CCNA Dev AWS Services Questions

75 of 518 questions · Page 5/7 · Dev AWS Services topic · Answers revealed

301
MCQmedium

A company is building a serverless application using AWS Lambda and Amazon DynamoDB. The Lambda function processes user uploads from Amazon S3 and stores metadata in DynamoDB. The function is experiencing high latency during peak hours. Which action would MOST improve the performance without increasing the function timeout?

A.Increase the DynamoDB table's provisioned read and write capacity.
B.Increase the Lambda reserved concurrency.
C.Move the Lambda function into a VPC with a DynamoDB VPC endpoint.
D.Enable DynamoDB Accelerator (DAX) for the table.
AnswerA

Higher provisioned capacity reduces throttling and write latency, directly improving performance.

Why this answer

Option D is correct because increasing DynamoDB provisioned read/write capacity reduces throttling and latency. Option A is wrong because Lambda reserved concurrency limits throughput. Option B is wrong because DynamoDB Accelerator (DAX) is for read-heavy workloads, but the function writes metadata.

Option C is wrong because moving to a VPC adds network latency.

302
MCQhard

A developer is designing a workflow using AWS Step Functions that includes a task to invoke an AWS Lambda function. The Lambda function sometimes times out due to long-running operations. The developer needs the workflow to wait for the Lambda function to complete asynchronously and retry on failure. Which Step Functions pattern should the developer use?

A.Use a Task state with .waitForTaskToken and have the Lambda function return the token upon completion.
B.Use a Task state that directly invokes the Lambda function synchronously.
C.Use a Parallel state to run multiple Lambda functions concurrently.
D.Use a Choice state to branch based on the Lambda function's output.
AnswerA

Allows asynchronous execution with callback.

Why this answer

Option A is correct because the Task token (.waitForTaskToken) allows the Lambda function to run asynchronously and call back with the token upon completion, enabling long-running operations. Option B is wrong because it's synchronous and tied to Lambda's timeout. Option C is wrong because it's for parallel execution.

Option D is wrong because it doesn't involve Lambda.

303
MCQeasy

A developer needs to store application configuration data, such as database connection strings and third-party API keys, securely. The data must be encrypted at rest and automatically rotated. Which AWS service should the developer use?

A.Amazon S3 with server-side encryption
B.AWS Key Management Service (KMS)
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Designed for secrets with automatic rotation capability.

Why this answer

AWS Secrets Manager is designed for storing secrets with automatic rotation. Option B is correct. Option A (SSM Parameter Store) can store secrets but does not offer automatic rotation by default.

Option C (KMS) is for encryption keys. Option D (S3) is not suitable for secrets without additional complexity.

304
MCQhard

An application uses DynamoDB Streams to trigger downstream processing. The processor must receive both old and new item images after updates. Which stream view type should be configured?

A.KEYS_ONLY
B.NEW_AND_OLD_IMAGES
C.NEW_IMAGE only
D.OLD_IMAGE only
AnswerB

Correct for the stated requirement.

Why this answer

B is correct because DynamoDB Streams must be configured with the NEW_AND_OLD_IMAGES stream view type to capture both the item's state before and after a write operation (update, insert, or delete). This ensures the downstream processor receives the complete old and new item data, which is required for use cases like auditing, change data capture, or reconciling state changes.

Exam trap

The trap here is that candidates often confuse the stream view types and assume NEW_IMAGE alone is sufficient for updates, forgetting that the requirement explicitly demands both old and new images for complete state comparison.

How to eliminate wrong answers

Option A is wrong because KEYS_ONLY captures only the key attributes of the modified item, not the full old or new images, so the processor would lack the complete item data needed for downstream logic. Option C is wrong because NEW_IMAGE only captures the item's state after the update, omitting the previous state, which fails the requirement to receive both old and new images. Option D is wrong because OLD_IMAGE only captures the item's state before the update, omitting the new state, which also fails the requirement for both images.

305
Multi-Selectmedium

Which TWO actions should a developer take to securely store secrets (e.g., database passwords) used by a Lambda function?

Select 2 answers
A.Use AWS Secrets Manager to store and retrieve the secret at runtime.
B.Upload the secret to an S3 bucket and read it from the Lambda function.
C.Use AWS Systems Manager Parameter Store with a SecureString parameter.
D.Store the secret as an environment variable in the Lambda function.
E.Hardcode the secret in the Lambda function code.
AnswersA, C

Secrets Manager encrypts secrets and allows fine-grained access control and automatic rotation.

Why this answer

Options B and D are correct. AWS Secrets Manager can automatically rotate secrets, and the Lambda function retrieves them at runtime via API. Option A is wrong because environment variables are visible in the console and logs.

Option C is wrong because storing secrets in source code is insecure. Option E is wrong because S3 is not designed for secret management and would require encryption and access control.

306
MCQmedium

A developer attaches this IAM policy to a user. The user tries to upload an object to example-bucket without specifying encryption. What will happen?

A.The upload succeeds only if the object is smaller than 5 GB.
B.The upload succeeds but the object is not encrypted.
C.The upload succeeds because S3 default encryption is applied.
D.The upload fails with an access denied error.
AnswerD

The condition requires encryption header, so request is denied.

Why this answer

Option B is correct because the condition requires s3:x-amz-server-side-encryption to be AES256; if not specified, the condition fails and the request is denied. Option A is wrong because S3 default encryption would apply but the policy condition is not met. Option C is wrong because the condition does not require the header to be set; it requires it to be AES256 if present.

Option D is wrong because the policy does not specify any encryption key.

307
MCQhard

A company is using AWS Step Functions to orchestrate a workflow that processes orders. The workflow includes a task that calls a Lambda function to validate the order. If the validation fails, the workflow should wait for manual approval before proceeding. What is the MOST efficient way to implement this manual approval step?

A.Publish a message to an Amazon SNS topic that triggers an email to the approver. The workflow continues after a fixed timeout.
B.Schedule a CloudWatch Events rule to trigger a Lambda function that checks for approval status in a DynamoDB table.
C.Use Amazon Cognito to manage user identities and require the approver to authenticate via a web portal.
D.Use a Step Functions activity task that sends a message to an Amazon SQS queue. The approval process polls the queue and sends a task success response with the .taskToken.
AnswerD

Step Functions activity tasks support callback tokens for manual intervention.

Why this answer

Option A is correct because Step Functions has a built-in 'Wait for Callback' pattern with .taskToken and activity tasks that can integrate with SQS to wait for manual approval. Option B is wrong because an SNS topic does not provide a callback mechanism. Option C is wrong because CloudWatch Events is for scheduling and events, not for manual approval workflows.

Option D is wrong because Cognito is for user authentication, not workflow approval.

308
MCQeasy

A developer is using AWS CodeCommit as a source repository and AWS CodePipeline for CI/CD. The developer wants to automatically trigger a pipeline execution when changes are pushed to the main branch. Which action should the developer take?

A.Configure CodePipeline to poll the CodeCommit repository every minute.
B.Set up a webhook in CodeCommit to notify CodePipeline on push events.
C.Create an Amazon CloudWatch Events rule that detects changes to the CodeCommit repository and triggers the pipeline.
D.Use an SNS topic to send a notification to CodePipeline when a push occurs.
AnswerC

CloudWatch Events can trigger CodePipeline on repository changes.

Why this answer

Option C is correct because configuring a CloudWatch Events rule to detect CodeCommit repository changes and trigger the pipeline is the standard method. Option A is wrong because CodePipeline does not poll repositories directly. Option B is wrong because webhooks are not supported by CodeCommit.

Option D is wrong because SNS notifications do not trigger pipelines directly.

309
MCQmedium

A company has a REST API running on Amazon EC2 instances behind an Application Load Balancer. The API is accessed by mobile clients. The company wants to add authentication and authorization without modifying the backend code. Which AWS service should be used?

A.Amazon Cognito user pools integrated with the Application Load Balancer
B.AWS Identity and Access Management (IAM)
C.Amazon API Gateway with a Lambda authorizer
D.Amazon CloudFront with Lambda@Edge
AnswerA

Cognito user pools can be integrated with ALB to authenticate users.

Why this answer

Correct: B. Amazon Cognito with an Application Load Balancer can authenticate users before requests reach the backend. Option A is wrong because IAM is for AWS service access, not end-user authentication.

Option C is wrong because API Gateway is not used here; the backend is EC2/ALB. Option D is wrong because CloudFront is a CDN, not an authentication service.

310
MCQmedium

A company is building a RESTful API using Amazon API Gateway and AWS Lambda. The API must allow users to authenticate using an identity provider that supports OpenID Connect (OIDC). The developer wants to offload authentication and authorization to API Gateway. Which API Gateway feature should the developer use?

A.Amazon Cognito User Pools authorizer
B.Custom Lambda authorizer
C.Native JWT authorizer (HTTP API)
D.AWS IAM authorizer
AnswerC

API Gateway HTTP APIs support JWT authorizers that can validate tokens from any OIDC identity provider.

Why this answer

Option C is correct because the Native JWT authorizer for HTTP APIs in API Gateway directly validates JSON Web Tokens (JWTs) from an OIDC-compliant identity provider without requiring custom code. This offloads both authentication and authorization to API Gateway by configuring the issuer URL and audience, matching the requirement to use an OIDC provider.

Exam trap

The trap here is that candidates often confuse the Native JWT authorizer (available only for HTTP APIs) with the Cognito User Pools authorizer (available for REST APIs), assuming any OIDC provider requires a Lambda authorizer or Cognito integration.

