CCNA Dev AWS Services Questions

75 of 518 questions · Page 6/7 · Dev AWS Services topic · Answers revealed

376
Multi-Selecthard

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses Amazon ElastiCache for session state. Recently, users are experiencing intermittent session timeouts and slow page loads. The developer suspects the issue is related to the ElastiCache cluster. Which THREE actions should the developer take to troubleshoot and resolve the issue? (Choose THREE.)

Select 3 answers
A.Monitor the ElastiCache cluster's CPU utilization and cache hit ratio in CloudWatch.
B.Enable Encryption in transit for the ElastiCache cluster.
C.Scale the ElastiCache cluster by adding more nodes or using a larger node type.
D.Review the application's cache key design and ensure that data is evenly distributed across shards.
E.Enable Multi-AZ replication for the ElastiCache cluster.
AnswersA, C, D

CPU utilization and cache hit ratio help identify performance bottlenecks.

Why this answer

Options B, C, and D are correct. Option B helps identify slow queries and cache hits. Option C helps scale for increased load.

Option D helps distribute traffic evenly. Option A is wrong because multi-AZ is for high availability, not performance. Option E is wrong because Encryption in transit addresses security, not performance.

377
MCQhard

A company is using AWS Lambda to process messages from an Amazon SQS queue. The Lambda function is configured with a reserved concurrency of 10. The SQS queue receives a burst of 1000 messages. The Lambda function processes each message in about 5 seconds. What is the most likely behavior of the system?

A.Lambda rejects the messages and sends them to the dead-letter queue.
B.Lambda automatically scales up to 1000 concurrent executions to process all messages quickly.
C.Lambda increases the reserved concurrency to accommodate the burst.
D.Lambda processes up to 10 messages concurrently, and the rest remain in the queue until processing capacity is available.
AnswerD

With reserved concurrency of 10, only 10 functions run at a time; remaining messages wait in the queue.

Why this answer

The correct answer is D. Lambda will poll the SQS queue, but with reserved concurrency of 10, only 10 Lambda functions can run concurrently. The remaining messages will remain in the queue until the running functions finish.

Option A is wrong because Lambda does not block the queue. Option B is wrong because Lambda does not scale beyond reserved concurrency. Option C is wrong because Lambda does not automatically increase concurrency beyond the limit.

378
MCQmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application experiences high latency during peak hours. The developer wants to scale the application automatically based on CPU utilization. Which configuration should the developer use?

A.Configure an Auto Scaling step scaling policy based on MemoryReservation metric.
B.Use AWS CloudFront to cache responses and reduce load on the application.
C.Configure an Auto Scaling simple scaling policy based on Average CPU Utilization > 70% for scale-out and < 30% for scale-in.
D.Configure an Auto Scaling target tracking policy based on NetworkIn metric.
AnswerC

Correct approach using CPU utilization thresholds.

Why this answer

Elastic Beanstalk uses Auto Scaling groups. Option B correctly configures a scale-out policy based on CPU > 70% and a scale-in policy for CPU < 30%. Option A uses incorrect metric (Memory).

Option C uses incorrect service (CloudFront). Option D uses incorrect metric (NetworkIn).

379
Multi-Selecteasy

Which TWO of the following are valid use cases for Amazon S3 event notifications?

Select 2 answers
A.Automatically replicate objects to another bucket
B.Automatically delete objects after 30 days
C.Encrypt objects automatically with KMS
D.Send a notification to an SQS queue when a new object is created
E.Trigger a Lambda function to process an image after upload
AnswersD, E

S3 can publish events to SQS.

Why this answer

S3 event notifications can trigger Lambda functions and send messages to SQS or SNS. Options B and D are correct.

380
Multi-Selecthard

A company uses AWS CloudFormation to deploy infrastructure. A developer needs to update a stack that includes an RDS DB instance. The update requires modifying the DB instance's DB engine version. Which THREE strategies can the developer use to minimize downtime during the update?

Select 3 answers
A.Use the RDS modify-db-instance command to upgrade the engine version in-place.
B.Update the stack directly by modifying the DB engine version property in the template.
C.Use RDS Blue/Green Deployments to create a staging environment, apply the change, and switch over.
D.Delete the current stack and create a new stack with the new engine version.
E.Create a read replica with the new engine version, promote it to primary, and update the stack to point to the new instance.
AnswersA, C, E

In-place upgrade may cause a brief downtime but is a valid strategy if the downtime is acceptable.

Why this answer

Options A, B, and D are correct. Option A: RDS supports upgrading to a new engine version without data loss. Option B: Creating a read replica, promoting it, and updating the stack can reduce downtime.

Option D: Using a blue/green deployment with RDS Blue/Green Deployments allows switching with minimal downtime. Option C is incorrect because deleting the stack would cause data loss. Option E is incorrect because modifying the stack without any strategy may cause downtime.

381
MCQmedium

A developer is building a serverless application using AWS Lambda and Amazon API Gateway. The API requires that the same Lambda function handle different HTTP methods (GET, POST, DELETE) for the same resource. The developer wants to minimize code and configuration. Which integration type should the developer use?

A.Lambda proxy integration
B.Lambda custom integration
C.HTTP integration
D.Mock integration
AnswerA

With proxy integration, the whole request is passed to Lambda, allowing the function to handle multiple methods with minimal API Gateway setup.

Why this answer

Lambda proxy integration (option A) is correct because it automatically passes the entire HTTP request (method, headers, query parameters, path parameters) to the Lambda function as a single event object, allowing the same function to inspect the `httpMethod` field and branch logic for GET, POST, DELETE without any additional API Gateway mapping or transformation configuration. This minimizes both code (the function handles routing internally) and configuration (no need to define separate integration requests/responses per method).

Exam trap

The trap here is that candidates often confuse 'custom integration' (option B) with 'proxy integration' (option A), mistakenly thinking custom integration offers more flexibility when in fact it requires more configuration and does not automatically pass the full request context.

How to eliminate wrong answers

Option B (Lambda custom integration) is wrong because it requires you to explicitly define request/response mapping templates for each HTTP method, increasing configuration complexity and defeating the goal of minimizing code and configuration. Option C (HTTP integration) is wrong because it proxies requests to an HTTP endpoint, not to a Lambda function, so it cannot directly invoke the same Lambda for multiple methods without an intermediate HTTP service. Option D (Mock integration) is wrong because it returns a static response defined in API Gateway without invoking any backend, so it cannot handle dynamic business logic for different HTTP methods.

382
MCQhard

A developer attached the above IAM policy to an IAM user. The user tries to upload an object to the S3 bucket my-bucket without specifying server-side encryption. What will happen?

A.The upload will succeed because the Deny statement is redundant.
B.The upload will succeed because the Allow statement grants PutObject permission.
C.The upload will succeed but the object will be stored without encryption.
D.The upload will be denied because the Deny statement explicitly denies PutObject without AES256 encryption.
AnswerD

Explicit Deny always overrides Allow.

Why this answer

Option A is correct because the Deny statement will match (since s3:x-amz-server-side-encryption is not AES256), and explicit Deny overrides Allow. Option B is incorrect because the Allow statement requires encryption, but the Deny explicitly denies if not AES256. Option C is incorrect because the Deny is not redundant; it enforces encryption.

Option D is incorrect because the upload will be denied, not proceed without encryption.

383
MCQeasy

A developer needs to store application logs from multiple EC2 instances in a centralized location for analysis. The logs should be retained for 90 days. Which AWS service should be used to collect and store the logs?

A.Amazon Kinesis Data Firehose
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon S3 with S3 Server Access Logs
AnswerB

CloudWatch Logs can collect, store, and retain logs with configurable retention.

Why this answer

Correct: C. Amazon CloudWatch Logs can collect logs from EC2 instances via the CloudWatch agent and store them with customizable retention. Option A is wrong because S3 is object storage, not designed for real-time log collection.

Option B is wrong because Kinesis Data Firehose is for streaming data to destinations like S3, but it's more complex for simple log collection. Option D is wrong because CloudTrail records API activity, not application logs.

384
MCQmedium

A developer is building a serverless application that processes images uploaded to an S3 bucket. The processing includes generating thumbnails and storing metadata in DynamoDB. The developer wants to ensure that the processing function is triggered only when new objects are created, not when existing objects are updated. Which S3 event notification configuration should be used?

A.Use s3:ObjectCreated:*
B.Use s3:ObjectCreated:Post
C.Use s3:ObjectCreated:Put
D.Use s3:ObjectCreated:Copy
AnswerC

This triggers only on PUT requests, which typically represent new object creation.

Why this answer

Option B is correct because the s3:ObjectCreated:Put event type triggers only on PUT requests (new object creation), not on other events like POST or Copy. Option A triggers on all object creation events. Option C triggers on all events.

Option D is valid but not the most precise.

385
MCQmedium

A developer is working on an application that uses Amazon SQS as a message queue. The application polls the queue using long polling with a wait time of 20 seconds. Recently, the team noticed that messages are being processed multiple times. The application is idempotent, but duplicate processing is causing unnecessary costs. What should the developer do to reduce duplicate message processing?

A.Use a DynamoDB table to track processed message IDs and ignore duplicates.
B.Switch to a FIFO queue to enable exactly-once processing.
C.Increase the visibility timeout to a value greater than the maximum processing time.
AnswerA

This ensures idempotency even if messages are delivered multiple times, effectively reducing the impact of duplicates.

Why this answer

Option D is correct. Enabling the visibility timeout to be at least as long as the processing time ensures that if the consumer fails to delete the message within the visibility timeout, the message becomes visible again, causing duplicates. Option A is wrong because SQS already provides at-least-once delivery; deduplication is not natively supported for standard queues.

