CCNA Dva Troubleshooting Optimization Questions

66 of 291 questions · Page 4/4 · Dva Troubleshooting Optimization topic · Answers revealed

226
Multi-Select · easy

A developer is using Amazon RDS for MySQL and notices that the database performance has degraded. The developer suspects that slow queries are the cause. Which THREE actions should the developer take to identify and address the slow queries?

Select 3 answers
A.Enable the slow query log in RDS and review the logs.
B.Increase the DB instance size to improve performance.
C.Enable Performance Insights to analyze database performance.
D.Use the RDS console to review metrics for high CPU or IOPS usage.
E.Create a read replica to offload read traffic.
AnswersA, C, D

Slow query log records queries that take a long time to execute.

Why this answer

Options A, C, and D are correct. Option A: the slow query log records every statement that runs longer than long_query_time, which is exactly the evidence needed to identify the slow queries. Option C: Performance Insights breaks database load down by wait event and by SQL statement, so the heaviest statements can be ranked. Option D: the CloudWatch metrics shown in the RDS console (CPU, read/write IOPS, queue depth) confirm whether the suspected queries are actually saturating the instance.

Option B is wrong because increasing the instance size is a scaling action that masks the symptom without identifying the queries. Option E is wrong because a read replica offloads read traffic; it does not identify slow queries and does nothing for slow writes.

227
MCQ · hard

A developer notices that the Lambda function 'my-function' is not generating any logs in CloudWatch, although the function is invoked successfully. The developer runs the command above. What is the MOST likely cause?

A.The log group retention policy is set to 0 days.
B.The Lambda function is configured to log to a custom log group.
C.The Lambda function has reserved concurrency set to 0.
D.The Lambda function's execution role is missing the 'logs:CreateLogStream' and 'logs:PutLogEvents' permissions.
AnswerD

Without these permissions, the function cannot write logs.

Why this answer

The log group exists but has 0 stored bytes, meaning no log streams have been created. This typically indicates that the Lambda function's execution role does not have permission to create log streams and put log events. The function runs but fails silently to write logs; attaching the AWSLambdaBasicExecutionRole managed policy (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) to the execution role restores logging.

228
MCQ · easy

A developer runs a script that uses the AWS CLI to copy a large number of files from an on-premises server to an S3 bucket. The copy operation fails partway through with a 'RequestTimeout' error. What is the MOST efficient way to resume the copy and ensure all files are transferred?

A.Delete the S3 bucket and restart the copy operation.
B.Use the aws s3 sync command to synchronize the source directory with the S3 bucket.
C.Use the cp command with the --recursive flag to copy the remaining files.
D.Increase the --cli-read-timeout value in the AWS CLI configuration and retry the original command.
AnswerB

Sync only uploads files that are new or changed.

Why this answer

The `aws s3 sync` command is the most efficient way to resume the copy because it automatically compares the source directory with the destination S3 bucket and transfers only the files that are missing or have been modified. This avoids re-uploading already transferred files, directly addressing the partial failure without manual intervention or unnecessary overhead.

Exam trap

The trap here is that candidates often confuse `cp --recursive` with `sync`, assuming both can resume a copy, but only `sync` performs a differential comparison to avoid re-uploading already transferred files.

How to eliminate wrong answers

Option A is wrong because deleting the S3 bucket and restarting the entire copy operation is extremely inefficient and unnecessary; it would re-upload all files, including those already successfully transferred. Option C is wrong because the `cp --recursive` command does not perform any comparison or state tracking; it would blindly copy all files from the source again, potentially re-uploading already transferred files and wasting time and bandwidth. Option D is wrong because increasing the `--cli-read-timeout` only extends the time the CLI waits for a response from the S3 service; it does not address the root cause of the partial failure (e.g., network interruptions or throttling) and would not resume the copy from where it left off, nor does it skip already transferred files.

229
Multi-Select · hard

A developer is investigating why an AWS Lambda function that processes Kinesis records is experiencing high latency. Which THREE factors could contribute to this? (Select THREE.)

Select 3 answers
A.Low number of shards in the Kinesis stream.
B.High batch size in the event source mapping.
C.High concurrency limit for the Lambda function.
D.Using Lambda@Edge to process the records.
E.Insufficient memory allocated to the Lambda function.
AnswersA, B, E

Fewer shards mean less parallelism: records back up in each shard, iterator age grows, and end-to-end latency rises.

Why this answer

A high batch size means each invocation has more records to work through, so per-invocation processing time grows. Insufficient memory also means less CPU, which slows execution. A low shard count limits how many invocations can run in parallel, so records back up in the shards and wait longer before they are processed.

Option C is wrong because higher concurrency (within limits) lets more shards be processed in parallel, which reduces latency rather than increasing it. Option D is wrong because Lambda@Edge is a CloudFront feature and cannot be the target of a Kinesis event source mapping.

230
MCQ · easy

An application running on Amazon EC2 generates logs that need to be streamed to Amazon CloudWatch Logs. The developer installs and configures the CloudWatch agent. However, logs are not appearing in the log group. What is the most likely cause?

A.The EC2 instance does not have an IAM role with CloudWatch Logs write permissions.
B.The CloudWatch agent cannot be installed on Amazon Linux 2.
C.The CloudWatch agent must be configured from the AWS Management Console.
D.The log group must be created manually before the agent can send logs.
AnswerA

The agent needs permissions to put log events.

Why this answer

The CloudWatch agent requires an IAM role with permissions to write logs. Without the proper permissions, the agent cannot send logs. Option A is correct.

Option B is wrong because the agent is supported on Amazon Linux 2. Option C is wrong because the agent is configured with a JSON configuration file (optionally stored in Systems Manager Parameter Store), not from the console. Option D is wrong because the agent creates the log group automatically if it does not exist, provided the role allows logs:CreateLogGroup.

231
MCQ · hard

A developer is using AWS CodePipeline to deploy a serverless application. The pipeline has a CodeBuild stage that runs unit tests. Recently, the build stage started failing with a 'ResourceNotFoundException: The specified bucket does not exist' error. The buildspec.yml references an artifact bucket. What is the most likely cause?

A.The artifact bucket was deleted or is in a different AWS Region.
B.The IAM service role for CodeBuild does not have s3:GetObject on the bucket.
C.The CodeBuild project does not have permission to write to CloudWatch Logs.
D.The buildspec.yml uses an invalid bucket name syntax.
AnswerA

CodePipeline requires an artifact bucket in the same region, and deletion causes ResourceNotFoundException.

Why this answer

Option A is correct because CodePipeline stores artifacts in an S3 bucket that must be in the same Region as the pipeline; if that bucket was deleted, or the build looks for it in a different Region, S3 reports that the bucket does not exist. Option B is wrong because a missing s3:GetObject permission produces AccessDenied, not ResourceNotFound. Option C is wrong because CloudWatch Logs permissions affect build log delivery, not artifact retrieval.

Option D is wrong because a malformed bucket name fails validation with a different error rather than a lookup of a non-existent bucket.

232
Multi-Select · medium

A developer is debugging an application that uses Amazon SQS. The application occasionally processes the same message twice. Which TWO configurations can help prevent duplicate processing?

Select 2 answers
A.Increase the visibility timeout to ensure messages are deleted before becoming visible again.
B.Configure a dead-letter queue to capture duplicates.
C.Increase the delivery delay to defer message processing.
D.Enable long polling to reduce empty responses.
E.Use a FIFO queue with content-based deduplication.
AnswersA, E

A longer visibility timeout reduces the chance of re-processing.

Why this answer

Option A is correct: a visibility timeout longer than the worst-case processing time keeps the message hidden until the consumer has deleted it, so a second consumer does not receive it mid-processing. Option E is correct: a FIFO queue with content-based deduplication rejects a second message with the same SHA-256 body hash within the 5-minute deduplication interval, so a producer retry does not enqueue a duplicate. Note that standard queues are at-least-once by design, so the consumer must still be idempotent. Option C is wrong: the delivery delay only defers the first delivery.

Option D is wrong: long polling reduces empty receives and cost but does not change redelivery. Option B is wrong: a dead-letter queue receives messages that exceeded maxReceiveCount; it does not detect duplicates.

233
MCQ · easy

A developer is deploying a new version of an application to Amazon ECS using the Fargate launch type. The task fails to start and the error message indicates that the task cannot pull the container image from Amazon ECR. What is the MOST likely cause?

A.The task definition family name is incorrect.
B.The task execution role lacks permissions to pull from ECR.
C.The container port is not mapped to a host port.
D.The CPU or memory limits are too low for the container.
AnswerB

Without proper ECR permissions, the task cannot pull the image.

Why this answer

Option B is correct because the task execution role (not the task role) is what the ECS agent uses to pull the image, and it needs ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer and ecr:BatchGetImage, all granted by the AmazonECSTaskExecutionRolePolicy managed policy; the task role only governs what the running container can call. Option C is wrong because Fargate uses awsvpc networking and does not map container ports to host ports. Option D is wrong because CPU or memory limits that are too low fail the task at runtime, not at image pull.

Option A is wrong because the task definition family is unrelated to image pull. For a Fargate task in a private subnet, the other common cause of the same error is no network path to ECR (no NAT gateway or ECR VPC endpoints), which is worth ruling out alongside the role.

234
MCQ · hard

A company's DynamoDB table has a read capacity of 10,000 RCUs and receives consistent traffic. Recently, users have reported increased latency for read requests. The application uses strongly consistent reads. The developer checks CloudWatch metrics and sees that 'ConsumedReadCapacityUnits' is at 9,500 but 'ThrottledRequests' is high. What is the most likely cause?

A.The application is using eventually consistent reads but expecting strongly consistent results.
B.A hot partition is exceeding its partition-level read capacity.
C.The DynamoDB table has auto scaling enabled and is scaling down too aggressively.
D.The provisioned read capacity is too low for the traffic.
AnswerB

Even with sufficient table capacity, a single partition can throttle if its share of RCUs is exceeded.

Why this answer

ConsumedReadCapacityUnits already reflects the cost of strongly consistent reads (1 RCU per 4 KB read, versus 0.5 RCU for an eventually consistent read), so 9,500 consumed out of 10,000 provisioned means the table as a whole is below its limit. Throttling with spare table capacity points at a single partition: provisioned throughput is divided across the table's partitions, and a partition key that receives a disproportionate share of reads exhausts its slice while the rest of the table sits idle.

Option B is correct: a hot partition throttles even when table-level capacity is not exhausted. Option A is incorrect because eventually consistent reads would consume less capacity, not cause throttling. Option C is incorrect because the metrics show 10,000 RCUs provisioned with only 9,500 consumed, so capacity has not been scaled away.

Option D is incorrect because provisioned capacity exceeds consumption.

235
Multi-Select · medium

A developer is optimizing costs for an AWS account. The account has multiple EC2 instances running different workloads. Some instances are used for development and are only needed during business hours. Which THREE actions can the developer take to reduce costs? (Select THREE.)

Select 3 answers
A.Purchase Reserved Instances for the production instances.
B.Use Spot Instances for fault-tolerant workloads.
C.Use EBS gp3 volumes instead of gp2 to save on storage costs.
D.Increase the instance size to handle peak load more efficiently.
E.Use AWS Instance Scheduler to stop development instances during non-business hours.
AnswersA, B, E

Reserved Instances provide a discount over On-Demand for steady-state usage.

Why this answer

Options A, B, and E are correct. Reserved Instances (A) discount steady-state production capacity. Spot Instances (B) cut the price of workloads that tolerate interruption.

The AWS Instance Scheduler (E) stops development instances outside business hours, so they are not billed while idle. Option D (increasing instance size) raises the hourly cost. Option C (gp3 instead of gp2) can lower storage cost, but it does not address the usage patterns described in the scenario, so it is not one of the intended answers.

236
MCQ · medium

A company uses AWS CodePipeline with CodeBuild to test and deploy a web application. The pipeline has been failing at the deploy stage with an error: 'Access Denied'. CloudTrail shows the CodePipeline service role is making the call. What is the MOST likely cause?

A.The CodeBuild project does not have internet access.
B.The CodePipeline service role lacks permissions for the deploy action.
C.The deploy provider (e.g., ECS, S3) is not in the same AWS region.
D.The source code repository does not have the correct branch.
AnswerB

The service role must have permissions to perform the deploy action on the target resource.

Why this answer

The error 'Access Denied' in the deploy stage, with CloudTrail showing the CodePipeline service role making the call, indicates that the IAM role assumed by CodePipeline does not have the necessary permissions to perform the deploy action against the target provider (e.g., ECS, S3, Elastic Beanstalk). CodePipeline uses its service role to invoke the deploy action, and if that role lacks the required `codedeploy:*`, `s3:PutObject`, or `ecs:UpdateService` permissions, the API call will be denied.

Exam trap

The trap here is that candidates confuse the CodeBuild service role with the CodePipeline service role, assuming the build role is responsible for deployment, when in fact CodePipeline uses its own role for the deploy action.

How to eliminate wrong answers

Option A is wrong because CodeBuild not having internet access would cause build failures (e.g., cannot download dependencies), not a deploy-stage 'Access Denied' error, and CloudTrail shows the CodePipeline service role, not CodeBuild, is making the call. Option C is wrong because deploy providers can be in different regions (cross-region actions are supported with appropriate IAM and resource policies), and the error is 'Access Denied', not a region mismatch. Option D is wrong because an incorrect source branch would cause the pipeline to fetch the wrong code or fail at the source stage, not produce an 'Access Denied' error at the deploy stage.

237
MCQ · easy

A developer is using AWS CodeBuild to build a Java application. The build succeeds locally but fails on CodeBuild with a 'Cannot find symbol' error for a class that is in a dependency JAR. What is the MOST likely cause?

A.The build is timing out before dependencies are fully downloaded.
B.The CodeBuild compute type does not have enough memory to compile the project.
C.The dependency cache is not enabled in CodeBuild, so dependencies are not available.
D.The buildspec file has incorrect syntax causing the build to skip dependency resolution.
AnswerC

Without caching, CodeBuild downloads dependencies each time, but if the repository is unreachable or the dependency is not in the repository, it will be missing.

Why this answer

Option C is correct because a CodeBuild build starts from a clean environment: unless a cache is configured (S3 or local caching of the Maven or Gradle repository), every dependency must be resolved from a remote repository on each build. The local build succeeds because the JAR is already in the developer's local repository (for example installed with mvn install but never published to a repository CodeBuild can reach), so the compiler finds the class locally but not in CodeBuild. Option D (buildspec syntax) would fail with a buildspec parsing error before compilation starts.

Option A (build timeout) would produce a timeout, not a compilation error. Option B (insufficient compute) would produce an out-of-memory failure or a slow build, not a missing symbol.

238
MCQ · hard

Messages in an SQS queue are processed successfully but later reappear and are processed again. What is the most likely configuration issue?

A.The queue uses long polling
B.The queue has a dead-letter queue
C.The messages are encrypted with SSE-SQS
D.The visibility timeout is shorter than the processing time or messages are not deleted after processing
AnswerD

A message that is not deleted, or whose visibility timeout lapses mid-processing, becomes visible again and is delivered a second time.

Why this answer

When a message is processed but not deleted from the SQS queue, or when the visibility timeout expires before processing completes, the message becomes visible again in the queue and can be consumed by another worker. This causes duplicate processing. The correct fix is to ensure the visibility timeout is set longer than the expected processing time and that the message is explicitly deleted after successful processing.

Exam trap

The trap here is that candidates may confuse message reappearance with dead-letter queue behavior, but dead-letter queues only trigger after a configurable number of receive attempts, not after a single successful processing cycle.

How to eliminate wrong answers

Option A is wrong because long polling reduces empty responses and cost by waiting for messages, but does not cause messages to reappear after processing. Option B is wrong because a dead-letter queue captures messages that have failed processing multiple times, not cause reprocessing of successfully handled messages. Option C is wrong because SSE-SQS encrypts messages at rest, which has no effect on message visibility or deletion behavior.
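The visibility lifecycle that questions 232 and 238 describe, as an added example that is not part of the original page: a deliberately small in-memory model of one standard-queue message, driven on a simulated clock so it runs offline and deterministically. SimQueue, run_consumers and the message body "order-1" are constructed stand-ins; real code would call the boto3 receive_message, change_message_visibility and delete_message operations, whose semantics the model mirrors.

```python
class SimQueue:
    """Constructed in-memory stand-in for an SQS standard queue (not boto3).

    Each message carries an 'invisible until' time; receive() hides a visible
    message for visibility_timeout seconds, change_visibility() re-hides it,
    and delete() removes it. Time is a simulated integer clock in seconds.
    """

    def __init__(self, visibility_timeout):
        self.visibility_timeout = visibility_timeout
        self.messages = {}   # message id -> [body, invisible_until]
        self.deleted = set()
        self._counter = 0

    def send(self, body):
        self._counter += 1
        mid = f"m{self._counter}"
        self.messages[mid] = [body, 0]
        return mid

    def receive(self, now):
        """Return (id, body) of one visible, undeleted message and hide it; None if nothing is visible."""
        for mid, entry in self.messages.items():
            body, invisible_until = entry
            if mid not in self.deleted and invisible_until <= now:
                entry[1] = now + self.visibility_timeout
                return mid, body
        return None

    def change_visibility(self, mid, now, timeout):
        """Equivalent of ChangeMessageVisibility: extend the hide period of a message in flight."""
        self.messages[mid][1] = now + timeout

    def delete(self, mid):
        """Equivalent of DeleteMessage; until this is called the message will come back."""
        self.deleted.add(mid)


def run_consumers(queue, processing_seconds, delete_after=True, extend=False, horizon=60):
    """Drive two polling workers on the simulated clock.

    Returns {body: times_processed}. A count above 1 is the duplicate
    processing the questions describe. `extend` models a worker that calls
    change_visibility when it knows its work will outlast the timeout.
    """
    processed = {}
    workers = [{"mid": None, "body": None, "busy_until": 0} for _ in range(2)]
    for now in range(horizon):
        for w in workers:
            if w["mid"] is not None and now >= w["busy_until"]:
                if delete_after:              # the fix: delete only after successful processing
                    queue.delete(w["mid"])
                w["mid"] = None
            if w["mid"] is None:
                got = queue.receive(now)
                if got is None:
                    continue
                w["mid"], w["body"] = got
                w["busy_until"] = now + processing_seconds
                processed[w["body"]] = processed.get(w["body"], 0) + 1
                if extend and processing_seconds > queue.visibility_timeout:
                    queue.change_visibility(w["mid"], now, processing_seconds + 1)
    return processed


if __name__ == "__main__":
    for label, timeout, kwargs in [
        ("timeout 3s shorter than 5s processing", 3, {}),
        ("timeout 10s, message deleted", 10, {}),
        ("timeout 10s, delete forgotten", 10, {"delete_after": False}),
        ("timeout 3s but visibility extended", 3, {"extend": True}),
    ]:
        q = SimQueue(visibility_timeout=timeout)
        q.send("order-1")
        print(label, "->", run_consumers(q, processing_seconds=5, **kwargs))
```

The first scenario is question 238's misconfiguration (a 3-second timeout against 5 seconds of work) and yields two processings of the same message; the second is the fix; the third shows that a generous timeout does not help if the consumer never deletes, since the message keeps coming back every timeout period; the fourth shows the ChangeMessageVisibility escape hatch for work whose length is only known once it starts.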

239
Multi-Select · easy

Which TWO actions can help reduce Lambda cold start times? (Choose two.)

Select 2 answers
A.Increase the deployment package size.
B.Increase the memory allocated to the function.
C.Use Provisioned Concurrency.
D.Place the function in a VPC.
E.Reduce the function timeout.
AnswersB, C

More memory = more CPU, faster initialization.

Why this answer

Option B is correct because CPU allocation scales with memory, so a larger memory setting shortens initialization. Option C is correct because Provisioned Concurrency initializes execution environments ahead of time and keeps them ready. Option A is incorrect because a larger deployment package takes longer to download and unpack during a cold start.

Option D is incorrect because attaching the function to a VPC adds network setup work and does nothing to shorten initialization. Option E is incorrect because the timeout only caps how long an invocation may run; it has no effect on how long initialization takes.

240
Multi-Select · hard

A company runs a serverless application on AWS using API Gateway, AWS Lambda, and DynamoDB. The application processes user uploads and stores metadata in DynamoDB. Recently, users have reported that some uploads fail with a 500 Internal Server Error. The CloudWatch Logs for the Lambda function show 'ProvisionedThroughputExceededException' errors for DynamoDB, followed by 'Task timed out after 3.00 seconds' errors. The Lambda function has a 3-second timeout and 128 MB of memory. The DynamoDB table has 5 read capacity units and 5 write capacity units. The application uses a single Lambda function that processes each upload synchronously. The company expects a steady increase in uploads. Which combination of actions should a developer take to resolve the errors and prepare for future growth? (Choose TWO.)

Select 2 answers
A.Increase the DynamoDB table's write capacity units to a higher value.
B.Switch the Lambda function to asynchronous invocation with a DLQ.
C.Modify the Lambda function to implement retries with exponential backoff on DynamoDB write operations.
D.Increase the Lambda function's timeout to 30 seconds.
E.Increase the Lambda function's reserved concurrency to 100.
AnswersA, C

This directly addresses the ProvisionedThroughputExceededException by providing more write capacity.

Why this answer

The errors are caused by DynamoDB throttling: 5 WCUs is far too little for the upload rate, the throttled writes are retried by the SDK until the 3-second function timeout expires, and the caller sees a 500. Option A increases write capacity to handle the load (or, for unpredictable growth, switches the table to on-demand). Option C adds retries with exponential backoff and jitter so that occasional throttling is absorbed instead of failing the upload.

Option B is wrong because asynchronous invocation with a DLQ changes how failures are captured, but the writes would still be throttled. Option D is wrong because a longer timeout only lets the function wait longer for a throttled write; the capacity shortfall remains and each invocation costs more. Option E is wrong because raising reserved concurrency to 100 sends more concurrent writes at a table with 5 WCUs, which makes the throttling worse.
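The retry-with-backoff that option C calls for, as an added example that is not part of the original page. ThrottlingTable and ProvisionedThroughputExceededException are constructed stand-ins for a boto3 DynamoDB Table resource and the ClientError it raises when throttled, so the block runs offline; put_with_backoff and worst_case_retry_seconds are the example's own names. The budget helper exists because a retry loop inside a Lambda handler has to fit within the function timeout (3 seconds in the question), otherwise the retries just move the failure from a throttling error to a timeout.

```python
import random
import time


class ProvisionedThroughputExceededException(Exception):
    """Stand-in for the botocore ClientError (error code
    ProvisionedThroughputExceededException) raised by a throttled write."""


class ThrottlingTable:
    """Constructed fake of a DynamoDB table (not boto3): rejects the first
    `throttle_count` writes as throttled, then accepts. Lets the example run offline."""

    def __init__(self, throttle_count):
        self.throttle_count = throttle_count
        self.attempts = 0
        self.items = []

    def put_item(self, Item):
        self.attempts += 1
        if self.attempts <= self.throttle_count:
            raise ProvisionedThroughputExceededException(
                "The level of configured provisioned throughput for the table was exceeded")
        self.items.append(Item)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def worst_case_retry_seconds(max_attempts, base_delay, max_delay):
    """Total sleep if every retry waits its maximum; must fit inside the Lambda timeout."""
    return sum(min(max_delay, base_delay * 2 ** n) for n in range(max_attempts - 1))


def put_with_backoff(table, item, max_attempts=5, base_delay=0.05, max_delay=1.0,
                     sleep=time.sleep, rng=random.random):
    """Write `item`, retrying throttled attempts with capped exponential backoff and full jitter.

    Returns the number of attempts used. Re-raises after max_attempts so the
    handler fails visibly (and the caller's own retry or DLQ takes over) rather
    than dropping the write. Retry n sleeps uniformly in [0, min(max_delay, base_delay * 2**n)].
    """
    for attempt in range(max_attempts):
        try:
            table.put_item(Item=item)
            return attempt + 1
        except ProvisionedThroughputExceededException:
            if attempt == max_attempts - 1:
                raise
            cap = min(max_delay, base_delay * 2 ** attempt)
            sleep(rng() * cap)   # full jitter keeps concurrent invocations from retrying in lockstep
    raise AssertionError("unreachable")


if __name__ == "__main__":
    table = ThrottlingTable(throttle_count=2)
    print("attempts used:", put_with_backoff(table, {"upload_id": "u-1"}))
    print("worst-case retry budget for 5 attempts:", worst_case_retry_seconds(5, 0.05, 1.0), "s")
```

With the defaults, four retries can sleep at most 0.05 + 0.1 + 0.2 + 0.4 = 0.75 s, which leaves room inside a 3-second timeout; doubling max_attempts without checking the budget would not. In production the same behaviour can be had from the SDK itself by configuring botocore's retry mode (for example Config(retries={"mode": "adaptive", "max_attempts": 5})), but the budget arithmetic still has to be done against the function timeout.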

241
Multi-Select · medium

A developer is deploying a new microservice on AWS Elastic Beanstalk. The service uses an RDS database. The developer wants to ensure that database credentials are not stored in the application's source code. Which TWO methods should the developer use to securely provide credentials to the application?

Select 2 answers
A.Use AWS Secrets Manager to store and retrieve the credentials at runtime.
B.Store the credentials in a configuration file within the application source code.
C.Use Elastic Beanstalk environment properties to set the credentials.
D.Store the credentials in an encrypted file on an EC2 instance.
E.Store the credentials in an S3 bucket with a public read policy.
AnswersA, C

Secrets Manager provides secure storage and rotation.

Why this answer

Options A and C are correct. AWS Secrets Manager stores the credentials encrypted with KMS, supports automatic rotation for RDS, and lets the application fetch them at runtime with an IAM-authorised API call. Elastic Beanstalk environment properties are injected as environment variables at deployment, which keeps them out of the source repository; since anyone who can view the environment configuration can read them, the safer pattern is to put only the secret's ARN or parameter name in the environment property and resolve the actual password from Secrets Manager or Systems Manager Parameter Store at startup. Option B is wrong because a configuration file in the source tree ends up in version control.

Option E is wrong because an S3 bucket with a public read policy exposes the credentials to the internet. Option D is wrong because an encrypted file on the instance still needs its key on the same host, is not rotated, and does not survive instance replacement.

242
MCQ · hard

A developer is troubleshooting slow response times in a serverless application. The application consists of an Amazon API Gateway REST API that invokes an AWS Lambda function, which then writes data to an Amazon DynamoDB table with on-demand capacity. The function also calls an external API for enrichment. The developer observes that the API Gateway integration latency is high, but the Lambda function duration is low. What is the most likely cause?

A.The Lambda function is experiencing cold starts due to low invocation frequency.
B.The DynamoDB on-demand capacity is throttling requests.
C.The external API call is adding network latency due to its geographic location.
D.The API Gateway request/response payload size is large, increasing transfer time.
AnswerD

Large payloads take longer to transfer between API Gateway and Lambda, increasing integration latency even if the Lambda function executes quickly.

Why this answer

Option D is correct. IntegrationLatency is measured from the moment API Gateway sends the request to the backend until it receives the backend's response, so it includes the function's own Duration; when Duration is low but IntegrationLatency is high, the excess is in the invocation and transfer path between API Gateway and Lambda. Large request and response payloads lengthen exactly that path, and the transfer time is not part of the function's billed duration.

Exam trap

The trap here is that candidates treat 'integration latency' and 'Lambda duration' as the same thing and look for the cause inside the handler (cold starts, throttling, external calls); everything the handler does is counted in Duration, so a gap between the two metrics has to be explained by something outside the handler.

How to eliminate wrong answers

Option A is wrong because cold starts belong to the function's own start-up, are reported as Init Duration in its REPORT log lines, and affect only the first invocation of each execution environment; they do not explain a persistent gap between IntegrationLatency and Duration. Option B is wrong because DynamoDB throttling raises an exception inside the handler and surfaces as errors, retries and a longer Duration, not as API Gateway integration latency. Option C is wrong because the external API call runs inside the handler, so its latency is counted in the function's Duration, which the question states is low.

243
MCQ · medium

A developer is troubleshooting an AWS CloudFormation stack that failed to create. The error message says 'The following resource(s) failed to create: [MyEC2Instance]'. What is the first step the developer should take?

A.Update the stack with a new template.
B.Delete the stack and try again.
C.Review the CloudFormation template for syntax errors.
D.View the stack events in the CloudFormation console to see the specific error for the resource.
AnswerD

Stack events provide detailed error messages for each resource.

Why this answer

Option D is correct because when a CloudFormation stack fails to create, the error message only indicates which resource failed, not why. The first troubleshooting step is to view the stack events in the CloudFormation console, which provides detailed error messages for each resource, such as an API call failure, insufficient permissions, or a resource limit exceeded. This allows the developer to diagnose the root cause before making any changes.

Exam trap

The trap here is that candidates often jump to fixing the template or retrying the stack, overlooking that the specific error details are available in the stack events, which is the fastest path to identifying the actual cause.

How to eliminate wrong answers

Option A is wrong because updating the stack with a new template without understanding the failure reason could introduce additional errors or mask the underlying issue. Option B is wrong because deleting the stack and retrying without investigation wastes time and may repeat the same failure if the root cause (e.g., a missing parameter or IAM role) is not addressed. Option C is wrong because syntax errors in the template would typically be caught during validation before stack creation, and the error message specifically indicates a resource creation failure, not a template syntax issue.

244
MCQ · medium

A company's application running on Amazon ECS Fargate is experiencing high CPU utilization. The task definition has CPU set to 256 units. What should be done to improve performance?

A.Increase the desired count of tasks.
B.Increase the CPU value in the task definition and redeploy the service.
C.Increase the memory value in the task definition.
D.Switch to EC2 launch type.
AnswerB

Allocating more CPU per task reduces utilization.

Why this answer

Option B is correct because increasing CPU units in the task definition and redeploying the service will allocate more CPU to the tasks. Option A is wrong because horizontal scaling can help but the root cause is insufficient CPU per task. Option C is wrong because increasing memory does not affect CPU.

Option D is wrong because changing the launch type changes billing but not CPU allocation.

245
MCQ · hard

A company runs a production web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application uses a custom health check endpoint /health that returns HTTP 200 when the application is healthy. Recently, the operations team noticed that the Auto Scaling group is repeatedly launching and terminating instances (flapping) even though the application is stable. The health check grace period is set to 300 seconds. The ALB health check interval is 30 seconds, unhealthy threshold is 2, and healthy threshold is 5. The Auto Scaling group uses the ELB health check type. The application logs show no errors. What is the MOST likely cause of the flapping?

A.The EC2 instance type is not suitable for the application, causing slow responses.
B.The healthy threshold is set too high, causing instances to be considered unhealthy for too long.
C.The ALB is experiencing high latency and marking instances unhealthy.
D.The Auto Scaling group has a target tracking scaling policy that is too aggressive.
AnswerB

A high healthy threshold (5) means instances take longer to be marked healthy, leading to cycles of termination and launch.

Why this answer

Option B is correct. The healthy threshold is 5, so an instance must pass 5 consecutive checks at a 30-second interval (2.5 minutes) before the ALB reports it healthy, while only 2 consecutive failures (1 minute) mark it unhealthy.

If the application is still warming up when the first checks arrive, the instance collects failures quickly and its run of consecutive passes restarts from zero. Once the 300-second grace period ends, the Auto Scaling group trusts the ELB health status; an instance that has not yet strung together 5 passes is reported unhealthy and replaced, and the replacement goes through the same cycle. The combination of a high healthy threshold and a low unhealthy threshold therefore produces a launch-and-terminate loop with a perfectly stable application. Lowering the healthy threshold (for example to 2 or 3) or lengthening the grace period stops the flapping.

Option C is wrong because the ALB is not failing and ALB latency does not by itself fail a target health check. Option D is wrong because no scaling policy is mentioned, and scaling-policy churn would not depend on health check settings. Option A is wrong because an unsuitable instance type would show up as errors or slow responses in the application logs, which are clean.

246
MCQ · medium

A developer is troubleshooting a Lambda function that intermittently times out. The function makes HTTP requests to an external API. The function's CloudWatch logs show 'Task timed out after 3.01 seconds'. What is the MOST likely cause?

A.The Lambda function timeout is set to 3 seconds, but the HTTP request takes longer.
B.The Lambda function has insufficient reserved concurrency causing throttling.
C.The Lambda function is not configured with a VPC and cannot reach the external API.
D.The Lambda function is not starting execution due to a missing IAM role.
AnswerA

The default Lambda timeout is 3 seconds. The log shows the task timed out after 3.01 seconds, indicating the function timeout was exceeded.

Why this answer

Option A is correct because the function timeout is set to 3 seconds (the default) and an HTTP call to the external API that occasionally takes longer than that is cut off with 'Task timed out'. The fix is to raise the function timeout to cover the API's worst-case latency and to set a client-side HTTP timeout below the function timeout so the handler can fail cleanly instead of being killed. Option C is wrong because a function without a VPC configuration has internet access by default; a function that cannot reach the API would fail with a connection error, and 'Task timed out' refers specifically to the function timeout. Option B is wrong because throttling is reported as a throttle, not a timeout, and would not produce this log line.

Option D is wrong because a missing execution role prevents the invocation entirely; the log line shows the function ran until the timeout.

247
Multi-Select · easy

A developer is troubleshooting an AWS Lambda function that is failing with a timeout error. The function has a 15-minute timeout and processes messages from an Amazon SQS queue. Which TWO actions should the developer take to resolve the issue?

Select 2 answers
A.Reduce the SQS visibility timeout.
B.Increase the Lambda function timeout to 15 minutes.
C.Increase the SQS batch size in the Lambda event source mapping.
D.Configure a dead-letter queue for the SQS queue.
E.Use SQS batch operations in the Lambda function to process multiple messages at once.
AnswersC, E

Larger batches reduce overhead and improve throughput.

Why this answer

Options C and E are correct. C: a larger batch size means each invocation pulls more messages, so fewer invocations are needed and the per-invocation overhead is amortised. E: handling the batch with SQS batch operations (for example one DeleteMessageBatch call instead of a DeleteMessage call per record) cuts round trips and improves throughput, which keeps each invocation within its timeout.

Option D is wrong because a dead-letter queue captures messages that failed after maxReceiveCount attempts; it does not stop the timeouts. Option A is wrong because a shorter visibility timeout causes messages to be redelivered while still in flight, producing more retries. Option B is wrong because the timeout is already 15 minutes, the maximum; the issue is processing speed.

248
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user. The user tries to download an object from s3://my-bucket/secret/config.txt. What will happen?

A.The user is denied access only if the bucket policy also denies access.
B.The user can download the object because the Deny statement only applies to 's3:*' actions, not s3:GetObject.
C.The user can download the object because the Allow statement grants s3:GetObject on the bucket.
D.The user is denied access because the Deny statement explicitly denies access to the 'secret/' prefix.
AnswerD

Explicit Deny always overrides Allow.

Why this answer

The Deny statement explicitly denies all S3 actions (s3:*, which includes s3:GetObject) on objects under the 'secret/' prefix. In IAM evaluation an explicit Deny in any applicable policy overrides every Allow, regardless of statement order. Option D is correct.

Option A is wrong because the identity policy already contains an explicit Deny; a bucket policy could only add further denies, not grant the access back. Option B is wrong because s3:* is a wildcard that matches s3:GetObject. Option C is wrong because an Allow never overrides an explicit Deny.
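The evaluation order behind this answer, as an added example that is not part of the original page. Because the exhibit is not reproduced here, EXAMPLE_POLICY is a constructed policy matching the question's description (an Allow of s3:GetObject on the whole bucket and a Deny of s3:* under secret/); evaluate, _wildcard_match and s3_object_arn are the example's own names, and the evaluator covers only identity-based policies (no Condition, NotAction, NotResource, resource policies, SCPs or permission boundaries).

```python
import re


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters (including '/'), '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Evaluate identity-based policies for one action on one resource.

    Returns 'explicit-deny', 'allow' or 'implicit-deny'. Mirrors the core of IAM
    evaluation: a matching Deny wins no matter where it sits, a matching Allow is
    needed to permit, and no match at all is an implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; resource ARNs are case-sensitive.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if not any(_wildcard_match(a, action.lower()) for a in actions):
                continue
            if not any(_wildcard_match(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


def s3_object_arn(bucket, key):
    return f"arn:aws:s3:::{bucket}/{key}"


# Constructed policy standing in for the exhibit: an Allow on every object in the
# bucket and a Deny on everything under the 'secret/' prefix.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/secret/*"},
    ],
}

if __name__ == "__main__":
    for key in ("secret/config.txt", "public/index.html"):
        print(key, "->", evaluate([EXAMPLE_POLICY], "s3:GetObject", s3_object_arn("my-bucket", key)))
```

Swapping the two statements, or adding a second policy with a broader Allow, does not change the result for secret/config.txt; that is the property the question tests. For a real account the same question is answered authoritatively by the IAM policy simulator, which also takes resource policies and boundaries into account.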

249
MCQ · medium

A developer runs the AWS CLI command above to view the latest log stream for a Lambda function. The output shows a log stream with lastEventTimestamp of 1710493200000 (approximately 1 hour ago). However, the function was invoked 5 minutes ago and did not produce any errors. What is the MOST likely explanation?

A.The Lambda function was not actually invoked 5 minutes ago.
B.The Lambda function execution role lacks permissions to write to CloudWatch Logs.
C.The log stream was deleted after the last invocation.
D.The command returned only the oldest log stream because of the limit and ordering parameters.
AnswerD

A --limit 1 query returns a single stream, and which one depends on the --order-by and --descending settings; the stream holding the newest events is not necessarily the one returned.

Why this answer

Option D is correct because --limit 1 returns one log stream and the ordering parameters decide which one. The default --order-by for describe-log-streams is LogStreamName, which sorts by name rather than by last event, so the query can return an older stream even though newer ones exist. Lambda writes to a separate stream for each execution environment, so a function invoked 5 minutes ago typically has a newer stream that this query did not return; listing with --order-by LastEventTime --descending shows it. Option A is wrong because the invocation is stated to have happened.

Option B is wrong because streams already exist and events were written an hour ago, so the role can write logs. Option C is wrong because CloudWatch Logs does not delete streams after invocations; a retention policy expires events by age.

250
Drag & Dropmedium

Drag and drop the steps to troubleshoot an application that cannot connect to an RDS database in the correct order.


Why this order

Start with network connectivity, then security groups, credentials, direct connection test, and finally database logs.

251
MCQhard

A developer deployed a new Lambda function that processes messages from an SQS queue. The function runs correctly for small workloads but starts timing out after 15 seconds when traffic increases. The function has a reserved concurrency of 10 and a timeout of 30 seconds. CloudWatch logs show occasional throttling errors (429). What is the MOST likely cause?

A.The function memory is too low.
B.The reserved concurrency is too low.
C.The SQS batch size is too large.
D.The function timeout is too low.
AnswerB

Low reserved concurrency causes throttling (429) and delays leading to timeouts.

Why this answer

Option B is correct because the 429 errors show Lambda rejecting invocations: with reserved concurrency of 10, at most ten executions can run at once, so under load the SQS poller's invocation attempts are throttled, messages wait in the queue, and the end-to-end processing time stretches until it exceeds the timeout. Raising the reserved concurrency (or removing the limit) lets the function scale with the queue depth. Option A is wrong because low memory would show up as slow execution or out-of-memory failures, not as 429 throttling responses. Option C is wrong because batch size changes how many messages each invocation handles; it does not produce throttling errors.

Option D is wrong because the timeout is already 30 seconds and the function completes within it at low traffic; the delay comes from waiting for concurrency, and a longer timeout would only hide that.

252
Multi-Selectmedium

Which TWO actions can help reduce latency for a web application hosted on EC2 instances behind an Application Load Balancer? (Select TWO.)

Select 2 answers
A.Increase the EC2 instance size to a larger type.
B.Use Amazon CloudFront as a content delivery network.
C.Disable keep-alive connections on the ALB.
D.Use multiple Availability Zones for the ALB.
E.Enable HTTP/2 on the Application Load Balancer.
AnswersB, E

CloudFront caches content at edge locations, reducing latency.

Why this answer

Enabling HTTP/2 on the ALB reduces latency by multiplexing many requests over one client connection. Putting CloudFront in front caches content at edge locations close to users, so fewer requests travel back to the origin. Option A is wrong because a larger instance does not reduce latency when the bottleneck is network distance or I/O.

Option D is wrong because spreading the ALB across Availability Zones improves availability, not latency. Option C is wrong because disabling keep-alive forces a new TCP (and TLS) handshake for every request, which increases latency.

253
MCQmedium

A developer has deployed a serverless application using AWS SAM. After a recent update, the API Gateway endpoints return 500 errors. The Lambda function logs show no errors. What should the developer investigate first?

A.Increase the Lambda function timeout.
B.Check the Lambda function's reserved concurrency.
C.Review the CloudFormation stack events for any failures.
D.Verify the API Gateway integration response and mapping templates.
AnswerD

Incorrect mapping can cause API Gateway to return 500 even if Lambda executes successfully.

Why this answer

Option D is correct because when API Gateway returns 500 errors but Lambda logs show no errors, the issue is typically in the API Gateway integration response or mapping templates. API Gateway may fail to transform the Lambda response into the expected format, causing an internal server error without the Lambda function ever throwing an exception.

Exam trap

The trap here is that candidates assume 500 errors always originate from the Lambda function, but the question explicitly states Lambda logs show no errors, forcing the candidate to look at the API Gateway integration layer instead.

How to eliminate wrong answers

Option A is wrong because increasing the Lambda function timeout would not resolve 500 errors if the function is completing successfully (as indicated by no errors in logs); timeout issues would manifest as 504 errors, not 500. Option B is wrong because reserved concurrency controls the number of concurrent executions, not response formatting; concurrency issues would cause throttling (429 errors) or invocation failures, not 500 errors with successful logs. Option C is wrong because CloudFormation stack events would show deployment failures, but the question states the application was deployed successfully and only after an update the errors appeared; stack events would not reveal runtime integration issues between API Gateway and Lambda.

254
MCQmedium

A developer is troubleshooting a Lambda function that times out sporadically. The function reads from an S3 bucket and processes CSV files. Which of the following is the MOST likely cause?

A.VPC configuration missing a NAT gateway.
B.Cold starts due to low invocation frequency.
C.S3 GET request throttling during high traffic.
D.Insufficient memory allocated to the Lambda function.
AnswerC

High request rates can lead to S3 throttling, causing intermittent delays and timeouts.

Why this answer

Sporadic timeouts often occur due to throttling or limits. S3 throttling (especially for GET requests) can cause delays. Cold starts would cause initial delays but not sporadic ones.

Memory exhaustion would cause failures, not timeouts. VPC configuration would cause consistent timeouts.

255
MCQmedium

A developer is troubleshooting an application that uses Amazon ElastiCache for Redis to cache database query results. The application experiences high latency during cache misses. The developer notices that frequently accessed keys (hot keys) are often missing from the cache, suggesting they are being evicted. Which action should the developer take to reduce cache misses for hot keys?

A.Increase the number of cache nodes.
B.Switch to the 'allkeys-lru' eviction policy.
C.Disable the TTL on all cached keys.
D.Increase the size of the cache cluster.
AnswerB

allkeys-lru evicts the least recently used keys from all keys, which tends to retain frequently used hot keys.

Why this answer

Option B is correct because the eviction policy decides which keys Redis may remove when it reaches maxmemory. ElastiCache for Redis defaults to 'volatile-lru', under which only keys that carry a TTL are candidates for eviction. Cached query results normally carry a TTL, so under memory pressure Redis evicts among those keys, hot ones included, while keys without a TTL are never touched however cold they are. 'allkeys-lru' makes every key a candidate and evicts the least recently used first, so rarely read keys go before frequently read hot keys. Redis's LRU is approximate (it samples keys), but hot keys are touched so often that they reliably survive.

Exam trap

The trap here is that candidates assume scaling up or out is the only answer to cache misses and overlook that the eviction policy decides which keys go; with the default 'volatile-lru', only keys that have a TTL can be evicted, so the keys the application sets with a TTL are exactly the ones that get removed.

How to eliminate wrong answers

Option A is wrong because adding nodes (scaling out) spreads the keyspace across shards but leaves the eviction policy unchanged; once a shard reaches maxmemory, the same TTL-only candidates are evicted. Option C is wrong because removing TTLs does not reduce memory pressure; under 'volatile-lru' it leaves Redis with no evictable keys, so writes fail with an OOM error instead of evicting anything. Option D is wrong because a larger cluster (scaling up) adds memory and postpones eviction but does not change which keys are evicted once memory is eventually exhausted.
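A toy eviction model, added here to make the volatile-lru / allkeys-lru difference concrete; it is not Redis code and not part of the question bank (Redis's real LRU is approximate and samples keys, which the model ignores). The keys, sizes and access pattern are constructed to mirror the question: one hot key that carries a TTL, cold keys that do not.

```python
"""Toy model of Redis maxmemory eviction under volatile-lru vs allkeys-lru.

Constructed for illustration, not Redis source. Each key has a size, a
logical last-access clock and a has_ttl flag. Eviction runs until the new
write fits under max_size. The point: volatile-lru may only evict keys that
carry a TTL, so a hot key with a TTL is thrown out while cold keys without a
TTL survive; allkeys-lru considers every key and removes the coldest.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    size: int
    last_used: int      # logical clock of the most recent access
    has_ttl: bool


@dataclass
class ToyCache:
    max_size: int
    policy: str                                   # 'volatile-lru' or 'allkeys-lru'
    clock: int = 0
    store: dict = field(default_factory=dict)
    evicted: list = field(default_factory=list)   # eviction order, for inspection

    def _used(self):
        return sum(e.size for e in self.store.values())

    def _candidates(self):
        if self.policy == "allkeys-lru":
            return list(self.store.items())
        if self.policy == "volatile-lru":
            return [(k, e) for k, e in self.store.items() if e.has_ttl]
        raise ValueError(self.policy)

    def _evict_until_fits(self, incoming):
        while self._used() + incoming > self.max_size:
            cands = self._candidates()
            if not cands:
                # Redis behaviour: nothing evictable -> the write is refused
                raise MemoryError("OOM command not allowed when used memory > 'maxmemory'")
            victim, _ = min(cands, key=lambda kv: kv[1].last_used)
            del self.store[victim]
            self.evicted.append(victim)

    def set(self, key, size, ttl=False):
        self.clock += 1
        if key in self.store:
            del self.store[key]
        self._evict_until_fits(size)
        self.store[key] = Entry(size, self.clock, ttl)

    def get(self, key):
        self.clock += 1
        entry = self.store.get(key)
        if entry is None:
            return None                           # cache miss
        entry.last_used = self.clock
        return key


def run_scenario(policy):
    """Hot key carries a TTL (as cached query results do); cold keys do not."""
    cache = ToyCache(max_size=3, policy=policy)
    cache.set("cold:a", 1)            # no TTL, never read again
    cache.set("cold:b", 1)            # no TTL, never read again
    cache.set("hot:query", 1, ttl=True)
    for _ in range(5):
        cache.get("hot:query")        # the hot key is read repeatedly
    cache.set("new:item", 1)          # memory pressure: something has to go
    return cache


def volatile_lru_without_ttl_keys():
    """Option C from the question: no TTL anywhere plus volatile-lru -> OOM on write."""
    cache = ToyCache(max_size=1, policy="volatile-lru")
    cache.set("k1", 1)
    try:
        cache.set("k2", 1)
    except MemoryError as exc:
        return str(exc)
    return None
```

Under volatile-lru the only evictable key is the hot one, so it is the one that disappears; under allkeys-lru the least recently used cold key goes and the hot key stays resident.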

256
MCQmedium

A developer has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is experiencing high invocation errors. The developer sees that the function's reserved concurrency is set to 0. What is the impact?

A.The function's memory is insufficient, causing out-of-memory errors.
B.The function is throttled due to high request volume.
C.The function's code has an error causing it to fail.
D.The function is not receiving any invocations because it has no concurrency available.
AnswerD

With reserved concurrency 0, the function cannot be invoked.

Why this answer

Reserved concurrency of 0 reserves no execution capacity for the function, so every invocation attempt is throttled and the code never runs. Messages the SQS poller tries to hand to the function stay in the queue and, after the configured retries, move to the dead-letter queue if one is set. Setting reserved concurrency to 0 is also the standard way to deliberately switch a function off, so check whether someone did this on purpose before changing it. Option D is correct.

Option A is wrong because the function never executes, so it cannot run out of memory. Option B is wrong because the throttling is not caused by request volume; with zero reserved capacity even a single invocation is rejected. Option C is wrong because a code error requires the code to run, and it does not.

257
MCQhard

A developer is troubleshooting an AWS Lambda function that processes large CSV files (up to 1 GB) uploaded to an Amazon S3 bucket. The function uses Python and the pandas library to perform data transformations. Recently, the function started timing out on large files. CloudWatch Logs show that the function's execution time is close to the 15-minute Lambda timeout, and memory utilization peaks at around 80% of the configured 3,008 MB. The function has not been modified in months. Which action will most likely resolve the timeout issue without requiring code changes?

A.Increase the memory allocation of the Lambda function to the maximum available (10,240 MB)
B.Increase the function timeout to the maximum allowed (900 seconds is already the max)
C.Use S3 Select to filter columns and rows before invoking the Lambda function
D.Increase the batch size of the S3 event notification to invoke the function with multiple files
AnswerA

More memory provides more CPU, speeding up the CPU-intensive pandas processing and reducing execution time below the timeout.

Why this answer

Increasing the memory allocation raises the CPU share (and network throughput) that Lambda assigns to the function in proportion, which directly shortens execution time for CPU-bound pandas work. Memory utilization at 80% of 3,008 MB shows the function is not starved of memory, so the time is going into CPU. One caveat when sizing: at 1,769 MB a function has the equivalent of one full vCPU and the 10,240 MB maximum provides six, but pandas transformations are largely single-threaded, so measure the speed-up rather than assuming it stays linear all the way up. This action resolves the timeout without any code changes.

Exam trap

The trap here is that candidates assume the function needs more memory because memory utilization is at 80%, but the real bottleneck is CPU, which is tied to memory allocation in Lambda's pricing and performance model.

How to eliminate wrong answers

Option B is wrong because the Lambda function timeout is already at 900 seconds (15 minutes), which is the maximum allowed; increasing it further is impossible. Option C is wrong because S3 Select filters data before the Lambda function is invoked, which would require modifying the S3 event notification or adding a separate trigger, thus requiring code changes to the Lambda function or infrastructure. Option D is wrong because increasing the batch size of the S3 event notification would invoke the function with multiple files at once, which would increase the processing load and worsen the timeout issue, not resolve it.

258
Multi-Selectmedium

A developer is troubleshooting a slow-performing Amazon RDS for MySQL database. Which TWO actions should the developer take to improve query performance?

Select 2 answers
A.Delete unused indexes to reduce write overhead.
B.Enable Multi-AZ deployment for better read performance.
C.Increase the instance size to provide more CPU and memory.
D.Enable the slow query log to identify poorly performing queries.
E.Delete the binary log files to free up storage.
AnswersC, D

More resources can improve performance.

Why this answer

Option D: enabling the slow query log identifies the statements that exceed long_query_time so they can be tuned or indexed. Option C: a larger instance class adds CPU and memory, which raises throughput for a workload that is resource-bound. Option B is wrong because Multi-AZ provides a synchronous standby for failover; the standby does not serve reads.

Option A is wrong because removing unused indexes lowers write overhead but does nothing for slow reads, and without the slow query log the developer does not yet know which indexes are unused. Option E is wrong because binary logs are managed by RDS (their retention is configured, not deleted by hand), and freeing storage would not make queries faster.

259
MCQmedium

A developer deployed a new version of a Lambda function using an alias that points to the new version. However, the function continues to invoke the old version. What is the MOST likely cause?

A.The IAM execution role for the Lambda function does not have permission to invoke the new version.
B.The alias was not updated to point to the new version after deployment.
C.The Lambda function's reserved concurrency is set to 0, preventing new invocations.
D.The function name in the invocation request is different from the deployed function.
AnswerB

An alias is a pointer to a specific version. If the alias still points to the old version, new invocations will use the old code.

Why this answer

Option B is correct because an alias is only a named pointer; publishing a new version does not move any alias, so until the alias is updated to the new version every invocation through it still runs the old code. Option C (concurrency) does not affect which version is invoked. Option D (a different function name) would fail with a function-not-found error, not run the old code.

Option A (IAM permissions) is wrong because the execution role governs what the function can do at runtime, not which version is invoked, and a permission problem would surface as an access-denied error, not as stale code.

260
MCQmedium

A developer is using AWS CloudFormation to deploy a stack. The stack creation fails with the error 'API: iam:CreateRole User: arn:aws:iam::123456789012:user/DevUser is not authorized to perform: iam:CreateRole'. The developer is using an IAM user with AdministratorAccess policy attached. What is the MOST likely cause of this error?

A.The account has reached the IAM role limit.
B.The CloudFormation stack is using a service role that does not have iam:CreateRole permission.
C.The CloudFormation stack is being created in a region where IAM is not supported.
D.The AdministratorAccess policy has been modified to remove IAM permissions.
AnswerB

If a service role is used, CloudFormation assumes that role to create resources. If the role lacks permissions, the operation fails.

Why this answer

Option B is correct because when a service role is specified, CloudFormation assumes that role and makes every resource API call with the role's permissions, not the caller's. If the role lacks iam:CreateRole, the stack fails on the IAM resource even though the user holds AdministratorAccess. In practice, read the ARN in the error closely: it names the principal whose permissions were actually evaluated, and a denial under an administrator policy also warrants a check for a permissions boundary or a service control policy on the account. Option C (region) is wrong because IAM is a global service, available from every region.

Option A (role limit) is wrong because hitting the IAM quota produces a LimitExceeded error, not an authorization error. Option D (modified policy) is wrong because AdministratorAccess is an AWS managed policy and cannot be edited.

261
MCQmedium

A developer is troubleshooting a CloudFormation stack that fails to create. The stack includes an Auto Scaling group with a launch template. The error message says 'Value (null) for parameter groupId is invalid.' What is the MOST likely cause?

A.The launch template references a SecurityGroupId parameter that is not provided or is misspelled.
B.The Auto Scaling group does not specify a VPC subnet.
C.The Auto Scaling group's user data script contains a syntax error.
D.The launch template specifies an invalid key pair name.
AnswerA

The error indicates a null value for groupId, meaning the security group parameter is missing or not resolved.

Why this answer

The error 'Value (null) for parameter groupId is invalid' indicates that a SecurityGroupId parameter referenced in the launch template is either not provided or misspelled. CloudFormation resolves parameters at stack creation; if the parameter is missing or has a typo, it evaluates to null, causing the launch template to fail validation because a security group ID is required for the network interface.

Exam trap

The trap here is that candidates confuse a missing subnet or user data error with a parameter null value, but the specific 'groupId' error points directly to a security group parameter issue, not infrastructure or script problems.

How to eliminate wrong answers

Option B is wrong because a missing VPC subnet would cause a different error, such as 'VPCIdNotSpecified' or 'SubnetIDNotSpecified', not a null groupId parameter. Option C is wrong because a syntax error in user data would result in a script execution failure, not a parameter validation error during stack creation. Option D is wrong because an invalid key pair name would produce an error like 'InvalidKeyPair.NotFound', not a null parameter value for groupId.

262
MCQmedium

The exhibit shows the output of invoking a Lambda function from the AWS CLI. The function returned a status code of 200 but included a FunctionError field set to 'Unhandled'. What does this indicate?

A.The function executed but threw an unhandled exception.
B.The function returned an error in the LogResult field.
C.The function timed out during execution.
D.The function was invoked but there was a network error.
AnswerA

Unhandled indicates an exception that was not caught.

Why this answer

Option A is correct because FunctionError: 'Unhandled' means the function ran and raised an exception that its code did not catch; the details are in the response payload (errorMessage, errorType). The 200 StatusCode belongs to the Invoke API call itself and says nothing about whether the function succeeded, which is why FunctionError has to be checked explicitly. Option B is wrong because LogResult is only the base64-encoded tail of the invocation log (returned when --log-type Tail is requested), not an error indicator. Option C is wrong because a timeout is one specific kind of unhandled error, reported with an errorMessage beginning 'Task timed out after'; 'Unhandled' on its own does not imply a timeout.

Option D is wrong because a network error would have prevented the Invoke call from returning a 200 response at all.
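An added helper for reading Invoke responses the way this question expects; it is written for this page, not taken from the question bank or from AWS. The response dictionaries are constructed samples shaped like the Invoke API output, and the field semantics (StatusCode for the API call, FunctionError and the JSON payload for the function's own outcome, LogResult as a base64 log tail) follow the Lambda API.

```python
"""Classify an AWS Lambda Invoke response instead of trusting StatusCode alone.

Added example, not AWS code. StatusCode describes whether the Invoke API call
succeeded; the function's outcome is carried in FunctionError and the payload.
The sample responses below are constructed, not captured from an account.
"""
import base64
import json


def classify_invoke_response(resp):
    """Return 'ok', 'handled-error', 'unhandled-error', 'timeout' or 'invoke-failed'."""
    status = resp.get("StatusCode")
    if status is None or status >= 400:
        return "invoke-failed"          # the Invoke call itself failed (defensive branch)
    func_err = resp.get("FunctionError")
    payload = resp.get("Payload")
    if isinstance(payload, (bytes, bytearray)):
        payload = payload.decode()
    body = json.loads(payload) if payload else {}
    if func_err is None:
        return "ok"
    message = str(body.get("errorMessage", ""))
    if func_err == "Unhandled" and message.startswith("Task timed out"):
        return "timeout"                # a timeout is surfaced as an Unhandled error
    return "unhandled-error" if func_err == "Unhandled" else "handled-error"


def decode_log_tail(resp):
    """LogResult is the base64 tail of the invocation log (only with --log-type Tail)."""
    encoded = resp.get("LogResult")
    return base64.b64decode(encoded).decode() if encoded else ""


# Constructed sample: StatusCode 200, yet the function threw. The request id is a placeholder.
SAMPLE_UNHANDLED = {
    "StatusCode": 200,
    "FunctionError": "Unhandled",
    "LogResult": base64.b64encode(
        b"START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST\n"
        b"[ERROR] KeyError: 'records'\n"
        b"END RequestId: 00000000-0000-0000-0000-000000000000\n"
    ).decode(),
    "Payload": json.dumps({"errorMessage": "'records'", "errorType": "KeyError"}),
}

# Constructed sample: the special case of a timeout, also reported as Unhandled.
SAMPLE_TIMEOUT = {
    "StatusCode": 200,
    "FunctionError": "Unhandled",
    "Payload": json.dumps({"errorMessage": "Task timed out after 3.00 seconds"}),
}

# Constructed sample: a genuinely successful invocation.
SAMPLE_OK = {"StatusCode": 200, "Payload": json.dumps({"statusCode": 200})}
```

The classifier treats StatusCode 200 with FunctionError set as a function failure, which is the reading the question tests; a script that only checks the status code will report every one of these invocations as a success.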

263
Multi-Selectmedium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application is experiencing high latency. Which TWO steps should the developer take to troubleshoot and optimize the application?

Select 2 answers
A.Configure an Amazon RDS read replica.
B.Enable AWS X-Ray integration and analyze service maps.
C.Enable enhanced health reporting and review the environment health metrics.
D.Increase the instance type to a larger size.
E.Deploy the application to a different AWS region.
AnswersB, C

Identifies bottlenecks in the application.

Why this answer

Option C is correct because enhanced health reporting surfaces environment and per-instance metrics (request latency percentiles, CPU, HTTP status counts) that show where the latency sits. Option B is correct because X-Ray tracing and its service map pinpoint which downstream call or code segment is slow. Option E is wrong because moving to another region does nothing for the existing users' latency and ignores the actual bottleneck.

Option D is wrong because a bigger instance type is a guess at a fix, not a troubleshooting step, and it helps only if the instance is actually resource-bound. Option A is wrong because nothing in the question shows that a database is involved, let alone that reads are the bottleneck.

264
MCQmedium

A developer is troubleshooting an AWS Lambda function that processes records from an Amazon Kinesis Data Stream. The function is configured with a batch size of 100 and a parallelization factor of 1. The iterator age metric is increasing, and CloudWatch Logs show the function execution time is around 4 minutes (timeout is 5 minutes). The stream has 10 shards. What is the most cost-effective way to increase processing throughput?

A.Increase the batch size to 500
B.Increase the number of shards
C.Increase the timeout to 10 minutes
D.Increase the parallelization factor per shard
AnswerD

Increasing the parallelization factor allows the function to process multiple batches from the same shard concurrently, improving throughput without additional cost from more shards.

Why this answer

Increasing the parallelization factor per shard (option D) lets each shard be processed by several concurrent Lambda invocations, which directly increases throughput without adding shards or changing the stream. The function is not hitting the 5-minute timeout but takes about 4 minutes per batch, so the bottleneck is concurrency per shard, not batch size or execution duration. The factor can be raised up to 10, and Lambda still processes records that share a partition key in order, so ordering guarantees are preserved. This is the most cost-effective option because it uses the existing shards and avoids paying for more of them or lengthening the timeout for no gain.

Exam trap

The trap here is that candidates often assume increasing batch size (option A) is the natural fix for slow processing, but they overlook that the function is already near its timeout limit, making a larger batch size impractical without also increasing the timeout.

How to eliminate wrong answers

Option A is wrong because increasing the batch size to 500 would very likely push the function past the 5-minute timeout (it already takes about 4 minutes for 100 records), so whole batches would fail and be retried, making iterator age worse. Option B is wrong because adding shards costs more and is not the most cost-effective approach; the current 10 shards are underused with a parallelization factor of 1. Option C is wrong because the function is not timing out (it completes in about 4 minutes against a 5-minute timeout), so a longer timeout does not address the throughput bottleneck.

265
Multi-Selectmedium

A developer is troubleshooting an AWS Lambda function that is timing out. The function has a timeout of 5 seconds and is configured with 128 MB of memory. Which TWO of the following are effective ways to resolve the timeout?

Select 2 answers
A.Increase the memory allocation to 512 MB.
B.Decrease the memory allocation to 64 MB.
C.Deploy the function inside a VPC.
D.Optimize the function code to reduce execution time.
E.Increase the function timeout to 10 seconds.
AnswersA, D

More memory can improve performance and reduce execution time.

Why this answer

Option A is correct because Lambda allocates CPU in proportion to memory, so moving from 128 MB to 512 MB gives the function roughly four times the CPU share and usually shortens execution time. Option D is correct because reducing the work the code does (fewer or parallel downstream calls, reusing SDK clients and connections across invocations) attacks the root cause. Option E is wrong because a longer timeout only tolerates the slowness; it does not fix it and raises the cost of each invocation.

Option B is wrong because 128 MB is already the minimum Lambda allows, and less memory would mean less CPU. Option C is wrong because attaching the function to a VPC does nothing to speed it up and adds a network path to manage.

266
MCQhard

A developer is running an AWS Lambda function that is triggered by Amazon S3 events. The function writes processed data to an Amazon DynamoDB table. Over time, the function's execution time has increased significantly. CloudWatch Logs show many DynamoDBProvisionedThroughputExceededException errors. The table is configured with 5 read capacity units (RCUs) and 5 write capacity units (WCUs). The function performs both reads and writes. Which optimization will MOST effectively reduce throttling errors while maintaining performance?

A.Increase the RCUs and WCUs of the table to 50 each
B.Switch the DynamoDB table to on-demand capacity mode
C.Implement a DynamoDB Accelerator (DAX) cluster for caching reads
D.Increase Lambda function memory to 1024 MB
AnswerB

On-demand mode automatically scales read and write capacity based on traffic. This eliminates throttling caused by insufficient provisioned capacity and requires no capacity planning.

Why this answer

The DynamoDBProvisionedThroughputExceededException errors show that the function's reads and writes are exceeding the table's provisioned capacity; 5 RCUs and 5 WCUs is very little for a function that fans out with every S3 upload. Switching to on-demand capacity mode removes throughput management and scales with the workload without throttling. This addresses the root cause, capacity exhaustion, without manual adjustments or architectural changes. On-demand is billed per request, so it suits spiky, unpredictable traffic; for a steady, predictable load, provisioned capacity with auto scaling is usually cheaper.

Exam trap

The trap here is that candidates often confuse read throttling with write throttling and reach for DAX (a read cache) or assume that increasing Lambda resources will solve database-level throughput issues, when the real fix is to match the database capacity mode to the workload pattern.

How to eliminate wrong answers

Option A is wrong because raising RCUs and WCUs to 50 is a manual, reactive fix that does not address the unpredictable traffic pattern; it may still throttle when the workload spikes beyond the new limit, and it incurs unnecessary cost when average usage is lower. Option C is wrong because DAX caches reads only; the function writes every processed record, so the write path stays throttled whatever a read cache does. Option D is wrong because more Lambda memory only adds CPU and network throughput to the function; it does not change the table's capacity, so the throttling continues.

267
MCQeasy

A developer is using Amazon S3 to host a static website. The website returns 403 Forbidden errors. The bucket policy allows public read access. What is the most likely cause?

A.The bucket's 'Block public access' settings are enabled.
B.The bucket has an ACL that denies read access.
C.The bucket policy does not include the 's3:GetObject' action.
D.The bucket policy is not correctly attached to the bucket.
AnswerA

Block public access settings override bucket policies.

Why this answer

The most likely cause is that the bucket's 'Block public access' settings are enabled. Even if the bucket policy explicitly grants public read access, S3 Block Public Access overrides it: with RestrictPublicBuckets on, a public bucket policy is ignored for anonymous requests, and with BlockPublicPolicy on, S3 refuses to attach a public policy in the first place. Either way anonymous website requests get 403 Forbidden. These settings are enabled by default for new buckets and can be applied at the account or bucket level, so an account-level setting can override a bucket whose own settings look correct.

Exam trap

The trap here is that candidates often focus on the bucket policy syntax or ACLs, overlooking the fact that S3's Block Public Access settings can silently override all public permissions, even when the policy is perfectly written.

How to eliminate wrong answers

Option B is wrong because S3 ACLs can only grant permissions, never deny them, so an ACL cannot override a bucket policy that grants public read; ACLs are also a legacy mechanism that buckets with ACLs disabled (the default for new buckets) ignore entirely. Option C is wrong because the question states the policy allows public read, which is exactly s3:GetObject; a missing action would be a policy error, not an override of a correct policy. Option D is wrong because the question says the policy allows public read, which implies it is attached; a bucket with no policy would also return 403, but that is not the scenario described.

268
MCQmedium

Refer to the exhibit. A developer runs the AWS CLI command for an EC2 instance. The instance is in the 'running' state, but the application hosted on it is not reachable. What should the developer check first?

A.Check the security group rules for inbound traffic.
B.Check the ELB health check settings.
C.Check the instance status checks in the EC2 console.
D.Verify the instance ID is correct.
AnswerA

Security groups control inbound traffic; missing rules can block access.

Why this answer

The application is unreachable although the EC2 instance is in the 'running' state, which means the instance has been started (it does not by itself prove the OS or the application is healthy). The most common cause in this scenario is that the security group's inbound rules do not allow traffic on the application's port (for example TCP 80/443). Security groups are a stateful virtual firewall at the instance level, and traffic that no inbound rule permits is silently dropped, so a client sees a hang rather than a refusal. If the group is correct, the next checks are the subnet's network ACL and the host firewall inside the OS.

Exam trap

The trap here is that candidates assume a 'running' instance means the application should be reachable, overlooking that security groups control network access independently of the instance's operational state.

How to eliminate wrong answers

Option B is wrong because ELB health check settings are only relevant if the instance is behind an Elastic Load Balancer, and the question does not mention an ELB; even if it were, the health check would fail due to the same security group issue, making it a secondary check. Option C is wrong because instance status checks verify the OS and hypervisor health (e.g., system reachability), and since the instance is 'running' and the application is unreachable, the issue is likely at the network layer, not the instance's operational status. Option D is wrong because verifying the instance ID is a basic validation step that would have been done before running the CLI command; if the ID were incorrect, the CLI command would have failed with an error, not left the instance running but unreachable.

269
MCQmedium

A developer attached the IAM policy above to an IAM role used by an EC2 instance. The instance is in a VPC with CIDR 10.0.0.0/16, but it cannot access objects in the S3 bucket 'example-bucket'. What is the MOST likely reason?

A.The condition should use 'aws:VpcSourceIp' instead of 'aws:SourceIp'.
B.The policy does not allow 's3:ListBucket' action.
C.The IAM role does not have a trust policy.
D.The S3 bucket is in a different region than the EC2 instance.
AnswerA

For requests from a VPC endpoint, use VpcSourceIp. For direct requests, the source IP is the public IP, not private.

Why this answer

The policy's condition compares aws:SourceIp with the private range 10.0.0.0/16, but aws:SourceIp carries the address AWS receives the request from. For an instance reaching S3 through an internet gateway or NAT gateway that is the instance's public IP or the NAT gateway's IP, never the private address, so the condition fails and the Allow never applies. For an instance reaching S3 through a gateway VPC endpoint, aws:SourceIp is not present in the request context at all; the private address is exposed as aws:VpcSourceIp, and the endpoint as aws:SourceVpce.

Option A is therefore correct: with a VPC endpoint, condition on aws:VpcSourceIp (or aws:SourceVpce), and do not expect private ranges to appear in aws:SourceIp. Option B is wrong because s3:ListBucket is not needed to fetch an object. Option C is wrong because a role that the EC2 service cannot assume would leave the instance with no credentials at all, not a targeted S3 failure. Option D is wrong because S3 object access is not limited to the instance's region.
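A minimal IAM-style policy evaluator, added here for question 248 (explicit Deny on a prefix beats a broad Allow) and question 269 (aws:SourceIp against a private range). It is not AWS's evaluator and not part of the question bank; it implements only the rules the two questions rely on: explicit Deny wins, wildcard matching of Action and Resource, and the IpAddress operator on aws:SourceIp / aws:VpcSourceIp, with a missing context key treated as a non-match. The bucket names, CIDRs and addresses are illustrative.

```python
"""Minimal IAM-style policy evaluator for the two S3 questions above.

Added example; not AWS code. Evaluation order follows the IAM rule that any
matching explicit Deny wins, then any matching Allow, otherwise implicit deny.
Only the IpAddress condition operator is modelled; a condition whose key is
absent from the request context does not match, which is exactly what happens
to aws:SourceIp for a request that arrives through a gateway VPC endpoint.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' any sequence, '?' any single character. fnmatchcase also
    # treats '[...]' specially, which ARNs and action names do not contain.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(operator)      # only the operator the questions need
        for key, cidrs in pairs.items():
            if key not in ctx:
                return False                         # missing key -> condition fails
            addr = ipaddress.ip_address(ctx[key])
            if not any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs)):
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    # Action names are case-insensitive; resources are matched as written.
    if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx=None):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    ctx = ctx or {}
    decision = "implicit-deny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"                   # nothing later can override this
        decision = "allow"
    return decision


# Question 248: broad Allow on the bucket plus an explicit Deny on the secret/ prefix.
PREFIX_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-bucket/secret/*"},
    ],
}

# Question 269: Allow conditioned on the VPC's private range via aws:SourceIp.
SOURCE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-bucket/*",
                  "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
}

# Same intent, keyed on the context key a gateway VPC endpoint actually supplies.
VPC_SOURCE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-bucket/*",
                  "Condition": {"IpAddress": {"aws:VpcSourceIp": "10.0.0.0/16"}}},
}
```

Run against the two request contexts that matter for question 269: a request that left the VPC through a NAT gateway (AWS sees a public address, so the 10.0.0.0/16 condition on aws:SourceIp fails) and a request through a gateway endpoint (aws:SourceIp is absent, aws:VpcSourceIp holds the private address, and only the second policy allows it).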

270
Multi-Selectmedium

An application running on Amazon ECS with Fargate is experiencing intermittent failures when connecting to an Amazon RDS database. The security group for the RDS instance allows inbound traffic from the security group attached to the ECS tasks. Which TWO additional checks should the developer perform to troubleshoot the connectivity issue?

Select 2 answers
A.Enable VPC Flow Logs to capture dropped packets.
B.Check that the database credentials are correctly stored in AWS Secrets Manager.
C.Verify that the security group for the RDS instance has an inbound rule allowing traffic from the security group used by the ECS tasks.
D.Check the network ACLs for the subnets to ensure they allow inbound and outbound traffic on ephemeral ports.
E.Ensure that the ECS tasks have a route to the internet through an Internet Gateway.
AnswersC, D

The security group rule must reference the correct source security group.

Why this answer

Options C and D are correct. Option C: the stem says the RDS security group references the task security group, but intermittent failures are a reason to verify the exact rule: the referenced group ID must be the one the tasks are actually launched with (a task definition or service update can change it), and the rule must cover the database port. Option D: network ACLs are stateless, so the subnets' NACLs must allow the database port inbound on the RDS side and the ephemeral port range for the return traffic; a NACL that covers only part of that range produces exactly this kind of intermittent failure.

Option E is wrong because traffic to an RDS instance in the same VPC is routed locally; no internet gateway is involved. Option B is wrong because wrong credentials produce a consistent authentication error, not intermittent connectivity loss. Option A is wrong as an immediate check because flow logs are an investigative tool for analysing dropped traffic once the configuration checks have been done, not a configuration check in themselves.

271
MCQhard

A company runs a serverless application using AWS Lambda and Amazon API Gateway. The application experiences intermittent 502 Bad Gateway errors. The Lambda function logs show no errors. What is the most likely cause?

A.The Lambda function execution time exceeds API Gateway's 29-second timeout.
B.The API Gateway account-level throttling limit is exceeded.
C.The Lambda function is throwing unhandled exceptions.
D.The API Gateway request payload exceeds 10 MB.
AnswerA

API Gateway enforces a 29-second integration timeout; a function that runs longer is cut off at the gateway even though its own logs show a clean run.

Why this answer

Among the options, A is the one consistent with clean Lambda logs: API Gateway's integration timeout is 29 seconds, and a function that takes longer is cut off at the gateway while it keeps running and completes normally as far as its own logs are concerned. Be precise about the status code when troubleshooting, though: an integration timeout is reported as 504 Gateway Timeout (as question 253 notes), whereas 502 Bad Gateway is what API Gateway returns when the function's response is malformed for a proxy integration (a missing statusCode, a non-string body). In a real investigation, intermittent 502s with clean Lambda logs point first at the shape of the response the function returns, and then at the timeout.

Exam trap

The trap here is that candidates assume 502 errors always indicate Lambda function failures, but API Gateway's 29-second timeout is a separate, often overlooked limit that causes 502 errors even when the Lambda function runs successfully.

How to eliminate wrong answers

Option B is wrong because exceeding API Gateway account-level throttling limits results in 429 Too Many Requests errors, not 502 Bad Gateway errors. Option C is wrong because unhandled exceptions in Lambda would produce error logs in CloudWatch and typically result in 500 Internal Server Error or 502 errors with logged exceptions, but the question states logs show no errors. Option D is wrong because API Gateway has a 10 MB payload limit, but exceeding it would return a 413 Request Entity Too Large error, not a 502 Bad Gateway error.

272
MCQhard

A developer ran the above CLI command to describe an EC2 instance. The instance is running but the developer cannot connect to it via SSH. Which additional step should the developer take to troubleshoot the connectivity issue?

A.Check the AMI ID to ensure it is a valid Linux AMI
B.Check the instance's network interfaces for a public IP
C.Check the instance status checks in the EC2 console
D.Check the security group rules associated with the instance
AnswerD

Security groups control inbound traffic; if port 22 is not allowed, SSH will fail.

Why this answer

Option D is correct because checking the security group rules is essential to verify that inbound SSH traffic (port 22) is allowed. The describe-instances output does not include security group information. Option C is wrong because the instance is already running.

Option B is wrong because the instance type is t2.micro, which has a default ENI limit. Option A is wrong because the AMI ID is present.

273
MCQeasy

A developer is using AWS CloudFormation to deploy a stack. The stack creation fails with a 'CREATE_FAILED' status for an EC2 instance resource. The event message says 'The requested configuration is currently not supported. Please check the documentation for supported configurations.' What should the developer do to resolve this issue?

A.Update the stack with a new parameter value.
B.Add an IAM role to the EC2 instance.
C.Change the instance type or specify a different Availability Zone in the template.
D.Use a different Amazon Machine Image (AMI).
AnswerC

The instance type is not supported in the selected AZ.

Why this answer

The error indicates the instance type is not available in the specified Availability Zone. Option C is correct: changing the instance type or AZ resolves it. Option B is wrong because the error is not about permissions.

Option A is wrong because the stack creation failed; updating the stack is not possible. Option D is wrong because the error is not about the AMI.

274
Multi-Selecteasy

Which TWO approaches can be used to optimize costs for an Amazon DynamoDB table with predictable read/write patterns? (Select TWO.)

Select 2 answers
A.Increase the read capacity units to avoid throttling.
B.Use provisioned capacity with auto scaling.
C.Use DynamoDB global tables for multi-region replication.
D.Use DynamoDB Accelerator (DAX) to cache read results.
E.Use on-demand capacity mode.
AnswersB, D

Auto scaling adjusts capacity to actual usage, optimizing cost.

Why this answer

Using provisioned capacity with auto scaling adjusts capacity based on usage, avoiding over-provisioning. DynamoDB Accelerator (DAX) reduces read costs by caching reads. Option E is wrong because on-demand is more expensive for predictable workloads.

Option C is wrong because global tables increase costs. Option A is wrong because increasing read capacity units costs more.

275
MCQmedium

A developer has deployed an AWS Lambda function that is triggered by an Amazon S3 event. The function processes image files and stores metadata in an Amazon DynamoDB table. CloudWatch metrics show that the function's error count has increased. The developer checks CloudWatch Logs and sees errors related to insufficient memory. The function is configured with 128 MB of memory. What should the developer do to resolve the errors?

A.Increase the function's memory to 256 MB or higher.
B.Increase the function's timeout to 30 seconds.
C.Reduce the size of the images being uploaded to S3.
D.Move the DynamoDB write operation to an asynchronous invocation.
AnswerA

Increasing memory alleviates the out-of-memory error and also increases CPU power, which will help process images faster.

Why this answer

The error is caused by insufficient memory, which directly impacts the CPU and execution resources allocated to the Lambda function. Increasing the memory allocation to 256 MB or higher provides more CPU throughput and memory, resolving the out-of-memory errors without requiring code changes.

Exam trap

The trap here is that candidates confuse memory errors with timeout errors and incorrectly choose to increase the timeout, but the logs explicitly state insufficient memory, not duration limits.

How to eliminate wrong answers

Option B is wrong because increasing the timeout does not address memory exhaustion; timeout errors occur when execution duration exceeds the limit, not when memory is insufficient. Option C is wrong because reducing image sizes is a workaround that may not be feasible or controlled by the developer, and it does not fix the underlying resource allocation issue. Option D is wrong because moving the DynamoDB write to an asynchronous invocation does not reduce memory consumption during image processing; the function still needs enough memory to process the image in memory before any write occurs.

276
MCQeasy

A developer invoked a Lambda function and saw the above output. What is the root cause of the error?

A.The Lambda function lacks permission to access the event payload.
B.The function code expects a property that is missing from the event payload.
C.The Lambda function's handler name is incorrect.
D.The Lambda function timed out.
AnswerB

The code tries to access 'length' on undefined, meaning an expected property is not in the event.

Why this answer

Option B is correct because the error message 'Cannot read property 'length' of undefined' suggests that the code expects a property that does not exist in the event object. Option D is wrong because there is no timeout error. Option C is wrong because the log shows the function started and ran.

Option A is wrong because there is no mention of missing permissions.

277
MCQmedium

A development team is using AWS CodeCommit as a source repository and CodeBuild for build automation. They want to trigger a build automatically whenever a pull request is created or updated in the repository. Which configuration should they use?

A.Configure an S3 event notification on the repository
B.Configure a webhook in CodeCommit to trigger CodeBuild
C.Use Amazon EventBridge to capture CodeCommit events and trigger CodeBuild
D.Create a CodePipeline that polls CodeCommit for changes
AnswerC

EventBridge can detect pull request events from CodeCommit and invoke CodeBuild.

Why this answer

Option C is correct because CodeCommit can send events via CloudWatch Events (Amazon EventBridge) to trigger CodeBuild. Option B is wrong because webhooks are used with GitHub/Bitbucket, not CodeCommit. Option D is wrong because CodePipeline is a higher-level orchestration service and not necessary for simple build triggers.

Option A is wrong because S3 events are not applicable to CodeCommit.

278
MCQhard

A developer is optimizing an API Gateway REST API that uses Lambda integration. The response times are high, and CloudWatch logs show that the Lambda function has cold starts frequently. The function is written in Java and uses a large library. What is the MOST effective optimization?

A.Rewrite the function in Node.js to reduce cold start time.
B.Increase the Lambda function's memory allocation to 3008 MB.
C.Enable provisioned concurrency on the Lambda function.
D.Use the AWS SDK for Java 2.x to reduce initialization time.
AnswerC

Provisioned concurrency keeps a number of execution environments initialized and ready to respond immediately, eliminating cold starts.

Why this answer

Option C is correct because using provisioned concurrency keeps the function initialized and warm, eliminating cold starts. Option B is wrong because increasing memory does not directly reduce cold start time. Option D is wrong because using the AWS SDK alone does not reduce cold starts.

Option A is wrong because using a Node.js function would reduce cold starts but may require rewriting the code, which is not as effective as provisioned concurrency.

279
Matchingmedium

Match each AWS deployment strategy to its description.


Concepts
Matches

Switch between two environments

Gradual traffic shifting

Update instances incrementally

Immediate full deployment

Equal percentage increments

Why these pairings

Deployment strategies are tested in the exam.

280
MCQmedium

A developer deployed a new version of a Lambda function that processes S3 events. After deployment, some S3 events are not being processed. The CloudWatch Logs show no errors. What is the most likely cause?

A.The Lambda function has a syntax error.
B.The S3 bucket's event notification still points to the old Lambda function.
C.The Lambda function alias is not pointing to the new version.
D.The S3 events are being throttled by Lambda.
AnswerB

S3 event notification must be updated to invoke the new function.

Why this answer

Option B is correct because after deploying a new version of a Lambda function, the S3 bucket's event notification configuration still references the Amazon Resource Name (ARN) of the old Lambda function version or the function without a qualifier. S3 event notifications are configured to invoke a specific Lambda function ARN, and if the ARN does not point to the new version (e.g., by using an alias or the $LATEST qualifier), events will continue to be sent to the old version, which may not be processing them. Since CloudWatch Logs show no errors, the old version is likely not being invoked or is not logging, confirming the mismatch.

Exam trap

The trap here is that candidates assume deploying a new Lambda version automatically updates all event sources, but S3 event notifications are static ARN references that must be manually updated or use aliases to reflect the new version.

How to eliminate wrong answers

Option A is wrong because a syntax error would cause the Lambda function to fail during invocation, which would generate error logs in CloudWatch Logs, but the question states there are no errors. Option C is wrong because Lambda function aliases are optional; if the S3 event notification is configured to invoke the function directly without an alias (e.g., using the function ARN without a qualifier), the alias not pointing to the new version is irrelevant. Option D is wrong because Lambda throttling would produce a 'ThrottleReason' metric in CloudWatch and error logs (e.g., 429 TooManyRequestsException), but the question states no errors are present.

281
Multi-Selectmedium

A developer is troubleshooting a slow-running application that uses ElastiCache for Redis as a caching layer. The application frequently reads and writes data to the cache. Which TWO actions should the developer take to improve cache performance?

Select 2 answers
A.Use optimized data structures like hashes instead of strings for complex data.
B.Configure the cache to use LRU eviction policy.
C.Disable persistence by setting appendonly to no.
D.Increase the number of shards to distribute data.
E.Enable ElastiCache auto scaling to adjust the number of nodes.
AnswersA, E

Hashes can reduce memory usage and improve performance.

Why this answer

Option E is correct: enabling auto scaling for ElastiCache can adjust capacity based on demand. Option A is correct: optimizing data structures reduces memory and CPU overhead. Option B is wrong: TTL eviction is already handled by Redis.

Option D is wrong: more shards increase complexity and may not help if the bottleneck is CPU. Option C is wrong: disabling persistence improves write performance but may not be the primary issue.

282
Multi-Selectmedium

A developer is troubleshooting a slow Amazon DynamoDB table. The table has a read capacity of 1000 RCU and a write capacity of 500 WCU. The application frequently reads the same item. Which TWO actions can improve read performance?

Select 2 answers
A.Increase the read capacity units (RCU) to 2000.
B.Add a Global Secondary Index (GSI) on the frequently read attribute.
C.Decrease the write capacity units (WCU) to 250.
D.Implement DynamoDB Accelerator (DAX) for caching.
E.Use eventually consistent reads instead of strongly consistent reads.
AnswersD, E

DAX caches reads, reducing latency.

Why this answer

Option D is correct because DynamoDB Accelerator (DAX) is an in-memory cache that can reduce read latency for frequently accessed items from milliseconds to microseconds, offloading read traffic from the table and improving performance without requiring a capacity increase. Option E is correct because eventually consistent reads consume half the RCU of strongly consistent reads (0.5 RCU vs 1 RCU per 4 KB item) and return data faster, which is suitable when the application can tolerate slightly stale data for the same item.

Exam trap

The trap here is that candidates often choose to increase RCU (Option A) as a knee-jerk reaction to slow reads, overlooking that caching (DAX) and consistency model changes are more cost-effective and targeted solutions for repeated reads of the same item.

283
Multi-Selecteasy

A developer is using Amazon ElastiCache to improve the performance of a read-heavy web application. After implementing caching, some users see stale data. Which TWO strategies can the developer use to ensure cache coherence?

Select 2 answers
A.Set a suitable TTL for cached data.
B.Use write-through caching.
C.Invalidate the cache entry when the underlying data is updated.
D.Use read replicas of the database to serve read traffic.
E.Implement lazy loading with a short TTL.
AnswersA, C

TTL ensures data is refreshed periodically.

Why this answer

Option A is correct because setting a suitable Time-To-Live (TTL) on cached data ensures that stale entries are automatically evicted after a defined period. This forces the application to fetch fresh data from the primary database when the TTL expires, thereby maintaining cache coherence without requiring immediate invalidation on every write. In ElastiCache (Redis or Memcached), TTL is set per key using commands like EXPIRE or SETEX, and it is a simple, effective strategy for read-heavy workloads where eventual consistency is acceptable.

Exam trap

The trap here is that candidates often confuse 'lazy loading' (which loads data into cache on a miss) with 'TTL-based expiration' (which evicts stale data), and they may incorrectly select Option E as a separate strategy when it is functionally identical to Option A; also, they may overlook that write-through caching (Option B) is a valid coherence strategy but is not listed as correct in this specific question because the exam expects the two most common and straightforward approaches: TTL and explicit invalidation.

284
MCQmedium

A company runs a Node.js application on AWS Elastic Beanstalk. The application is experiencing high latency. The developer suspects the database queries are slow. Which step should the developer take first to diagnose the issue?

A.Migrate the database to Amazon DynamoDB for better performance.
B.Enable enhanced health reporting and monitor CloudWatch metrics for database connection time.
C.Add database indexing to improve query performance.
D.Increase the instance size to improve performance.
AnswerB

Enhanced health reporting provides detailed metrics to diagnose latency issues.

Why this answer

The first step is to enable enhanced health reporting and use CloudWatch metrics to monitor database query performance. Option D is wrong because increasing instance size is a solution, not diagnosis. Option C is wrong because you need to identify the slow queries first.

Option A is wrong because switching to DynamoDB is a major architectural change.

285
MCQeasy

A developer attaches the above bucket policy to an S3 bucket. An anonymous user tries to access https://my-bucket.s3.amazonaws.com/secret/key.txt. What is the result?

A.Access is denied because the explicit Deny overrides the Allow.
B.Access is allowed because the Allow statement covers all objects.
C.Access is allowed because anonymous requests are not affected by Deny statements.
D.Access is denied because the policy is invalid (two statements conflict).
AnswerA

Explicit Deny takes precedence.

Why this answer

Option A is correct because the explicit Deny overrides the Allow. Even though the Allow grants access to all objects, the Deny for the secret/ prefix explicitly denies access. Option B is incorrect because the explicit Deny takes precedence.

Option D is incorrect because the policy is valid. Option C is incorrect because the user is anonymous but the Deny still applies.

286
MCQmedium

A developer is troubleshooting a CloudFront distribution that serves static content from an S3 bucket. Users in some geographic locations report slow load times. The developer checks the CloudFront metrics and sees a high number of cache misses. What is the MOST likely cause?

A.The CloudFront distribution is configured with Price Class 100, which uses only the US and Europe edge locations.
B.The S3 bucket is configured with signed URLs for access.
C.The CloudFront distribution is not configured to compress objects.
D.The object TTL is set to a very low value (e.g., 0 seconds).
AnswerD

A TTL of 0 means each request must go to the origin, resulting in high cache misses and slower performance for users.

Why this answer

Option D is correct because a short TTL causes objects to expire from edge caches quickly, leading to frequent cache misses and requests going back to the origin. Option A (price class) affects edge locations but not cache hits. Option C (compression) does not affect cache hits.

Option B (signed URLs) would cause misses if URLs are not properly constructed, but not a high miss rate.

287
Multi-Selecthard

A company is using CloudFront with an S3 origin to serve static content. Users in some geographic regions experience high latency. The developer wants to optimize performance. Which THREE actions should the developer take?

Select 3 answers
A.Increase the TTL for the cache behavior to reduce requests to the origin.
B.Enable S3 Transfer Acceleration for the origin bucket.
C.Enable CloudFront Origin Shield to reduce the number of requests to the origin.
D.Configure multiple origins and set up origin failover.
E.Add additional CloudFront edge locations in the affected regions.
AnswersA, C, D

Higher TTL improves cache hit ratio, reducing origin requests and latency.

Why this answer

Option A is correct: adding more edge locations (through additional origins) is not possible directly, but optimizing the origin is. Actually, CloudFront has many edge locations, but adding more origins doesn't help. Option C is correct: enabling Origin Shield reduces load on the origin.

Option D is correct: using multiple origins and failover can improve availability. Option B is wrong: S3 Transfer Acceleration is for uploading to S3, not for CloudFront. Option E is wrong: TTL does not affect latency, only cache hit ratio.

288
MCQmedium

An application running on Amazon EC2 instances behind an Application Load Balancer (ALB) is experiencing increased latency. The developer suspects the ALB is the bottleneck. How can the developer confirm this using CloudWatch metrics?

A.Monitor the HealthyHostCount metric and ensure it is equal to the number of instances.
B.Monitor the SurgeQueueLength metric and look for sustained high values.
C.Monitor the TargetResponseTime metric and compare it to the client's perspective.
D.Monitor the RequestCount metric and check if it exceeds the ALB's limit.
AnswerB

High SurgeQueueLength means requests are queued, causing latency.

Why this answer

The SurgeQueueLength metric tracks the number of requests that are queued by the ALB because it cannot route them to a healthy target. A sustained high value indicates that the ALB is overwhelmed and requests are waiting, which directly confirms the ALB as the bottleneck causing increased latency.

Exam trap

The trap here is that candidates often confuse SurgeQueueLength with backend metrics like TargetResponseTime, assuming latency must come from the targets rather than the load balancer's internal queuing.

How to eliminate wrong answers

Option A is wrong because HealthyHostCount only indicates the number of registered instances that pass health checks; it does not measure ALB load or queuing, so it cannot confirm the ALB as the bottleneck. Option C is wrong because TargetResponseTime measures the time taken by the backend targets to respond, not the ALB's internal processing or queuing delay; comparing it to client-perceived latency would highlight backend issues, not ALB overload. Option D is wrong because RequestCount alone does not have a fixed 'limit' that triggers latency; ALBs scale automatically based on request load, and exceeding a limit would cause errors, not necessarily increased latency.

289
MCQmedium

A developer is using Amazon CloudFront to serve static content from an S3 bucket. Users are reporting that they see outdated content. The CloudFront distribution has a default TTL of 24 hours. What is the MOST efficient way to serve updated content immediately?

A.Create a CloudFront invalidation for the updated objects.
B.Disable and re-enable the CloudFront distribution.
C.Update the object key in the S3 bucket.
D.Change the default TTL to 0.
AnswerA

Invalidations remove objects from edge caches, ensuring users get the latest version.

Why this answer

Option A is correct because creating an invalidation removes the cached objects from edge locations, forcing CloudFront to fetch the updated content from the origin. Option D is wrong because changing the TTL would affect future cache behavior but not immediately purge existing cached objects. Option C is wrong because updating the object key would require users to use a new URL.

Option B is wrong because disabling and re-enabling the distribution would cause downtime.

290
MCQeasy

A developer uses the CloudFormation template in the exhibit to create an S3 bucket. The stack creation fails with the error 'Bucket already exists'. What is the MOST likely reason?

A.The CloudFormation template has invalid JSON syntax.
B.The bucket name is already taken by another AWS account.
C.The IAM user does not have permission to create S3 buckets.
D.The bucket name is not available in the specified region.
AnswerB

S3 bucket names must be unique across all AWS accounts.

Why this answer

Option B is correct because S3 bucket names must be globally unique. If the bucket name 'my-unique-bucket-name' already exists in another AWS account, the creation will fail. Option D (region) is not true; bucket names are global.

Option C (permissions) would cause a different error. Option A (template format) is not the cause; the template is valid JSON.

291
MCQmedium

A developer attached the above IAM policy to an AWS Lambda function that writes encrypted objects to an S3 bucket. The function fails with an 'AccessDenied' error when putting objects. What is the most likely reason?

A.The policy does not include s3:PutObjectAcl permission.
B.The policy is missing a statement for the S3 bucket itself (not the objects).
C.The policy allows s3:GetObject, which is unnecessary and conflicts with PutObject.
D.The KMS key policy does not allow the Lambda function to decrypt.
AnswerA

If the bucket requires object ACLs, the function needs s3:PutObjectAcl.

Why this answer

Option A is correct because the policy allows s3:PutObject but does not include s3:PutObjectAcl or other permissions that may be needed by the Lambda function or the encryption context. Option B is wrong because the policy is not missing a bucket statement; it is there. Option D is wrong because KMS permissions are granted.

Option C is wrong because s3:GetObject is not needed for writing, but it does not conflict with PutObject; missing s3:PutObjectAcl is common when bucket policies enforce specific ACLs.