How to eliminate wrong answers

Option A is wrong because Amazon Cognito User Pools authorizer is a proprietary solution that requires users to authenticate through Cognito, not a generic OIDC identity provider; it does not support arbitrary OIDC providers. Option B is wrong because a Custom Lambda authorizer involves writing and managing custom code to validate tokens, which contradicts the requirement to offload authentication and authorization to API Gateway. Option D is wrong because AWS IAM authorizer uses AWS Signature Version 4 for request signing and is designed for AWS credentials, not OIDC tokens from a third-party identity provider.

311
MCQeasy

A company is using Amazon SQS to decouple microservices. The producer sends messages, and the consumer processes them. The consumer occasionally fails to process a message due to transient errors. What is the BEST way to ensure such messages are retried automatically?

A.Use a delay queue to postpone message processing.
B.Configure a dead-letter queue with a redrive policy on the source queue.
C.Use a FIFO queue with content-based deduplication.
D.Increase the visibility timeout to give the consumer more time.
AnswerB

Redrive policy allows automatic retries up to maxReceiveCount.

Why this answer

Option A is correct because setting the 'redrive policy' with a dead-letter queue (DLQ) allows messages to be retried up to maxReceiveCount, and then moved to DLQ. Option B is wrong because delay queues delay all messages, not retry failures. Option C is wrong because FIFO queues still need redrive policy.

Option D is wrong because visibility timeout alone does not retry on failure.

312
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The application uses sessions stored in an ElastiCache Redis cluster. Recently, users have been experiencing session timeouts and errors. The developer notices that the Redis cluster is running out of memory. What should the developer do to resolve this issue?

A.Increase the session timeout in the application configuration.
B.Enable the 'allkeys-lru' eviction policy in the Redis parameter group.
C.Reduce the number of EC2 instances behind the load balancer.
D.Migrate from Redis to a Memcached cluster.
AnswerB

Eviction policies allow Redis to free memory by removing keys when limit is reached.

Why this answer

Option A is correct because enabling eviction policies (like allkeys-lru) allows Redis to remove less frequently used keys when memory is full, preventing out-of-memory errors. Scaling up is a longer-term solution but may not be needed if eviction is enabled.

313
Multi-Selecthard

A Lambda function writes order records to DynamoDB after receiving API Gateway requests. Which two practices improve reliability during client retries?

Select 2 answers
A.Use an idempotency token from the request in a conditional DynamoDB write
B.Generate a new random primary key for every retry
C.Return the same result for repeated requests with the same idempotency key
D.Disable API Gateway request validation
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because using an idempotency token from the request in a conditional DynamoDB write ensures that if a client retries the same request, the Lambda function can check whether the token already exists in the table. If it does, the write is skipped, preventing duplicate order records. This pattern leverages DynamoDB's conditional writes (e.g., `attribute_not_exists(idempotencyKey)`) to guarantee exactly-once processing, which is critical for reliability during retries.

Exam trap

The trap here is that candidates may confuse idempotency with uniqueness — they might think generating a new random key (Option B) is a valid retry strategy, but it actually creates duplicates, whereas the correct approach is to reuse the same token and conditionally reject duplicates.

314
MCQhard

A developer notices that an AWS Lambda function is timing out after 15 seconds. The function makes HTTP requests to an external API. How can the developer resolve this issue without changing the function code?

A.Increase the reserved concurrency
B.Increase the timeout setting of the Lambda function
C.Place the Lambda function in a VPC
D.Decrease the memory allocation of the Lambda function
AnswerB

The timeout can be increased up to 15 minutes (900 seconds).

Why this answer

Option D is correct because increasing the Lambda timeout allows the function to wait longer. Option A is wrong because reducing memory may increase execution time. Option B is wrong because VPC does not affect timeout.

Option C is wrong because reserved concurrency does not affect timeout.

315
MCQmedium

A developer is using AWS AppSync to build a GraphQL API. The API needs to allow clients to receive real-time updates when data changes in a DynamoDB table. Which AppSync feature should the developer use?

A.Resolvers
B.Subscriptions
C.Queries
D.Mutations
AnswerB

Subscriptions enable real-time notifications. When a mutation is performed, subscribed clients receive the updated data via WebSocket.

Why this answer

Subscriptions in AWS AppSync are the feature designed for real-time updates. They use WebSocket connections to push data to clients automatically when a mutation modifies the underlying data source, such as a DynamoDB table. By configuring a subscription on a specific mutation, the developer enables clients to receive live changes without polling.

Exam trap

The trap here is that candidates often confuse mutations (which trigger the update) with subscriptions (which deliver the update), leading them to select 'Mutations' instead of 'Subscriptions'.

How to eliminate wrong answers

Option A is wrong because resolvers are functions that map GraphQL operations (queries, mutations, subscriptions) to data sources like DynamoDB; they do not themselves provide real-time push capabilities. Option C is wrong because queries are request-response operations that fetch data on demand, not real-time updates. Option D is wrong because mutations are write operations that modify data; while they can trigger subscriptions, they are not the mechanism for delivering real-time updates to clients.

316
MCQhard

A developer is designing a microservice that processes orders. The service must ensure that each order is processed exactly once. The developer uses an SQS queue to decouple the order submission from processing. Which SQS feature should be used to prevent duplicate processing?

A.Standard queue with visibility timeout
B.FIFO queue with content-based deduplication
C.FIFO queue with a dead-letter queue
D.Standard queue with message retention period
AnswerB

FIFO queues provide exactly-once processing.

Why this answer

Option B is correct because SQS FIFO queues support exactly-once processing through deduplication based on message deduplication ID. Option A is wrong because standard queues guarantee at-least-once delivery. Option C is wrong because visibility timeout prevents other consumers from processing the same message, but does not prevent duplicates if the message is delivered again.

Option D is wrong because dead-letter queues store messages that could not be processed, they do not prevent duplicates.

317
MCQeasy

A developer is creating a CI/CD pipeline using AWS CodeBuild and AWS CodeDeploy for a Java application that runs on EC2 instances. The build process must compile the code, run unit tests, and package the application into a WAR file. The deployment should use the blue/green deployment strategy. What is the correct sequence of actions?

A.Use CodeCommit to store the source code, CodeBuild to build, and CodePipeline to orchestrate the deployment.
B.Use CodeDeploy to build the application and then use CodePipeline to deploy it.
C.Use Elastic Beanstalk to build and deploy the application.
D.Use CodeBuild to compile and package the application, and then use CodeDeploy to perform the blue/green deployment.
AnswerA, D

This is a common pipeline, but the question asks for the sequence of actions for build and deployment specifically; however, CodePipeline orchestrates the entire process.

Why this answer

Option B is correct. CodeBuild compiles and packages the application, then CodeDeploy performs the blue/green deployment. Option A is wrong because CodeDeploy does not build.

Option C is wrong because CodeCommit is for source control, not building. Option D is wrong because Elastic Beanstalk is a platform-as-a-service, not a CI/CD service.

318
MCQeasy

A developer wants to debug an AWS Lambda function by viewing real-time logs. Which AWS service should the developer use?

A.Amazon CloudWatch Logs
B.AWS X-Ray
C.Amazon S3
D.AWS CloudTrail
AnswerA

Lambda automatically sends logs to CloudWatch Logs.

Why this answer

Option A is correct because CloudWatch Logs captures Lambda logs. Option B is wrong because X-Ray is for tracing. Option C is wrong because CloudTrail is for API calls.

Option D is wrong because S3 can store logs but not in real-time.

319
MCQhard

A developer is using AWS Step Functions to orchestrate a workflow that includes a Lambda function for data transformation. The Lambda function occasionally times out after 15 seconds. The Step Function execution fails with a 'States.Timeout' error. The developer wants to retry the Lambda task up to 3 times with exponential backoff. Which configuration should the developer add to the state definition in the Amazon States Language (ASL)?

A."Retry": [ { "ErrorEquals": ["States.Timeout"], "IntervalSeconds": 1, "BackoffRate": 2, "MaxAttempts": 3 } ]
B."Retry": [ { "ErrorEquals": ["States.Timeout"], "IntervalSeconds": 2, "BackoffRate": 3, "MaxAttempts": 5 } ]
C."Retry": [ { "ErrorEquals": ["States.Timeout"], "IntervalSeconds": 1, "BackoffRate": 2, "MaxAttempts": 2 } ]
D."Retry": [ { "ErrorEquals": ["Lambda.ServiceException"], "IntervalSeconds": 1, "BackoffRate": 2, "MaxAttempts": 3 } ]
AnswerA

Correctly catches States.Timeout, exponential backoff with 3 attempts.

Why this answer

Option C is correct because it defines a Retry with a 1-second interval, backoff rate of 2, and max attempts of 3. Option A is wrong because it uses 'ErrorEquals' with 'Lambda.ServiceException' which is not the timeout error; the error is 'States.Timeout'. Option B is wrong because it has 'MaxAttempts' as 5, not 3.

Option D is wrong because it has only 2 max attempts.

320
MCQmedium

A Lambda function must retrieve feature flags at runtime with low latency and controlled rollout. Which AWS service is most appropriate?

A.AWS CloudFormation Parameters
B.AWS IAM Access Analyzer
C.Amazon Inspector
D.AWS AppConfig
AnswerD

Correct for the stated requirement.