Option B is wrong because increasing the visibility timeout helps but does not eliminate duplicates entirely. Option C is wrong because FIFO queues provide exactly-once processing but may not be suitable if the application requires higher throughput or ordering not needed.

386
MCQhard

A developer is creating an AWS Lambda function that processes events from an Amazon S3 bucket. The function writes logs to Amazon CloudWatch Logs. The developer wants to ensure that the Lambda function has the minimum required permissions. Which IAM policy should be attached to the Lambda execution role?

A.A policy that includes 'logs:CreateLogStream', 'logs:PutLogEvents', and 's3:*' on the bucket.
B.A policy that includes 'logs:*' and 's3:*' on the bucket.
C.A policy that includes 'logs:PutLogEvents' and 's3:ListBucket' on the bucket.
D.A policy that includes 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents', and 's3:GetObject' on the specific bucket.
AnswerD

This provides the minimum permissions required for the function to work.

Why this answer

The correct answer is A. The policy grants permissions to write logs to CloudWatch Logs and to get objects from the specific S3 bucket. Option B is wrong because it uses a wildcard for S3 actions, which grants more permissions than needed.

Option C is wrong because it grants unnecessary S3 list permissions. Option D is wrong because it uses 's3:*' which is too permissive.

387
Multi-Selecteasy

A developer is using AWS CodeBuild to run unit tests as part of a CI/CD pipeline. The developer wants to store the test results for later analysis. Which TWO AWS services can the developer use to store and view the test reports?

Select 2 answers
A.AWS CodeBuild test reports
B.AWS X-Ray
C.Amazon Athena
D.Amazon S3
E.Amazon CloudWatch Logs
AnswersA, D

Native test report feature.

Why this answer

Option B is correct because CodeBuild can publish test reports to the CodeBuild console. Option E is correct because CodeBuild can also upload raw test results to S3. Option A is wrong because X-Ray is for tracing.

Option C is wrong because CloudWatch Logs is for logs, not structured reports. Option D is wrong because Athena is for querying data in S3, not storing reports.

388
MCQmedium

A developer is using AWS Lambda to process records from an Amazon Kinesis Data Stream. The Lambda function is invoked with a batch of records. The function processes each record and then returns a response. The developer notices that some records are being processed multiple times. The function's execution time is within the Lambda timeout. The Kinesis stream has 10 shards. The developer wants to ensure that each record is processed exactly once. What should the developer do?

A.Reduce the number of shards to minimize the chance of duplicates.
B.Modify the Lambda function to use the sequence number of each record to deduplicate processing.
C.Configure the Lambda function's error handling to retry only failed records.
D.Increase the batch size to process more records per invocation.
AnswerB

The sequence number is unique per shard; storing the last processed sequence number in external storage (e.g., DynamoDB) allows the function to skip already processed records.

Why this answer

Option B is correct because the Lambda function should use the sequence number to track processed records and avoid reprocessing. Option A is wrong because increasing batch size does not prevent duplicates. Option C is wrong because reducing concurrency can help but does not guarantee exactly-once processing.

Option D is wrong because error handling does not address duplicate processing.

389
Multi-Selectmedium

A Kinesis consumer Lambda shows increasing IteratorAge. Which two changes may improve throughput when processing is CPU-bound?

Select 2 answers
A.Reduce the number of stream shards
B.Increase Lambda memory to provide more CPU
C.Disable checkpointing
D.Increase stream shard count to allow more parallel batches
AnswersB, D

Correct for the stated requirement.

Why this answer

Increasing Lambda memory proportionally increases CPU allocation, which directly improves throughput for CPU-bound processing by reducing per-record processing time. This lowers the IteratorAge as the consumer can process records faster than they arrive.

Exam trap

The trap here is that candidates often think reducing shards reduces load, but it actually reduces parallelism and worsens IteratorAge, while disabling checkpointing is mistakenly seen as a performance shortcut but only compromises reliability.

390
Multi-Selecthard

A developer is designing a serverless application that uses Amazon DynamoDB as the data store. The application must handle sudden spikes in read traffic without throttling. Which THREE actions should the developer take?

Select 3 answers
A.Configure DynamoDB auto scaling for the table
B.Implement exponential backoff and retry in the application code
C.Use a global secondary index with a different partition key
D.Use strongly consistent reads for all queries
E.Enable DynamoDB Accelerator (DAX) for caching
AnswersA, B, E

Auto scaling adjusts capacity based on traffic.

Why this answer

DAX provides caching for reads, DynamoDB auto scaling adjusts capacity, and exponential backoff handles throttling gracefully. Options A, C, and D are correct.

391
MCQhard

A developer wants exactly-once processing semantics for commands submitted to a queue where duplicate command IDs must be rejected within five minutes. Which SQS feature is most directly relevant?

A.Standard queue delay seconds
B.Dead-letter queue redrive policy
C.FIFO queue deduplication ID
D.Visibility timeout extension
AnswerC

Correct for the stated requirement.

Why this answer

FIFO queues support exactly-once processing by using a deduplication ID. When a message with a given deduplication ID is sent, SQS automatically rejects any duplicate within a 5-minute deduplication interval. This directly meets the requirement to reject duplicate command IDs within five minutes.

Exam trap

The trap here is that candidates confuse visibility timeout (which controls reprocessing) with deduplication (which prevents duplicate submissions), leading them to select option D instead of the correct FIFO deduplication ID feature.

How to eliminate wrong answers

Option A is wrong because standard queue delay seconds only postpone message delivery, they do not provide deduplication or exactly-once semantics. Option B is wrong because a dead-letter queue redrive policy moves messages after repeated processing failures, it does not prevent duplicate submissions. Option D is wrong because visibility timeout extension only prevents other consumers from processing a message while it is being handled, it does not reject duplicates.

392
MCQmedium

A company is deploying a microservices architecture on Amazon ECS. Each service needs to store secrets such as database passwords. Which service should be used to securely inject these secrets into containers?

A.AWS Secrets Manager
B.Amazon Elastic File System (EFS)
C.Amazon S3
D.AWS Systems Manager Parameter Store
AnswerA

Secrets Manager integrates with ECS to inject secrets as environment variables.

Why this answer

Option C is correct because AWS Secrets Manager integrates with ECS to inject secrets. Option A is wrong because EFS is a file system. Option B is wrong because SSM Parameter Store can be used but Secrets Manager is preferred for secrets.

Option D is wrong because S3 is not secure for secrets.

393
MCQmedium

A developer configures an AWS Lambda function to process image files uploaded to an S3 bucket. The bucket receives a mix of .jpg, .png, and .pdf files. To reduce costs, the developer wants the Lambda function to be invoked only for image files (.jpg and .png). How should the developer configure the S3 event notification?

A.Configure the S3 event notification to invoke the Lambda function for all object create events, and add logic in the Lambda function to exit early if the object is not an image.
B.Add a suffix filter to the S3 event notification that includes .jpg and .png.
C.Set the S3 bucket policy to deny PutObject requests that do not have a .jpg or .png suffix.
D.Create two separate S3 buckets: one for images and one for other files, and configure the event notification only on the image bucket.
AnswerB

S3 event notifications support filters based on object key patterns. Using a suffix filter restricts the notification to only objects ending with .jpg or .png, preventing Lambda invocations for other file types.

Why this answer

Option B is correct because S3 event notifications support suffix filters that allow you to specify which object key suffixes (e.g., .jpg and .png) trigger the event. By adding a suffix filter for .jpg and .png, only image file uploads invoke the Lambda function, directly reducing unnecessary invocations and costs without requiring any code changes in the function.

Exam trap

The trap here is that candidates may think suffix filters can accept multiple extensions in a single filter value (e.g., '.jpg,.png'), but S3 requires separate notification configurations for each suffix, and they might incorrectly choose Option A as a simpler 'code-based' solution without realizing it fails the cost-reduction requirement.

How to eliminate wrong answers

Option A is wrong because it still invokes the Lambda function for every object create event, including non-image files, which defeats the cost-reduction goal and wastes Lambda invocations and execution time. Option C is wrong because S3 bucket policies cannot filter based on object key suffixes for PutObject requests; they operate on principals, actions, and conditions like s3:object-lock-mode, not on file extensions, and denying non-image uploads would block valid .pdf uploads entirely, which is not the requirement. Option D is wrong because it introduces unnecessary operational complexity by requiring two buckets, and it does not leverage the built-in filtering capability of S3 event notifications, which is the simplest and most cost-effective solution.

394
MCQmedium

A developer is building a REST API using Amazon API Gateway that will serve static content from an Amazon S3 bucket. The API should cache responses for frequently accessed objects to reduce latency. Which API Gateway feature should the developer enable?

A.API Gateway caching with TTL set per method.
B.Amazon CloudFront as a custom domain.
C.Lambda@Edge for caching.
D.S3 Transfer Acceleration.
AnswerA

This is the correct feature to cache backend responses and reduce latency.

Why this answer

API Gateway caching allows you to cache responses from your backend (e.g., an S3 bucket) for a specified Time-to-Live (TTL) per method, reducing the number of calls to the backend and lowering latency for frequently accessed objects. This feature is natively integrated with API Gateway and requires no additional services or complex configurations, making it the most direct solution for caching static content served through a REST API.

Exam trap

The trap here is that candidates often confuse API Gateway caching with CloudFront, assuming that a CDN is required for caching, when in fact API Gateway has its own built-in caching feature that is simpler to enable for REST APIs serving static content.

