the Lambda function.
AnswerB

Exponential backoff is the standard way to handle ProvisionedThroughputExceededException.

Why this answer

Option B is correct because implementing a retry mechanism with exponential backoff is the recommended approach to handle throttling errors from DynamoDB. Option D is wrong because increasing Lambda memory does not affect DynamoDB throughput. Option A is wrong because decreasing batch size may reduce the number of writes per invocation, but does not handle throttling directly; exponential backoff is more effective.

Option C is wrong because changing the Kinesis stream's shard count does not affect DynamoDB throughput.

147
MCQhard

Refer to the exhibit. A developer deploys this CloudFormation stack. The Lambda function is triggered by SQS messages. However, the function fails to process messages. What is the MOST likely cause?

A.The SQS queue event source mapping is not configured correctly.
B.The batch size of 10 exceeds the maximum allowed batch size.
C.The Lambda function code has a syntax error.
D.The Lambda function's execution role does not have permissions to poll from SQS.
AnswerD

The role lacks SQS permissions like ReceiveMessage and DeleteMessage.

Why this answer

Correct: D. The Lambda execution role only has the AWSLambdaBasicExecutionRole policy, which grants permissions to write logs to CloudWatch. However, the Lambda function needs permission to poll and delete messages from SQS.

The missing policy is AWSLambdaSQSQueueExecutionRole or a custom policy with sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes. Option A is wrong because the SQS event source mapping is correctly defined. Option C is wrong because the function code is valid.

Option B is wrong because the batch size of 10 is valid.

148
MCQhard

A Lambda function processes messages from an SQS queue. The function occasionally fails due to network timeouts when calling an external API. The developer wants to retry failed messages automatically. What should the developer do?

A.Enable SQS redrive policy to automatically retry after a failure.
B.Configure a dead-letter queue on the Lambda function to capture failed events.
C.Configure a dead-letter queue for the SQS queue and set the Lambda function's maximum retries to 2.
D.Increase the Lambda function's timeout to 15 minutes.
AnswerC

SQS DLQ stores messages that fail after retries, and Lambda retries can be configured.

Why this answer

Option C is correct because configuring a dead-letter queue (DLQ) for the SQS queue allows messages that exceed the maximum retries to be stored for later analysis, while the Lambda function's retry behavior handles transient failures. Option D is wrong because increasing the Lambda timeout may help but does not provide automatic retries. Option A is wrong because SQS does not have a built-in retry mechanism; Lambda retries are separate.

Option B is wrong because a DLQ on Lambda captures only events that Lambda cannot process, but the best practice is to use an SQS DLQ.

149
MCQeasy

A developer is deploying a web application using AWS Elastic Beanstalk. The application requires a relational database. The developer wants the database to be automatically created and configured as part of the Elastic Beanstalk environment. Which approach should they use?

A.Use Amazon DynamoDB as the database and configure it in the Elastic Beanstalk environment.
B.Create an RDS database manually and configure the application to connect to it using environment properties.
C.Embed a SQLite database file in the application deployment package.
D.Configure the Elastic Beanstalk environment to include an RDS database instance.
AnswerD

Elastic Beanstalk supports creating an RDS instance as a linked resource within the environment.

Why this answer

Option D is correct. Elastic Beanstalk can provision an RDS database as part of the environment using the AWS::ElasticBeanstalk::Environment resource with a linked RDS instance. Option B is wrong because manually creating an RDS instance outside of Elastic Beanstalk does not integrate with environment management.

Option A is wrong because DynamoDB is NoSQL, not relational. Option C is wrong because adding a database to the application code as a file-based database like SQLite is not suitable for production and does not scale.

150
Multi-Selecteasy

A developer is building a serverless application using AWS Lambda. The Lambda function needs to access a VPC to connect to an RDS database. Which TWO resources must the developer configure to allow the Lambda function to access the VPC?

Select 2 answers
A.A NAT gateway in the VPC.
B.A security group that allows inbound/outbound traffic to the RDS database.
C.VPC subnet IDs for the Lambda function.
D.An IAM role with permissions to access RDS.
E.An internet gateway attached to the VPC.
AnswersB, C

Security group acts as a firewall to control traffic between Lambda and RDS.

Why this answer

Options B and C are correct. Option C: Lambda functions must be configured with a VPC subnet to be placed in the VPC. Option B: A security group must be attached to the Lambda function to control traffic.

Option E is incorrect because an internet gateway is not needed for private VPC access. Option A is incorrect because a NAT gateway is for outbound internet access, not for accessing RDS within the VPC. Option D is incorrect because an IAM role is for permissions, not network connectivity.