Why this answer

AWS AppConfig is the correct choice because it is purpose-built for managing application configuration at runtime, including feature flags, with support for controlled rollouts (e.g., percentage-based deployments, canary releases) and low-latency retrieval via the AppConfig agent or direct API calls. It integrates with AWS Lambda to fetch configuration values on-demand without requiring a full deployment, enabling dynamic feature toggling.

Exam trap

The trap here is that candidates may confuse AWS AppConfig with AWS Systems Manager Parameter Store or AWS Secrets Manager, but AppConfig is the only service that combines runtime configuration retrieval with controlled rollout and validation, which is explicitly required for feature flags.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation Parameters are used to pass values into CloudFormation templates at stack creation or update time, not for runtime retrieval of feature flags with low latency and controlled rollout. Option B is wrong because AWS IAM Access Analyzer is a security tool that analyzes resource policies to identify unintended access, not a service for managing feature flags or application configuration. Option C is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and network exposure, not a runtime configuration or feature flag service.

321
MCQmedium

A developer is using the AWS CLI to upload a large file to S3. The file is 2 GB. The developer uses the following command: aws s3 cp largefile.zip s3://mybucket/. The upload is taking longer than expected. Which change would MOST improve the upload speed?

A.Disable multipart upload by setting --no-multipart.
B.Increase the multipart upload part size using the --multipart-upload-part-size option.
C.Enable S3 Transfer Acceleration on the bucket and use the --endpoint-url parameter.
D.Use the aws s3api put-object command instead.
AnswerB

Increasing part size reduces the number of parts, improving speed.

Why this answer

For large files, the aws s3 cp command automatically uses multipart upload, but increasing the part size can reduce the number of parts and improve throughput. Using aws s3api put-object is single-part and not suitable for large files. Disabling multipart upload would slow it down.

S3 Transfer Acceleration reduces latency over long distances, but does not necessarily improve throughput for a single upload.

322
MCQmedium

An independent software vendor (ISV) is building a serverless application that processes incoming HTTP requests. The incoming requests must be validated against an OpenAPI schema before being passed to the Lambda function. Which AWS service should the ISV use to perform this validation?

A.Amazon API Gateway (with request validation)
B.AWS WAF
C.Amazon Cognito
D.AWS AppSync
AnswerA

Correct. API Gateway can validate requests against an OpenAPI schema before forwarding them to the Lambda function, reducing unnecessary invocations and improving security.

Why this answer

Amazon API Gateway's request validation feature can validate incoming HTTP requests against an OpenAPI (Swagger) schema before the request reaches the Lambda function. This offloads validation from the Lambda code, reducing cost and latency by rejecting invalid requests early. The ISV can define the schema in the API Gateway REST API or HTTP API, and API Gateway will automatically check headers, query strings, and request bodies against the schema.

Exam trap

The trap here is confusing AWS WAF's ability to inspect HTTP requests (e.g., body size, headers) with API Gateway's schema-based validation, leading candidates to choose WAF for payload validation instead of API Gateway's built-in request validation.

How to eliminate wrong answers

Option B (AWS WAF) is wrong because WAF is a web application firewall that filters traffic based on IP addresses, SQL injection patterns, or cross-site scripting, not for validating request payloads against an OpenAPI schema. Option C (Amazon Cognito) is wrong because Cognito provides authentication, authorization, and user management, not request schema validation. Option D (AWS AppSync) is wrong because AppSync is a managed GraphQL service for real-time data synchronization and offline access, not for validating RESTful HTTP requests against an OpenAPI schema.

323
Multi-Selectmedium

A developer is designing a system that requires processing of streaming data from IoT devices in real time. The processed data will be stored in an S3 bucket for analytics. Which AWS services should the developer use together to build this solution? (Choose TWO.)

Select 2 answers
A.Amazon Kinesis Data Firehose
B.Amazon Kinesis Data Streams
C.AWS Lambda
D.Amazon S3
E.Amazon SQS
AnswersA, B

Firehose can load streaming data into S3 for analytics.

Why this answer

The correct answers are A and D. Amazon Kinesis Data Streams ingests streaming data, and Amazon Kinesis Data Firehose delivers that data to S3. Option B is wrong because Lambda is not a streaming ingestion service.

Option C is wrong because SQS is for message queues, not real-time streaming. Option E is wrong because S3 is the destination, not the processing service.

324
Drag & Dropmedium

Drag and drop the steps to configure an S3 bucket for static website hosting in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the bucket, then enable static website hosting, configure index and error documents, set appropriate permissions, and finally upload content.

325
MCQmedium

A developer is deploying an application using AWS CodeDeploy with an in-place deployment configuration. The application runs on an EC2 instance behind an Application Load Balancer. The deployment fails because the health check fails after the new version is installed. What should the developer do to prevent the deployment from failing due to health checks?

A.Deregister the instance from the target group before deployment and register it after.
B.Switch to a blue/green deployment strategy.
C.Configure a longer health check grace period in the CodeDeploy application specification.
D.Increase the health check interval on the load balancer.
AnswerC

The grace period allows the application to initialize before health checks are performed, preventing premature failure.

Why this answer

The correct answer is D. Configuring a longer health check grace period allows the application to start and stabilize before the load balancer checks its health. Option A is wrong because deregistering the instance during deployment is not a standard practice and may cause traffic loss.

Option B is wrong because a blue/green deployment is a different strategy, not a fix for in-place deployment. Option C is wrong because increasing the interval alone does not provide a grace period.

326
Multi-Selectmedium

A developer is designing a serverless application that uses AWS Lambda and Amazon DynamoDB. The application needs to handle high traffic spikes without data loss. Which TWO actions should the developer take?

Select 2 answers
A.Enable DynamoDB Auto Scaling
B.Use Provisioned IOPS for DynamoDB
C.Enable DynamoDB Streams
D.Use Amazon SQS to buffer requests to Lambda
E.Increase the Lambda concurrency limit to the maximum
AnswersA, D

Auto scaling adjusts read/write capacity to handle traffic spikes.

Why this answer

Option B is correct because SQS decouples processing and provides a buffer. Option D is correct because DynamoDB auto scaling handles capacity. Option A is wrong because Lambda concurrency limit would throttle.

Option C is not directly related. Option E is wrong because Provisioned IOPS is for EBS.

327
Multi-Selectmedium

Which TWO IAM policy conditions can be used to enforce multi-factor authentication (MFA) for API calls?

Select 2 answers
A.Condition: { "Null": { "aws:MultiFactorAuthPresent": "false" } }
B.Condition: { "StringLike": { "iam:MFADeviceType": "Virtual" } }
C.Condition: { "ForAllValues:StringEquals": { "aws:SourceIdentity": "admin" } }
D.Condition: { "StringEquals": { "iam:ResourcePath": "/" } }
E.Condition: { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
AnswersA, E

This denies access if the MFA key is absent (null), effectively requiring MFA.

Why this answer

Options B and D are correct. 'Bool' condition with 'aws:MultiFactorAuthPresent' checks if MFA was used. 'Null' condition can check if the MFA key is absent. Option A is wrong because it checks the user's path. Option C is wrong because it checks the MFA device type.

Option E is wrong because it checks the caller identity.

328
MCQhard

A developer is working on a serverless application that uses Amazon DynamoDB as the database. The application reads and writes data to a DynamoDB table named 'Orders'. The table has a partition key 'OrderID' and a sort key 'OrderDate'. The application experiences high read latency during peak hours. The developer checks the CloudWatch metrics and notices high ReadThrottleEvents for the table. The table's read capacity is set to on-demand mode. The developer also notices that the application performs many queries that scan the entire table to find orders by customer ID, which is not a key attribute. What should the developer do to reduce read throttling?

A.Enable DynamoDB Accelerator (DAX) to cache the read results.
B.Switch the table to provisioned capacity mode and increase the read capacity units.
C.Create a Global Secondary Index (GSI) on the CustomerID attribute and query the index instead of scanning the table.
D.Keep the table in on-demand mode but increase the maximum read capacity limit.
AnswerC

A GSI allows efficient querying by CustomerID, avoiding full table scans.

Why this answer

Option C is correct because creating a Global Secondary Index (GSI) on CustomerID allows efficient queries without scanning. Option A is wrong because increasing read capacity units doesn't apply to on-demand mode. Option B is wrong because on-demand mode already handles spikes, but throttling can still occur if a partition's throughput is exceeded.

Option D is wrong because DAX is an in-memory cache that can reduce read load, but it doesn't fix the inefficient query pattern.

329
MCQhard

A developer uses the AWS SDK to list thousands of DynamoDB items from a query. Only the first page is processed. What should be implemented?

A.Pagination using LastEvaluatedKey until no further key is returned
B.A larger Lambda memory setting only
C.A global secondary index with the same key
D.Strongly consistent reads on every request
AnswerA

Correct for the stated requirement.

Why this answer

The DynamoDB Query API returns paginated results, with a maximum of 1 MB of data per page. The `LastEvaluatedKey` in the response indicates that more items exist. To retrieve all items, the application must check for `LastEvaluatedKey` and, if present, issue a subsequent Query request with the `ExclusiveStartKey` parameter set to that value, repeating until `LastEvaluatedKey` is no longer returned.

This is the standard pagination pattern for DynamoDB.

Exam trap

The trap here is that candidates may assume DynamoDB returns all matching items in a single response, overlooking the 1 MB pagination limit and the necessity of handling `LastEvaluatedKey` in a loop.