How to eliminate wrong answers

Option B is wrong because Amazon CloudFront as a custom domain is a content delivery network (CDN) that can cache content at edge locations, but it is not an API Gateway feature; it is a separate service that would be placed in front of API Gateway, not enabled within API Gateway itself. Option C is wrong because Lambda@Edge is used for customizing CloudFront behavior (e.g., modifying requests/responses) and is not a caching mechanism; it runs code at edge locations but does not provide built-in response caching like API Gateway caching. Option D is wrong because S3 Transfer Acceleration is designed to speed up uploads to S3 over long distances using AWS edge locations, but it does not cache responses or reduce latency for GET requests served through API Gateway.

395
MCQeasy

A developer is building a serverless application using AWS Lambda that needs to connect to an Amazon RDS MySQL database. The function will be deployed in a VPC. Which resource should the developer use to ensure secure and efficient database connections?

B.RDS Proxy
C.VPC Endpoint
D.AWS PrivateLink
AnswerB

RDS Proxy is designed for applications like Lambda that open many short-lived connections. It pools connections to the database, reducing connection overhead and improving scalability and security.

Why this answer

RDS Proxy is the correct choice because it manages a pool of database connections, allowing Lambda functions to reuse them efficiently and avoid exhausting MySQL connection limits under high concurrency. It also enforces IAM authentication and securely stores credentials in AWS Secrets Manager, eliminating the need to hardcode database passwords in the function code.

Exam trap

The trap here is that candidates often confuse VPC Endpoints or PrivateLink with database connectivity, not realizing that RDS Proxy is the only service designed specifically to solve connection management and security for Lambda functions accessing RDS in a VPC.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway provides outbound internet access for private subnets but does not manage or secure database connections; it would not help with connection pooling or credential management. Option C is wrong because a VPC Endpoint (Gateway or Interface) enables private connectivity to AWS services like S3 or DynamoDB, not to RDS databases; it does not handle connection pooling or authentication for MySQL. Option D is wrong because AWS PrivateLink is used to expose services privately across VPCs or accounts via Network Load Balancers and interface endpoints, but it does not provide the connection pooling, IAM integration, or failover capabilities that RDS Proxy offers for Lambda-to-RDS connections.

396
Multi-Selecthard

A developer is building a CI/CD pipeline using AWS CodePipeline. The pipeline has a source stage from Amazon S3, a build stage using AWS CodeBuild, and a deploy stage using AWS CodeDeploy. The developer wants to ensure that a manual approval step is required before deploying to production. Which THREE components must be configured? (Choose THREE.)

Select 3 answers
A.Create an AWS Lambda function to process approval logic.
B.Set up an Amazon SNS topic to notify approvers of pending approval.
C.Add an approval action in the pipeline before the deploy stage.
D.Attach an IAM policy to the approver group that allows codepipeline:PutApprovalResult.
E.Configure Amazon CloudWatch Events to trigger the approval step.
AnswersB, C, D

Correct: SNS is used to send approval requests.

Why this answer

B, C, and D are correct. You need an approval action (B), SNS notification for approvers (C), and an IAM policy for approvers to allow approval (D). Option A is wrong because CloudWatch Events is not required for approval.

Option E is wrong because Lambda is not required; approval action is built-in.

397
MCQhard

A company runs a containerized application on Amazon ECS Fargate. The application writes logs to stdout. The operations team wants to centralize log monitoring and set up alarms for error patterns. What should a developer do to meet these requirements with minimal operational overhead?

A.Use Amazon Kinesis Data Firehose to stream logs to Amazon S3 and then to CloudWatch Logs.
B.Modify the application code to use the AWS SDK for CloudWatch Logs to put log events.
C.Install the CloudWatch agent in the container and configure it to send logs.
D.Configure the ECS task definition to use the awslogs log driver and set the log group.
AnswerD

awslogs driver sends stdout to CloudWatch Logs natively.

Why this answer

Option B is correct because the awslogs driver automatically sends stdout logs to CloudWatch Logs, enabling alarms and central monitoring. Option A is wrong because CloudWatch agent is for EC2. Option C is wrong because Kinesis adds complexity.

Option D is wrong because CloudWatch Logs for ECS requires no extra SDK.

398
MCQmedium

A company is building a serverless application using AWS Lambda. The application processes messages from an Amazon SQS queue. The Lambda function is idempotent and handles duplicate messages correctly. The company needs to ensure that messages are processed in the order they were sent. Which solution should the company use?

A.Use Amazon SNS to fan out messages to Lambda.
B.Use Amazon Kinesis Data Streams as the event source for Lambda.
C.Configure the Lambda function to poll an SQS standard queue with a batch size of 10.
D.Configure the Lambda function to poll an SQS FIFO queue with a batch size of 1.
AnswerD

Using an SQS FIFO queue with batch size 1 ensures messages are processed in order and exactly once.

Why this answer

Option A is correct because using an SQS FIFO queue ensures exactly-once processing and preserves message order. Lambda can poll FIFO queues with a batch size of 1 to maintain order. Option B is wrong because standard queues do not guarantee order.

Option C is wrong because Kinesis Data Streams does not integrate natively with Lambda's event source mapping for ordered processing of individual messages. Option D is wrong because SNS does not provide ordering guarantees.

399
MCQmedium

A developer is building a serverless application using AWS Lambda functions that process events from Amazon SQS. The developer notices that some messages are being processed multiple times. What is the MOST likely cause of this issue?

A.The Lambda function's reserved concurrency is set too high.
B.The SQS visibility timeout is too short for the Lambda function's execution time.
C.The SQS queue has a dead-letter queue configured.
D.The Lambda function's batch size is set to more than 1.
AnswerB

If the visibility timeout expires before Lambda finishes processing, the message becomes visible again and can be processed by another invocation.

Why this answer

Option A is correct because Lambda's SQS event source mapping uses long polling and may receive a message, then the visibility timeout expires before processing completes, causing the message to become visible again. Option B is wrong because dead-letter queues do not cause duplication. Option C is wrong because Lambda functions process one message at a time by default from SQS.

Option D is wrong because reserved concurrency limits concurrency, not duplication.

400
MCQhard

A developer runs the above AWS CLI command to invoke a Lambda function. The response shows StatusCode 200 but FunctionError is 'Unhandled'. What does this indicate?

A.The function timed out.
B.The payload was malformed and the function did not run.
C.The function code threw an unhandled exception.
D.The function lacks execution permissions.
AnswerC

'Unhandled' indicates an uncaught exception in the code.

Why this answer

Option C is correct because 'Unhandled' means the Lambda function threw an exception that was not caught by the code. Option A is wrong because a timeout would result in a different error. Option B is wrong because a permission error would give a 403 status.

Option D is wrong because the function was invoked but the error is in the code.

401
Multi-Selectmedium

A developer is configuring an Amazon S3 bucket for static website hosting. The website includes JavaScript that makes AJAX calls to an API Gateway endpoint. Which TWO actions should the developer take to allow cross-origin requests?

Select 2 answers
A.Use Amazon CloudFront to serve the website and set CORS headers.
B.Add a CORS configuration to the S3 bucket.
C.Enable CORS on the API Gateway API.
D.Configure the S3 bucket policy to allow cross-origin access.
E.Modify the Lambda function to include CORS headers in the response.
AnswersC, D

API Gateway must have CORS enabled to accept cross-origin requests from the browser.

Why this answer

Options A and C are correct. Option A: S3 bucket policy can allow cross-origin access to the bucket itself, but for API Gateway, CORS must be enabled on the API. Option B is incorrect because the CORS configuration should be on the API Gateway, not the S3 bucket.

Option C: Enabling CORS on API Gateway allows the browser to make cross-origin requests. Option D is incorrect because CloudFront does not inherently handle CORS; it must be configured. Option E is incorrect because Lambda functions do not handle CORS directly; API Gateway does.

402
MCQmedium

A developer has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is configured with a batch size of 10, reserved concurrency of 5, and a timeout of 5 minutes. The SQS queue has a large backlog, and CloudWatch metrics show high throttling (Throttles) for the Lambda function. The function is idempotent and can process up to 100 messages in a single invocation. What is the MOST effective way to increase throughput without increasing the reserved concurrency?

A.Increase the batch size to 100.
B.Increase the reserved concurrency to 10.
C.Reduce the batch size to 1.
D.Enable the SQS queue to use long polling.
AnswerA

Increasing the batch size allows each invocation to process more messages, reducing the number of invocations and the likelihood of throttling without increasing reserved concurrency.

Why this answer

Increasing the batch size to 100 allows each Lambda invocation to process up to 100 messages from the SQS queue instead of the current 10. Since the function is idempotent and can handle 100 messages per invocation, this change maximizes the number of messages processed per invocation without altering the reserved concurrency of 5. With a batch size of 100, each of the 5 concurrent invocations can process up to 100 messages, yielding a potential throughput of 500 messages per invocation cycle, which directly reduces the backlog and throttling by consuming messages faster.

Exam trap

The trap here is that candidates may think increasing reserved concurrency is the only way to improve throughput, but the question explicitly forbids that, and they overlook that increasing the batch size can achieve the same goal by processing more messages per invocation without adding more concurrent executions.

How to eliminate wrong answers

Option B is wrong because increasing reserved concurrency to 10 would increase throughput but directly violates the constraint of not increasing reserved concurrency, and it would also increase the risk of throttling other functions sharing the account concurrency limit. Option C is wrong because reducing the batch size to 1 would drastically decrease throughput, as each invocation would process only one message, requiring more invocations to handle the same backlog and potentially increasing throttling due to more concurrent executions. Option D is wrong because enabling long polling for the SQS queue reduces the number of empty responses and improves efficiency in message retrieval, but it does not increase the number of messages processed per invocation or reduce throttling caused by the Lambda function's concurrency limit.

403
MCQeasy

A developer is creating a new DynamoDB table to store order data. The orders have a unique order ID and are retrieved by order ID. Occasionally, the developer needs to query orders by customer ID. Which design approach would minimize costs and provide the fastest queries?

