CCNA Dev AWS Services Questions

75 of 518 questions · Page 4/7 · Dev AWS Services topic

226
MCQ · medium

A developer is using Amazon S3 to host a static website. The website uses JavaScript to fetch data from an API Gateway endpoint. Users report that the website loads but API calls fail with HTTP 403 errors. The developer checks the S3 bucket policy and finds it allows public read access. What is the most likely cause?

A.The S3 bucket policy blocks access from the API Gateway domain.
B.The S3 bucket is not configured for static website hosting.
C.The API Gateway API key is not included in the JavaScript code.
D.The S3 bucket does not have CORS configuration to allow cross-origin requests from the API Gateway domain.
Answer: D

CORS is required for browser-based cross-origin requests.

Why this answer

Option D is correct: the browser enforces the same-origin policy, so a cross-origin call from the S3-hosted page succeeds only if the responding side returns Access-Control-Allow-Origin for that origin, and nothing on the S3 side does that by default. Option A is incorrect because the bucket policy already allows public read, and a bucket policy governs access to objects, not the outbound calls a page makes. Option B is incorrect because the page loads, so static website hosting is configured. Option C is incorrect because the content is public and the question mentions no API key requirement.

Caveat for practitioners: the allow-origin headers must come from the endpoint the browser is calling, so in this scenario they are configured on the API Gateway side (see Q245). A 403 returned by API Gateway itself usually means a missing API key, a rejected authorizer or a route with no OPTIONS method (Missing Authentication Token), whereas a genuine CORS failure is reported by the browser as a network error rather than as a status code.

227
MCQ · medium

A company is using Amazon S3 to store sensitive documents. The security team requires that all data be encrypted at rest using AWS KMS with a Customer Managed Key (CMK). The developer enabled default encryption on the S3 bucket with the CMK. However, some PUT requests are failing with 'Access Denied'. What is the MOST likely cause?

A.The S3 bucket's object ownership is set to BucketOwnerPreferred.
B.The KMS key policy does not grant the IAM user/role permissions to use the key.
C.The KMS key is in a different AWS Region than the S3 bucket.
D.The S3 bucket policy denies PutObject without encryption.
Answer: B

To use KMS encryption, the caller must have kms:GenerateDataKey permissions on the key.

Why this answer

Option B is correct because an SSE-KMS upload calls kms:GenerateDataKey (and later kms:Decrypt) on the caller's behalf, and the KMS key policy is evaluated for that call: a key policy that neither names the role nor delegates to IAM through the account root returns Access Denied even though every S3 permission is in place. Option A is wrong because object ownership governs ACL behaviour, not KMS permissions. Option C is wrong because S3 default encryption only accepts a key in the bucket's own Region, so a cross-Region key could not have been configured in the first place.

Option D is wrong in this scenario because nothing indicates such a bucket policy and the symptom is tied to the CMK. Note, though, that bucket policies are evaluated before default encryption is applied, so a Deny on PutObject requests lacking the x-amz-server-side-encryption header would also reject uploads that omit the header.

228
MCQ · medium

Refer to the exhibit. An IAM policy statement is attached to an AWS Lambda function's execution role. The function needs to invoke another Lambda function named 'my-function'. However, the invocation fails with an access denied error. What is the most likely cause?

A.The action should be 'lambda:*' to allow all Lambda actions.
B.The Lambda function has a timeout set too low.
C.The resource ARN is missing the function name.
D.The policy is attached to the wrong IAM role.
Answer: D

If the execution role does not have this policy, invocation fails.

Why this answer

The exhibited statement allows lambda:InvokeFunction on the full ARN of my-function, so the statement itself is sufficient. Option D is correct: the invoking function runs with its own execution role, and if this statement sits on some other role, the call is denied. Option A is incorrect because lambda:* is unnecessary and over-broad; the scoped action already permits the call and least privilege says to keep it scoped. Option B is incorrect because a low timeout produces a timeout error, not access denied.

Option C is incorrect because the ARN in the exhibit includes the function name. A practical check is to confirm which role the function actually runs as (STS GetCallerIdentity from inside the function, or the function's configuration page) and then test that role in the IAM policy simulator.
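Both Access Denied cases above (Q227 and Q228) follow from the same small rule set, so here it is as a runnable model. This is an added example, not code from the page or from AWS, and the role, function and key ARNs in it are hypothetical. It models only action and resource wildcard matching, explicit deny, and the fact that a KMS key policy is a resource policy whose Principal must cover the caller (directly, or by naming the account root and thereby delegating to the caller's identity policies); conditions, SCPs, permission boundaries and cross-account rules are deliberately left out.

```python
"""Why the two Access Denied cases in Q227 and Q228 happen, as a runnable model.

Added example, not code from the page or from AWS. It implements only the
fragment of IAM evaluation needed here: an explicit Deny wins, an Allow must
match both the action and the resource ('*' and '?' are wildcards), and a KMS
key policy is a resource policy whose Principal must cover the caller (either
by naming it, or by naming the account root, which delegates the decision to
the caller's identity policies). All ARNs below are hypothetical.
"""
import fnmatch

ROLE = "arn:aws:iam::111122223333:role/order-processor"            # hypothetical
FUNC = "arn:aws:lambda:us-east-1:111122223333:function:my-function"
KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"


def _listify(x):
    return x if isinstance(x, list) else [x]


def _principal_covers(stmt, principal_arn):
    """Identity policies have no Principal (it is the attached identity);
    resource policies must name the caller or '*'."""
    p = stmt.get("Principal")
    if p is None or p == "*":
        return True
    return any(a in ("*", principal_arn) for a in _listify(p.get("AWS", [])))


def evaluate(policies, principal_arn, action, resource):
    """Return 'Allow' or 'Deny' for one (principal, action, resource) request."""
    allowed = False
    for doc in policies:
        for stmt in _listify(doc["Statement"]):
            if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
                continue
            if not _principal_covers(stmt, principal_arn):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"


def kms_decision(key_policy, identity_policies, principal_arn, action, key_arn):
    """Same-account KMS rule: the key policy must allow the principal directly,
    or allow the account root (the usual 'Enable IAM User Permissions'
    statement), in which case an identity policy must also allow the action."""
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    if evaluate([key_policy], principal_arn, action, key_arn) == "Allow":
        return "Allow"
    delegated = evaluate([key_policy], account_root, action, key_arn) == "Allow"
    via_iam = evaluate(identity_policies, principal_arn, action, key_arn) == "Allow"
    return "Allow" if delegated and via_iam else "Deny"


# Q228: the same statement with and without the function name in the ARN.
INVOKE_TRUNCATED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function"}]}
INVOKE_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": FUNC}]}

# Q227: a key policy that only names the key administrator, and one that
# delegates to IAM; the role's own identity policy is the same in both cases.
KEY_POLICY_ADMIN_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/kms-admin"},
     "Action": "kms:*", "Resource": "*"}]}
KEY_POLICY_DELEGATING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
ROLE_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY}]}


def demo():
    return {
        "invoke_truncated_arn": evaluate([INVOKE_TRUNCATED], ROLE, "lambda:InvokeFunction", FUNC),
        "invoke_full_arn": evaluate([INVOKE_FULL], ROLE, "lambda:InvokeFunction", FUNC),
        "put_key_policy_omits_role": kms_decision(
            KEY_POLICY_ADMIN_ONLY, [ROLE_KMS_POLICY], ROLE, "kms:GenerateDataKey", KEY),
        "put_key_policy_delegates": kms_decision(
            KEY_POLICY_DELEGATING, [ROLE_KMS_POLICY], ROLE, "kms:GenerateDataKey", KEY),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print("%-28s %s" % (case, decision))
```

Run it and the truncated ARN and the admin-only key policy both evaluate to Deny, while the full ARN and the delegating key policy evaluate to Allow. For real policies use the IAM policy simulator; the point of the model is that a KMS key policy must cover the caller, which no amount of identity-policy editing can fix.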

229
Multi-Select · easy

A developer is troubleshooting an AWS Lambda function that is timing out. The function is configured with a 3-second timeout. Which of the following could cause the function to timeout? (Choose THREE.)

Select 3 answers
A.The function's reserved concurrency is set to 0.
B.The function has a dead-letter queue configured.
C.The function is configured to access a VPC without a NAT gateway.
D.The function experiences a cold start.
E.The function's deployment package is larger than 50 MB.
Answers: A, C, D

Reserved concurrency of 0 means no execution environment can ever be assigned, so every invocation is throttled.

Why this answer

Options A, C and D are correct. Option A is correct because a reserved concurrency of 0 throttles every invocation: synchronous callers receive HTTP 429 immediately and asynchronous events are queued and retried, so from the caller's side the work never completes within its own deadline. Option C is correct because a function attached to a VPC with no NAT gateway (and no VPC endpoint for the service it calls) cannot reach public endpoints; its connection attempts hang until the 3-second limit is hit. Option D is correct because cold-start initialisation adds latency that a 3-second budget leaves little room for.

Option B is wrong because a dead-letter queue only receives events after asynchronous invocations have failed; it does not cause failures. Option E is wrong because deployment package size affects deployment and cold-start time, not the timeout directly.

230
MCQ · easy

A developer wants to invoke an AWS Lambda function every hour to perform a maintenance task. Which AWS service should be used to schedule the invocation?

A.Amazon Simple Queue Service (SQS)
B.AWS Step Functions
C.Amazon CloudWatch Events (EventBridge)
D.Amazon Simple Notification Service (SNS)
Answer: C

EventBridge can trigger Lambda on a schedule.

Why this answer

Amazon CloudWatch Events (now Amazon EventBridge) runs a rule on a rate or cron expression, for example rate(1 hour), with the Lambda function as its target; EventBridge Scheduler is the newer purpose-built option. Option C is correct. Option A (SQS) is a message queue, not a scheduler.

Option D (SNS) is for notifications. Option B (Step Functions) orchestrates workflows; a Wait state can pause one execution, but it is not a scheduler.

231
MCQ · easy

A developer is building a serverless application and wants to invoke an AWS Lambda function every hour to perform a cleanup task. Which AWS service should the developer use to schedule the invocation?

A.AWS Step Functions
B.Amazon SNS
C.Amazon SQS
D.Amazon EventBridge (CloudWatch Events)
Answer: D

EventBridge can create rules to invoke Lambda functions on a schedule.

Why this answer

The correct answer is D. Amazon CloudWatch Events (now Amazon EventBridge) schedules rules that invoke Lambda functions at fixed intervals. Option C is wrong because SQS is a message queue, not a scheduler.

Option A is wrong because Step Functions orchestrates workflows but does not schedule invocations on its own. Option B is wrong because SNS is a notification service.

232
MCQ · hard

A company is using AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails with the error 'The overall deployment failed because too many individual instances failed to deploy.' The CodeDeploy agent logs show that the BeforeInstall lifecycle event script returned a non-zero exit code. What is the MOST likely cause of this issue?

A.The application revision is missing from the S3 bucket.
B.The BeforeInstall script has a bug that causes it to exit with a non-zero status.
C.The IAM instance profile does not have permissions to call CodeDeploy APIs.
D.The CodeDeploy agent is not running on the instances.
Answer: B

Lifecycle event scripts must exit with zero to indicate success; a non-zero exit indicates failure.

Why this answer

Option B is correct because a non-zero exit code from any lifecycle event script marks that event, and therefore the deployment on that instance, as failed; once enough instances fail to breach the deployment's minimum healthy hosts setting, the whole deployment is stopped with the quoted error. Option D is incorrect because if the agent were not running, no lifecycle event would execute and the agent logs would not show a script exit code at all. Option A is incorrect because a missing revision fails at the DownloadBundle step with a different error.

Option C is incorrect because the instance profile is used to fetch the revision from S3, and a permissions problem surfaces there, not as a script failure. Check scripts.log under /opt/codedeploy-agent/deployment-root/ on the instance, and make sure the script exits 0 on success; in a shell script, set -e turns an unnoticed command failure into a non-zero exit, which is what you want here.

233
MCQ · medium

A developer is building a RESTful API using Amazon API Gateway and Lambda. The API should support CORS for a specific origin (https://example.com) and allow only GET and POST methods. Which configuration in the OPTIONS method response will satisfy these requirements?

A.Access-Control-Allow-Origin: https://example.com, Access-Control-Allow-Methods: GET,POST
B.Access-Control-Allow-Origin: *, Access-Control-Allow-Methods: GET,POST,OPTIONS
C.Access-Control-Allow-Origin: https://example.com, Access-Control-Allow-Methods: GET,POST,OPTIONS
D.Access-Control-Allow-Origin: https://example.com, Access-Control-Allow-Headers: Content-Type
Answer: A

This configuration returns the specific origin and allowed methods, which is sufficient for the preflight request.

Why this answer

Option A is correct because the OPTIONS method response must carry `Access-Control-Allow-Origin` set to the specific origin `https://example.com` (not `*`) to restrict CORS access, and `Access-Control-Allow-Methods` listing only the HTTP methods the API serves (`GET,POST`). The browser issues the OPTIONS preflight itself, so OPTIONS does not need to appear in the allowed-methods list. This configuration satisfies the single-origin, GET-and-POST-only requirement. Because a specific origin is echoed rather than a wildcard, the response should also carry `Vary: Origin` so that shared caches do not serve one origin's preflight response to another.

Exam trap

The trap here is that candidates often include `OPTIONS` in the `Access-Control-Allow-Methods` header because the preflight itself uses that method. Listing it is harmless in practice, but the exam expects only the methods the API serves for actual requests (GET, POST), which is what the question asks for.

How to eliminate wrong answers

Option B is wrong because it uses a wildcard origin (`*`), which does not satisfy the requirement for a specific origin (`https://example.com`); browsers also reject a wildcard origin for credentialed requests. Option C is wrong for the exam because it adds `OPTIONS` to the allowed-methods list, which the stated requirement (GET and POST only) does not call for. Option D is wrong because it specifies `Access-Control-Allow-Headers` but omits `Access-Control-Allow-Methods` entirely, so the response says nothing about which HTTP methods are permitted.
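The OPTIONS response for this question, and the check the browser runs against it, as an added example (this is not code from the page or from API Gateway). `preflight_response` produces what the OPTIONS method response, or a Lambda integration behind it, has to return for the stated requirements: one named origin, GET and POST only. `browser_accepts_preflight` is a deliberately simplified version of the Fetch preflight check (it ignores the exemptions for CORS-safelisted methods and headers), enough to unit-test the headers offline; the same headers are what the S3-hosted page in Q226 needs back from the API. The allowlisted origin is the question's; the function names and `ALLOWED_HEADERS` are this example's own assumptions.

```python
"""The OPTIONS response for Q233, and the check the browser runs against it.

Added example; not code from the page or from API Gateway. preflight_response
is what the OPTIONS method response (or a Lambda behind it) must return for
the question's requirements: one named origin, GET and POST only.
browser_accepts_preflight is a simplified Fetch preflight check (it ignores
the CORS-safelisted method/header exemptions). The origin is the question's;
function names and ALLOWED_HEADERS are this example's own assumptions.
"""

ALLOWED_ORIGINS = {"https://example.com"}
ALLOWED_METHODS = ("GET", "POST")        # OPTIONS is the preflight itself, not listed
ALLOWED_HEADERS = ("Content-Type", "Authorization")


def preflight_response(request_headers, allowed_origins=ALLOWED_ORIGINS,
                       allowed_methods=ALLOWED_METHODS):
    """Return (status, headers) for an OPTIONS preflight.

    The Origin is echoed back only if it is on the allowlist; an unknown
    origin still gets a 200 but with no CORS headers, which the browser
    treats as a failure without revealing what the allowlist contains."""
    lower = {k.lower(): v for k, v in request_headers.items()}
    origin = lower.get("origin")
    headers = {}
    if origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = origin        # a named origin, never '*'
        headers["Vary"] = "Origin"                             # shared caches must key on Origin
        headers["Access-Control-Allow-Methods"] = ",".join(allowed_methods)
        headers["Access-Control-Allow-Headers"] = ",".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "600"              # browser may cache the preflight
    return 200, headers


def _csv(headers, name):
    return [v.strip() for v in headers.get(name, "").split(",") if v.strip()]


def browser_accepts_preflight(origin, method, request_header_names, status, headers):
    """Simplified Fetch preflight check: 2xx status, origin allowed, and the
    method plus every requested header listed."""
    if not 200 <= status < 300:
        return False
    if headers.get("Access-Control-Allow-Origin") not in ("*", origin):
        return False
    methods = _csv(headers, "Access-Control-Allow-Methods")
    if method not in methods and "*" not in methods:
        return False
    allowed = {h.lower() for h in _csv(headers, "Access-Control-Allow-Headers")}
    return all(h.lower() in allowed for h in request_header_names)


def demo():
    """Three preflights against the same configuration."""
    good = {"Origin": "https://example.com", "Access-Control-Request-Method": "POST",
            "Access-Control-Request-Headers": "Content-Type"}
    status, hdrs = preflight_response(good)
    post_ok = browser_accepts_preflight("https://example.com", "POST", ["Content-Type"], status, hdrs)

    other = dict(good, Origin="https://attacker.example")       # constructed foreign origin
    status2, hdrs2 = preflight_response(other)
    other_origin_ok = browser_accepts_preflight("https://attacker.example", "POST",
                                                ["Content-Type"], status2, hdrs2)

    delete_ok = browser_accepts_preflight("https://example.com", "DELETE", [], status, hdrs)
    return {"post_from_example_com": post_ok,
            "post_from_other_origin": other_origin_ok,
            "delete_from_example_com": delete_ok,
            "allow_methods_header": hdrs.get("Access-Control-Allow-Methods")}


if __name__ == "__main__":
    print(demo())
```

The unknown origin gets no CORS headers rather than an error body, so the response does not enumerate the allowlist; and the methods header is exactly `GET,POST`, which is option A.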

234
MCQ · easy

A developer is creating a CI/CD pipeline for a serverless application using AWS CodePipeline. The application consists of an AWS Lambda function, an Amazon API Gateway REST API, and an Amazon DynamoDB table. Which action should the developer take to automate the deployment of the API Gateway updates?

A.Use AWS Lambda to update the API Gateway configuration.
B.Store the API Gateway Swagger file in Amazon S3 and trigger a deployment.
C.Use AWS CloudFormation to define and deploy the API Gateway.
D.Use AWS CodeBuild to compile and deploy the API Gateway configuration.
Answer: C

CloudFormation provides infrastructure as code and automated deployments.

Why this answer

Option C is correct because AWS CloudFormation (or AWS SAM, which expands to it) defines the REST API, its resources, methods, stages and deployments as code, so a CodePipeline deploy action can create a change set and apply it repeatably. Option A is wrong because Lambda is the compute behind the API; scripting API Gateway calls from a function is not a deployment mechanism. Option D is wrong because CodeBuild builds and tests artifacts; it could run CLI commands, but it is not the service that models and deploys API Gateway.

Option B is wrong because storing the OpenAPI (Swagger) file in S3 does not deploy it; something still has to import it, and a CloudFormation template can reference that file to do so.

235
MCQ · medium

A developer is deploying a web application on AWS Elastic Beanstalk. The application requires a fixed IP address for outbound traffic to a third-party API. What is the MOST cost-effective solution?

A.Launch the environment in a VPC with a NAT Gateway in a public subnet.
B.Attach an Internet Gateway to the VPC.
C.Use a VPC endpoint for the third-party API.
D.Assign an Elastic IP to each EC2 instance.
Answer: A

NAT Gateway provides a fixed public IP for outbound traffic.

Why this answer

Option A is correct because a NAT Gateway in a public subnet carries one Elastic IP, and every instance in the private subnets egresses through it, so the third-party API sees a single fixed source address that can be allowlisted. Option B is wrong because an Internet Gateway only provides a path; instances keep their own changing public addresses. Option D is wrong because an Elastic IP per instance means one address per instance rather than one for the fleet, and Elastic Beanstalk replaces instances during scaling and updates, so the set of addresses is never stable.

Option C is wrong because a VPC endpoint gives private connectivity to AWS services (or to services published through PrivateLink), not to an arbitrary third-party API.

236
MCQ · easy

A developer is writing an AWS Lambda function that processes messages from an Amazon SQS queue. The function should process each message at least once, but duplicates are acceptable. The function is triggered by a Lambda event source mapping. If the function returns an error, what happens to the message?

A.The message is sent to a dead-letter queue (DLQ).
B.The message is deleted from the queue to prevent duplicate processing.
C.Lambda automatically retries the function with a 1-minute delay.
D.The message remains in the queue and becomes visible after the visibility timeout expires.
Answer: D

Lambda does not delete the message; it becomes visible again for reprocessing.

Why this answer

Option D is correct because Lambda only deletes messages from the queue when the invocation succeeds; after a failure the batch stays in the queue and reappears once the visibility timeout expires, so the next poll processes it again (the duplicates are the price of at-least-once delivery). Option A is wrong because a message reaches a DLQ only after maxReceiveCount is exceeded, and only if a redrive policy is configured on the queue. Option C is wrong because Lambda does not schedule a delayed retry; the queue's visibility timeout governs when the message becomes visible again.

Option B is wrong because the message is not deleted on error; deleting it would lose the work. Note that the entire batch returns unless the function reports partial batch failures (ReportBatchItemFailures on the event source mapping), which is how to avoid reprocessing the successful messages of a batch that contained one bad one.
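What actually happens to the batch in the three configurations a developer can end up with, as an added example that is not code from the page. `handler` has the shape of a real Lambda handler for an SQS event source mapping (event['Records'] in, the ReportBatchItemFailures response shape out); `FakeQueue` and `poll_once` stand in for SQS and the Lambda poller and model only deletion and the visibility timeout, so the behaviour can be run offline. The order messages are constructed for the example, and the third case (returning batchItemFailures without enabling the response type on the mapping) goes beyond the question to show the trap it sets.

```python
"""What happens to an SQS batch when the Lambda function fails (Q236).

Added example; not code from the page. `handler` has the shape of a real
Lambda handler for an SQS event source mapping (event['Records'] in, the
ReportBatchItemFailures response out). FakeQueue and poll_once stand in for
SQS and the Lambda poller and model only deletion and the visibility timeout,
so the three outcomes can be run offline. The message bodies are constructed.
"""
import json

BODIES = [json.dumps({"orderId": "A1", "amount": 10}),
          json.dumps({"orderId": "B2", "amount": -5}),    # constructed poison message
          json.dumps({"orderId": "C3", "amount": 7})]


class FakeQueue:
    """receive() hides a message for `visibility_timeout` seconds; delete()
    removes it; anything not deleted becomes visible again when the timeout
    expires, which is the at-least-once retry."""
    def __init__(self, bodies, visibility_timeout=30):
        self.msgs = {"msg-%d" % i: {"body": b, "invisible_until": 0} for i, b in enumerate(bodies)}
        self.vt = visibility_timeout
        self.now = 0

    def receive(self):
        batch = []
        for mid, m in self.msgs.items():
            if m["invisible_until"] <= self.now:
                m["invisible_until"] = self.now + self.vt
                batch.append({"messageId": mid, "body": m["body"]})
        return batch

    def delete(self, message_id):
        self.msgs.pop(message_id, None)

    def advance(self, seconds):
        self.now += seconds


def process(body):
    order = json.loads(body)
    if order["amount"] < 0:
        raise ValueError("negative amount for %s" % order["orderId"])
    return order["orderId"]


def handler(event, context=None, partial_batch=True):
    """With partial_batch the handler reports failed messageIds instead of
    raising, so the successful messages in the batch are not reprocessed."""
    failures = []
    for rec in event["Records"]:
        try:
            process(rec["body"])
        except ValueError:
            if not partial_batch:
                raise                       # classic behaviour: the whole batch fails
            failures.append({"itemIdentifier": rec["messageId"]})
    return {"batchItemFailures": failures}


def poll_once(queue, esm_reports_failures, handler_partial):
    """Mimic the Lambda poller; return the messageIds left in the queue for retry."""
    batch = queue.receive()
    try:
        result = handler({"Records": batch}, partial_batch=handler_partial)
    except ValueError:
        return sorted(r["messageId"] for r in batch)      # nothing deleted
    # batchItemFailures is honoured only if the event source mapping has
    # ReportBatchItemFailures enabled; otherwise the invocation counts as success.
    failed = ({f["itemIdentifier"] for f in result["batchItemFailures"]}
              if esm_reports_failures else set())
    for r in batch:
        if r["messageId"] not in failed:
            queue.delete(r["messageId"])
    return sorted(failed)


def demo():
    def run(esm_reports_failures, handler_partial):
        q = FakeQueue(BODIES, visibility_timeout=30)
        left_for_retry = poll_once(q, esm_reports_failures, handler_partial)
        q.advance(31)                                      # visibility timeout expires
        visible_again = sorted(r["messageId"] for r in q.receive())
        return left_for_retry, visible_again
    return {"partial_batch_reported": run(True, True),
            "handler_raises": run(False, False),
            "partial_batch_not_enabled_on_mapping": run(False, True)}


if __name__ == "__main__":
    for case, (left, visible) in demo().items():
        print("%-40s retry=%s visible_after_timeout=%s" % (case, left, visible))
```

The third case is the one to remember: a handler that returns batchItemFailures against a mapping without ReportBatchItemFailures enabled is treated as a success, and the poison message is silently deleted along with the rest.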

237
MCQ · medium

A developer is building a mobile backend using Amazon API Gateway and AWS Lambda. The API has a single endpoint that accepts POST requests with a JSON payload and stores the data in an Amazon DynamoDB table. The developer wants to implement caching to reduce latency and costs. The data is user-specific and should not be shared between users. The developer configures API Gateway caching with a TTL of 300 seconds. After testing, the developer notices that users are seeing other users' data. What should the developer do to fix this issue?

A.Enable cache key parameters in API Gateway, such as the Authorization header.
B.Store cached responses in DynamoDB and retrieve them based on user ID.
C.Use Lambda@Edge to cache responses at the CloudFront level.
D.Disable API Gateway caching and use DynamoDB Accelerator (DAX) instead.
Answer: A

Cache keys ensure that responses are cached per user by including user-specific headers.

Why this answer

Option A is correct because API Gateway derives the cache key from the method request's path, query string and only those headers and parameters that are enabled as cache key parameters; without the Authorization header (or the caller identity an authorizer resolves) in the key, every user hitting the same path gets the first cached response, which is a cross-user data leak. Option D is wrong because disabling caching throws away the latency and cost benefits, and DAX caches table reads, not API responses. Option B is wrong because DynamoDB is the data store; it is not a response cache.

Option C is wrong because Lambda@Edge and CloudFront caching sit in front of API Gateway and would have to be keyed on the same per-user header; they do not fix the API Gateway cache key.
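The leak and the fix side by side, as an added example (not code from the page or from API Gateway). `CacheModel` mimics the relevant behaviour: the cache key is built from the method, path, query string and only those headers configured as cache key parameters. The backend and its bearer tokens are constructed for the example; real API Gateway hashes its keys, scopes the cache per stage, and never includes a POST body in the key, so the same leak applies to the POST endpoint in the question.

```python
"""How API Gateway's cache key decides who sees a cached response (Q237).

Added example, not code from the page or from API Gateway. CacheModel mimics
the relevant behaviour: the cache key is built from the method, path, query
string and only those headers that are configured as cache key parameters.
The backend and its bearer tokens are constructed for the example.
"""


class CacheModel:
    def __init__(self, cache_key_headers=(), ttl_seconds=300):
        self.cache_key_headers = tuple(h.lower() for h in cache_key_headers)
        self.ttl = ttl_seconds
        self.store = {}          # key -> (expires_at, response)
        self.backend_calls = 0

    def _key(self, method, path, query, headers):
        lower = {k.lower(): v for k, v in headers.items()}
        header_part = tuple((h, lower.get(h)) for h in self.cache_key_headers)
        return (method, path, tuple(sorted(query.items())), header_part)

    def fetch(self, method, path, query, headers, backend, now):
        """Serve from cache if the key is present and unexpired, else call the
        backend and cache its response under that key."""
        key = self._key(method, path, query, headers)
        hit = self.store.get(key)
        if hit and hit[0] > now:
            return hit[1], True
        self.backend_calls += 1
        response = backend(headers)
        self.store[key] = (now + self.ttl, response)
        return response, False


# Constructed users: the backend resolves the bearer token to that user's data.
TOKENS = {"Bearer tok-alice": {"user": "alice", "orders": 3},
          "Bearer tok-bob": {"user": "bob", "orders": 0}}


def backend(headers):
    return dict(TOKENS[headers["Authorization"]])


def demo(cache_key_headers):
    """Alice warms the cache, then Bob requests the same path 10 s later."""
    cache = CacheModel(cache_key_headers)
    cache.fetch("GET", "/orders", {}, {"Authorization": "Bearer tok-alice"}, backend, now=0)
    bob, hit = cache.fetch("GET", "/orders", {}, {"Authorization": "Bearer tok-bob"}, backend, now=10)
    return {"bob_sees": bob["user"], "bob_served_from_cache": hit,
            "backend_calls": cache.backend_calls}


if __name__ == "__main__":
    print("no cache key headers:  ", demo(()))
    print("Authorization as key:  ", demo(("Authorization",)))
```

With no cache key headers Bob is served Alice's cached response; with Authorization in the key each user gets a separate entry. The trade-off is that a per-user key lowers the hit rate, so for data that is genuinely shared keep the key coarse and only make it per-user on the resources that are private.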

238
Multi-Select · easy

A developer is building a serverless application that uses Amazon S3 for static website hosting and AWS Lambda for dynamic API calls. The developer wants to enable logging of all API requests. Which TWO services can be used to log API requests? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.VPC Flow Logs
D.Amazon S3 server access logs
E.Amazon Route 53 logs
Answers: A, B

CloudWatch Logs captures API Gateway execution and access logs; CloudTrail records the AWS API calls made against the account.

Why this answer

Options A and B are correct. A: Amazon CloudWatch Logs receives API Gateway execution and access logs, and the Lambda function's own logs, once logging is enabled on the stage. B: AWS CloudTrail records the management calls made against these services (and, with data events enabled, Lambda invocations and S3 object-level requests) for auditing.

Option D is wrong because S3 server access logs only record requests to the bucket, not the API. Option C is wrong because VPC Flow Logs record network flows. Option E is wrong because Route 53 logs record DNS queries.

239
MCQ · hard

A developer is deploying a microservices architecture on Amazon ECS using Fargate launch type. The services need to communicate with each other. The developer wants to use service discovery so that services can find each other by name. Which AWS service should the developer use?

A.Amazon Route 53 private hosted zones
B.Amazon ECR
C.Application Load Balancer
D.AWS Cloud Map
Answer: D

Cloud Map is integrated with ECS and provides service discovery.

Why this answer

Option D is correct because AWS Cloud Map is the service discovery registry that ECS integrates with: each task is registered when it starts and removed when it stops, and peers resolve the service by name. Option A is wrong on its own: Cloud Map creates records in a Route 53 private hosted zone behind the scenes, but a hosted zone by itself does not track task churn. Option C is wrong because an ALB balances traffic to a service; it does not let services look each other up by name.

Option B is wrong because ECR is a container image registry.

240
Multi-Select · easy

A developer is using AWS CodePipeline to automate the deployment of a web application. The pipeline has a source stage that pulls code from an Amazon S3 bucket. Which TWO actions can the developer take to automatically trigger the pipeline when new code is uploaded to the S3 bucket?

Select 2 answers
A.Configure an Amazon SQS queue to poll the S3 bucket for new objects and invoke the pipeline.
B.Configure an S3 event notification that sends to an Amazon SNS topic, which triggers an AWS Lambda function that starts the pipeline.
C.Configure an Amazon CloudWatch Events rule that detects S3 object creation events and triggers the pipeline.
D.Use an AWS Lambda function that periodically checks the S3 bucket for new objects.
E.Use AWS CodeStar to automatically detect changes in the S3 bucket.
Answers: B, C

Event-driven triggers (an S3 event notification or an EventBridge rule) start the pipeline on upload; polling does not qualify.

Why this answer

Option B (S3 event notification to SNS, which invokes a Lambda function that calls StartPipelineExecution) and Option C (a CloudWatch Events/EventBridge rule matching the PutObject event, delivered through a CloudTrail trail that records S3 data events or through S3's direct EventBridge notifications) are both event-driven and valid; the EventBridge route is what CodePipeline's S3 source action uses natively. Option A (SQS polling) is not automatic, and SQS cannot poll a bucket. Option E (CodeStar) is not a trigger mechanism.

Option D (a Lambda function polling on a schedule) is polling rather than an event-driven trigger, and adds delay and cost.

241
MCQ · medium

Refer to the exhibit. A developer runs the AWS CLI command to invoke a Lambda function asynchronously. What does the response indicate?

A.The function executed successfully and returned output.
B.The invocation was denied due to insufficient permissions.
C.The function was invoked synchronously and returned an error.
D.The function invocation was accepted but the function failed to execute successfully.
Answer: D

202 with FunctionError indicates asynchronous invocation failure.

Why this answer

Correct: D. StatusCode 202 (Accepted) means Lambda accepted the event for processing. FunctionError 'Unhandled' means the function raised an error it did not catch (a runtime exception, out-of-memory or timeout), as opposed to 'Handled', which is an error returned by the function's own code. Failed asynchronous invocations are retried twice by default and then sent to the on-failure destination or DLQ, if one is configured.

Option A is wrong because 202 is acceptance, not success. Option B is wrong because a denied call returns 403, not 202. Option C is wrong because the invocation type is Event (asynchronous). Caveat: with the real Invoke API an Event invocation returns 202 before the function runs, so FunctionError only appears in the response of RequestResponse calls; asynchronous failures have to be found in CloudWatch Logs, the Lambda error metrics or a destination, not in the Invoke response.

242
Multi-Select · medium

A developer is implementing a solution to store application logs from multiple EC2 instances. The logs must be stored in a centralized location for analysis. Which services can the developer use to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.Amazon Kinesis Data Analytics
D.Amazon DynamoDB
E.Amazon S3
Answers: A, E

CloudWatch Logs can collect and store logs from EC2 instances.

Why this answer

Option A is correct because CloudWatch Logs aggregates the logs shipped by the CloudWatch agent on each instance into log groups that can be searched and analysed with Logs Insights. Option E is correct because S3 serves as a durable central repository for log files (shipped directly, exported from CloudWatch Logs, or delivered through Kinesis Data Firehose) for analysis with Athena. Option B is wrong because CloudTrail records API activity, not application logs.

Option D is wrong because DynamoDB is a key-value store, not a log store. Option C is wrong because Kinesis Data Analytics processes streams; it does not store logs.

243
MCQ · easy

A developer is storing application configuration data in DynamoDB. The data is frequently accessed by partition key, and items are small (less than 1KB). The read traffic is consistent and predictable. Which read capacity mode is most cost-effective for this workload?

A.On-demand
B.Provisioned with auto scaling
C.Provisioned with reserved capacity
D.Provisioned with fixed capacity
Answer: D

Fixed provisioned read capacity is the most cost-effective for consistent, predictable workloads because you pay a lower hourly rate for the capacity you configure.

Why this answer

Provisioned with fixed capacity is the most cost-effective option for this workload because the read traffic is consistent and predictable, and items are small (less than 1KB). With fixed provisioned capacity, you pay a flat hourly rate for a set number of read capacity units (RCUs), avoiding the per-request premium of on-demand mode or the overhead of auto scaling. Since the workload does not require elasticity, fixed capacity minimizes cost while ensuring sufficient throughput.

Exam trap

The trap here is that candidates often choose on-demand mode (Option A) thinking it is always simpler or more cost-effective, but for consistent, predictable workloads, provisioned fixed capacity is significantly cheaper because it avoids the per-request premium of on-demand pricing.

How to eliminate wrong answers

Option A is wrong because on-demand mode charges per request at a higher rate than provisioned capacity, which makes it more expensive for traffic that is flat and predictable. Option B is wrong because auto scaling exists to track variable traffic; for a flat workload it adds a moving target (and over-provisioning after a scale-out) without saving anything. Option C is wrong because reserved capacity is not a capacity mode at all: DynamoDB has two modes, on-demand and provisioned, and reserved capacity is a one- or three-year purchase commitment layered on provisioned throughput. The question asks for a mode, so the answer is provisioned (fixed) capacity; in practice, for a workload this steady, buying reserved capacity on top of it lowers the bill further, so treat the option as mis-specified rather than wrong in principle.

244
MCQ · hard

A service publishes order events to SNS. Several consumers need different filtered subsets of events without changing publisher code. What should the developer configure?

A.Separate AWS accounts for each consumer
B.Lambda code that discards unwanted events after invocation
C.SNS subscription filter policies
D.SQS long polling only
Answer: C

Filter policies let each subscription select its messages server-side, so the publisher keeps sending every event to the one topic.

Why this answer

Option C is correct because SNS subscription filter policies allow each consumer to define a JSON policy on their subscription that selectively delivers only messages matching specified attributes (e.g., event type, region). This enables multiple consumers to receive different filtered subsets of the same SNS topic without modifying the publisher's code, as the filtering happens server-side at the SNS service level.

Exam trap

The trap here is that candidates often confuse client-side filtering (Option B) with server-side filtering, or assume that SQS long polling (Option D) can filter messages, when in fact SNS subscription filter policies are the native SNS mechanism for delivering a subset of a topic's messages without publisher changes.

How to eliminate wrong answers

Option A is wrong because separate AWS accounts do not provide message filtering; they would require duplicating the SNS topic and publisher logic across accounts, adding complexity without solving the subset requirement. Option B is wrong because discarding unwanted events in Lambda after invocation wastes compute resources and incurs unnecessary costs, as the Lambda function is still triggered for every message, defeating the purpose of server-side filtering. Option D is wrong because SQS long polling only controls how often the consumer polls for messages, not which messages are delivered; it does not filter message content or attributes.
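The server-side filtering described above, as an added example that is not code from the page or from SNS. `matches` implements the subset of the filter policy grammar used below (exact values, prefix, anything-but, numeric ranges, exists) against message attributes in the format SNS uses, and `route` shows three subscriptions receiving three different subsets of the same published events with no change to the publisher. The subscription names, policies and events are constructed for the example; the real matching is done inside SNS, and this model exists so the policies can be tested before they are deployed.

```python
"""SNS subscription filter policies evaluated server-side (Q244).

Added example; not code from the page or from SNS. `matches` implements the
subset of the filter policy grammar used below (exact values, prefix,
anything-but, numeric ranges, exists) against message attributes in the
format SNS uses. The subscriptions, policies and events are constructed.
"""
import json
import operator

_NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
                ">=": operator.ge, ">": operator.gt}


def _attribute_value(attributes, name):
    attr = attributes.get(name)
    if attr is None:
        return None
    if attr["Type"].startswith("Number"):
        return float(attr["Value"])
    if attr["Type"] == "String.Array":
        return json.loads(attr["Value"])
    return attr["Value"]


def _condition_matches(cond, value):
    if not isinstance(cond, dict):                     # plain value: exact match
        return value is not None and value == cond
    if "prefix" in cond:
        return isinstance(value, str) and value.startswith(cond["prefix"])
    if "anything-but" in cond:
        excluded = cond["anything-but"]
        excluded = excluded if isinstance(excluded, list) else [excluded]
        return value is not None and value not in excluded
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    if "numeric" in cond:
        if not isinstance(value, float):
            return False
        ops = cond["numeric"]                          # e.g. [">=", 0, "<", 100]
        return all(_NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    raise ValueError("unsupported condition: %r" % cond)


def matches(policy, attributes):
    """Every attribute named in the policy must match (AND); within one
    attribute any listed condition suffices (OR). A String.Array attribute
    matches if any of its elements does. A missing attribute only matches
    an {"exists": false} condition."""
    for name, conditions in policy.items():
        value = _attribute_value(attributes, name)
        values = value if isinstance(value, list) else [value]
        if not any(_condition_matches(c, v) for c in conditions for v in values):
            return False
    return True


def route(subscriptions, events):
    """Return {subscription_name: [event ids delivered]}."""
    return {name: [e["id"] for e in events if matches(policy, e["attributes"])]
            for name, policy in subscriptions.items()}


def _attrs(**kw):
    """Build message attributes in SNS's {Name: {Type, Value}} shape."""
    return {k: {"Type": "Number" if isinstance(v, (int, float)) else "String", "Value": str(v)}
            for k, v in kw.items()}


SUBSCRIPTIONS = {                                      # constructed consumers
    "eu-fulfilment": {"region": ["eu-west-1", "eu-central-1"],
                      "event_type": [{"anything-but": "OrderCancelled"}]},
    "fraud-review": {"amount": [{"numeric": [">=", 1000]}]},
    "refunds": {"event_type": ["OrderCancelled"], "customer_tier": [{"exists": True}]},
}

EVENTS = [                                             # constructed published events
    {"id": "e1", "attributes": _attrs(region="eu-west-1", event_type="OrderCreated", amount=250)},
    {"id": "e2", "attributes": _attrs(region="us-east-1", event_type="OrderCreated", amount=5000)},
    {"id": "e3", "attributes": _attrs(region="eu-central-1", event_type="OrderCancelled",
                                      amount=1200, customer_tier="gold")},
    {"id": "e4", "attributes": _attrs(region="eu-west-1", event_type="OrderCancelled", amount=40)},
]


if __name__ == "__main__":
    print(route(SUBSCRIPTIONS, EVENTS))
```

Filtering works on message attributes (or, with a payload-based policy, on the message body), so the publisher has to set the attributes the consumers will filter on; that is the only coupling between the two sides.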

245
MCQ · easy

A developer is building a serverless REST API using Amazon API Gateway and AWS Lambda. The API will be consumed by a web application hosted on a different domain. The developer needs to enable Cross-Origin Resource Sharing (CORS) for all HTTP methods. What is the most efficient way to achieve this?

A.Enable CORS on the API Gateway resource using the 'Enable CORS' feature in the API Gateway console, which adds the OPTIONS method and appropriate headers.
B.In the Lambda function code, add the 'Access-Control-Allow-Origin' header to every response.
C.Configure Amazon CloudFront in front of API Gateway to handle CORS.
D.Set a bucket policy on the S3 bucket that hosts the web application to allow cross-origin requests.
Answer: A

API Gateway's built-in CORS feature automatically configures the OPTIONS method and adds the necessary headers (Access-Control-Allow-Origin, etc.) to the method responses and integration responses.

Why this answer

Option A is correct because API Gateway's 'Enable CORS' feature automatically creates an OPTIONS method for the selected resource and configures the necessary response headers (e.g., Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers) to handle preflight requests. This is the most efficient approach as it centralizes CORS configuration at the API Gateway layer, eliminating the need for manual header management in Lambda or additional infrastructure.

Exam trap

The trap here is that candidates assume adding CORS headers only in the Lambda function code is sufficient, overlooking the mandatory preflight OPTIONS request that API Gateway must handle separately.

How to eliminate wrong answers

Option B is wrong because while adding headers in Lambda is necessary for the actual response, it does not handle the preflight OPTIONS request that browsers send before non-simple cross-origin requests; without a proper OPTIONS response, CORS will fail. Option C is wrong because CloudFront forwards the preflight to the origin; a response headers policy can add CORS headers on the way back, but the OPTIONS request still has to be answered with a 2xx by API Gateway, so CloudFront adds a layer without removing the need to configure CORS on the API. Option D is wrong because S3 bucket policies control access to S3 objects, not API Gateway endpoints; CORS for the API must be configured on the API Gateway resource itself, not on the web application's hosting bucket.

246
MCQ · hard

A developer is building an application that uses Amazon DynamoDB as a data store. The application reads the same item frequently but writes rarely. The developer wants to reduce read costs. Which DynamoDB feature should the developer use?

A.DynamoDB Accelerator (DAX)
B.DynamoDB Global Tables
C.DynamoDB Auto Scaling
D.Time to Live (TTL)
Answer: A

Caches reads, reducing the number of read capacity units consumed.

Why this answer

Option A is correct because DynamoDB Accelerator (DAX) is an in-memory, write-through cache in front of the table; repeated reads of the same item are served from DAX and consume no read capacity units, which is exactly the read-heavy, write-light pattern described. Option C is wrong because auto scaling adjusts provisioned capacity to demand; it does not reduce the cost of each read. Option D is wrong because TTL deletes expired items.

Option B is wrong because Global Tables replicate across Regions, which adds cost rather than reducing it.

247
MCQ · hard

A company runs a containerized application on Amazon ECS using the Fargate launch type. The application needs to store temporary data that must persist across container restarts but does not need to be shared across multiple tasks. The data should be automatically deleted when the task stops. Which storage option should the developer use?

A.Attach an Amazon EBS volume to the task.
B.Use the ephemeral storage provided by Fargate.
C.Mount an Amazon EFS file system to the container.
D.Create a Docker volume using the 'tmpfs' driver.
Answer: B

Fargate provides ephemeral storage that is deleted when the task stops, but persists across container restarts within the same task.

Why this answer

Option B is correct: Fargate gives each task its own ephemeral storage (20 GiB by default, configurable up to 200 GiB), scoped to the task. A bind mount volume backed by it survives a container restart within the task, and everything is discarded when the task stops, which is exactly the lifetime asked for. Option C is wrong because EFS is shared, network-attached and persists beyond the task. Option A is wrong because an EBS volume cannot simply be attached to a running Fargate task the way it is to an EC2 instance, and a persistent block device is more than scratch data needs.

Option D is wrong because a tmpfs volume is memory-backed: it counts against the task's memory limit and its contents vanish with the container.

248
MCQ · hard

A developer is deploying a web application on Amazon EKS. The application needs to read configuration data from an Amazon S3 bucket at startup. The developer wants to ensure that the configuration is securely accessed without embedding AWS credentials in the application code. Which solution should the developer use?

A.Use IAM roles for service accounts (IRSA) to assign an IAM role to the pod.
B.Store the AWS credentials in AWS Secrets Manager and retrieve them at startup.
C.Assign an IAM instance profile to the EC2 instances running the EKS nodes.
D.Embed the AWS access key and secret key in a Kubernetes ConfigMap.
Answer: A

IRSA allows pods to assume IAM roles securely.

Why this answer

IAM roles for service accounts (IRSA) allow Kubernetes pods to assume IAM roles. The developer can create an IAM role with an S3 read policy and associate it with a Kubernetes service account. The pod then uses that service account to access S3.

This avoids hard-coded credentials entir... 

249
MCQ · easy

A developer needs to store application configuration settings that may change at runtime and wants to avoid redeploying the application. Which AWS service should be used?

A.AWS Systems Manager Parameter Store
B.AWS Secrets Manager
C.Amazon DynamoDB
D.AWS AppConfig
Answer: D

AppConfig enables dynamic configuration updates with validation and staged rollouts.

Why this answer

Option D is correct because AWS AppConfig is built for runtime configuration: it validates a configuration before release, rolls it out gradually with monitoring-based rollback, and the application polls for new versions without a redeploy. Option B is wrong because Secrets Manager manages secrets, not general configuration. Option A is wrong because Parameter Store can hold configuration (and AppConfig can use it as a source), but it has no validation or staged rollout.

Option C is wrong because DynamoDB is a database; building configuration management on it means writing the validation and rollout logic yourself.

250
MCQ · hard

A company runs a critical application on AWS Lambda that processes real-time data from Kinesis Data Streams. The function is idempotent, but occasionally duplicate records are processed due to retries. The company wants to ensure exactly-once processing. Which approach should the developer implement?

A.Use an SQS FIFO queue between Kinesis and Lambda.
B.Use a DynamoDB table to store processed record IDs and perform deduplication in the Lambda function.
C.Enable Lambda reserved concurrency to limit retries.
D.Reduce the batch size in the event source mapping.
Answer: B

A conditional write keyed on each record's identity turns at-least-once delivery into exactly-once effects.

Why this answer

Option B is correct because recording each record's identifier (the eventID, i.e. shard ID plus sequence number) in DynamoDB with a conditional write lets the function detect a redelivered record and skip its side effect; Kinesis and Lambda themselves only guarantee at-least-once. Option C is incorrect because reserved concurrency limits parallelism, not retries; Lambda retries a failed Kinesis batch until it succeeds, the record expires or the mapping's retry limits are reached. Option A is incorrect because SQS FIFO is not a supported hop between a Kinesis stream and Lambda, and the function's own retries would still need deduplicating.

Option D is incorrect because a smaller batch reduces how much is reprocessed on a retry, not whether a retry happens.
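The deduplication described in option B, as an added example that is not code from the page. The handler has the shape of a real Lambda handler for a Kinesis event source mapping; `IdempotencyTable` stands in for a DynamoDB table written with ConditionExpression `attribute_not_exists(pk)`, i.e. the conditional put that makes exactly one delivery win. The record key is the event's eventID (shard ID plus sequence number), which is unique per record. The records and the side effect are constructed, and the example also covers the case the question does not spell out: a side effect that fails after the record was claimed.

```python
"""Exactly-once effects on top of at-least-once Kinesis delivery (Q250).

Added example; not code from the page. The handler has the shape of a real
Lambda handler for a Kinesis event source mapping; IdempotencyTable stands in
for a DynamoDB table written with ConditionExpression
'attribute_not_exists(pk)'. The records and the side effect are constructed.
"""
import base64
import json
import time


class ConditionalCheckFailed(Exception):
    pass


class IdempotencyTable:
    """Minimal model of the DynamoDB table: put_if_absent is the conditional
    write; the ttl attribute is what DynamoDB TTL would use to expire markers."""
    def __init__(self):
        self.items = {}

    def put_if_absent(self, pk, ttl_epoch):
        if pk in self.items:
            raise ConditionalCheckFailed(pk)
        self.items[pk] = {"pk": pk, "ttl": ttl_epoch}

    def delete(self, pk):
        self.items.pop(pk, None)


def make_handler(table, side_effect, marker_ttl_seconds=7 * 24 * 3600):
    def handler(event, context=None):
        """Claim each record before acting on it. If the side effect fails,
        release the claim so the retried batch can process the record again."""
        processed, skipped = [], []
        for rec in event["Records"]:
            key = rec["eventID"]                      # shardId:sequenceNumber, unique per record
            try:
                table.put_if_absent(key, int(time.time()) + marker_ttl_seconds)
            except ConditionalCheckFailed:
                skipped.append(key)                   # duplicate delivery: already done
                continue
            payload = json.loads(base64.b64decode(rec["kinesis"]["data"]))
            try:
                side_effect(payload)
            except Exception:
                table.delete(key)                     # let a retry redo this record
                raise                                 # Lambda then retries the batch
            processed.append(key)
        return {"processed": processed, "skipped": skipped}
    return handler


def _record(shard, seq, payload):
    """Constructed Kinesis record in the event source mapping's shape."""
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"eventID": "%s:%s" % (shard, seq),
            "kinesis": {"sequenceNumber": seq, "data": data}}


def demo():
    ledger = []                                       # the side effect: one entry per order
    failures = {"remaining": 1}                       # the first attempt on order B fails

    def post_to_ledger(payload):
        if payload["order"] == "B" and failures["remaining"]:
            failures["remaining"] -= 1
            raise RuntimeError("downstream unavailable")
        ledger.append(payload["order"])

    handler = make_handler(IdempotencyTable(), post_to_ledger)
    batch = {"Records": [_record("shardId-000000000000", "1", {"order": "A"}),
                         _record("shardId-000000000000", "2", {"order": "B"})]}
    outcomes = []
    for _ in range(3):                                # the same batch is redelivered on retry
        try:
            outcomes.append(handler(batch))
        except RuntimeError as e:
            outcomes.append({"error": str(e)})
    return ledger, outcomes


if __name__ == "__main__":
    print(demo())
```

Order A is posted once despite three deliveries, and order B is posted exactly once even though its first attempt failed. Claim-then-act is at-most-once if the function dies between the claim and the effect (the marker stays until its TTL), whereas act-then-claim is at-least-once; choose the order based on which failure is cheaper for the side effect in question.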

251
MCQ · medium

A developer is using AWS CodePipeline to automate deployments. The pipeline has a manual approval action that requires a developer to approve before deploying to production. The developer wants to receive an email notification when an approval action is pending. Which AWS service should be used to send the notification?

A.Amazon Simple Email Service (SES)
B.AWS Lambda
C.Amazon Simple Notification Service (SNS)
D.Amazon CloudWatch Logs
Answer: C

SNS can send email notifications when pipeline state changes occur.

Why this answer

Option C is correct because a manual approval action can publish directly to an SNS topic (the action has an SNS topic ARN setting), and an SNS email subscription delivers the notification; alternatively, an EventBridge rule on the CodePipeline manual-approval state change can target the same topic. Option A is wrong because SES sends application email and has no CodePipeline integration of its own. Option D is wrong because CloudWatch Logs stores logs.

Option B is wrong because Lambda could be wired in, but it is unnecessary code for a notification that SNS delivers natively.

252
Multi-Select · easy

A developer is using AWS Step Functions to orchestrate a workflow. The developer wants to handle errors and retries for a task. Which TWO fields can be used in a state definition to configure error handling? (Choose TWO.)

Select 2 answers
A.Retry
B.Catch
C.FailureState
D.ErrorOutput
E.ErrorAction
Answers: A, B

Retry defines how many times and how long to wait before retrying.

Why this answer

Option A is correct because Retry lists retriers (ErrorEquals, IntervalSeconds, MaxAttempts, BackoffRate) that re-run the state when a matching error occurs. Option B is correct because Catch lists catchers (ErrorEquals, Next, ResultPath) that transfer to a fallback state once retries are exhausted or when no retrier matches. Option D is wrong because ErrorOutput is not a valid field.

Option E is wrong because ErrorAction is not a valid field. Option C is wrong because FailureState is not a valid field; the fallback state is named in a catcher's Next.
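How the two fields interact on one Task state, as an added example that is not code from the page or from Step Functions. `run_task_state` applies the documented Amazon States Language rules: retriers are tried in order and the first whose ErrorEquals covers the error is used (States.ALL covers every error); once that retrier's MaxAttempts is exhausted, the catchers are consulted the same way and the matching one decides the next state. Backoff waits are recorded instead of slept so the example runs instantly. The state definition, its integration ARN and the flaky task are constructed for the example.

```python
"""Retry and Catch on a Task state, run against a fake task (Q252).

Added example; not code from the page or from Step Functions. run_task_state
applies the documented Amazon States Language rules for retriers and
catchers; waits are recorded instead of slept. The state definition and the
flaky task are constructed for the example.
"""


class TaskError(Exception):
    """Carries the error name a Task reports (e.g. States.TaskFailed)."""
    def __init__(self, name, cause=""):
        super().__init__(name)
        self.name, self.cause = name, cause


def _first_match(rules, error_name):
    for i, rule in enumerate(rules):
        if error_name in rule["ErrorEquals"] or "States.ALL" in rule["ErrorEquals"]:
            return i
    return None


def run_task_state(state, task, waits):
    """Return {'Next': ..., 'Output': ...}; append each backoff interval to waits."""
    attempts = {}                                          # retrier index -> attempts used
    while True:
        try:
            return {"Next": state.get("Next"), "Output": task()}
        except TaskError as err:
            i = _first_match(state.get("Retry", []), err.name)
            if i is not None:
                retrier = state["Retry"][i]
                n = attempts.get(i, 0)
                if n < retrier.get("MaxAttempts", 3):
                    interval = retrier.get("IntervalSeconds", 1) * retrier.get("BackoffRate", 2.0) ** n
                    waits.append(interval)
                    attempts[i] = n + 1
                    continue
            j = _first_match(state.get("Catch", []), err.name)
            if j is None:
                raise                                      # no catcher: the execution fails
            catcher = state["Catch"][j]
            return {"Next": catcher["Next"], "Output": {"Error": err.name, "Cause": err.cause}}


STATE = {                                                  # constructed Task state
    "Type": "Task",
    "Resource": "arn:aws:states:::lambda:invoke",          # hypothetical integration
    "Retry": [{"ErrorEquals": ["States.TaskFailed"], "IntervalSeconds": 2,
               "MaxAttempts": 3, "BackoffRate": 2.0}],
    "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "NotifyFailure", "ResultPath": "$.error"}],
    "Next": "Done",
}


def make_task(fail_times, error_name):
    """A task that raises `error_name` on its first `fail_times` calls, then succeeds."""
    calls = {"n": 0}

    def task():
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise TaskError(error_name, "simulated failure %d" % calls["n"])
        return {"ok": True, "attempts": calls["n"]}
    return task


def demo():
    results = {}
    for label, task in [("transient", make_task(2, "States.TaskFailed")),
                        ("exhausted", make_task(10, "States.TaskFailed")),
                        ("not_retryable", make_task(10, "ValidationError"))]:
        waits = []
        out = run_task_state(STATE, task, waits)
        results[label] = (out["Next"], waits)
    return results


if __name__ == "__main__":
    for label, (nxt, waits) in demo().items():
        print("%-14s next=%-14s waits=%s" % (label, nxt, waits))
```

A transient States.TaskFailed succeeds on the third call after 2 s and 4 s waits; a persistent one is retried three times (2, 4, 8 s) and then caught; an error that no retrier lists goes straight to the catcher with no retry. Keep States.ALL in the catcher, not the retrier, unless you genuinely want to retry validation errors.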

253
MCQ · hard

An application running on Amazon ECS Fargate uses a DynamoDB table with on-demand capacity. The table has a partition key of 'userId' and a sort key of 'timestamp'. During peak hours, some requests experience throttling errors. The application performs updates to existing items using 'UpdateItem' with ConditionExpression to ensure the 'status' attribute is 'active'. Which design change will BEST reduce throttling?

A.Implement DynamoDB Accelerator (DAX) to cache frequent items.
B.Use 'TransactWriteItems' instead of 'UpdateItem' for atomic updates.
C.Change the table to provisioned capacity and increase read capacity units.
D.Create a global secondary index with the same partition key and a different sort key.
AnswerA

DAX reduces read load on the table, freeing capacity for writes.

Why this answer

Option A is correct because DynamoDB Accelerator (DAX) serves repeated reads from its in-memory cache, so fewer read requests reach the table during peak hours. Option B is wrong because UpdateItem with a ConditionExpression is already an atomic, conditional single-item write; TransactWriteItems costs more and does not reduce throttling. Option C is wrong because the table is on-demand, where capacity is not provisioned, and the throttled operations are writes, so read capacity units would not help.

Option D is wrong because a global secondary index does not relieve pressure on the base table; every base-table write is also propagated to the index. Practitioner caveat: DAX is a write-through read cache, so if the throttling comes from a hot partition (many updates to the same userId), DAX will not help and the key design has to change.

254
MCQeasy

A developer is building a web application that requires user authentication. The application will run on Amazon EC2 instances behind an Application Load Balancer. The developer wants to offload authentication to a managed service that supports social login providers. Which AWS service should the developer use?

A.AWS Identity and Access Management (IAM)
B.Amazon Cognito
C.AWS Directory Service
D.AWS Single Sign-On
AnswerB

Cognito offers user pools for sign-up/sign-in and supports social identity providers, making it ideal for offloading authentication.

Why this answer

Amazon Cognito is the correct choice because it is a fully managed identity service designed for web and mobile applications, providing user authentication, authorization, and support for social login providers (e.g., Google, Facebook, Amazon) via OAuth 2.0 and OpenID Connect. It offloads the entire authentication workflow from the EC2 instances and ALB, integrating seamlessly with the ALB's authentication action to validate tokens before traffic reaches the application.

Exam trap

The trap here is that candidates often confuse IAM's role-based access control with user authentication, overlooking that IAM cannot handle social login providers or external user identity federation for customer-facing apps.

How to eliminate wrong answers

Option A is wrong because AWS IAM is for managing AWS service access and permissions for users and roles, not for external user authentication with social login providers; it lacks built-in support for social identity federation. Option C is wrong because AWS Directory Service provides managed Microsoft Active Directory or LDAP-based directories for enterprise identity, which does not natively support social login providers like Google or Facebook. Option D is wrong because AWS Single Sign-On (now AWS IAM Identity Center) is designed for workforce identity and SSO across AWS accounts and business applications, not for customer-facing web app authentication with social logins.

255
MCQmedium

The exhibit shows an IAM policy attached to a user. The user reports being unable to upload files to S3 bucket 'my-bucket'. What is the MOST likely cause?

A.The user needs s3:PutObjectAcl permission
B.The bucket policy denies the upload
C.The policy does not allow s3:ListBucket
D.The user does not have s3:GetObject permission
AnswerB

An explicit Deny in a bucket policy overrides an Allow in the user's IAM policy.

Why this answer

The upload requires s3:PutObject, which the identity policy grants. It can still fail if the bucket policy contains an explicit Deny, because an explicit Deny in any evaluated policy wins over every Allow. Option B is correct. Option A is wrong because s3:PutObjectAcl is needed only when the request sets an ACL. Option C is wrong because s3:ListBucket is for listing objects, not uploading one. Option D is wrong because s3:GetObject is a read permission.

256
MCQmedium

A developer is using Amazon DynamoDB as the data store for a serverless application. The application experiences high read traffic, and the developer wants to reduce latency. The data is not frequently updated. Which DynamoDB feature should the developer use?

A.DynamoDB Auto Scaling
B.DynamoDB Global Tables
C.DynamoDB Accelerator (DAX)
D.DynamoDB Time to Live (TTL)
AnswerC

DAX provides in-memory caching for low-latency reads.

Why this answer

Option C is correct because DynamoDB Accelerator (DAX) is an in-memory cache in front of the table that serves repeated reads in microseconds. Option B is wrong because Global Tables replicate data across Regions; they do not cache. Option D is wrong because TTL expires and deletes items.

Option A is wrong because auto scaling adjusts provisioned throughput to avoid throttling; it does not reduce per-request latency.

257
MCQmedium

A company uses AWS Lambda to process incoming messages from an Amazon SQS queue. The Lambda function sometimes fails with a timeout error when the queue has a large backlog. What is the MOST efficient way to increase throughput without causing duplicate processing?

A.Increase the batch size in the event source mapping.
B.Increase the visibility timeout of the SQS queue.
C.Decrease the batch size in the event source mapping.
D.Increase the reserved concurrency of the Lambda function.
AnswerA

Increasing batch size allows more messages per invocation, directly improving throughput.

Why this answer

Option A is correct because a larger batch size lets each invocation retrieve more messages, so the same number of invocations drains the backlog faster. Option D is wrong because reserved concurrency both guarantees and caps the function's concurrency; on its own it does not change how many messages an invocation handles, and if the function is already at that cap it does not help. Option C is wrong because a smaller batch size reduces throughput.

Option B is wrong because a longer visibility timeout only changes when unacknowledged messages reappear; it does not increase throughput. Practitioner caveat: when you raise the batch size, keep the queue's visibility timeout at least six times the function timeout, otherwise a batch still in flight can become visible again and be processed twice.

258
Multi-Selecthard

A Lambda function processes a batch of SQS messages. Which two configurations reduce duplicate or failed-message impact?

Select 2 answers
A.Set visibility timeout to zero
B.Use a visibility timeout longer than expected processing time
C.Disable the dead-letter queue
D.Configure a dead-letter queue and partial batch response where appropriate
AnswersB, D

A long enough visibility timeout, a dead-letter queue and partial batch responses together limit duplicate and failed-message impact.

Why this answer

Option B is correct because a visibility timeout longer than the expected processing time prevents other consumers from reprocessing a message while it is still being handled, reducing duplicates. Option D is correct because a dead-letter queue captures messages that repeatedly fail processing, allowing analysis and preventing them from blocking the queue, while partial batch response enables the function to return a list of failed message IDs so that only those messages become visible again, reducing reprocessing of successful ones.

Exam trap

The trap here is that candidates often think setting visibility timeout to zero or disabling the DLQ simplifies processing, but in reality, these actions increase duplicate or failed-message impact by removing mechanisms that control reprocessing and isolate problematic messages.

259
MCQhard

A developer is using AWS CodeDeploy to deploy a new version of an application to an Auto Scaling group. The deployment fails because the new instances do not pass the health check. The developer wants to automatically roll back the deployment if the health check fails. Which CodeDeploy setting should be configured?

A.Set the deployment configuration to AllAtOnce to speed up the process.
B.Configure a lifecycle hook to terminate failing instances.
C.Use a blue/green deployment strategy instead of in-place.
D.Enable automatic rollback in the deployment group configuration.
AnswerD

Automatic rollback will revert to the last known good revision when health checks fail.

Why this answer

Option D is correct because CodeDeploy can automatically roll back a deployment when the deployment fails (including instances failing the health check) or when a CloudWatch alarm associated with the deployment group goes into ALARM; both options are set on the deployment group. Option A is wrong because AllAtOnce increases the blast radius and has nothing to do with rollback. Option B is wrong because terminating instances from a lifecycle hook does not restore the previous revision. Option C is wrong because blue/green changes how traffic is shifted, not whether a failed deployment is rolled back; rollback still has to be enabled on the deployment group.

260
MCQeasy

A developer is designing a REST API using Amazon API Gateway that experiences high traffic with many repeated requests for the same data. The developer wants to reduce backend load and improve response times. Which feature should the developer enable on the API Gateway method?

A.Enable API Gateway caching
B.Implement caching in the Lambda function using a local cache
C.Use an Amazon ElastiCache Redis cluster and modify the Lambda function to check the cache first
D.Place an Amazon CloudFront distribution in front of API Gateway
AnswerA

API Gateway caching caches the responses from the backend integration for a set TTL, significantly reducing the number of identical requests reaching the backend.

Why this answer

API Gateway caching stores responses from backend endpoints for a configurable Time-to-Live (TTL). When a request for the same data arrives, API Gateway serves the cached response directly without invoking the backend, reducing load and improving latency. This is the most straightforward and managed solution for repeated requests at the API layer.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing a distributed cache like ElastiCache or a CDN like CloudFront, when the simplest and most cost-effective managed service (API Gateway caching) directly addresses the requirement at the API layer.

How to eliminate wrong answers

Option B is wrong because implementing a local cache inside a Lambda function is ephemeral and not shared across concurrent invocations, so it cannot reduce backend load for repeated requests from different clients. Option C is wrong because while ElastiCache Redis can cache data, it requires additional code in the Lambda function to check the cache first, adding complexity and latency compared to API Gateway's built-in caching. Option D is wrong because CloudFront caches content at the edge, but it does not reduce backend load for API Gateway itself unless combined with API Gateway caching; CloudFront alone still forwards cache misses to API Gateway, which then invokes the backend.

261
Multi-Selectmedium

A developer is designing a highly available application using Amazon SQS and AWS Lambda. Which TWO strategies should the developer implement to ensure that messages are processed at least once? (Choose TWO.)

Select 2 answers
A.Configure a Dead Letter Queue (DLQ) to capture failed messages.
B.Enable long polling on the SQS queue.
C.Use a FIFO queue to ensure exactly-once processing.
D.Set the SQS queue's visibility timeout to be greater than the Lambda function's timeout.
E.Use the SQS DeleteMessage API inside the Lambda function only after successful processing.
AnswersD, E

If the function times out, the message becomes visible again, ensuring retry.

Why this answer

Options D and E are correct. Option D ensures at-least-once processing because, if the function times out, the message is not deleted and becomes visible again after the visibility timeout, so it is retried. Option E ensures a message is deleted only after successful processing, so a failure before deletion leads to redelivery (when a Lambda event source mapping polls the queue, Lambda itself deletes the batch only if the invocation succeeds; explicit DeleteMessage calls are for consumers that poll the queue themselves).

Option B is wrong because long polling reduces empty receives and cost; it does not affect delivery guarantees. Option A is wrong because a DLQ collects messages that have exhausted their receive count; it does not by itself ensure a message gets processed. Option C is wrong because FIFO queues provide exactly-once processing semantics (deduplication of sends within the deduplication interval), which is a different requirement from at-least-once.
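An added example covering the points raised in the three SQS questions above (batch size, visibility timeout, dead-letter queue and partial batch response). It was written for this page and is not AWS sample code. The handler's return shape (batchItemFailures / itemIdentifier) is the real contract Lambda expects when the event source mapping has ReportBatchItemFailures enabled; the message bodies, the process_order business rule and the queue ARN are constructed for the example.

```python
"""SQS-triggered Lambda handler with partial batch response, plus the queue settings
that keep duplicates down (illustrative, not AWS code)."""
import json
from typing import Dict, List


def process_order(body: Dict) -> None:
    """Constructed business logic: reject orders without a positive quantity."""
    if body.get("quantity", 0) <= 0:
        raise ValueError(f"bad quantity for order {body.get('orderId')}")


def handler(event: Dict, context=None) -> Dict:
    """Process each record and return only the IDs that failed.

    With ReportBatchItemFailures enabled, Lambda deletes every message not
    listed here and leaves the listed ones to become visible again after the
    visibility timeout. Without it, one bad record makes the whole batch
    reappear and the records that already succeeded are processed again.
    """
    failures: List[Dict[str, str]] = []
    for record in event["Records"]:
        try:
            process_order(json.loads(record["body"]))
        except Exception:
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


def recommended_visibility_timeout(function_timeout_s: int, batch_window_s: int = 0) -> int:
    """AWS guidance for SQS + Lambda: at least six times the function timeout,
    plus the batching window, so an in-flight batch is never handed to a
    second invocation while the first is still running."""
    return 6 * function_timeout_s + batch_window_s


def dlq_redrive_policy(dlq_arn: str, max_receive_count: int = 3) -> str:
    """RedrivePolicy attribute for the source queue: after max_receive_count
    receives without a delete, SQS moves the message to the DLQ."""
    return json.dumps({"deadLetterTargetArn": dlq_arn, "maxReceiveCount": max_receive_count})


# Constructed event in the shape Lambda delivers for an SQS batch.
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "m-1", "body": json.dumps({"orderId": "A1", "quantity": 2})},
        {"messageId": "m-2", "body": json.dumps({"orderId": "A2", "quantity": 0})},
        {"messageId": "m-3", "body": "not json"},
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
    print(recommended_visibility_timeout(45, batch_window_s=5))
    print(dlq_redrive_policy("arn:aws:sqs:us-east-1:111122223333:orders-dlq"))
```

Only m-2 and m-3 are reported back, so m-1 is deleted rather than redelivered. A function timeout of 45 s therefore wants a visibility timeout of at least 270 s on the queue; if the timeout is shorter than that, a slow batch becomes visible again mid-run and the same records reach a second invocation, which is the duplicate-processing failure mode the questions describe.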

262
MCQeasy

A developer is building a serverless application using AWS Lambda. The function needs to access an S3 bucket to read a configuration file. What is the best way to provide the Lambda function with the bucket name?

A.Hardcode the bucket name in the Lambda function code.
B.Store the bucket name in an environment variable for the Lambda function.
C.Read the bucket name from a text file stored in the same bucket.
D.Use a KMS key to encrypt the bucket name and decrypt it in the function.
AnswerB

Environment variables are the standard way to pass configuration to Lambda, promoting separation of code and configuration.

Why this answer

Option B is correct because Lambda environment variables keep configuration out of the code: the same function code is reused across environments (dev, staging, prod) by changing the variable value, which is the separation of configuration from code that twelve-factor style applications rely on. Lambda encrypts environment variables at rest with a KMS key (an AWS owned key by default, or a customer managed key you select), and the value lives in the function configuration rather than in the source repository. Caveat for a practitioner: environment variables are readable by anyone with lambda:GetFunctionConfiguration, so they are fine for a bucket name but not for secrets, which belong in Secrets Manager or Parameter Store.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing KMS encryption (Option D) or the circular dependency of reading from the same bucket (Option C), when the simplest and most secure approach—environment variables—is the correct answer for decoupling configuration from code.

How to eliminate wrong answers

Option A is wrong because hardcoding the bucket name in the Lambda function code violates the separation of configuration from code, making the function environment-specific and requiring code changes to point to a different bucket. Option C is wrong because reading the bucket name from a text file stored in the same bucket creates a circular dependency: the function needs the bucket name to access the bucket, but it must first read the file from the bucket to get the name, which is impossible without prior knowledge of the bucket. Option D is wrong because using a KMS key to encrypt the bucket name and decrypt it in the function adds unnecessary complexity and overhead; environment variables are already encrypted at rest by default, and the bucket name is not sensitive data that requires custom encryption—this approach does not solve the configuration problem.

263
MCQeasy

A developer runs the command above. The output.txt file is empty. What could be the reason?

A.The payload is not valid JSON.
B.The Lambda function did not return any output.
C.The Lambda function timed out.
D.The function name is incorrect.
AnswerB

Lambda returns the handler's response; if no return, output is empty.

Why this answer

Option B is correct because a synchronous invocation writes the handler's return value to output.txt; if the handler returns nothing, the file is empty (or holds only null, depending on how the runtime serializes a missing return value). Option D is wrong because an incorrect function name fails the call with a ResourceNotFoundException before anything is written. Option A is wrong because an invalid --payload is rejected by the CLI or produces an error response, not a silently empty file.

Option C is wrong because a timeout still produces a response: the CLI reports FunctionError as Unhandled and the output file contains an error document saying the task timed out.

264
MCQmedium

A company has a legacy application that generates log files on an EC2 instance. The developer needs to stream these log files to Amazon CloudWatch Logs in real time. The developer installed the CloudWatch agent on the EC2 instance and configured it to monitor the log files. However, the logs are not appearing in CloudWatch Logs. The developer checks the agent status and sees that the agent is running. What is the most likely cause of this issue?

A.The log file format is not compatible with the CloudWatch agent.
B.The EC2 instance is in a private subnet without internet access.
C.The EC2 instance does not have an IAM role with the necessary CloudWatch Logs permissions.
D.The CloudWatch agent configuration file does not specify an existing log group.
AnswerC

The CloudWatch agent requires permissions such as logs:PutLogEvents, logs:CreateLogStream, and logs:DescribeLogStreams.

Why this answer

Option C is correct because the agent process runs but cannot call logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents and logs:DescribeLogStreams without an instance role; attaching the CloudWatchAgentServerPolicy managed policy to the instance role is the usual fix. Option B is wrong because the question states the agent is running, and a private subnet works when a CloudWatch Logs interface VPC endpoint is in place. Option D is wrong because the agent creates the log group and stream if they do not exist, given the permissions above.

Option A is wrong because the agent ships lines from any text log; a format mismatch affects timestamp parsing, not whether events arrive.

265
MCQeasy

A developer is building a RESTful API using AWS Lambda and Amazon API Gateway. The API needs to support HTTP methods GET, POST, and DELETE. The developer wants to minimize code and operational overhead. Which API Gateway integration type should the developer use?

A.Lambda proxy integration
B.Lambda custom integration
C.HTTP integration
D.Mock integration
AnswerA

Lambda proxy integration minimizes code and overhead by passing the full request to Lambda.

Why this answer

Lambda proxy integration is the simplest and most common approach. It passes the entire request to the Lambda function, which handles routing and response formatting, minimizing code and overhead. Custom integration requires mapping templates, HTTP integration forwards to an HTTP endpoint, and mock integration is for testing.

266
MCQmedium

A Lambda function needs temporary scratch space larger than the default while processing images. Which setting should be adjusted?

A.Reserved concurrency
B.Ephemeral storage size for /tmp
C.Function URL auth type
D.Dead-letter queue target
AnswerB

The /tmp directory is the execution environment's resizable scratch space.

Why this answer

Lambda functions have a default /tmp storage of 512 MB, which is insufficient for large image processing tasks. Adjusting the ephemeral storage size (up to 10,240 MB) provides the necessary scratch space for temporary files, such as intermediate image buffers or resized outputs, without requiring external storage like EFS.

Exam trap

The trap here is that candidates confuse ephemeral storage with memory allocation or external storage services, assuming that increasing the function's memory or using S3 will solve the scratch space issue, when the /tmp directory is the only scratch space local to the execution environment that can be resized.

How to eliminate wrong answers

Option A is wrong because reserved concurrency controls the maximum number of concurrent executions for a function, not storage capacity. Option C is wrong because the function URL auth type (e.g., AWS_IAM or NONE) determines authentication for HTTP invocations, not storage. Option D is wrong because a dead-letter queue target (e.g., SQS or SNS) is used for capturing failed asynchronous invocations, not for providing scratch space.

267
MCQhard

A company runs a microservices architecture on Amazon ECS with Fargate. Each service exposes an HTTP API and needs to be accessible only from the company's internal network via a VPN. The services are deployed in private subnets. What is the MOST secure and scalable way to expose these services?

A.Create a VPC Endpoint service powered by PrivateLink and a Network Load Balancer in front of the services.
B.Place an Application Load Balancer in public subnets and point to the services' target groups.
C.Use a NAT Gateway to allow inbound traffic from the VPN to the services.
D.Use an Internet Gateway and route traffic from the VPN to the services.
AnswerA

PrivateLink allows private connectivity via NLB without internet exposure.

Why this answer

Correct: A. AWS PrivateLink with a Network Load Balancer exposes the services privately, so they are reachable over the VPC's private address space (and from the on-premises network across the VPN) without any internet path. Option B is wrong because an ALB in public subnets gives the services a public entry point.

Option D is wrong because an Internet Gateway provides public internet routing. Option C is wrong because a NAT Gateway only allows outbound connections from private subnets; it does not accept inbound traffic.

268
MCQeasy

A developer needs to deploy a containerized application on AWS. The application requires persistent storage for stateful data. Which AWS compute service should the developer choose?

A.Amazon ECS with Fargate
B.AWS Elastic Beanstalk
C.Amazon EKS with Fargate
D.AWS Lambda
AnswerA

Fargate tasks get persistent storage by mounting Amazon EFS volumes; bind mounts on Fargate are backed by ephemeral task storage.

Why this answer

Option A is correct because Amazon ECS with Fargate supports persistent storage through Amazon EFS volumes mounted into the task (bind mounts are available too, but they are ephemeral and disappear with the task). Option D is wrong because AWS Lambda is stateless and ephemeral. Option B is wrong because Elastic Beanstalk is an application deployment service; it can run Docker platforms on EC2, but it is not the container service the question asks for.

Option C is wrong because Amazon EKS with Fargate also supports persistent storage via EFS, but it brings Kubernetes operational complexity; ECS with Fargate is the simpler choice.

269
MCQmedium

A company is building a serverless application using AWS Lambda to process user uploads to Amazon S3. The Lambda function needs to access a DynamoDB table to store metadata. What is the MOST secure way to grant the Lambda function access to DynamoDB?

A.Store IAM user access keys in the Lambda function's environment variables.
B.Use a resource-based policy on the DynamoDB table to allow the Lambda function's ARN.
C.Create an IAM role with a policy that grants DynamoDB access and attach it to the Lambda function.
D.Hardcode the DynamoDB credentials in the Lambda function code.
AnswerC

Using an IAM role is the secure way to grant permissions to Lambda functions.

Why this answer

Option C is correct because attaching an execution role with a least-privilege policy is the AWS best practice: Lambda obtains short-lived credentials for the role automatically, so there are no long-term keys to leak or rotate. Option A is wrong because IAM user access keys in environment variables are long-term credentials exposed to anyone who can read the function configuration. Option B is wrong because a resource-based policy on the table does not replace the function's execution role; resource policies are mainly used to grant access across accounts.

Option D is wrong because hardcoding credentials in code is a security risk.

270
MCQeasy

A developer needs to send large files (up to 5 GB) from a web application to Amazon S3. The application runs on EC2 instances. Which approach is MOST efficient and reliable?

A.Save the file to EC2 instance store and then copy to S3.
B.Upload the file as a single S3 PutObject operation.
C.Use S3 multipart upload to upload the file in parts.
D.Use S3 Transfer Acceleration to upload the file.
AnswerC

Multipart upload improves throughput and allows retrying failed parts.

Why this answer

Option C is correct because multipart upload is recommended for objects over 100 MB (and required above 5 GB), and it uploads parts in parallel with the ability to retry only the parts that fail. Option B is wrong because a single PutObject of a multi-gigabyte object restarts from the beginning on any failure and is capped at 5 GB. Option A is wrong because EC2 instance store is temporary and adds a copy step without improving the upload.

Option D is wrong because S3 Transfer Acceleration speeds up long-distance transfers through edge locations but does not improve reliability for large objects; it is used together with multipart upload, not instead of it.
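An added example of the planning and verification side of a multipart upload. It was written for this page and is not the AWS SDK's transfer manager. It picks a part size within the S3 limits (5 MiB minimum for every part but the last, 10,000 parts maximum), lists the byte ranges each UploadPart call would cover, and computes the ETag S3 assigns to a completed multipart object (the MD5 of the concatenated binary part MD5s, followed by a hyphen and the part count) so an upload can be checked against local data without downloading it. The sample data and the 100 MiB preferred part size are constructed choices.

```python
"""Plan an S3 multipart upload and compute the resulting ETag (illustrative, not SDK code)."""
import hashlib
import math
from typing import Dict, List, Optional, Tuple

MIN_PART = 5 * 1024 * 1024   # every part except the last must be at least 5 MiB
MAX_PARTS = 10_000           # S3 limit on parts per upload


def choose_part_size(size: int, preferred: int = 100 * 1024 * 1024) -> int:
    """Largest of the preferred size, the 5 MiB floor, and what the part cap requires."""
    needed = math.ceil(size / MAX_PARTS)
    return max(MIN_PART, preferred, needed)


def part_ranges(size: int, part_size: int) -> List[Tuple[int, int]]:
    """(start, end) byte offsets, end exclusive, one tuple per UploadPart call."""
    if size == 0:
        return [(0, 0)]
    return [(s, min(s + part_size, size)) for s in range(0, size, part_size)]


def multipart_etag(data: bytes, part_size: int) -> str:
    """ETag S3 reports for a completed multipart upload made with these parts.

    S3 does not MD5 the whole object; it MD5s the concatenation of the raw
    16-byte part digests and appends '-<part count>', so the same bytes
    uploaded with a different part size get a different ETag.
    """
    ranges = part_ranges(len(data), part_size)
    digests = b"".join(hashlib.md5(data[s:e]).digest() for s, e in ranges)
    return f"{hashlib.md5(digests).hexdigest()}-{len(ranges)}"


def upload_plan(size: int, part_size: Optional[int] = None) -> Dict[str, int]:
    """Part size and part count an uploader would use for an object of `size` bytes."""
    ps = part_size or choose_part_size(size)
    return {"part_size": ps, "parts": len(part_ranges(size, ps))}


if __name__ == "__main__":
    five_gib = 5 * 1024 ** 3
    print(upload_plan(five_gib))                 # 100 MiB parts, 52 parts
    sample = b"constructed sample object " * 1000
    print(multipart_etag(sample, 5 * 1024 * 1024))  # single part: ends with "-1"
```

The plan for a 5 GiB object is 52 parts of 100 MiB, which leaves plenty of room under the 10,000-part cap; for a 5 TiB object the cap is what forces the part size up. A practical consequence of the ETag rule is that you cannot compare a multipart object's ETag with a plain MD5 of the file; recompute it with the part size the uploader used, or enable additive checksums on the upload instead.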

271
MCQmedium

A company is using AWS Lambda to process events from an SQS queue. The Lambda function runs for an average of 45 seconds and processes approximately 100 messages per second. The company notices that the Lambda function is being throttled, causing messages to remain in the queue for longer than expected. Which action would MOST effectively reduce throttling?

A.Increase the reserved concurrency for the Lambda function.
B.Increase the number of shards for the SQS queue.
C.Increase the batch size in the Lambda event source mapping.
D.Configure a Dead Letter Queue for the SQS queue.
AnswerA

Reserved concurrency guarantees a set number of concurrent executions, preventing throttling.

Why this answer

Increasing the number of shards is not applicable because SQS has no shards (that is a Kinesis concept). Increasing reserved concurrency gives the function dedicated capacity so its invocations are not throttled by other functions in the account; note that reserved concurrency is also a cap for this function and comes out of the Region's account-level limit, so it must be sized for the load (at 100 messages per second and 45 seconds per invocation, roughly 4,500 concurrent executions divided by the batch size). Increasing the batch size reduces the number of invocations but does not lift a concurrency limit.

A Dead Letter Queue captures messages that repeatedly fail; it does not prevent throttling.

272
MCQmedium

A developer is building a serverless application using AWS SAM. The application includes a Lambda function that needs read-only access to an S3 bucket. The developer wants to use SAM's built-in policy templates to grant this permission. Which policy template should be used in the SAM template?

A.S3ReadPolicy
B.S3CrudPolicy
C.S3FullAccessPolicy
D.S3StreamPolicy
AnswerA

This template grants read-only permissions (s3:GetObject, s3:ListBucket) to the specified bucket.

Why this answer

The S3ReadPolicy template is the correct choice because it grants read-only access to an S3 bucket, which aligns with the requirement for the Lambda function. AWS SAM provides this built-in IAM policy template to simplify attaching least-privilege permissions, specifically allowing s3:GetObject, s3:ListBucket, and similar read operations.

Exam trap

The trap here is that candidates may confuse S3CrudPolicy with read-only access, but CRUD implies full data manipulation (create, read, update, delete), which is more permissive than the required read-only scope.

How to eliminate wrong answers

Option B (S3CrudPolicy) is wrong because it grants create, read, update, and delete permissions, which exceeds the required read-only access and violates the principle of least privilege. Option C (S3FullAccessPolicy) is wrong because it provides full administrative access to the S3 bucket, including delete and write operations, far beyond the read-only requirement. Option D (S3StreamPolicy) is wrong because it is not a valid SAM policy template; SAM does not include a template named S3StreamPolicy, and streaming permissions are typically associated with services like Kinesis or DynamoDB Streams, not S3.

273
Multi-Selectmedium

A developer is troubleshooting a Lambda function that times out when processing large files from Amazon S3. The function is configured with a 3-minute timeout and 128 MB memory. Which TWO actions would MOST likely resolve the issue? (Choose TWO.)

Select 2 answers
A.Use S3 multipart upload for large files to improve throughput.
B.Increase the memory allocation for the Lambda function.
C.Change the S3 event notification to send messages to an Amazon SQS queue instead.
D.Update the Lambda function code to use a more efficient algorithm.
E.Increase the Lambda function timeout to 15 minutes.
AnswersA, B

Multipart upload can improve performance for large objects.

Why this answer

Option B is correct because Lambda allocates CPU and network bandwidth in proportion to memory, so raising it from 128 MB usually shortens the processing time. Option A is correct because multipart (parallel, ranged) transfers of large objects reduce the time spent moving data to and from S3. Option D is wrong because a better algorithm may help, but the constraint described (128 MB) is a resource limit rather than an algorithm problem.

Option C is wrong because routing the S3 notification through SQS adds components and does not change how long one file takes to process. Option E is wrong because a longer timeout without addressing performance only delays the failure for bigger files and makes each run cost more.

274
MCQeasy

A developer is writing a Lambda function that processes records from a Kinesis stream. The function must handle duplicate records and ensure exactly-once processing. Which approach should the developer use?

A.Disable retries in the Lambda function to avoid processing duplicates.
B.Enable record ordering in the Kinesis stream.
C.Use a unique identifier for each record and store processed IDs in a DynamoDB table to skip duplicates.
D.Send the records to an SQS FIFO queue for deduplication.
AnswerC

This ensures idempotent processing.

Why this answer

Kinesis does not guarantee exactly-once delivery; the application must handle duplicates. Using a unique identifier to deduplicate in a DynamoDB table ensures idempotency. Enabling record ordering does not prevent duplicates.

Using a FIFO queue is not applicable for Kinesis. Disabling retries would lose data.
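An added example of the idempotent processing the answer describes, written for this page rather than taken from AWS. FakeTable stands in for the DynamoDB deduplication table and implements only the behaviour that matters here: a PutItem with ConditionExpression attribute_not_exists(txId), which fails when the ID was already stored. With boto3 the equivalent is table.put_item(Item=item, ConditionExpression=Attr("txId").not_exists()) and catching ClientError with code ConditionalCheckFailedException. The records, the txId business key, the ledger side effect and the seven-day TTL are constructed for the example.

```python
"""Idempotent Kinesis record processing via a conditional put (illustrative, not AWS code)."""
import base64
import json
import time
from typing import Dict, List


class ConditionalCheckFailed(Exception):
    """Stands in for DynamoDB's ConditionalCheckFailedException."""


class FakeTable:
    """In-memory stand-in for the dedup table keyed by txId."""

    def __init__(self) -> None:
        self.items: Dict[str, Dict] = {}

    def put_if_absent(self, item: Dict) -> None:
        """PutItem with ConditionExpression attribute_not_exists(txId)."""
        if item["txId"] in self.items:
            raise ConditionalCheckFailed(item["txId"])
        self.items[item["txId"]] = item


LEDGER: List[Dict] = []  # constructed side effect that must not be applied twice


def apply_transaction(payload: Dict) -> None:
    LEDGER.append({"account": payload["account"], "amount": payload["amount"]})


def handler(event: Dict, table: FakeTable, ttl_seconds: int = 7 * 24 * 3600) -> Dict[str, int]:
    """Process a Kinesis batch, skipping records seen before.

    Lambda retries the whole batch when the function raises, and producers
    can resend, so the same record can arrive more than once. The dedup key
    is a business identifier carried in the payload (txId) rather than the
    Kinesis sequence number, because a producer retry produces a fresh
    sequence number for the same logical event.
    """
    processed = skipped = 0
    for record in event["Records"]:
        payload = json.loads(base64.b64decode(record["kinesis"]["data"]))
        marker = {
            "txId": payload["txId"],
            "sequenceNumber": record["kinesis"]["sequenceNumber"],
            "expiresAt": int(time.time()) + ttl_seconds,  # DynamoDB TTL attribute
        }
        try:
            table.put_if_absent(marker)
        except ConditionalCheckFailed:
            skipped += 1
            continue
        apply_transaction(payload)
        processed += 1
    return {"processed": processed, "skipped": skipped}


def make_event(payloads: List[Dict]) -> Dict:
    """Constructed Kinesis event in the shape Lambda delivers (data is base64)."""
    return {
        "Records": [
            {
                "eventID": f"shardId-000000000000:{1000 + i}",
                "kinesis": {
                    "sequenceNumber": str(1000 + i),
                    "data": base64.b64encode(json.dumps(p).encode()).decode(),
                },
            }
            for i, p in enumerate(payloads)
        ]
    }


if __name__ == "__main__":
    table = FakeTable()
    event = make_event([{"txId": "t-1", "account": "acc-1", "amount": 10}])
    print(handler(event, table))  # first delivery is processed
    print(handler(event, table))  # redelivery of the same batch is skipped
```

Running the same batch twice applies the ledger entry once. The marker is written before the side effect, so a crash between the two leaves a record that is marked but never applied; if losing an event is worse than duplicating it, reverse the order, or, when the side effect is itself a DynamoDB write, put the marker and the write in one TransactWriteItems call so they commit together.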

275
MCQeasy

A developer creates an AWS CloudFormation stack with the template snippet shown. The stack creation fails with the error: "Bucket with name my-unique-bucket-12345 already exists." What is the MOST likely cause?

A.The developer does not have permission to create S3 buckets.
B.The bucket name is already taken by another AWS account.
C.The CloudFormation template has a syntax error.
D.The bucket name was used by another stack in the same account.
AnswerB

S3 bucket names are globally unique.

Why this answer

Option B is correct because S3 bucket names are globally unique across all AWS accounts; CloudFormation asked S3 to create a bucket whose name is already taken. Option C is wrong because a syntax error fails template validation before any resource is created. Option D is wrong because the question gives no sign of another stack in this account, and the error text is the same whoever owns the name; the general cause is the global namespace.

Option A is wrong because a permissions problem produces an AccessDenied error, not this message.

276
MCQmedium

A developer is deploying a Node.js application on AWS Elastic Beanstalk. The application uses environment variables for database credentials. The developer wants to ensure that the credentials are encrypted at rest and rotated automatically. Which solution meets these requirements with minimal effort?

A.Store the credentials in AWS Secrets Manager and retrieve them in the application code. Configure automatic rotation.
B.Hardcode the credentials in the application code and use environment variables for different environments.
C.Store the credentials in AWS Systems Manager Parameter Store as SecureString parameters and reference them in the application code.
D.Use Elastic Beanstalk environment properties to set the credentials as plaintext environment variables.
AnswerA

Secrets Manager provides encryption and built-in rotation.

Why this answer

Correct: A. AWS Secrets Manager encrypts secrets at rest with KMS and has built-in, Lambda-backed rotation. Option C is wrong because SSM Parameter Store SecureString parameters are encrypted but have no built-in rotation.

Option B is wrong because hardcoding credentials is insecure and rotation would require a code change. Option D is wrong because Elastic Beanstalk environment properties are plaintext to anyone who can read the environment configuration and are not rotated.

277
MCQmedium

A company is using AWS Lambda with a 1 GB memory configuration. The function processes large CSV files from S3 and occasionally times out after 15 seconds. The function currently uses synchronous invocation. What is the MOST cost-effective solution to handle larger files without losing data?

A.Increase the Lambda timeout to 15 minutes and keep memory at 1 GB.
B.Switch to asynchronous Lambda invocation to allow up to 15 minutes of processing.
C.Increase the Lambda memory to 3 GB to improve processing speed.
D.Use AWS Step Functions to orchestrate the processing in smaller chunks.
AnswerA

The Lambda timeout can be raised to 15 minutes regardless of invocation type, and raising it costs nothing by itself.

Why this answer

Option A is correct because raising the timeout to the 15-minute maximum costs nothing by itself; billing is for the duration actually used, and memory stays at 1 GB. Option C is wrong because tripling memory triples the per-millisecond price and does not guarantee the file finishes. Option B is wrong because the 15-minute limit is the function's timeout setting and applies to synchronous and asynchronous invocations alike; changing the invocation type does not change it.

Option D is wrong because Step Functions adds orchestration cost and design work that the timeout change makes unnecessary.

278
Multi-Selecteasy

Which TWO AWS services can be used to store and retrieve application configuration data? (Choose two.)

Select 2 answers
A.AWS AppConfig
B.AWS Systems Manager Parameter Store
C.AWS Secrets Manager
D.Amazon S3
E.AWS CloudFormation
AnswersA, B

Managed service for application configuration.

Why this answer

Option A (AWS AppConfig) and Option B (AWS Systems Manager Parameter Store) are correct. AppConfig is built for deploying and validating application configuration, and Parameter Store holds configuration values as parameters. Option C (Secrets Manager) is for secrets, not general configuration.

Option D (S3) is general object storage. Option E (CloudFormation) is for infrastructure as code.

279
MCQmedium

An IAM policy attached to an AWS Lambda function's execution role. What actions can this Lambda function perform?

A.Invoke the specified Lambda function and receive messages from the SQS queue.
B.Send messages to the SQS queue and invoke any Lambda function.
C.Invoke the specified Lambda function and receive messages from the SQS queue.
D.Invoke the specified Lambda function and send messages to the SQS queue.
AnswerD

Both actions are explicitly allowed.

Why this answer

Option D is correct. The policy allows lambda:InvokeFunction on one specific function (which may be the function itself or another) and sqs:SendMessage on one specific queue. It does not grant sqs:ReceiveMessage.

Options A and C are wrong because they claim the function can receive messages, which the policy does not allow. Option B is wrong because invocation is scoped to the specified function, not any function.

280
MCQ · easy

A developer is writing a script to programmatically create an Amazon EC2 instance. The script will run on an EC2 instance that already has an IAM role attached. Which AWS SDK method should the developer use to securely obtain temporary credentials for the script?

A. Retrieve the temporary credentials from the instance metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/).
B. Store the access key ID and secret access key in the script.
C. Use AWS Secrets Manager to store and retrieve the credentials.
D. Use the AWS SDK's default credential provider chain.
Answer: A

Instance metadata provides temporary credentials from the IAM role automatically.

Why this answer

Option A is correct because instance metadata provides temporary credentials from the attached IAM role. Option B is wrong because hardcoding keys in the script is insecure. Option C is wrong because AWS Secrets Manager is for secrets, not automatic credential retrieval for EC2.

281
MCQ · medium

The IAM policy above is attached to a user. The user tries to decrypt data with a KMS key using the encryption context {"department": "finance"}. What will happen?

A. The action is allowed because the Allow statement matches the encryption context.
B. The action is denied because the Deny statement applies to all resources.
C. The action is denied because there is an explicit Deny that overrides any Allow.
D. The action is denied because the Allow statement does not explicitly allow.
Answer: A

The Allow condition matches, and the Deny condition does not, so the action is allowed.

Why this answer

Option A is correct because the first statement allows decryption when the encryption context "department" equals "finance", and the second statement denies it when the context does not equal "finance". For the context {"department": "finance"}, the Allow condition is met and the Deny condition is not. An explicit Deny always overrides an Allow, but a Deny statement only takes effect when its condition matches; here it does not, so only the Allow applies and the action is allowed.

Option B is wrong because the Deny condition does not match, so the Deny does not apply. Option C is wrong because the explicit Deny is conditional and its condition is not met, so there is nothing to override the Allow. Option D is wrong because the Allow condition matches.

282
Multi-Select · hard

A company is using AWS CloudFormation to manage infrastructure. A developer needs to create a stack that will launch an EC2 instance and associate an Elastic IP address. The Elastic IP must be released when the stack is deleted. Which TWO resources should the developer include in the CloudFormation template? (Choose TWO.)

Select 2 answers
A. AWS::EC2::Instance
B. AWS::EC2::EIP
C. AWS::EC2::NetworkInterface
D. AWS::EC2::Address
E. AWS::EC2::EIPAssociation
Answers: B, E

Creates the Elastic IP.

Why this answer

AWS::EC2::EIP and AWS::EC2::EIPAssociation are needed. Options B and E are correct. Option A (AWS::EC2::Instance) is needed in the template but is not part of the Elastic IP pair.

Option C (AWS::EC2::NetworkInterface) is not required. Option D (AWS::EC2::Address) is not a valid resource type.

283
MCQ · easy

A developer is building a serverless application that needs to store user session data. The data is small (a few KB per user) and must be accessible across multiple invocations of the same Lambda function and across different Lambda functions. The session data should persist for the duration of the user session (up to 1 hour). Which storage solution should the developer use?

A. Amazon ElastiCache with Redis
B. Amazon DynamoDB with TTL
C. Amazon S3
D. Local storage (Lambda ephemeral storage /tmp)
Answer: A

ElastiCache with Redis is ideal for session state storage. It provides in-memory caching with low latency, supports TTL for automatic expiration, and can be accessed from any Lambda function via a VPC. It is a common pattern for serverless session management.

Why this answer

Amazon ElastiCache with Redis is the correct choice because it provides an in-memory data store with sub-millisecond latency, making it ideal for storing small, ephemeral session data that needs to be shared across multiple Lambda invocations and functions. Redis supports key-value storage with configurable Time-to-Live (TTL) for automatic expiration, aligning perfectly with the 1-hour session duration requirement. Unlike other options, ElastiCache is designed for low-latency, cross-function access without the overhead of database writes or file system limitations.

Exam trap

The trap here is that candidates often choose DynamoDB with TTL because it is a serverless, managed service with automatic expiration, but they overlook the fact that session data requires ultra-low latency and high throughput that only an in-memory cache like Redis can provide, and DynamoDB's per-request latency and cost model are suboptimal for this use case.

How to eliminate wrong answers

Option B (Amazon DynamoDB with TTL) is wrong because while DynamoDB can store session data and TTL can expire it, it introduces higher latency and cost for small, ephemeral data compared to an in-memory cache, and it is not optimized for the sub-millisecond access patterns typical of session management. Option C (Amazon S3) is wrong because S3 is an object storage service with higher latency (typically tens to hundreds of milliseconds), and it is not designed for frequent read/write operations on small data items, making it unsuitable for session data that must be accessed across multiple invocations. Option D (Local storage /tmp) is wrong because Lambda's ephemeral storage is isolated to a single invocation instance and cannot be shared across different Lambda functions or even across concurrent invocations of the same function, violating the requirement for cross-function accessibility.

284
MCQ · easy

A developer is creating an Amazon S3 bucket to store sensitive documents. The bucket must encrypt objects at rest using an AWS Key Management Service (KMS) key. Which S3 bucket property should be configured?

A. Bucket policy
B. Default encryption
C. Versioning
D. Lifecycle configuration
Answer: B

Sets server-side encryption for all objects.

Why this answer

Option B is correct because S3 default encryption can be set to use SSE-KMS. Option A is wrong because bucket policies control access, not encryption. Option C is wrong because versioning is for object versions, not encryption.

Option D is wrong because lifecycle configuration manages the object lifecycle, not encryption.

285
MCQ · medium

A developer is deploying a new version of an AWS Lambda function. The deployment failed because the new function code references a layer that is not available. Which AWS CLI command can be used to list all layers associated with the function?

A. aws lambda list-layer-versions --layer-name my-layer
B. aws lambda get-function --function-name my-function
C. aws lambda get-function-configuration --function-name my-function
D. aws lambda list-layers --function-name my-function
Answer: C

Returns configuration including attached layers.

Why this answer

Option C is correct because `aws lambda get-function-configuration` returns the function's configuration, including its Layers. Option A is wrong because `list-layer-versions` lists versions of a specific layer. Option B is wrong because `get-function` returns the function code but does not include layers by default.

Option D is wrong because `list-layers` lists all layers in the account, not those attached to a specific function.

286
MCQ · medium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The function sometimes fails due to transient errors. The developer wants to ensure that failed messages are retried automatically and then sent to a dead-letter queue after three failed attempts. How should the developer configure this?

A. Enable the Lambda function's DLQ and set the retry attempts to 3.
B. Configure the Lambda function's reserved concurrency to 0 and set the DLQ on the function.
C. Configure the SQS queue with a redrive policy and a dead-letter queue. Set the maxReceiveCount to 3.
D. Use an Amazon SNS topic to send failed messages to a DLQ after three Lambda invocations.
Answer: C

SQS handles retries via the visibility timeout and moves the message to the DLQ after 3 receives.

Why this answer

Option C is correct because the SQS redrive policy and dead-letter queue handle retries and failures: a message that is not deleted becomes visible again after the visibility timeout and is moved to the DLQ once it has been received maxReceiveCount times. Option A is wrong because a DLQ configured on the Lambda function doesn't integrate with SQS retry logic; Lambda's own retry behaviour is separate from the queue's. Option B is wrong because reserved concurrency limits how many instances of the function can run and does not provide retries.

Option D is wrong because a Lambda destination or SNS topic reports success/failure outcomes; it does not retry SQS messages.

287
Multi-Select · hard

An event-driven application uses EventBridge rules to route partner events. Which two design choices improve maintainability?

Select 2 answers
A. Use event patterns that match stable business attributes
B. Put all routing logic in a single Lambda that invokes every target
C. Hardcode account root credentials in targets
D. Use a custom event bus or partner event source separation where appropriate
Answers: A, D

Correct for the stated requirement.

Why this answer

Option A is correct because using event patterns that match stable business attributes (e.g., order status, payment type) decouples routing logic from infrastructure details. This means if the underlying service changes its ARN or endpoint, the rule remains valid as long as the business attribute stays the same. It improves maintainability by reducing the need to update rules when non-functional aspects change.

Exam trap

The trap here is that candidates often confuse 'maintainability' with 'simplicity' and choose a single Lambda function (Option B) thinking it reduces complexity, but in reality it creates a hard-to-maintain monolith that violates AWS best practices for event-driven architectures.

288
Multi-Select · hard

A developer is building an API using Amazon API Gateway and AWS Lambda. The API must authenticate users using a third-party OAuth 2.0 provider. Which THREE components are required to implement this authentication?

Select 3 answers
A. The OAuth 2.0 access token in the Authorization header
B. Amazon CloudFront distribution for API caching
C. An API Gateway resource policy that invokes the Lambda authorizer
D. An AWS Lambda authorizer function
E. An Amazon Cognito user pool as the OAuth provider
Answers: A, C, D

The token is passed in the header for validation.

Why this answer

Options A, C, and D are required. A Lambda authorizer can validate tokens from a third-party OAuth provider. The token must be included in the request's Authorization header.

API Gateway invokes the Lambda authorizer. Option E (Cognito user pool) is not required when using a third-party provider. Option B (CloudFront) is not needed for authentication.

289
MCQ · medium

Refer to the exhibit. An IAM policy is attached to a Lambda function's execution role. The Lambda function is triggered by an S3 event and needs to invoke another Lambda function and decrypt an S3 object encrypted with a customer-managed KMS key. However, the invocation fails with an access denied error. What is the MOST likely cause?

A. The policy does not allow s3:GetObject on the S3 bucket.
B. The policy resource for Lambda is incorrect.
C. The policy is missing kms:GenerateDataKey, and kms:Decrypt might not be sufficient for all decryption scenarios.
D. The policy does not allow kms:Decrypt for the key.
Answer: C

May need additional KMS actions like kms:DescribeKey.

Why this answer

Option C is correct because the policy allows kms:Decrypt but not kms:DescribeKey or other actions that may be required for decryption. Option D is wrong because kms:Decrypt is allowed. Option B is wrong because the Lambda resource is specific.

Option A is wrong because the policy does not cover S3 actions, but the error is about the invocation.

290
MCQ · easy

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API needs to support a custom domain name and an SSL/TLS certificate. Which AWS service should the developer use to manage the SSL/TLS certificate?

A. AWS Key Management Service (AWS KMS)
B. AWS Certificate Manager (ACM)
C. AWS Identity and Access Management (IAM)
D. AWS Secrets Manager
Answer: B

ACM provides a simple way to create, manage, and deploy public and private SSL/TLS certificates for use with AWS services like API Gateway, CloudFront, and Elastic Load Balancers.

Why this answer

AWS Certificate Manager (ACM) is the correct service for provisioning, managing, and deploying SSL/TLS certificates for use with AWS services like API Gateway. ACM integrates directly with API Gateway to automatically renew certificates and attach them to custom domain names, ensuring secure HTTPS connections without manual intervention.

Exam trap

The trap here is that candidates confuse AWS KMS or Secrets Manager with certificate management, but ACM is the only service that directly provisions and manages SSL/TLS certificates for use with AWS services like API Gateway and CloudFront.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a service for creating and controlling encryption keys used to encrypt data at rest, not for managing SSL/TLS certificates. Option C is wrong because IAM is used for managing user identities and permissions, not for issuing or managing SSL/TLS certificates. Option D is wrong because AWS Secrets Manager is designed to securely store and rotate secrets like database credentials or API keys, not for managing SSL/TLS certificates.

291
MCQ · medium

A company is using AWS Lambda to process messages from an Amazon SQS queue. The Lambda function sometimes fails to process a message due to a transient error. The company wants to automatically retry failed messages up to 3 times, with a 5-minute delay between retries. What should the company configure?

A. Configure a dead-letter queue on the Lambda function with a redrive policy that allows up to 3 retries and a 5-minute delay.
B. Use AWS Step Functions to poll the SQS queue and implement a retry loop with exponential backoff.
C. Set the Lambda function's reserved concurrency to 1 and enable the 'Retry attempts' option to 3 in the function configuration.
D. Configure the SQS queue with a delivery delay of 5 minutes and a redrive policy to move messages to a dead-letter queue after 3 receives.
Answer: A

Lambda supports a dead-letter queue (DLQ) with a redrive policy to retry failed invocations. The redrive policy can specify maxReceiveCount and delaySeconds.

Why this answer

Option A is correct because the Lambda dead-letter queue (DLQ) with a redrive policy allows specifying the maximum number of retries and the delay. Option C is wrong because Lambda's maximum retry count is limited to 2 for synchronous invocations. Option D is wrong because SQS delay queues delay the delivery of new messages, not retries.

Option B is wrong because Step Functions is overkill for this simple retry logic.

292
MCQ · medium

A company is using Amazon CloudFront to serve content from an Application Load Balancer (ALB) origin. The ALB is configured as an internal load balancer in a VPC. Users are getting HTTP 502 errors when accessing the CloudFront distribution. What is the MOST likely cause?

A. The ALB has AWS WAF enabled, blocking CloudFront IP addresses.
B. The CloudFront distribution's cache behavior is set to cache all objects.
C. The ALB is not internet-facing, so CloudFront cannot reach it.
D. The CloudFront distribution is not associated with a VPN connection to the VPC.
Answer: C

CloudFront cannot reach internal ALBs.

Why this answer

Option C is correct because CloudFront cannot reach an internal ALB; the ALB must be internet-facing. Option D is wrong because CloudFront does not use a VPN. Option A is wrong because WAF does not cause 502 errors.

Option B is wrong because content caching does not cause 502 errors.

293
MCQ · hard

A company runs a critical application on AWS Lambda that processes real-time financial transactions. The Lambda function is triggered by an SQS queue that receives messages from an API Gateway. Recently, the team has observed an increase in processing errors and occasional data loss. Upon investigation, they find that the Lambda function's concurrency limit is set to 5, and the SQS queue has a visibility timeout of 30 seconds. The function typically takes 2 seconds to process a message, but during peak hours, the queue depth grows to thousands of messages. The errors occur when the Lambda function throws an exception, causing the message to return to the queue after the visibility timeout expires. However, some messages are never processed again and are eventually lost. The team suspects that the messages are being sent to the dead-letter queue (DLQ) after multiple retries, but the DLQ is not configured. The team needs to ensure that no messages are lost and that processing errors are handled appropriately. What should the team do to resolve this issue?

A. Increase the Lambda concurrency limit to 100 and set the SQS visibility timeout to 60 seconds.
B. Configure an Amazon CloudWatch alarm on the queue depth and set a Lambda function as the on-failure destination for asynchronous invocations.
C. Change the Lambda invocation mode to synchronous and use API Gateway as a proxy to invoke the function directly.
D. Configure a dead-letter queue on the SQS source queue and set the maximum receives to 3. Implement error handling in the Lambda function to catch exceptions and log them.
Answer: D

A DLQ captures failed messages after retries, preventing data loss and allowing manual or automated reprocessing.

Why this answer

Option D is correct. Configuring a dead-letter queue (DLQ) on the SQS queue ensures that messages that cannot be processed after the specified number of receives are moved to a separate queue for later analysis and reprocessing, preventing data loss. Option A is incorrect because increasing concurrency without a DLQ would still result in lost messages after retries are exhausted.

Option C is incorrect because synchronous invocation does not solve the retry and loss problem. Option B is incorrect because Lambda's on-failure destination applies to asynchronous invocations, not to SQS-triggered Lambda (which uses an event source mapping).

294
MCQ · hard

A company has a production AWS Lambda function that processes critical financial transactions. The function's code is stored in an S3 bucket. A developer accidentally deletes the S3 bucket, causing the function to fail. The developer wants to prevent this in the future by ensuring that the Lambda function can always be updated and deployed even if the original S3 bucket is deleted. What should the developer do?

A. Enable AWS CloudTrail to monitor bucket deletions.
B. Update the Lambda function code directly using the AWS CLI or SDK, and remove the dependency on S3 for future updates.
C. Set up cross-region replication to another S3 bucket.
D. Enable versioning on the S3 bucket.
Answer: B

Lambda can be updated directly, eliminating the S3 dependency.

Why this answer

Option B is correct because Lambda functions can be updated directly with new code, making them independent of the original S3 bucket. Option D is incorrect because versioning prevents accidental deletion of objects, not of the bucket itself. Option C is incorrect because replicating to another bucket still leaves the same dependency on S3.

Option A is incorrect because CloudTrail logs actions but does not prevent failures.

295
MCQ · easy

A company is using AWS CodePipeline to automate the deployment of a web application. The pipeline has three stages: Source (Amazon S3), Build (AWS CodeBuild), and Deploy (AWS CodeDeploy). The application is deployed to an Auto Scaling group of EC2 instances. Recently, a deployment failed because the CodeDeploy agent on one of the instances was not running. The developer wants to ensure that the CodeDeploy agent is always running on all instances. What is the MOST efficient solution?

A. Use AWS CloudTrail to monitor the CodeDeploy agent status and trigger an AWS Lambda function to restart it.
B. Configure a CloudWatch alarm to detect when the CodeDeploy agent is not running and restart it automatically.
C. Modify the Auto Scaling group's launch configuration to include a user data script that installs and starts the CodeDeploy agent.
D. Use AWS Systems Manager Run Command to run a script that checks and restarts the CodeDeploy agent on a schedule.
Answer: C

User data runs at instance launch, ensuring the agent is installed and started.

Why this answer

Option C is correct because an EC2 user data script that installs and starts the CodeDeploy agent ensures it runs on every instance launch. Option A is wrong because detecting and restarting the agent through CloudTrail and Lambda is reactive and not efficient. Option B is wrong because a CloudWatch alarm can only monitor; it does not restart agents.

Option D is wrong because Systems Manager Run Command can fix the issue after detection, but user data is proactive.

296
MCQ · easy

A developer is using AWS CodePipeline to automate the deployment of a web application. The developer wants to run unit tests after the source stage and before deploying to a staging environment. Which action should the developer add to the pipeline?

A. AWS CodeBuild
B. AWS CodeCommit
C. AWS CloudFormation
D. AWS CodeDeploy
Answer: A

CodeBuild can run tests as part of the build.

Why this answer

Option A is correct because AWS CodeBuild is a build service that can run unit tests. Option D is wrong because CodeDeploy deploys; it does not test. Option B is wrong because CodeCommit is a source repository.

Option C is wrong because CloudFormation is for infrastructure provisioning.

297
MCQ · hard

An application running on Amazon EC2 instances in an Auto Scaling group processes messages from an SQS queue. The application runs in a private subnet and needs to send metrics to Amazon CloudWatch. How can the developer ensure the EC2 instances can send metrics without traversing the internet?

A. Attach a NAT Gateway to the private subnet and update the route table.
B. Install the CloudWatch agent on each instance and configure it to use a proxy.
C. Attach an Internet Gateway to the VPC and assign public IPs to instances.
D. Create a VPC Endpoint for CloudWatch (com.amazonaws.region.monitoring).
Answer: D

A VPC endpoint enables private connectivity to CloudWatch.

Why this answer

A VPC endpoint for CloudWatch provides private connectivity. Option D is correct. Option A (NAT Gateway) still routes the traffic through the internet.

Option C (Internet Gateway) exposes the instances publicly. Option B (CloudWatch agent with a proxy) can send metrics but still needs a network path; the endpoint is the solution.

298
Multi-Select · medium

A developer is using AWS CodeCommit as the source repository for a CI/CD pipeline. The developer wants to trigger a build automatically when changes are pushed to a specific branch. Which services can be used to achieve this? (Choose TWO.)

Select 2 answers
A. AWS CodeBuild
B. Amazon CloudWatch Events
C. AWS CodeStar
D. AWS CodeDeploy
E. AWS CodePipeline
Answers: A, E

CodeBuild can be triggered by CodeCommit webhooks.

Why this answer

Option E is correct because CodePipeline can be configured with a CodeCommit source action that triggers on changes. Option A is correct because CodeBuild can be triggered directly by CodeCommit via webhooks. Both CodePipeline and CodeBuild can therefore achieve the trigger. Option B is wrong because, although CloudWatch Events can react to CodeCommit events and start a CodeBuild build, it is not itself a build service.

Option D is wrong because CodeDeploy is for deployment, not build. Option C is wrong because CodeStar is a management console, not a trigger service.

299
MCQ · medium

A developer is using API Gateway to expose a Lambda function as a REST API. The API must be accessible from a web application hosted on a different domain. The developer configured CORS but the browser still shows CORS errors. What should the developer do to resolve the issue?

A. Enable CORS in API Gateway and ensure the OPTIONS method returns the required headers.
B. Configure the Lambda function to return HTTP 200 for preflight OPTIONS requests.
C. Set the Access-Control-Allow-Origin header in the Lambda function response.
D. Add the web application's domain to an API Gateway usage plan.
Answer: A

API Gateway must have CORS enabled, which automatically creates the OPTIONS method.

Why this answer

API Gateway requires explicit CORS configuration, including the OPTIONS method. Option A is correct. Option D (usage plan) is irrelevant to CORS.

Option B is not enough without enabling CORS in API Gateway. Option C is incorrect because Lambda alone does not handle CORS for API Gateway.

300
Matching · medium

Match each AWS service to its primary use case.


Concepts
Matches

Object storage

NoSQL database

Serverless compute

RESTful API creation

Message queuing

Why these pairings

These services are core to the AWS Certified Developer Associate exam.