How to eliminate wrong answers

Option B is wrong because increasing Lambda memory only increases CPU and network bandwidth, but does not change the DynamoDB API's 1 MB page size limit or the need to handle pagination; the query would still return only the first page. Option C is wrong because a global secondary index (GSI) with the same key would not solve the pagination issue; it would simply provide an alternative query path that also returns paginated results. Option D is wrong because strongly consistent reads ensure the most up-to-date data but do not affect the number of items returned per page or the pagination mechanism; they are unrelated to the pagination problem.

330
MCQeasy

An application running on Amazon EC2 instances behind an Application Load Balancer (ALB) intermittently returns 503 errors. The ALB health checks are failing for some instances intermittently. The developer checks the instance system logs and finds no application errors. What is the most likely cause of the health check failures?

A.The application on the instances is experiencing resource exhaustion (e.g., memory or CPU) which causes it to stop responding to health checks temporarily
B.The security group for the instances does not allow inbound traffic from the ALB on the health check port
C.The health check path is not configured correctly and the default path returns a 404 status
D.The target group is not configured with the correct protocol
AnswerA

Intermittent failures suggest transient issues like high resource utilization. The application may become unresponsive during spikes, causing health checks to fail until resources are freed.

Why this answer

Intermittent 503 errors from the ALB combined with intermittent health check failures and no application errors in the system logs strongly point to transient resource exhaustion (CPU or memory) on the EC2 instances. When an instance runs out of memory or CPU, the application process may become unresponsive or be killed by the OS (e.g., OOM killer), causing it to fail health checks temporarily. Once resources are freed (e.g., after a spike subsides), the application resumes responding, which explains the intermittent nature of the failures.

Exam trap

The trap here is that candidates often assume health check failures are always due to misconfiguration (security groups, paths, or protocols) and overlook transient resource exhaustion, which is a common cause of intermittent failures in production.

How to eliminate wrong answers

Option B is wrong because if the security group did not allow inbound traffic from the ALB on the health check port, health checks would fail consistently, not intermittently. Option C is wrong because a misconfigured health check path returning a 404 would cause persistent health check failures, not intermittent ones. Option D is wrong because an incorrect target group protocol (e.g., HTTP vs HTTPS) would cause all health checks to fail consistently, not intermittently.

331
Multi-Selectmedium

A company is designing a microservices architecture using AWS Lambda. Each microservice has its own DynamoDB table. The Lambda functions need to perform CRUD operations on their respective tables. Which TWO IAM best practices should be applied? (Choose TWO.)

Select 2 answers
A.Grant access to all DynamoDB tables using a wildcard in the resource ARN.
B.Use a single IAM role shared by all Lambda functions.
C.Attach the IAM policy to the AWS account instead of the role.
D.Scope the IAM policy resource to the specific DynamoDB table ARN.
E.Create a separate IAM role for each Lambda function.
AnswersD, E

Limits access to required resources.

Why this answer

Options A and D are correct. A: Using separate IAM roles for each function enforces least privilege. D: Scoping IAM policies to specific DynamoDB tables using ARN ensures functions can only access their own table.

Option B is wrong because using a single IAM role violates least privilege. Option C is wrong because using wildcard for all tables grants too much access. Option E is wrong because attaching policies at the account level is too broad.

332
MCQmedium

A company uses AWS Lambda to process user-uploaded images stored in an S3 bucket. Recently, the Lambda function started timing out, and CloudWatch Logs show 'Error: Unable to locate credentials' in the function logs. What is the most likely cause?

A.The function's environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are missing.
B.The Lambda function is configured with a different runtime that does not support the AWS SDK.
C.The Lambda execution role does not have the necessary IAM policy to access the S3 bucket.
D.The function's code is explicitly setting AWS credentials using the AWS SDK.
AnswerC

Without the correct IAM policy, the function cannot assume the role to get credentials for S3 access.

Why this answer

Option B is correct because the Lambda function's execution role must have permissions to access S3. If the role lacks the necessary IAM policy, the SDK cannot retrieve credentials to make the S3 API call. Option A is wrong because Lambda functions use a temporary credentials provider via the execution role, not the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Option C is wrong because Lambda's execution environment sets its own credentials; setting them manually is not recommended. Option D is wrong because the error is about credentials, not the function's runtime.

333
MCQeasy

A developer is using the AWS SDK for Python (Boto3) to upload objects to an S3 bucket. The developer wants to encrypt the objects at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). Which parameter should the developer include in the put_object call?

A.SSEAlgorithm: 'AES256'
B.SSEKMSKeyId: 'alias/aws/s3'
C.ServerSideEncryption: 'aws:kms'
D.ServerSideEncryption: 'AES256'
AnswerC

This specifies SSE-KMS encryption.

Why this answer

Option C is correct because the ServerSideEncryption parameter set to 'aws:kms' tells S3 to use SSE-KMS. Option A is wrong because SSEAlgorithm is not a valid parameter. Option B is wrong because SSE-S3 uses 'AES256'.

Option D is wrong because the key ID is not required if using the default KMS key.

334
MCQeasy

A developer needs to store application configuration data that can be read by multiple EC2 instances. The data is less than 1 KB and changes frequently. Which AWS service is BEST suited for this?

A.Amazon S3
B.AWS Systems Manager Parameter Store
C.AWS AppConfig
D.Amazon DynamoDB
AnswerC

AppConfig is designed for application configuration with frequent updates.

Why this answer

Option C is correct because AWS AppConfig is designed for application configuration and supports frequent updates. Option A is wrong because S3 is object storage, not ideal for small frequently changing configs. Option B is wrong because Parameter Store can store configs but is better for less frequent changes; AppConfig is optimized for frequent changes.

Option D is wrong because DynamoDB is a database, overkill for simple config.

335
Multi-Selectmedium

A developer is deploying an application on Amazon ECS using Fargate. The application needs to securely access an Amazon RDS database. The developer wants to avoid hardcoding database credentials in the application code. Which THREE actions should the developer take to meet these requirements? (Choose THREE.)

Select 3 answers
A.Hardcode the credentials in the application code and encrypt the code using AWS KMS.
B.Store the database credentials in AWS Systems Manager Parameter Store or AWS Secrets Manager.
C.Reference the secrets in the task definition as environment variables using the 'secrets' parameter.
D.Grant the ECS task execution role permission to read the secrets from Parameter Store or Secrets Manager.
E.Store the credentials in Amazon Elastic Container Registry (ECR) as a tag.
AnswersB, C, D

Parameter Store or Secrets Manager can securely store secrets and be retrieved by the application.

Why this answer

Options A, C, and D are correct. Option A: AWS Systems Manager Parameter Store or AWS Secrets Manager can store credentials. Option C: Task execution role allows ECS to retrieve secrets.

Option D: Secrets can be injected as environment variables. Option B is wrong because database credentials are not stored in ECR. Option E is wrong because Secrets Manager cannot be directly accessed by the application without proper IAM permissions.

336
MCQhard

A company uses Amazon DynamoDB as a session store for a web application. The application recently experienced a spike in traffic, causing increased read latency. The DynamoDB table has a read capacity of 5000 RCUs and uses eventual consistent reads. The application performs many GetItem calls. What should a developer do to improve read performance with minimal cost?

A.Enable DynamoDB Accelerator (DAX) for the table
B.Increase the read capacity to 10000 RCUs
C.Configure DynamoDB global tables for the application
D.Enable DynamoDB Streams and process updates asynchronously
AnswerA

DAX provides an in-memory cache that reduces read latency.

Why this answer

Option B is correct because DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache that reduces read latency from single-digit milliseconds to microseconds. Option A is wrong because increasing RCUs increases cost and does not use caching. Option C is wrong because DynamoDB Streams are for change data capture, not caching.

Option D is wrong because Global Tables are for multi-region replication, not read performance.

337
MCQeasy

A developer is building a CI/CD pipeline using AWS CodePipeline. The source stage is an Amazon S3 bucket. The developer wants to automatically start the pipeline when a new file is uploaded to the S3 bucket. What should the developer do?

A.Configure the S3 bucket to send events to an SQS queue, and poll the queue from CodePipeline.
B.Create an Amazon CloudWatch Events rule that triggers on S3 object creation events and targets the pipeline.
C.Set up a periodic Lambda function that checks the S3 bucket for new files and starts the pipeline.
D.Configure the S3 bucket to send events to an SNS topic, and subscribe CodePipeline to the topic.
AnswerB

CloudWatch Events (EventBridge) can capture S3 events and start the pipeline automatically.

Why this answer

Option B is correct because CodePipeline can be configured to use Amazon CloudWatch Events (now Amazon EventBridge) to detect S3 events and start the pipeline. Option A is incorrect because SQS does not trigger CodePipeline. Option C is incorrect because SNS can be used but is not a direct trigger; EventBridge is the recommended approach.

Option D is incorrect because polling is not efficient; EventBridge provides real-time events.

338
MCQmedium

A developer is building a serverless application using AWS Step Functions to orchestrate multiple AWS Lambda functions. One of the Lambda functions occasionally fails due to a transient error. The developer wants the Step Functions execution to automatically retry the failed task up to three times with exponential backoff. Which configuration should the developer set in the Step Functions state machine definition?

A.Add a Retry clause in the Lambda function's configuration with a maximum retry count of 3.
B.Use the Amazon States Language (ASL) Retry field in the Task state definition.
C.Wrap the Lambda function invocation in a custom while loop within the function code.
D.Use the Amazon States Language Catch field in the Task state to redirect to a retry logic.
AnswerB

The ASL Retry field allows defining retry policies, including exponential backoff and maximum retry attempts.