A.Use the order ID as the partition key and create a global secondary index on customer ID
B.Use the customer ID as the partition key and order ID as the sort key
C.Use the order ID as the partition key and scan the table for customer ID queries
D.Use the customer ID as the partition key and create a local secondary index on order ID
AnswerA

This provides fast queries by order ID (primary) and by customer ID via GSI, minimizing cost and performance impact.

Why this answer

Option A is correct because using the order ID as the partition key ensures the most efficient primary key access for the primary query pattern (retrieving by order ID). Creating a Global Secondary Index (GSI) on customer ID allows efficient querying by customer ID without scanning the base table, and GSIs have separate read/write capacity from the base table, so you only pay for the index when it is used. This design minimizes costs by avoiding unnecessary scans and provides the fastest queries for both access patterns.

Exam trap

The trap here is that candidates often choose Option B (customer ID as partition key) thinking it naturally supports both access patterns, but they overlook the hot partition problem and the fact that retrieving a single order by order ID would require a scan or a query with a known customer ID, which is not always available.

How to eliminate wrong answers

Option B is wrong because using customer ID as the partition key would cause all orders for the same customer to be stored in the same partition, leading to hot partitions and potential throttling, and it does not provide efficient retrieval by order ID (which would require a scan or a query with a known customer ID). Option C is wrong because scanning the entire table to find orders by customer ID is extremely inefficient and costly, as it reads every item in the table and incurs read capacity for all items, even those not matching the query. Option D is wrong because a Local Secondary Index (LSI) requires the same partition key as the base table (customer ID), which would still cause hot partitions for high-volume customers, and LSIs share the base table's read/write capacity, so they do not provide the same cost flexibility as a GSI.

404
MCQhard

Refer to the exhibit. A developer creates a CloudFormation stack with the template. After the stack is created, the developer tries to access https://my-app-data-123.s3.amazonaws.com/index.html but gets a 403 Forbidden error. The S3 bucket has public access blocked at the account level. What should the developer do to allow public read access?

A.Enable static website hosting on the bucket.
B.Modify the bucket policy to include the AWS account ID as Principal.
C.Add a bucket policy that grants s3:ListBucket.
D.Disable the block public access settings at the account level.
AnswerD

Account-level block prevents public access despite bucket policy.

Why this answer

Account-level public access block overrides bucket policy. Option D is correct. Option A is wrong because bucket policy already allows.

Option B is wrong because account setting overrides. Option C is wrong because static website hosting is not required for direct S3 access.

405
MCQhard

A developer is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database. The developer wants to use Amazon RDS for the database and needs to ensure that each microservice can only access its own set of tables. Which approach should the developer take?

A.Create a single RDS instance with a separate database per microservice.
B.Use RDS with IAM database authentication and create database users with limited privileges for each microservice.
C.Use RDS in a VPC and restrict network access per microservice using security groups.
D.Use Amazon RDS Proxy to control access.
AnswerB

IAM database authentication allows you to create database users with specific privileges (e.g., SELECT, INSERT on certain tables) and use IAM roles to authenticate, providing fine-grained access control.

Why this answer

Option B is correct because IAM database authentication allows the developer to create database users with granular, table-level privileges using standard SQL GRANT statements, ensuring each microservice can only access its own set of tables. By combining IAM roles with database user credentials, the developer can enforce least-privilege access without sharing a single database user across services. This approach directly addresses the requirement for per-microservice table isolation while leveraging RDS's native authentication and authorization capabilities.

Exam trap

The trap here is that candidates often confuse network-level isolation (security groups) with database-level authorization, assuming that restricting network access per microservice is sufficient to enforce table-level separation, when in fact security groups cannot differentiate between tables within the same database instance.

How to eliminate wrong answers

Option A is wrong because creating a separate database per microservice on a single RDS instance does not prevent a microservice from connecting to another microservice's database if it has the same database user credentials or network access; it only provides logical separation, not access control. Option C is wrong because security groups control network-layer access to the RDS instance as a whole, not to individual tables or databases within it; once a microservice can connect to the RDS endpoint, it can access any table unless further database-level permissions are enforced. Option D is wrong because Amazon RDS Proxy manages connection pooling and provides some IAM authentication support, but it does not enforce table-level access control; it still relies on the underlying database user permissions for authorization.

406
Multi-Selectmedium

A developer is designing a microservices architecture using Amazon ECS with Fargate. The application needs to store and retrieve user session data. Which TWO AWS services can be used to store session state?

Select 2 answers
A.Amazon DynamoDB
B.Amazon ElastiCache for Redis
C.Amazon S3
D.Amazon EFS
E.Amazon RDS for MySQL
AnswersA, B

DynamoDB is a low-latency NoSQL database suitable for session state.

Why this answer

Option A (ElastiCache Redis) and Option C (DynamoDB) are both suitable for storing session state. Option B (S3) is object storage, not optimal for low-latency session state. Option D (RDS MySQL) is relational and can work but is not a typical choice for session state due to overhead.

Option E (EFS) is file storage, not suitable for session data.

407
MCQhard

A developer wants a Lambda function to process SQS messages in batches but avoid losing the whole batch when only one record fails. Which feature should be enabled?

A.Partial batch response for SQS event source mapping
B.Reserved concurrency of one
C.Maximum message size increase
D.SQS short polling
AnswerA

Correct for the stated requirement.

Why this answer

Partial batch response for SQS event source mapping allows the Lambda function to report which messages in a batch failed processing. When enabled, Lambda retries only the failed messages instead of the entire batch, preventing successful messages from being reprocessed or lost. This is achieved by returning a `batchItemFailures` array in the function's response, which tells Lambda which message IDs to retry.

Exam trap

The trap here is that candidates may confuse partial batch response with SQS dead-letter queues or retry policies, but the key differentiator is that partial batch response is a Lambda event source mapping feature that specifically allows per-message failure handling within a batch.

How to eliminate wrong answers

Option B is wrong because reserved concurrency of one limits the Lambda function to a single concurrent execution, which does not affect how individual messages within a batch are handled; it only throttles overall throughput. Option C is wrong because maximum message size increase is a queue-level setting in SQS that controls the maximum payload size (up to 256 KB for standard queues), not a mechanism for handling partial batch failures. Option D is wrong because SQS short polling returns immediately with available messages but does not provide any per-message failure handling within a batch; it only affects message retrieval latency.

408
MCQeasy

A developer is creating an AWS Lambda function that processes files uploaded to an S3 bucket. The developer wants to invoke the Lambda function automatically when a new file is uploaded. Which approach should the developer use?

A.Use Amazon API Gateway to expose an endpoint and have S3 call it.
B.Configure S3 to send events to an SQS queue, and configure Lambda to poll the queue.
C.Configure S3 event notifications to invoke the Lambda function directly.
D.Use Amazon CloudWatch Events to trigger Lambda on S3 PUT events.
AnswerC

S3 can directly invoke Lambda via event notifications.

Why this answer

Option C is correct because S3 can send event notifications to Lambda directly. Option A is wrong because SQS is an intermediate step that adds complexity. Option B is wrong because CloudWatch Events is not the native way to trigger Lambda from S3.

Option D is wrong because API Gateway is for HTTP APIs, not for S3 events.

409
MCQhard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application needs to access an Amazon RDS MySQL database using credentials stored in AWS Secrets Manager. The ECS task role has the following IAM policy: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["secretsmanager:GetSecretValue"],"Resource":"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-db-*"}]}. The application fails to retrieve the secret with an AccessDeniedException. What is the most likely cause?

A.The task execution role does not have permission to retrieve the secret.
B.The secret's resource-based policy denies access to the task role.
C.The task is in a private subnet without a VPC endpoint to Secrets Manager.
D.The secret name does not match the pattern in the policy.
AnswerB

Secrets Manager secrets have resource-based policies that can deny access.

Why this answer

Option B is correct because the resource-based policy on the secret must explicitly grant the ECS task role permission to retrieve the secret, even if the task role has an allow policy. Option A is wrong because the task role policy uses a wildcard, which matches the secret name. Option C is wrong because Fargate tasks can access Secrets Manager via VPC endpoints without internet.

Option D is wrong because the task role, not the task execution role, is used for accessing secrets from the application.

410
MCQhard

A developer is investigating why an AWS Lambda function is not writing logs to CloudWatch Logs. The function has been invoked multiple times, but the log group shows 0 stored bytes. What is the most likely cause?

A.The CloudWatch Logs log group does not exist.
B.The Lambda execution role lacks permissions to write to CloudWatch Logs.
C.The Lambda function is failing before any logging code is executed.
D.The Lambda function is configured to use a different log group name.
AnswerB

Without the necessary IAM permissions (logs:CreateLogStream, logs:PutLogEvents), the function cannot write logs.

Why this answer

The correct answer is A. The Lambda function's execution role does not have permissions to create log streams and put log events. Option B is wrong because the log group exists.

Option C is wrong because the function has been invoked, so it is not failing before logging. Option D is wrong because the log group name is correct.

411
MCQeasy

A developer is using AWS Lambda to process messages from an Amazon SQS queue. The function needs to access an Amazon DynamoDB table. What is the MOST secure way to grant the Lambda function access to DynamoDB?

A.Use the Lambda function's execution role to grant full administrative access to DynamoDB.
B.Store the AWS access key and secret access key as environment variables in the Lambda function.
C.Assign an IAM role to the Lambda function with a policy that grants the required DynamoDB permissions.
D.Create an IAM user with DynamoDB access and use its credentials in the Lambda function.
AnswerC

Using an IAM role is the secure and recommended way to grant permissions to AWS services.