Why this answer

Option B is correct because the Amazon States Language (ASL) provides a native Retry field within a Task state definition that allows you to specify retry policies, including a maximum retry count and exponential backoff. This is the intended mechanism for handling transient failures in Step Functions without requiring custom code or external retry logic.

Exam trap

The trap here is that candidates confuse the Retry field (for retries) with the Catch field (for error handling) or mistakenly think retry logic belongs in the Lambda function code rather than in the state machine definition.

How to eliminate wrong answers

Option A is wrong because the Retry clause in a Lambda function's configuration (e.g., in the function's reserved concurrency or event source mapping) does not control Step Functions retries; Step Functions retries are defined in the state machine definition, not in the Lambda function itself. Option C is wrong because wrapping the Lambda invocation in a custom while loop within the function code would not integrate with Step Functions' retry mechanism and would violate the serverless orchestration pattern, as Step Functions manages retries at the state machine level. Option D is wrong because the Catch field is used to handle errors by redirecting to a different state (e.g., a fallback or error-handling state), not to implement retry logic; retries are handled exclusively by the Retry field.

339
MCQeasy

A developer needs to store a small amount of session state data (less than 1 MB) for a web application running on EC2. The data must be shared across multiple instances. Which solution is MOST cost-effective?

A.Use an Amazon EBS volume with multi-attach.
B.Use Amazon ElastiCache for session state.
C.Store session data in Amazon S3.
D.Use Amazon DynamoDB to store session data.
AnswerB

ElastiCache provides low-latency, shared session storage.

Why this answer

Option A is correct because ElastiCache (Redis or Memcached) is designed for session state and is cost-effective. Option B is wrong because DynamoDB is more expensive for simple session state. Option C is wrong because S3 is slow for session state.

Option D is wrong because EBS cannot be shared across instances.

340
MCQhard

A company runs a containerized application on Amazon ECS using Fargate launch type. The application needs to read and write files to a shared file system across multiple tasks. The development team wants a solution that provides high throughput and is POSIX-compliant. Which storage solution should the team use?

A.Amazon S3 with mountpoint-s3
B.Amazon EFS
C.Amazon EBS with multi-attach enabled
D.Amazon FSx for Windows File Server
AnswerB

EFS provides a fully managed, POSIX-compliant file system that can be shared across multiple ECS tasks.

Why this answer

The correct answer is C. Amazon EFS provides a scalable, POSIX-compliant file system that can be mounted by multiple ECS tasks. Option A is wrong because S3 is object storage, not POSIX-compliant.

Option B is wrong because EBS volumes can only be attached to one instance at a time. Option D is wrong because FSx for Windows File Server is not POSIX-compliant.

341
Multi-Selectmedium

A company is using Amazon API Gateway to expose a REST API. The API is integrated with an AWS Lambda function. The developer wants to implement caching to improve performance. Which THREE steps are necessary to enable caching for a specific stage? (Choose THREE.)

Select 3 answers
A.Attach an IAM policy to the API Gateway role for cache access.
B.Modify the Lambda function to store responses in ElastiCache.
C.Enable API caching in the stage settings.
D.Set a cache time-to-live (TTL) value.
E.Specify a cache cluster size (e.g., 0.5 GB).
AnswersC, D, E

Correct: This turns on caching for the stage.

Why this answer

A, B, and D are correct. You must enable caching in API Gateway (A), specify a cache size (B), and set a TTL (D). Option C is wrong because the Lambda function does not need changes.

Option E is wrong because IAM permissions are not directly required for caching.

342
MCQhard

A company is running a containerized application on Amazon ECS with Fargate launch type. The application needs to access an Amazon S3 bucket. The company wants to follow the principle of least privilege. How should the developer provide the necessary permissions?

A.Use Amazon EFS to store access keys.
B.Assign an IAM instance profile to the Fargate tasks.
C.Create an IAM task role with S3 permissions and associate it with the ECS task definition.
D.Store AWS credentials in the container image.
AnswerC

Task roles provide least privilege for Fargate tasks.

Why this answer

Option B is correct because an IAM task role is the recommended way to grant permissions to ECS tasks. Option A is wrong because instance roles are for EC2, not Fargate. Option C is wrong because storing credentials in the container is insecure.

Option D is wrong because EFS is for file storage, not for granting S3 permissions.

343
Multi-Selectmedium

A developer is using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function is triggered by S3 events. The developer notices that the function sometimes processes the same file multiple times. Which TWO steps should the developer take to make the processing idempotent? (Choose TWO.)

Select 2 answers
A.Check if the file has already been processed by storing a marker in DynamoDB.
B.Use conditional writes in DynamoDB to ensure that updates are idempotent.
C.Reduce the S3 event batch size in the Lambda trigger.
D.Increase the Lambda function's timeout.
E.Enable S3 versioning on the bucket.
AnswersA, B

Using a marker ensures idempotent processing by checking existence.

Why this answer

Options B and D are correct. Option B ensures that if a file is processed again, it checks for a marker. Option D ensures updates are idempotent.

Option A is wrong because increasing timeout does not prevent duplicate processing. Option C is wrong because batch size is for SQS, not S3 triggers. Option E is wrong because it does not prevent reprocessing.

344
Drag & Dropmedium

Drag and drop the steps to encrypt an EBS volume using AWS KMS in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create a KMS key, then snapshot the unencrypted volume, copy with encryption, and create the encrypted volume.

345
MCQmedium

A company uses AWS CodeBuild to run unit tests. The buildspec.yml file is stored in the source repository. The build fails intermittently with 'command not found' for a tool that is installed in the build environment. What should the developer do to ensure the tool is available?

A.Use a custom Docker image that includes the tool.
B.Configure the build environment to include the tool via the AWS Management Console.
C.Add a post_build phase to install the tool.
D.Add a pre_build phase to install the tool.
AnswerD

pre_build phase runs before build and can install dependencies.

Why this answer

Option A is correct because CodeBuild supports installing dependencies in the pre_build phase. Option B is wrong because phases are already defined. Option C is wrong because the tool may not be available in all environments.

Option D is wrong because CodeBuild environments are not customizable via console.

346
MCQmedium

A developer is deploying a web application using AWS Elastic Beanstalk. The application uses an Amazon RDS MySQL database. The developer wants to ensure that database credentials are not stored in the application code or environment variables. The solution must automatically rotate credentials every 90 days. The developer has created a secret in AWS Secrets Manager containing the database credentials. The Elastic Beanstalk environment is configured with an IAM instance profile that has permission to read the secret. However, when the application is deployed, it fails to connect to the database. The developer checks the application logs and sees a 'Host not found' error. The RDS instance is in a private subnet, and the Elastic Beanstalk environment is in the same VPC. What is the MOST likely cause of the connection failure?

A.The secret is not correctly referenced in the Elastic Beanstalk environment properties.
B.The application code is not retrieving the secret from Secrets Manager at startup.
C.The IAM instance profile does not have the necessary permissions to access the secret.
D.The secret is stored in a different region than the Elastic Beanstalk environment.
AnswerB

The application must call Secrets Manager to get the credentials; otherwise it tries to connect with undefined values.

Why this answer

Option D is correct. The application likely needs to retrieve the secret at runtime, but the code may be incorrect. However, the 'Host not found' error suggests the database hostname is not being resolved.

Option A is wrong because the instance profile has permission. Option B is wrong because Secrets Manager does not automatically inject into environment; the app must fetch it. Option C is wrong because the secret can be stored as plaintext or JSON; format is not the issue.

347
Multi-Selectmedium

A company uses AWS CodePipeline to deploy a web application to an EC2 instance. The deployment often fails because the application is still running when new files are copied. Which THREE actions can be combined to achieve zero-downtime deployments?

Select 3 answers
A.Use AWS CodeDeploy with an in-place deployment configuration.
B.Configure the EC2 instances behind an Auto Scaling group and use a rolling update.
C.Define an AppSpec file that includes 'BeforeInstall' and 'AfterInstall' hooks to stop and start the application.
D.Use AWS CodeBuild to build and deploy the application.
E.Use Amazon Inspector to check the application before deployment.
AnswersA, B, C

CodeDeploy can manage application lifecycle during deployment.

Why this answer

Options A, B, and D are correct. Using CodeDeploy (A) with an in-place deployment can manage the lifecycle. The AppSpec file (B) can define hooks to stop the application before install and start it after.

Auto Scaling group (D) with a rolling update can ensure instances are replaced without downtime. Option C is wrong because CodeBuild is for building, not deployment. Option E is wrong because Amazon Inspector is for security scanning.

348
MCQhard

A developer is deploying a microservice using Amazon ECS with Fargate. The service needs to scale based on CPU utilization. Which combination of actions is required? (Select TWO)

A.Configure an ELB target group health check
B.Create a CloudWatch alarm on the ECS service's CPUUtilization metric
C.Create a target tracking scaling policy for the ECS service
D.Enable auto scaling on the ECS cluster
E.Create an Application Auto Scaling step scaling policy
AnswerB, C

The alarm triggers scaling actions.

Why this answer

To scale ECS services, you create a CloudWatch alarm on CPU utilization and associate it with an Application Auto Scaling target tracking policy. Options B and D are correct.

349
MCQhard

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API receives a large number of requests with duplicate payloads from the same client within a short time window. To reduce Lambda invocations and improve performance, the developer wants to return the previously computed response for identical requests based on a unique client ID in the header. How can the developer achieve this using API Gateway features?

A.Enable API Gateway caching on the stage and configure the client ID header as a cache key parameter. Set a cache TTL of 5 minutes.
B.Configure a usage plan with a quota and throttle settings to limit requests per client ID.
C.Use request validation to reject requests that have the same client ID within 5 minutes.
D.Reduce the Lambda function's batch size to 1 and implement caching logic inside the function using an external cache like ElastiCache.
AnswerA

API Gateway caching uses cache key parameters to index responses. By including the client ID header in the cache key, different clients get separate cached responses. The TTL controls how long the response is cached.

Why this answer

Option A is correct because API Gateway caching allows you to store responses for a configurable TTL and use the client ID header as a cache key parameter. This means that when a request with the same client ID arrives within the TTL window, API Gateway returns the cached response directly without invoking the Lambda function, reducing invocations and improving performance.

Exam trap

The trap here is that candidates may confuse API Gateway caching (which returns cached responses for identical cache keys) with usage plans or throttling (which only limit request rates) or with Lambda-level caching (which still incurs invocation costs).

How to eliminate wrong answers

Option B is wrong because usage plans with quota and throttle settings limit the rate or total number of requests, but they do not return previously computed responses for duplicate payloads; they simply reject or delay requests. Option C is wrong because request validation in API Gateway only checks the structure and presence of required headers or body fields, not the content or duplication of payloads; it cannot reject requests based on a client ID being repeated. Option D is wrong because reducing the Lambda batch size to 1 is irrelevant (Lambda functions process one event at a time by default) and implementing caching inside the function with ElastiCache would still invoke Lambda for every request, missing the goal of reducing invocations; API Gateway caching avoids Lambda invocation entirely for cached responses.

350
MCQhard

A developer is deploying a microservices application using Amazon ECS with Fargate. The application consists of multiple services that need to communicate with each other over HTTP. The developer wants to ensure that service-to-service communication is encrypted in transit and that the services can discover each other by logical service names instead of IP addresses. Which combination of AWS services should the developer use?

A.Elastic Load Balancing with AWS Systems Manager
B.Amazon Route 53 with AWS Direct Connect
C.AWS Lambda with Amazon API Gateway
D.AWS App Mesh with AWS Cloud Map
AnswerD

App Mesh provides mTLS and Cloud Map provides service discovery, meeting both requirements.

Why this answer

AWS App Mesh provides service mesh capabilities including mTLS for encryption and service discovery using virtual services. AWS Cloud Map is used for service discovery with logical names. Together, they enable encrypted service-to-service communication.

Route 53 is for DNS but not mTLS. ELB is for load balancing, not service discovery. Systems Manager is for configuration management, not networking.

Direct Connect is a dedicated network connection.

351
MCQmedium

A developer is building an application that processes user-uploaded images. The application uses Amazon S3 to store the images and AWS Lambda to generate thumbnails. When a user uploads an image to an S3 bucket, an S3 event notification triggers a Lambda function. The Lambda function processes the image and saves the thumbnail to another S3 bucket. The developer notices that sometimes the Lambda function is not triggered after an upload. The developer checks the Lambda function's CloudWatch logs and sees no invocation records for those uploads. The S3 bucket event notification configuration appears correct. What is the most likely cause of this issue?

A.The destination S3 bucket does not have the correct bucket policy to allow the Lambda function to write thumbnails.
B.The S3 event notification is configured as an asynchronous invocation, and the event is lost.
C.The Lambda function's execution role does not have permission to read from the S3 bucket.
D.The S3 bucket and the Lambda function are in different AWS regions.
AnswerD

S3 event notifications can only trigger Lambda functions in the same region.

Why this answer

Option A is correct because S3 event notifications might not be delivered if the bucket is in a different region than the Lambda function; the Lambda function must be in the same region as the S3 bucket for S3 event notifications. Option B is wrong because the Lambda function's IAM role does not affect invocation; it affects execution. Option C is wrong because S3 event notifications are not asynchronous; they are delivered synchronously.

Option D is wrong because the destination bucket's permissions are not relevant to the invocation trigger.

352
MCQhard

A developer is designing a serverless application that uses Amazon API Gateway and AWS Lambda. The application needs to handle a sudden spike in traffic. The Lambda function performs CPU-intensive operations. What should the developer do to ensure the application scales without errors?

A.Set the API Gateway throttling limits to a high value.
B.Use an Amazon SQS queue to buffer requests before processing.
C.Configure the Lambda function with reserved concurrency and provisioned concurrency.
D.Increase the Lambda function timeout to the maximum value.
AnswerC

Reserved concurrency ensures capacity, provisioned concurrency reduces cold starts.

Why this answer

Option C is correct because Lambda concurrency limits control scaling, and provisioned concurrency prevents cold starts. Option A is wrong because API Gateway throttling would reject requests. Option B is wrong because increasing timeout doesn't help scaling.

Option D is wrong because reserved concurrency sets a limit, not a guarantee.

353
MCQeasy

A developer is building a microservice that needs to invoke another AWS Lambda function and wait for the result to continue processing. Which Lambda invocation type must the developer use to achieve synchronous invocation?

A.RequestResponse
B.Event
C.DryRun
D.None of the above
AnswerA

This invocation type causes the client to wait for the function to execute and return a response, enabling synchronous processing.

Why this answer

The RequestResponse invocation type is the correct choice for synchronous invocation of a Lambda function, where the caller waits for the function to execute and receive a response. This is the default invocation type when using the Invoke API with InvocationType set to 'RequestResponse', and it is required for microservices that need to block until the downstream Lambda returns a result.

Exam trap

The trap here is that candidates may confuse the Event invocation type (asynchronous) with synchronous behavior, or mistakenly think DryRun is a valid Lambda invocation type, leading them to select 'None of the above' when they don't recognize RequestResponse as the correct term.

How to eliminate wrong answers

Option B is wrong because the Event invocation type is asynchronous; it queues the invocation and returns immediately with an HTTP status code of 202, without waiting for the function to execute or return a result. Option C is wrong because DryRun is not a valid Lambda invocation type; it is a parameter used with other AWS services (e.g., EC2) to test permissions without executing the action. Option D is wrong because 'None of the above' is incorrect since RequestResponse is a valid and correct invocation type for synchronous invocation.

354
MCQmedium

A developer is using Amazon API Gateway to expose a Lambda function as a REST API. The Lambda function queries an Amazon RDS database. Under heavy load, the database connection pool is exhausted, causing errors. What is the BEST way to manage database connections in this serverless architecture?

A.Migrate the database to Amazon DynamoDB.
B.Increase the concurrency limit of the Lambda function.
C.Use Amazon RDS Proxy to pool and share database connections.
D.Use Amazon ElastiCache to cache database connections.
AnswerC

RDS Proxy manages connection pooling, allowing Lambda functions to share connections efficiently.

Why this answer

Option D is correct because RDS Proxy is designed to manage database connection pooling for serverless applications, reducing connection exhaustion. Option A is incorrect because increasing Lambda concurrency would make the problem worse. Option B is incorrect because storing connections in ElastiCache does not help with database connections.

Option C is incorrect because using DynamoDB would change the database, not solve the connection management issue.

355
MCQhard

An application stores session data in DynamoDB and must expire sessions automatically after a timestamp. Which feature should be used?

A.DynamoDB global tables
B.DynamoDB transactions
C.DynamoDB export to S3
D.DynamoDB Time to Live
AnswerD

Correct for the stated requirement.

Why this answer

DynamoDB Time to Live (TTL) allows you to define a timestamp attribute per item, and DynamoDB automatically deletes items once that timestamp is reached. This is the ideal feature for expiring session data without requiring custom scan-and-delete logic, reducing cost and operational overhead.

Exam trap

The trap here is that candidates may confuse DynamoDB TTL with DynamoDB Streams or Lambda triggers for cleanup, but TTL is the native, serverless mechanism that requires no custom code for expiration.

How to eliminate wrong answers

Option A is wrong because DynamoDB global tables replicate data across regions for low-latency access and disaster recovery, not for automatic expiration of items. Option B is wrong because DynamoDB transactions provide ACID guarantees for multi-item operations, not scheduled deletion based on time. Option C is wrong because DynamoDB export to S3 is used for point-in-time backups or data lake integration, not for expiring items within the table.

356
MCQhard

A developer is using AWS CodeBuild to build a Java application. The build fails with 'OutOfMemoryError: Java heap space'. How can the developer fix this without changing the source code?

A.Add -Xmx1024m to the buildspec commands
B.Change the build image to a smaller one
C.Set the memory parameter in the build project
D.Increase the compute type of the build project
AnswerD

Larger compute types have more memory, which can resolve heap space errors.

Why this answer

Option A is correct because increasing the compute type provides more memory. Option B is wrong because CodeBuild does not support custom JVM options in buildspec. Option C is wrong because changing the image may not help.

Option D is wrong because CodeBuild doesn't have a memory setting separate from compute type.

357
MCQhard

A company has a Lambda function that writes to an S3 bucket. The IAM role used by the function has an inline policy allowing s3:PutObject on the bucket. However, writes fail with an access denied error. What is the MOST likely cause?

A.The S3 bucket is in a different region.
B.The S3 bucket uses SSE-KMS encryption and the function lacks kms:Decrypt permissions.
C.The Lambda function does not have the correct execution role.
D.The S3 bucket has a bucket policy that denies the request.
AnswerD

A bucket policy can override IAM permissions with an explicit deny.