Why this answer

Option C is correct because assigning an IAM role to the Lambda function with a policy that allows DynamoDB actions follows the principle of least privilege and is the recommended approach. Option A is wrong because embedding access keys in environment variables is insecure. Option B is wrong because IAM users are for human users, not services.

Option D is wrong because granting full admin access violates least privilege.

412
MCQmedium

A company is building a serverless application using AWS Lambda and Amazon API Gateway. The application needs to process user uploads to an S3 bucket. The Lambda function should be invoked only when new objects are created in the bucket. Which service should be used to trigger the Lambda function?

A.Amazon Kinesis Data Streams
B.Amazon S3 event notifications
C.Amazon CloudWatch Events
D.Amazon Simple Queue Service (SQS)
AnswerB

S3 can be configured to send event notifications directly to Lambda when an object is created.

Why this answer

Option B is correct because S3 can send events directly to Lambda when objects are created. Option A is wrong because SQS requires polling. Option C is wrong because CloudWatch Events can't directly trigger from S3 object creation.

Option D is wrong because Kinesis requires a stream consumer.

413
MCQmedium

A developer is using Amazon SQS to decouple microservices. The consumer service processes messages from the queue. To reduce processing time, the developer wants to receive multiple messages in a single API call. What is the maximum number of messages that can be received at once?

A.5
B.100
C.20
D.10
AnswerD

The maximum number of messages per ReceiveMessage call is 10.

Why this answer

Option B is correct because the maximum number of messages that can be retrieved in a single ReceiveMessage call is 10. Option A is wrong because 5 is the default but not the max. Option C and D are wrong because they exceed the maximum.

414
Multi-Selecthard

A developer is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. Which TWO options can the developer use for service discovery?

Select 2 answers
A.AWS Cloud Map
B.AWS Global Accelerator
C.Amazon ECS Service Connect
D.Amazon Route 53 private hosted zones
E.Application Load Balancer internal
AnswersA, C

Managed service discovery.

Why this answer

Option A is correct because Cloud Map provides DNS-based service discovery. Option D is correct because Service Connect is a native ECS feature for service discovery. Option B is wrong because R53 private hosted zones are for custom domain names, not dynamic service discovery.

Option C is wrong because ALB is for load balancing, not service discovery. Option E is wrong because Global Accelerator is for global traffic.

415
MCQmedium

A company has a Lambda function that processes records from an SQS queue. The function is failing intermittently with timeout errors. The processing time per record varies, but the SQS queue has a visibility timeout of 30 seconds. The Lambda function has a timeout of 1 minute. What is the MOST likely cause of the timeout errors?

A.The Lambda function's reserved concurrency is set too low.
B.The SQS queue has too many messages causing Lambda to throttle.
C.The SQS visibility timeout is shorter than the Lambda function timeout.
D.The SQS queue's default visibility timeout of 30 seconds is too long.
AnswerC

If the visibility timeout is shorter than the Lambda timeout, the message becomes visible again before processing completes, causing duplicate invocations and potential timeouts.

Why this answer

Option B is correct because the Lambda function's maximum execution time is 15 minutes, but the SQS visibility timeout of 30 seconds is shorter than the Lambda timeout of 1 minute. If the Lambda function takes longer than 30 seconds, the message becomes visible again and another Lambda invocation may process it, causing duplicate processing and potential timeouts. Option A is incorrect because Lambda can scale to handle many messages.

Option C is irrelevant because batch size affects concurrency but not individual function timeout. Option D is incorrect because 30 seconds is a typical visibility timeout.

416
MCQhard

A company uses AWS Lambda functions behind an API Gateway REST API. The Lambda functions are written in Python and use the boto3 SDK to interact with DynamoDB. After a recent deployment, some users report sporadic 502 Bad Gateway errors when calling the API. The Lambda function logs show occasional 'AccessDeniedException' errors. What is the most likely cause and solution?

A.The Lambda function is timing out. Increase the timeout value in the Lambda configuration.
B.The DynamoDB table is throttling requests. Enable auto-scaling for the table.
C.The Lambda execution role lacks permissions to access DynamoDB. Update the role to include the necessary DynamoDB actions.
D.The API Gateway request is too large. Set the payload size limit higher in API Gateway settings.
AnswerC

This directly addresses the AccessDeniedException by granting required permissions.

Why this answer

Option A is correct because the sporadic 502 errors and AccessDeniedException in logs indicate that the Lambda execution role is missing permissions for DynamoDB operations, and the errors occur when the function attempts to access DynamoDB. Adding the required DynamoDB permissions resolves the issue.

417
MCQmedium

A developer is deploying a new version of an AWS Lambda function. The function uses an environment variable for a database password. The developer wants to securely store the password and automatically rotate it. Which combination of AWS services should the developer use?

A.Use AWS KMS to generate a data key and store it in the Lambda environment variable.
B.Store the password in AWS Secrets Manager and retrieve it in the Lambda function using the AWS SDK.
C.Store the password in AWS Systems Manager Parameter Store and reference it in the Lambda function.
D.Encrypt the password using AWS KMS and store it in Amazon DynamoDB.
AnswerB

Secrets Manager supports automatic rotation and secure retrieval.

Why this answer

AWS Secrets Manager securely stores secrets and supports automatic rotation. Lambda can retrieve the secret at runtime. Option B is correct.

Option A is incorrect because Parameter Store does not natively support rotation. Option C is incorrect because DynamoDB is not a secure secret store. Option D is incorrect because KMS encrypts data but does not store or rotate secrets.

418
Multi-Selecteasy

Which TWO of the following are benefits of using Amazon API Gateway to manage APIs? (Choose two.)

Select 2 answers
A.Built-in caching of database queries to Amazon RDS
B.Direct integration with Amazon S3 for file storage
C.Throttling and rate limiting of API requests
D.Generation of client SDKs for multiple programming languages
E.Automatic connection pooling for backend databases
AnswersC, D

API Gateway supports throttling at the API level.

Why this answer

Correct: A and D. API Gateway provides throttling to protect backend services and can generate SDKs for multiple languages. Option B is wrong because API Gateway does not provide a built-in caching layer for RDS; it can cache responses but not RDS queries directly.

Option C is wrong because API Gateway does not manage database connections. Option E is wrong because API Gateway does not handle file storage.

419
MCQmedium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is triggered by the SQS queue. Recently, the function started failing due to timeout errors when processing large messages. The function's timeout is set to the maximum of 15 minutes. What should a developer do to resolve this issue?

A.Increase the SQS queue's visibility timeout.
B.Increase the maximum message size in the SQS queue.
C.Decrease the SQS batch size in the Lambda trigger.
D.Split the large messages into smaller messages before sending to SQS.
AnswerD

Smaller messages reduce processing time per invocation.

Why this answer

Option D is correct because splitting large messages into smaller ones reduces processing time. Option A is wrong because increasing visibility timeout doesn't help if function times out. Option B is wrong because batch size reduction may not help per-message timeout.

Option C is wrong because SQS message size limit is 256 KB, cannot increase.

420
Multi-Selectmedium

A developer is designing a serverless application that processes orders. The order processing must be transactional: either all steps succeed or none. Which TWO AWS services can be combined to achieve this?

Select 2 answers
A.AWS Step Functions
B.Amazon SNS with filtering
C.Amazon SQS with FIFO queues
D.Amazon DynamoDB transactions
E.AWS Lambda with DLQ
AnswersA, D

Step Functions can coordinate multiple AWS services with error handling.

Why this answer

Options B and D are correct. Step Functions (B) can orchestrate a workflow with error handling and rollback. DynamoDB transactions (D) provide ACID transactions for multiple items.

Option A is wrong because SQS does not provide transactional processing. Option C is wrong because Lambda alone does not manage transactions across multiple steps. Option E is wrong because SNS is for pub/sub messaging, not transactions.

421
MCQmedium

A company uses Amazon CloudFront to distribute content from an S3 bucket. The content is static and rarely changes. The developer wants to reduce the load on the origin and improve performance for users. Which configuration change would achieve this?

A.Disable caching for the distribution.
B.Enable Lambda@Edge to process requests at edge locations.
C.Decrease the TTL (Time to Live) for the cache behavior.
D.Increase the TTL (Time to Live) for the cache behavior.
AnswerD

Higher TTL allows longer caching, reducing origin requests.

Why this answer

Option D is correct because increasing the TTL allows CloudFront to cache content longer, reducing requests to the origin. Option A is wrong because decreasing TTL increases origin load. Option B is wrong because disabling caching defeats the purpose.

Option C is wrong because Lambda@Edge adds compute but does not reduce origin load.

422
Multi-Selectmedium

A company is running a web application on EC2 instances behind an Application Load Balancer. The application experiences high latency during peak hours. A developer needs to improve performance. Which TWO actions should the developer take? (Choose TWO.)

Select 2 answers
A.Configure Auto Scaling to add more instances during peak hours.
B.Increase the ALB idle timeout.
C.Implement Amazon ElastiCache to cache frequently accessed data.
D.Use larger EC2 instance types.
E.Enable EBS optimization on the instances.
AnswersA, C

Auto Scaling adds capacity to handle increased load.

Why this answer

Options A and C are correct. Auto Scaling adds instances during peak hours, spreading the load. ElastiCache caches database results, reducing latency.

Option B is wrong because increasing instance size helps but is less elastic. Option D is wrong because increasing ALB idle timeout does not affect latency. Option E is wrong because EBS optimization is about network throughput, not application latency.

423
MCQmedium

A developer is building a RESTful API using Amazon API Gateway (HTTP API) and AWS Lambda. The API receives a large number of requests with duplicate payloads within a short time window. To improve performance and reduce costs, the developer wants to ensure that if the same request (based on a unique client ID) is sent within 5 minutes, the Lambda function is not invoked again, and the previously calculated response is returned. Which API Gateway feature should the developer use?