Why this answer

Option D is correct because S3 bucket policies can explicitly deny access even if IAM allows it. Option A is wrong because the function role has permissions. Option B is wrong because S3 does not require VPC endpoints.

Option C is wrong because KMS encryption requires additional permissions, but access denied could be due to bucket policy deny.

358
Multi-Selectmedium

A developer is designing a system that ingests high-volume data from IoT devices. The data must be processed in near real-time and then stored in Amazon S3 for analytics. Which TWO AWS services should the developer use together to meet these requirements? (Choose TWO.)

Select 2 answers
A.Amazon SQS
B.Amazon SNS
C.Amazon Kinesis Data Streams
D.Amazon EC2
E.AWS Lambda
AnswersC, E

Kinesis Data Streams ingests high-volume streaming data.

Why this answer

Options A and D are correct. Amazon Kinesis Data Streams can ingest high-volume streaming data, and AWS Lambda can process the stream in near real-time. Option B is wrong because SQS is for message queues, not streaming.

Option C is wrong because SNS is for pub/sub, not streaming. Option E is wrong because EC2 is not serverless and requires management.

359
Multi-Selecthard

A developer is designing a serverless application that processes streaming data from IoT devices. The application must be able to handle data from millions of devices and store the data in a durable, scalable data store. Which AWS services should the developer use? (Choose THREE.)

Select 3 answers
A.Amazon Kinesis Data Streams
B.Amazon RDS
C.Amazon DynamoDB
D.AWS Lambda
E.Amazon SQS
AnswersA, C, D

Kinesis Data Streams can ingest high-throughput streaming data.

Why this answer

Option A is correct because Kinesis Data Streams can ingest large volumes of streaming data. Option C is correct because Lambda can process the data in real-time. Option E is correct because DynamoDB is a scalable, durable data store suitable for IoT data.

Option B is wrong because SQS is not a streaming service. Option D is wrong because RDS is not as scalable for high-throughput streaming data.

360
MCQeasy

A developer is building a serverless application using AWS Lambda. The function needs to access a private S3 bucket in the same AWS account. What is the BEST way to grant the Lambda function access to the bucket?

A.Create an IAM execution role with an S3 access policy and attach it to the Lambda function.
B.Store AWS credentials in environment variables and use them in the function code.
C.Attach an inline IAM policy directly to the Lambda function.
D.Add a bucket policy to the S3 bucket allowing the Lambda function's ARN.
AnswerA

Correct: The execution role is the standard way to grant permissions to Lambda.

Why this answer

Option A is correct because the Lambda execution role can be attached to the function and include an IAM policy granting access to the S3 bucket. This follows the principle of least privilege and avoids hardcoding credentials. Option B is wrong because bucket policies are resource-based and not attached to functions.

Option C is wrong because environment variables would expose credentials. Option D is wrong because Lambda does not have an inline policy property - policies are attached via roles.

361
Multi-Selecthard

A developer is using AWS Lambda with an Amazon DynamoDB trigger. The Lambda function processes items from a DynamoDB Stream. The developer needs to ensure that the function processes each change exactly once and in order. Which TWO configurations should the developer use?

Select 2 answers
A.Use a FIFO queue as an event source instead of DynamoDB Streams.
B.Increase the Lambda function's concurrency limit.
C.Set a reserved concurrency for the Lambda function to limit concurrent executions.
D.Set the batch size to 1 in the event source mapping.
E.Enable the batch window in the event source mapping.
AnswersC, D

Prevents too many parallel invocations.

Why this answer

Option A is correct because a Lambda reservation ensures concurrency for the function. Option C is correct because specifying a batch size of 1 processes each record individually, ensuring order. Option B is wrong because DynamoDB Streams is already ordered by default; no need for FIFO.

Option D is wrong because increasing concurrency is unnecessary. Option E is wrong because batch window is not needed.

362
MCQmedium

A company runs a production application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application receives high traffic and needs to process incoming HTTP requests, store the request payload in an S3 bucket for auditing, and return a response. The development team uses AWS Lambda to process the payload. The team wants to ensure that the solution is scalable, fault-tolerant, and decoupled. The current approach is to have the EC2 instances send requests directly to the Lambda function via the AWS SDK. However, the team notices that during traffic spikes, some requests are lost and the Lambda function throttles. What should the team do to improve the architecture?

A.Increase the Lambda function's reserved concurrency to the maximum allowed.
B.Place API Gateway in front of Lambda and have EC2 send requests to API Gateway.
C.Use Amazon Kinesis Data Streams instead of Lambda to process the payload.
D.Have the EC2 instances send messages to an Amazon SQS queue, and configure the SQS queue as an event source for the Lambda function.
AnswerD

SQS decouples the producers from consumers, provides a buffer, and Lambda can poll at its own pace, reducing throttling.

Why this answer

Option C is correct because using SQS decouples the EC2 instances from Lambda, provides buffering, and reduces throttling. Option A is incorrect because increasing Lambda concurrency may not solve the loss of requests; requests can still be dropped if Lambda is overwhelmed. Option B is incorrect because API Gateway still requires synchronous invocation and may still cause throttling.

Option D is incorrect because Kinesis is for real-time streaming, not ideal for simple request queuing.

363
Multi-Selecthard

A company is using AWS CloudFormation to deploy a web application. The template creates an Auto Scaling group, an Application Load Balancer, and a security group. The developer wants to ensure that the stack update fails if the new Auto Scaling group instances fail health checks. Which THREE steps should the developer take? (Choose THREE.)

Select 3 answers
A.Configure the Auto Scaling group to send a signal to CloudFormation using cfn-signal.
B.Associate the Auto Scaling group with an ALB target group.
C.Add a CreationPolicy to the Auto Scaling group.
D.Add an UpdatePolicy to the Auto Scaling group with a rolling update configuration.
E.Use the AWS::CloudFormation::Init metadata to run a health check script.
AnswersA, B, C

cfn-signal is used to notify CloudFormation of success or failure.

Why this answer

Option A is correct because the Auto Scaling group must associate with the ALB target group for health checks. Option B is correct because creation policies allow CloudFormation to wait for a signal of success. Option D is correct because a CloudFormation signal (cfn-signal) is used to report success/failure.

Option C is wrong because UpdatePolicy is used for rolling updates, not for signaling health checks. Option E is wrong because AWS::CloudFormation::Init is for software configuration, not health check signaling.

364
MCQmedium

A developer is implementing an e-commerce application where a purchase operation must deduct inventory and create an order atomically. The inventory and orders are stored in separate DynamoDB tables. Which DynamoDB feature should the developer use to execute these operations as a single, all-or-nothing transaction?

A.DynamoDB Streams
B.DynamoDB Transactions
C.DynamoDB Accelerator (DAX)
D.DynamoDB Global Tables
AnswerB

Correct. DynamoDB Transactions (TransactWriteItems) guarantee atomic, consistent, isolated, and durable (ACID) operations across one or more tables.

Why this answer

DynamoDB Transactions provide ACID (Atomicity, Consistency, Isolation, Durability) guarantees across one or more tables within a single AWS account and region. This allows the developer to combine the deduct-inventory and create-order operations into a single all-or-nothing transaction, ensuring that both succeed or both fail without partial updates.

Exam trap

The trap here is that candidates often confuse DynamoDB Streams with transactional capabilities, assuming that capturing changes in order guarantees atomicity, but Streams are asynchronous and cannot enforce all-or-nothing semantics across multiple tables.

How to eliminate wrong answers

Option A is wrong because DynamoDB Streams capture a time-ordered sequence of item-level changes in a table, but they do not provide atomicity or transactional coordination across multiple tables. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory caching layer that improves read performance but does not offer transactional write capabilities. Option D is wrong because DynamoDB Global Tables provide multi-region replication for disaster recovery and low-latency reads, but they do not enable atomic multi-table transactions within a single region.

365
Multi-Selectmedium

Which TWO AWS services can be used to build a serverless event-driven application that processes data from Amazon S3 and stores results in Amazon DynamoDB? (Choose 2.)

Select 2 answers
A.AWS Lambda
B.Amazon Kinesis Data Streams
C.Amazon EC2
D.AWS Step Functions
E.Amazon EMR
AnswersA, D

Lambda can be triggered by S3 events to process data.

Why this answer

B and D are correct. AWS Lambda can be triggered by S3 events to process data, and AWS Step Functions can orchestrate the workflow. Option A (Amazon Kinesis) is for streaming data, not S3 events.

Option C (Amazon EC2) is server-based. Option E (Amazon EMR) is for big data processing.

366
MCQmedium

A developer is building a web application that uses Amazon DynamoDB as the database. The application needs to store user session data and must support eventual consistency reads for most use cases, but strongly consistent reads for critical operations. The developer wants to minimize costs. Which read capacity unit (RCU) configuration should the developer use?

A.Use on-demand capacity mode to pay per request, avoiding provisioned capacity costs.
B.Use provisioned capacity with 1 RCU per item, since eventually consistent reads consume half the RCUs.
C.Use provisioned capacity with sufficient RCUs to handle strongly consistent reads, as they consume the same as eventually consistent.
D.Use provisioned capacity with enough RCUs for peak traffic, and use DynamoDB Accelerator (DAX) for caching.
AnswerA

On-demand mode is ideal for unpredictable traffic and eliminates the overhead of capacity planning, often resulting in lower costs for variable workloads like session data.