A.Enable API caching on the stage with a TTL of 300 seconds and configure the client ID as a cache key parameter.
B.Enable request validation to reject duplicate requests.
C.Configure a usage plan with a throttle rate to limit requests from each client.
D.Enable stage variables to store the previous response.
AnswerA

API Gateway caching stores responses for a configurable TTL. By setting the TTL to 300 seconds and including the client ID in the cache key (e.g., as a query string parameter or request header), identical requests will return the cached response without invoking the Lambda function, reducing costs and improving performance.

Why this answer

Option A is correct because API Gateway's caching feature stores responses from your endpoint for a specified time-to-live (TTL). By setting the TTL to 300 seconds (5 minutes) and configuring the client ID as a cache key parameter, API Gateway will use the client ID to uniquely identify requests. If a request with the same client ID arrives within the TTL window, API Gateway returns the cached response without invoking the Lambda function, reducing costs and improving performance.

Exam trap

The trap here is that candidates confuse throttling (which limits request rate) with caching (which stores and returns previous responses), leading them to pick Option C instead of A.

How to eliminate wrong answers

Option B is wrong because request validation in API Gateway checks for required headers, query strings, or body structure, but it does not detect or reject duplicate requests based on content or client ID. Option C is wrong because a usage plan with throttling limits the rate of requests per client (e.g., requests per second), but it does not cache responses or prevent Lambda invocation for duplicate requests within a time window; it simply rejects excess requests. Option D is wrong because stage variables are used to pass configuration values (like endpoint URLs) to integration functions at deployment time, not to store or return previous responses.

424
MCQmedium

A developer is building a serverless application that processes user-submitted images. The images are uploaded to an S3 bucket, which triggers an AWS Lambda function that creates a thumbnail and stores it in another S3 bucket. The developer notices that sometimes the Lambda function is invoked multiple times for a single image upload. What should the developer configure to ensure idempotent processing?

A.Enable S3 event notifications with a suffix filter.
B.Use an SQS queue to decouple S3 events.
C.Implement a DynamoDB table to track processed objects.
D.Increase the Lambda function's timeout.
AnswerC

Correct. Storing processed object keys (e.g., with a condition check before writing) enables the Lambda function to detect duplicates and skip reprocessing, ensuring idempotency.

Why this answer

Option C is correct because S3 event notifications can occasionally deliver duplicate events (at-least-once semantics). By storing the unique object key (or ETag) in a DynamoDB table with a TTL, the Lambda function can check if the object has already been processed and skip duplicate invocations, ensuring idempotent processing.

Exam trap

The trap here is that candidates often assume SQS or filters guarantee exactly-once delivery, but AWS services like S3 and SQS both use at-least-once semantics, so idempotency must be implemented at the consumer level.

How to eliminate wrong answers

Option A is wrong because suffix filters only control which objects trigger notifications based on file extension; they do not prevent duplicate invocations for the same object. Option B is wrong because while an SQS queue can buffer events and reduce throttling, it does not eliminate duplicate events—S3 still sends at-least-once notifications to SQS, so duplicates can still occur. Option D is wrong because increasing the Lambda timeout only allows the function to run longer; it does not address the root cause of duplicate invocations or provide idempotency.

425
Multi-Selecthard

Which THREE actions can a developer take to improve the cold start latency of an AWS Lambda function?

Select 3 answers
A.Use a language runtime with faster startup time, such as Python or Node.js.
B.Place the Lambda function inside a VPC.
C.Enable provisioned concurrency for the function.
D.Increase the function's memory allocation.
E.Increase the function's timeout setting.
AnswersA, C, D

These runtimes have lower initialization overhead compared to Java or .NET.

Why this answer

Options A, B, and C are correct. Provisioned concurrency keeps environments warm. Using a smaller runtime (e.g., Python vs Java) reduces startup time.

Allocating more memory also increases CPU, speeding up initialization. Option D is wrong because VPC adds latency due to ENI setup. Option E is wrong because increasing timeout does not affect cold start.

426
Multi-Selecthard

A developer is using Amazon Kinesis Data Streams to ingest real-time events. The application uses the Kinesis Client Library (KCL) to process records. The developer notices that one shard is falling behind while others are processing fine. Which THREE actions can help improve processing of the lagging shard? (Choose THREE.)

Select 3 answers
A.Use Enhanced Fan-Out to reduce contention.
B.Decrease the record size by compressing the data.
C.Reduce the number of shards in the stream.
D.Increase the number of KCL workers processing the shard.
E.Split the hot shard into multiple shards using resharding.
AnswersA, D, E

Reduces read throttling.

Why this answer

Options A, C, and D are correct. A: Increasing the number of workers can increase parallelism within a shard. C: Using Enhanced Fan-Out allows multiple consumers to read from the same shard without contention.

D: Resharding splits the hot shard into multiple shards. Option B is wrong because decreasing the record size reduces data volume but is not a direct fix for lag. Option E is wrong because reducing shard count reduces parallelism.

427
MCQhard

A company uses AWS CodeBuild to build and test code. The buildspec.yml includes a pre-build phase that downloads dependencies from a private repository. The developer wants to securely store the credentials for the private repository. Which AWS service should the developer use to store these credentials and reference them in the buildspec?

A.Store the credentials in an S3 bucket with server-side encryption.
B.Store the credentials in AWS Secrets Manager and use the AWS CLI in the build phase to retrieve them.
C.Store the credentials in the buildspec.yml file as environment variables.
D.Store the credentials in AWS Systems Manager Parameter Store and reference them in the buildspec.
AnswerD

Parameter Store can securely store and retrieve credentials.

Why this answer

Option B is correct because AWS Systems Manager Parameter Store can securely store credentials and be referenced in buildspec using parameter-store syntax. Option A is incorrect because environment variables in buildspec are not secure. Option C is incorrect because Secrets Manager is for secrets, not directly referenced in buildspec.

Option D is incorrect because S3 is not secure for credentials.

428
MCQmedium

A developer is using the AWS Serverless Application Model (SAM) to define a serverless application with an API Gateway endpoint. The developer wants to enable API caching only in the development stage to speed up testing, but disable it in the production stage to ensure data freshness. What is the most efficient way to achieve this with SAM?

A.Use AWS SAM parameters with a condition to set CacheClusterEnabled based on the stage parameter.
B.Deploy two separate SAM templates, one for each stage.
C.Use a custom resource to toggle caching after deployment.
D.Enable caching globally and configure a usage plan with a quota for production.
AnswerA

Correct. This allows a single template to behave differently per stage without manual edits.

Why this answer

AWS SAM parameters allow you to define a stage parameter (e.g., 'dev' or 'prod') and use a condition to conditionally set the `CacheClusterEnabled` property on the `AWS::Serverless::Api` resource. This is the most efficient approach because it uses a single template and SAM's built-in intrinsic functions (like `Fn::Equals`) to toggle caching based on the deployment stage, avoiding separate templates or post-deployment custom resources.

Exam trap

The trap here is that candidates may think caching must be managed via usage plans or custom resources, overlooking SAM's ability to conditionally set API Gateway stage properties directly through parameters and conditions in a single template.

How to eliminate wrong answers

Option B is wrong because deploying two separate SAM templates duplicates infrastructure code and increases maintenance overhead, which is less efficient than using a single parameterized template. Option C is wrong because using a custom resource to toggle caching after deployment adds unnecessary complexity and latency, and SAM already supports conditional resource properties natively. Option D is wrong because enabling caching globally and using a usage plan with a quota does not disable caching for production; usage plans control throttling and API keys, not the API Gateway cache behavior, and caching would still be active in production, violating the requirement for data freshness.

429
Multi-Selectmedium

A developer is deploying a web application using AWS Elastic Beanstalk. The application needs to store session state. Which THREE services can be used for session state storage? (Choose THREE.)

Select 3 answers
A.Amazon ElastiCache for Redis
B.Amazon DynamoDB
C.Amazon S3
D.Amazon CloudFront
E.Amazon RDS
AnswersA, B, E

Redis is an in-memory store ideal for sessions.

Why this answer

Options A, B, and D are correct. DynamoDB is a common session store; ElastiCache Redis is a popular in-memory session store; RDS can store sessions in a database. Option C is wrong because S3 is object storage, not suitable for session state due to latency and cost.

Option E is wrong because CloudFront is a CDN, not a storage service.

430
Multi-Selecteasy

A company is using AWS Elastic Beanstalk to deploy a web application. The environment is running behind a load balancer. The developer needs to ensure that the application logs are centralized and retained for analysis. Which TWO services can be used to collect and store logs from the EC2 instances?

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS X-Ray
C.Amazon Kinesis Data Firehose
D.AWS CloudTrail
E.Amazon S3
AnswersA, E

Agent can send logs directly to CloudWatch Logs.

Why this answer

CloudWatch Logs agent sends logs to CloudWatch Logs for centralized storage. S3 can be used as a destination for log exports. X-Ray is for tracing, not log collection.

Kinesis Data Firehose can stream logs to destinations but is not directly installed on instances. CloudTrail records API calls, not application logs.

431
MCQmedium

A company is using Amazon DynamoDB as the database for a web application. The application reads and writes items based on a primary key. The traffic pattern shows that reads are 10 times more frequent than writes. The development team wants to reduce read latency and costs. They are considering adding a cache layer. The data is not sensitive, but stale data is acceptable for up to 5 minutes. The application runs on EC2 instances. What should the team do to implement caching?