Why this answer

Option A is correct because on-demand capacity mode charges per request (read/write), eliminating the need to provision fixed RCUs. For a session store with mixed consistency requirements, on-demand is cost-effective when traffic is unpredictable or low, as you only pay for actual reads and writes. Eventually consistent reads consume half the RCUs of strongly consistent reads, but on-demand pricing automatically accounts for this difference without manual configuration.

Exam trap

The trap here is that candidates assume provisioned capacity is always cheaper, but for variable workloads like session stores, on-demand can minimize costs by eliminating unused capacity, especially when mixed consistency models are needed.

How to eliminate wrong answers

Option B is wrong because 1 RCU per item is not a fixed rule; RCU consumption depends on item size (1 RCU = one strongly consistent read of up to 4 KB per second) and eventually consistent reads consume 0.5 RCUs, not a fixed 1 RCU per item. Option C is wrong because strongly consistent reads and eventually consistent reads do not consume the same RCUs; eventually consistent reads use half the RCUs (0.5 RCU per 4 KB item) compared to strongly consistent reads (1 RCU per 4 KB item). Option D is wrong because provisioning for peak traffic with DAX adds cost and complexity; DAX is a caching layer that reduces read load but incurs additional charges, contradicting the goal to minimize costs.

367
MCQeasy

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API should allow users to retrieve data from an Amazon DynamoDB table. The developer wants to minimize latency for frequently accessed data. What should the developer do?

A.Deploy a CloudFront distribution in front of the API Gateway.
B.Increase the Lambda function memory to improve performance.
C.Use DynamoDB Accelerator (DAX) as a caching layer.
D.Enable API Gateway caching.
AnswerC

DAX is an in-memory cache specifically for DynamoDB, reducing query latency for frequently accessed data.

Why this answer

The correct answer is C. Using DynamoDB Accelerator (DAX) provides an in-memory cache that reduces latency for frequently accessed data. Option A is wrong because API Gateway caching caches the entire API response, which may not be efficient for all requests.

Option B is wrong because increasing Lambda memory does not directly reduce latency for DynamoDB queries. Option D is wrong because CloudFront is for content delivery, not for reducing database latency.

368
MCQhard

A developer is using AWS CodePipeline to deploy a microservices application to Amazon ECS using the 'Rolling update' deployment type. The pipeline includes a source stage (CodeCommit), build stage (CodeBuild), and deploy stage (CodeDeploy to ECS). After a recent commit, the build stage succeeds, but the deploy stage fails with 'The service has reached the maximum number of running tasks.' What is the MOST likely cause?

A.The task definition is misconfigured and the task fails to start.
B.The ECS service is configured with auto scaling and has reached the maximum task count.
C.The ECS service has reached the AWS account service quota for Fargate tasks.
D.The CodeDeploy deployment configuration uses a 'canary' instead of 'rolling' update.
AnswerB

Auto scaling can set a maximum tasks; if already at max, a rolling update that tries to start new tasks before stopping old ones will fail.

Why this answer

Option A is correct because ECS service auto scaling can set a maximum number of tasks; if the desired count is already at max, the deployment cannot add new tasks. Option B is wrong because deployment type does not affect task count limits. Option C is wrong because ECS service quota is a hard limit, but the error specifically mentions 'maximum number of running tasks' which aligns with auto scaling settings.

Option D is wrong because a misconfigured task definition would cause task start failures, not a max task count error.

369
MCQmedium

A service needs loosely coupled asynchronous communication where one producer sends events to many different AWS service targets using rules. Which service fits best?

A.Amazon EFS
B.AWS CloudHSM
C.Amazon EventBridge
D.AWS DataSync
AnswerC

Correct for the stated requirement.

Why this answer

Amazon EventBridge is a serverless event bus service that enables loosely coupled asynchronous communication. It allows a single producer to publish events, and then uses rules to route those events to multiple AWS service targets (e.g., Lambda, SQS, Step Functions) simultaneously, fulfilling the requirement exactly.

Exam trap

The trap here is that candidates may confuse Amazon EventBridge with Amazon SNS (Simple Notification Service), but the question explicitly mentions 'rules' to filter events, which is a core EventBridge feature, whereas SNS uses topic subscriptions without rule-based filtering.

How to eliminate wrong answers

Option A is wrong because Amazon EFS is a file storage service for EC2 instances, not an event-driven communication service; it cannot route events or support producer-to-multiple-target patterns. Option B is wrong because AWS CloudHSM provides hardware security modules for cryptographic key storage, not event routing or asynchronous messaging. Option D is wrong because AWS DataSync is a data transfer service for moving large datasets between on-premises and AWS storage, not for event-driven, loosely coupled communication with rules.

370
MCQhard

A developer is building a real-time chat application using WebSockets via API Gateway. The backend uses AWS Lambda functions to handle connect, disconnect, and message events. The application needs to broadcast messages to all connected clients. What is the most scalable and cost-effective way to maintain the list of connection IDs and broadcast messages?

A.Use an SQS FIFO queue to store connection IDs and have a Lambda function poll the queue to broadcast.
B.Store connection IDs in a DynamoDB table. Use a Lambda function to query all connection IDs and send messages using the API Gateway Management API.
C.Maintain an in-memory list of connection IDs in a global variable of a single Lambda function.
D.Use Amazon ElastiCache Redis to store connection IDs and use Redis Pub/Sub for broadcasting.
AnswerB

DynamoDB is fully managed, scalable, and cost-effective for storing and retrieving connection IDs.

Why this answer

Option A is correct. DynamoDB is a scalable, low-latency database that can store connection IDs and allow Lambda to query all connections for broadcasting. Option B is wrong because an in-memory list in a single Lambda instance does not scale across multiple instances.

Option C is wrong because ElastiCache is more expensive and complex than DynamoDB for this use case. Option D is wrong because SQS is not designed for real-time broadcasting and would require polling.

371
MCQeasy

Refer to the exhibit. A developer created this CloudFormation template for an S3 bucket. What is the expected behavior?

A.Noncurrent versions of objects are deleted 30 days after they become noncurrent.
B.The bucket will have versioning disabled because the rule conflicts.
C.Current versions are transitioned to another storage class after 30 days.
D.Objects are automatically deleted after 30 days.
AnswerA

The NoncurrentVersionExpirationInDays deletes noncurrent versions after the specified days.

Why this answer

Option B is correct because the lifecycle rule will delete noncurrent versions after 30 days. Option A is wrong because versioning is enabled, so old versions are kept. Option C is wrong because the rule only applies to noncurrent versions.

Option D is wrong because the action is expiration, not transition.

372
MCQeasy

A developer is building a serverless application using AWS Lambda that processes files uploaded to an S3 bucket. The function needs to read the file content and store metadata in DynamoDB. Which AWS service should be used to trigger the Lambda function when a new object is created in S3?

A.Amazon CloudWatch Events
B.Amazon SQS
C.Amazon SNS
D.Amazon S3 Event Notifications
AnswerD

S3 can directly invoke Lambda via event notifications on object creation.

Why this answer

Correct: C. S3 can be configured to send events to Lambda, SQS, or SNS when objects are created. Option A is wrong because SQS is a queue service, not a direct trigger source for S3 events.

Option B is wrong because SNS is a notification service, but S3 can directly invoke Lambda without SNS. Option D is wrong because CloudWatch Events is used for scheduled or pattern-based events, not S3 object creation.

373
MCQhard

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The API has a REST endpoint that triggers a Lambda function to write data to an Amazon DynamoDB table. Under high traffic, some requests are failing with 5xx errors. The developer notices that the Lambda function's duration is spiking. Which combination of actions should the developer take to improve performance and reduce errors?

A.Enable DynamoDB Accelerator (DAX) for the table and set a Lambda reserved concurrency.
B.Use an Amazon SQS queue as a buffer between API Gateway and Lambda.
C.Increase the Lambda function's memory and enable DynamoDB auto-scaling.
D.Switch the API endpoint to HTTP API and enable API Gateway caching.
AnswerA

DAX reduces read latency and load on DynamoDB; reserved concurrency prevents overloading the function.

Why this answer

Option B is correct because enabling DynamoDB acceleration and Lambda concurrency limits address both performance and throttling. Option A is wrong because increasing memory reduces duration but not concurrency issues. Option C is wrong because DAX is not for API Gateway.

Option D is wrong because SQS adds latency for real-time APIs.

374
MCQeasy

An S3 bucket has versioning enabled with MFA Delete. A developer tries to permanently delete a specific version of an object using the AWS CLI without providing MFA. What is the result?

A.A delete marker is created for the object version.
B.The object version is permanently deleted.
C.The request is denied with an AccessDenied error.
D.The object version is marked with a delete marker.
AnswerC

MFA Delete requires MFA authentication for permanent deletions.

Why this answer

Option B is correct because when MFA Delete is enabled, permanent deletion of object versions requires MFA authentication. Without MFA, the request fails. Option A is wrong because the delete marker is not created; the request is denied.

Option C is wrong because the request does not succeed. Option D is wrong because a delete marker is not created when trying to delete a specific version.

375
MCQeasy

A developer wants to store session state for a web application running on multiple EC2 instances. Which AWS service provides a fully managed, in-memory data store that is ideal for this use case?

A.Amazon ElastiCache for Redis
B.Amazon S3
C.Amazon DynamoDB
D.Amazon RDS for MySQL
AnswerA

Redis is an in-memory data store commonly used for session management.

Why this answer

Option B is correct because Amazon ElastiCache for Redis is a fully managed in-memory data store that supports session state management with features like persistence, replication, and high availability.

← PreviousPage 5 of 7 · 518 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Dev AWS Services questions.