A.Use Amazon DynamoDB Accelerator (DAX) as a caching layer.
B.Store frequently accessed items in an S3 bucket and read from S3.
C.Set up an Amazon ElastiCache Memcached cluster and update the application to check the cache before reading from DynamoDB.
D.Use Amazon CloudFront to cache responses from the application.
AnswerC

Memcached is a simple, scalable cache for read-heavy workloads with acceptable staleness.

Why this answer

Option D is correct because Amazon ElastiCache with Memcached provides a distributed cache that is suitable for read-heavy workloads and handles frequent reads. Option A is incorrect because DAX is a DynamoDB accelerator that is tightly coupled with DynamoDB and may be overkill. Option B is incorrect because CloudFront is for content delivery, not for caching database queries.

Option C is incorrect because S3 is not suitable for low-latency caching of database items.

432
MCQmedium

A developer is using AWS Lambda with an Amazon RDS MySQL database. The Lambda function frequently times out when connecting to the database. What is the MOST likely cause?

A.The Lambda function is not configured with enough memory
B.The Lambda function is not using a reserved concurrency limit
C.The Lambda function is not attached to the same VPC as the RDS instance
D.The Lambda function's execution role lacks RDS permissions
AnswerC

Lambda must be in the same VPC or use VPC peering to access RDS.

Why this answer

Lambda functions in a VPC require a VPC endpoint for internet access or NAT gateway; without it, they cannot reach RDS if the RDS is in a private subnet. Option C is correct.

433
MCQhard

Refer to the exhibit. A developer creates a CloudFormation stack with the above template. The stack creation fails with the error 'The runtime parameter of nodejs18.x is not supported.' What is the most likely cause?

A.The ZipFile property cannot contain inline code for Node.js functions.
B.The IAM role is missing necessary permissions for CloudWatch Logs.
C.The Handler property is incorrect; it should be 'index.handler' but with the correct filename.
D.The runtime 'nodejs18.x' is not a valid Lambda runtime; use a supported runtime like 'nodejs16.x'.
AnswerD

Node.js 18.x is not supported; must use a supported version.

Why this answer

The error indicates that the Node.js 18.x runtime is not supported. At the time of this exam, Node.js 18.x is not a valid Lambda runtime; supported runtimes include nodejs14.x, nodejs16.x, and nodejs20.x. The developer should use a supported runtime.

The other options are not related to the error: ZipFile is valid for inline code, the handler is correct, and the IAM role is properly defined.

434
MCQeasy

A developer is building a serverless application that needs to process messages from an Amazon SQS queue and store the results in an Amazon DynamoDB table. Which AWS service should the developer use to orchestrate the processing logic without managing servers?

A.Amazon Elastic Container Service (ECS) with Fargate
B.Amazon EC2 instances with a custom application
C.AWS Lambda
D.AWS Step Functions
AnswerC

Lambda is a serverless compute service that can be triggered by SQS and write to DynamoDB.

Why this answer

AWS Lambda is the correct choice because it is a serverless compute service that can be triggered by SQS messages via event source mappings, process each message, and write results to DynamoDB without provisioning or managing any servers. The developer simply uploads the processing code, and Lambda handles scaling, concurrency, and execution, making it ideal for this event-driven, serverless workflow.

Exam trap

The trap here is that candidates often confuse AWS Step Functions as a serverless orchestrator for simple tasks, but Step Functions is designed for coordinating multi-step workflows and state machines, not for directly processing individual SQS messages, which is a core Lambda use case.

How to eliminate wrong answers

Option A is wrong because Amazon ECS with Fargate, while serverless in terms of infrastructure management, still requires defining a container image, task definitions, and cluster configuration, which adds unnecessary overhead for a simple message-processing task that can be handled by a single function. Option B is wrong because Amazon EC2 instances require manual server provisioning, patching, scaling, and management, which violates the 'without managing servers' requirement of the question. Option D is wrong because AWS Step Functions is a state machine orchestration service designed to coordinate multiple AWS services and handle complex workflows, not to directly process individual SQS messages; using it here would introduce unnecessary complexity and cost compared to a direct Lambda trigger.

435
MCQmedium

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload an object to the S3 bucket 'example-bucket' from an IP address 198.51.100.5. What will happen?

A.The request is allowed because the user is an IAM user.
B.The request is allowed because the action s3:PutObject is allowed.
C.The request is denied because the source IP does not match the condition.
D.The request is denied because the bucket policy is missing.
AnswerC

The IP condition restricts access.

Why this answer

The policy allows s3:PutObject only if the source IP is within 192.0.2.0/24. The user's IP 198.51.100.5 is not in that range, so the request is denied. Option A is correct.

Option B is incorrect because the condition is not met. Option C is incorrect because the policy does not enable public access. Option D is incorrect because the user is not root.

436
MCQmedium

A developer deployed this CloudFormation template. What happens to a message after it has been received from 'MyQueue' 3 times but not deleted?

A.The message is moved to the dead-letter queue.
B.The message remains in the queue and is retried indefinitely.
C.The message is deleted from the queue.
D.The message is deleted after the visibility timeout expires.
AnswerA

The RedrivePolicy moves the message to the DLQ after 3 receives.

Why this answer

Option D is correct because the RedrivePolicy specifies maxReceiveCount: 3, so after 3 receives, the message is sent to the dead-letter queue (MyDeadLetterQueue). Option A is wrong because the message is not deleted; it is moved. Option B is wrong because it is not kept in the queue indefinitely; it is moved after 3 receives.

Option C is wrong because the message is not deleted automatically after the 3rd receive; it is redirected.

437
MCQeasy

A developer is writing a Lambda function that needs to access an Amazon RDS MySQL database. The function will be invoked frequently. What is the BEST practice for managing the database connection?

A.Close the database connection at the end of each invocation.
B.Open a new database connection inside the handler for each invocation.
C.Open the database connection outside the handler function and reuse it.
D.Use Amazon RDS Proxy to manage the connection pool.
AnswerC

Reusing connections across invocations reduces latency and resource usage.

Why this answer

Option A is correct because opening a connection inside the handler and reusing it across invocations within the same container reduces overhead. Option B is wrong because opening a connection each invocation is inefficient. Option C is wrong because RDS Proxy is for connection pooling but adds complexity when not needed.

Option D is wrong because closing the connection after each invocation defeats caching.

438
Multi-Selecteasy

A developer is using Amazon DynamoDB for a gaming leaderboard. The table has a sort key of 'score' (Number). The developer wants to retrieve the top 10 players. Which TWO operations can achieve this? (Choose TWO.)

Select 2 answers
A.TransactGetItems
B.Scan and sort results client-side, then take first 10
C.BatchGetItem
D.GetItem
E.Query with ScanIndexForward set to false and Limit set to 10
AnswersB, E

Scan returns all items; client-side sorting and limiting achieves top 10.

Why this answer

Options B and D are correct. Query requires a partition key and can use ScanIndexForward to get descending order, then limit to 10. Scan can also retrieve all items and sort client-side, then limit to 10.

Option A is wrong because GetItem retrieves a single item. Option C is wrong because BatchGetItem retrieves multiple items by key, not sorted. Option E is wrong because TransactGetItems is for transactional reads.

439
MCQhard

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer. The application needs to authenticate users via an external OpenID Connect (OIDC) identity provider. The company wants to offload authentication to the load balancer and use IAM roles to access AWS resources. Which solution should the developer implement?

A.Configure the ALB target group to authenticate using the OIDC identity provider.
B.Use AWS Lambda@Edge to authenticate users at the edge.
C.Configure the ALB to use the OIDC identity provider for user authentication. Use the identity token to assume an IAM role via web identity federation.
D.Use Amazon Cognito user pools as the OIDC provider and integrate with ALB.
AnswerC

ALB supports OIDC authentication and the application can use the token to assume an IAM role.

Why this answer

Option B is correct because ALB can authenticate users via OIDC and pass the user's identity to the application via HTTP headers. The application can then use the token to assume an IAM role using web identity federation. Option A is wrong because Cognito is not required; ALB supports OIDC directly.

Option C is wrong because Lambda@Edge is for CloudFront, not ALB. Option D is wrong because ALB does not support OIDC directly with just a target group; authentication is configured on the listener rule.

440
MCQeasy

An IAM policy is attached to a user. What is the effect when the user tries to download an object from the 'confidential' folder in 'my-bucket' from an IP address within the 192.0.2.0/24 range?

A.The request is denied.
B.The request results in an error due to conflicting statements.
C.The request is allowed.
D.The request is denied because the Deny statement overrides the Allow.
AnswerC

The Deny condition is not satisfied, so the Allow applies.

Why this answer

Option A is correct because the Deny statement has a condition that checks if the source IP is NOT in the specified range. Since the condition is not met (the IP is in the range), the Deny does not apply, and the Allow statement allows s3:GetObject on the bucket. Option B is wrong because the Deny does not apply.

Option C is wrong because the Deny condition is not met. Option D is wrong because the policy does not result in an error.

441
MCQmedium

A developer is building a RESTful API using Amazon API Gateway and AWS Lambda. The API needs to support custom domain names with SSL/TLS certificates. The developer has created the custom domain name in API Gateway and uploaded the certificate to AWS Certificate Manager (ACM) in the same region. However, when accessing the custom domain, users get an SSL error. What is the most likely cause?

A.The certificate was not issued by a trusted certificate authority.
B.The custom domain name's DNS record does not point to API Gateway's regional domain name.
C.The API Gateway API is not deployed to a stage that is mapped to the custom domain name.
D.The certificate is in the wrong region relative to the API Gateway regional endpoint.
AnswerB

The DNS record (e.g., CNAME) must map the custom domain to the API Gateway endpoint. Without the correct DNS mapping, the SSL handshake will fail.

Why this answer

The most likely cause is that the custom domain name's DNS record does not point to API Gateway's regional domain name. When using a custom domain name with API Gateway, you must create a DNS record (typically a CNAME or A record using Route 53 alias) that maps your custom domain to the API Gateway-generated regional domain name (e.g., d-xxxxx.execute-api.region.amazonaws.com). Without this correct DNS mapping, the SSL/TLS handshake fails because the certificate presented by API Gateway does not match the domain name the client is connecting to, resulting in an SSL error.

Exam trap

The trap here is that candidates often confuse SSL errors with API configuration issues like missing stage mappings or incorrect certificate authorities, but SSL errors occur at the transport layer due to DNS misconfiguration or certificate domain mismatch, not at the application layer.

How to eliminate wrong answers

Option A is wrong because AWS Certificate Manager (ACM) only issues certificates that are trusted by major browsers and operating systems; if ACM issued the certificate, it is automatically from a trusted CA, so this is not the cause. Option C is wrong because while the API must be deployed to a stage and the stage must be mapped to the custom domain name for the API to respond, an SSL error occurs at the TLS handshake level before any API routing happens; a missing stage mapping would cause a 404 or 403 error, not an SSL error. Option D is wrong because the developer created the custom domain name in API Gateway and uploaded the certificate to ACM in the same region, so the region mismatch is not the issue; the certificate must be in the same region as the API Gateway regional endpoint, which it is.

442
MCQhard

Refer to the exhibit. A developer creates a CloudFormation stack with this template. The developer wants to ensure that all objects uploaded to the bucket are encrypted at rest using SSE-KMS. However, the current policy allows anyone to put objects without encryption. What additional change is needed to enforce SSE-KMS?

A.Set the bucket's default encryption configuration to SSE-KMS.
B.Add a bucket policy that denies PutObject if encryption is not set.
C.Modify the condition to use s3:x-amz-server-side-encryption-aws-kms-key-id.
D.Remove the condition to allow all PutObject requests.
AnswerA

Default encryption ensures encryption even if not specified in request.

Why this answer

Option B is correct because the policy condition only checks for the header, but if the user does not specify it, the request is denied. However, the bucket policy should also deny PutObject if the header is not present, which is already done via the condition. But the issue is that the bucket does not have a default encryption setting.

Option A is wrong because the condition already requires the header. Option C is wrong because the condition is already correct. Option D is wrong because bucket policy already exists.

443
MCQeasy

A developer needs to store application configuration that can be accessed by multiple microservices running on Amazon ECS. The configuration must be encrypted at rest and automatically rotate secrets. Which AWS service should be used?

A.AWS Systems Manager Parameter Store
B.AWS CloudFormation
C.Amazon S3
D.AWS Secrets Manager
AnswerA

Parameter Store provides encrypted parameter storage and can be used for configuration; it integrates with Secrets Manager for rotation.

Why this answer

Option C is correct because AWS Systems Manager Parameter Store supports encryption (using KMS) and can store configuration data as parameters. For automatic rotation of secrets, AWS Secrets Manager is better, but Parameter Store can integrate with Secrets Manager. In this scenario, Parameter Store is the appropriate choice for configuration storage with encryption.

444
MCQhard

A DynamoDB table uses partition key customerId. One enterprise customer generates most traffic and is throttled while the table has unused capacity elsewhere. What design change best addresses the hot partition?

A.Enable point-in-time recovery
B.Reduce item size by removing attributes
C.Use strongly consistent reads only
D.Add write sharding or redesign the partition key to distribute that customer's workload
AnswerD

Correct for the stated requirement.

Why this answer

Option D is correct because the hot partition is caused by a single customerId receiving a disproportionate amount of traffic, exceeding the 3000 RCU or 1000 WCU per partition limit. By adding write sharding (e.g., appending a random suffix to the partition key) or redesigning the partition key to include a more granular attribute, you distribute that customer's writes across multiple partitions, eliminating the bottleneck and utilizing the table's unused capacity.

Exam trap

The trap here is that candidates mistakenly believe reducing item size or changing read consistency can resolve a hot partition, when only redistributing the partition key's workload addresses the underlying throughput imbalance.

How to eliminate wrong answers

Option A is wrong because point-in-time recovery (PITR) enables continuous backups and restores to any point within the last 35 days; it does not affect request distribution or throttling. Option B is wrong because reducing item size can lower consumed capacity per operation but does not change how requests are distributed across partitions; the hot partition remains throttled if the same customerId still receives high traffic. Option C is wrong because strongly consistent reads consume twice the RCU of eventually consistent reads and do not alter partition key distribution; they would actually increase throttling risk on the hot partition.

445
MCQeasy

A developer is building a data processing pipeline that uses AWS Lambda to process files uploaded to an S3 bucket. The S3 bucket receives thousands of files per second, and the developer wants to minimize processing latency. Which approach should the developer use to trigger the Lambda function?

A.Configure an SQS queue and have the Lambda function poll the queue for S3 event notifications.
B.Use Amazon CloudWatch Events to trigger the Lambda function on a schedule.
C.Configure S3 event notifications to directly invoke the Lambda function.
D.Publish S3 events to an SNS topic and subscribe the Lambda function to that topic.
AnswerC

Direct invocation provides the lowest latency.

Why this answer

Option B is correct because S3 event notifications can directly invoke Lambda asynchronously, providing low-latency processing. Option A (SQS) adds polling latency. Option C (CloudWatch Events) is for scheduled events, not S3 events.

Option D (SNS) adds an extra hop and requires subscription.

446
MCQeasy

A developer wants to trigger an AWS Lambda function every time a new object is created in an Amazon S3 bucket. Which S3 event notification configuration should be used?

A.s3:ObjectCreated:*
B.s3:ObjectRestore:*
C.s3:ReducedRedundancyLostObject:*
D.s3:ObjectRemoved:*
AnswerA

Matches all object creation events.

Why this answer

Option A is correct because s3:ObjectCreated:* captures all object creation events. Option B is wrong because s3:ObjectRemoved:* is for deletion events. Option C is wrong because s3:ObjectRestore:* is for restore events.

Option D is wrong because s3:ReducedRedundancyLostObject:* is for loss of reduced redundancy objects.

447
Multi-Selectmedium

A developer is deploying an application using AWS Elastic Beanstalk. The application requires a relational database. Which THREE components are created by Elastic Beanstalk when you add a database to your environment?

Select 3 answers
A.A DB subnet group
B.An Amazon RDS DB instance
C.An AWS CloudFormation stack
D.An Amazon DynamoDB table
E.A security group for the database
AnswersB, C, E

Elastic Beanstalk provisions an RDS instance.

Why this answer

Options A, C, and D are correct. Elastic Beanstalk creates an Amazon RDS DB instance, a security group for the DB, and a CloudFormation stack that manages the resources. Option B is incorrect because the DB subnet group is created but not listed as a separate component; it is part of the RDS configuration.

Option E is incorrect because Elastic Beanstalk does not create a DynamoDB table by default.

448
Multi-Selectmedium

A developer is designing a messaging system where orders are placed into an SQS queue and processed by a Lambda function. The developer wants to ensure that failed messages are not lost and can be analyzed later. Which TWO steps should the developer take? (Choose 2.)

Select 2 answers
A.Configure a dead-letter queue (DLQ) for the SQS queue.
B.Enable Lambda function retries on failure.
C.Set the redrive policy to move messages to the DLQ after a specified number of receive attempts.
D.Increase the visibility timeout of the SQS queue.
E.Set up a CloudWatch alarm to monitor the queue depth.
AnswersA, C

DLQ captures messages that failed processing.

Why this answer

A and C are correct. Configuring a dead-letter queue (A) captures failed messages for later analysis. Setting the redrive policy (C) allows moving messages to the DLQ after a number of failed attempts.

Option B (increasing visibility timeout) may help but does not preserve failed messages. Option D (Lambda retries) is already done by default but does not preserve messages. Option E (CloudWatch alarms) only alerts, does not preserve messages.

449
Multi-Selecteasy

A developer is using Amazon DynamoDB as a data store for a serverless application. The application requires strongly consistent reads and must be able to recover from failures. Which THREE measures should the developer implement? (Choose THREE.)

Select 3 answers
A.Use the ConsistentRead parameter set to true in GetItem and Query operations.
B.Use DynamoDB read replicas to offload read traffic.
C.Configure DynamoDB global tables for multi-region replication.
D.Enable DynamoDB Streams to capture changes.
E.Implement DAX (DynamoDB Accelerator) for caching.
AnswersA, C, E

This ensures strongly consistent reads.

Why this answer

Option B is correct because strongly consistent reads can be requested per operation. Option C is correct because DynamoDB global tables provide multi-region replication for disaster recovery. Option D is correct because DynamoDB Accelerator (DAX) can improve read performance, though not directly for recovery.

Option A is wrong because DynamoDB Streams is for changes, not recovery. Option E is wrong because read replicas are a feature of RDS, not DynamoDB.

450
Multi-Selecthard

Which THREE AWS services are commonly used together to build a serverless event-driven architecture that processes real-time streaming data? (Choose three.)

Select 3 answers
A.Amazon Kinesis Data Streams
B.AWS Lambda
C.Amazon DynamoDB
D.Amazon SQS
E.Amazon Redshift
AnswersA, B, C

Kinesis ingests real-time streaming data.

Why this answer

Amazon Kinesis Data Streams ingests real-time data. AWS Lambda processes the data. Amazon DynamoDB stores the processed data.

Amazon SQS is for message queues, not real-time streaming. Amazon Redshift is a data warehouse, not for real-time streaming. AWS Step Functions orchestrates workflows but is not typically part of a basic streaming pipeline.

← PreviousPage 6 of 7 · 518 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Dev AWS Services questions.