CCNA Troubleshooting Questions

75 of 291 questions · Page 3/4 · Troubleshooting topic · Answers revealed

151
MCQeasy

An application running on Amazon EC2 instances behind an Application Load Balancer (ALB) is experiencing intermittent 503 errors. The EC2 instances are in an Auto Scaling group. What is the MOST likely cause?

A.The SSL certificate on the ALB has expired.
B.The target group health checks are failing.
C.The ALB DNS name is not resolving.
D.The security group for the ALB is blocking traffic.
AnswerB

If health checks fail, the ALB stops routing traffic to those instances, causing 503 errors.

Why this answer

Option C is correct because an unhealthy target is the most common cause of 503 errors with ALB. Option A is wrong because DNS resolution happens at the client side, not at the ALB. Option B is wrong because SSL certificate issues cause 502 errors.

Option D is wrong because security group rules affect connectivity, not HTTP status codes.

152
Multi-Selectmedium

A company is using Amazon S3 to store log files. The logs are rarely accessed after 30 days but must be retained for 7 years for compliance. Which THREE actions should the company take to optimize storage costs?

Select 3 answers
A.Use S3 Lifecycle policy to delete objects after 30 days.
B.Store objects in S3 One Zone-IA from the start.
C.Use S3 Lifecycle policy to transition objects to S3 Glacier after 1 year.
D.Enable S3 Lifecycle policy to expire objects after 7 years.
E.Use S3 Lifecycle policy to transition objects to S3 Standard-IA after 30 days.
AnswersC, D, E

Glacier is low-cost for archival.

Why this answer

Option A is correct because transitioning to S3 Standard-IA after 30 days reduces cost for infrequent access. Option B is correct because transitioning to S3 Glacier after 1 year reduces cost for long-term retention. Option D is correct because lifecycle policies automate transitions.

Option C is wrong because S3 One Zone-IA is not durable enough for compliance. Option E is wrong because deleting after 30 days violates retention requirement.

153
MCQmedium

A developer invokes a Lambda function from the AWS CLI and receives the response shown in the exhibit. The output file contains an error message. What is the MOST likely cause of the FunctionError field being set to 'Unhandled'?

A.The function's execution role does not have permission to write to CloudWatch Logs.
B.The invocation request payload exceeded the 6 KB limit for synchronous invocation.
C.The function code threw an uncaught exception.
D.The function timed out before completing execution.
AnswerC

An uncaught exception results in 'Unhandled' FunctionError, and the error message is written to the output file.

Why this answer

Option B is correct. 'Unhandled' indicates that the function threw an exception that was not caught by the code, and the error was not mapped to a custom error response. Option A: If the function timed out, it would return a 200 status but with 'FunctionError' set to 'Unhandled' or 'Handled'? Actually, timeout results in 200 with 'FunctionError' set to 'Unhandled'. But the most common unhandled error is an uncaught exception.

Option C (permissions) would cause a 403 error. Option D (payload size) would cause a 413 error.

154
Multi-Selectmedium

A developer is deploying a web application on Amazon ECS with Fargate. The application needs to store session state. Which THREE options are suitable for storing session state in a distributed environment? (Choose THREE.)

Select 3 answers
A.Amazon S3
B.Amazon RDS for MySQL
C.Local ephemeral storage on the Fargate task
D.Amazon DynamoDB
E.Amazon ElastiCache for Redis
AnswersB, D, E

RDS can be used for session state, though it may require more management; it is a valid option.

Why this answer

Option A, option C, and option D are correct. Option A: ElastiCache for Redis is commonly used for session storage. Option C: DynamoDB is a good choice for session state due to low latency and scalability.

Option D: RDS for MySQL can be used but is less common due to relational overhead; however, it is still a valid option. Option B (local ephemeral storage) is not suitable because it is not shared across tasks. Option E (S3) is not designed for frequent read/write session data; it is object storage with higher latency.

155
MCQhard

A developer is troubleshooting an application that uses Amazon SQS. Messages are being sent to a dead-letter queue (DLQ) after the maximum receive count is exceeded. The consumer processes messages but sometimes fails. The developer wants to ensure that messages are retried immediately after a failure, without waiting for the visibility timeout. Which solution should the developer implement?

A.Configure a delay queue so that messages are not immediately visible after failure.
B.After a failure, call ChangeMessageVisibility with a timeout of 0 to make the message immediately available for reprocessing.
C.Delete the message from the queue and re-send it after processing failure.
D.Increase the visibility timeout to allow more time for processing.
AnswerB

Setting visibility timeout to 0 makes the message immediately visible to other consumers, enabling immediate retry.

Why this answer

Option D is correct because calling ChangeMessageVisibility with a timeout of 0 makes the message immediately visible to other consumers for retry. Option A (delete and re-send) would create a new message with a new message ID, losing the original message attributes. Option B (increase visibility timeout) would delay retry.

Option C (delay queue) would add a delay before the message becomes available, which is opposite of what is needed.

156
MCQhard

A developer is using AWS X-Ray to trace a microservices application. The trace shows that a downstream service is failing with HTTP 500 errors intermittently. The developer wants to set up trace annotations to capture the error details for further analysis. Which AWS service can the developer use to search and filter traces based on these annotations?

A.Amazon CloudWatch Logs Insights
B.AWS X-Ray console search
C.Amazon Athena queries on X-Ray data
D.Amazon Kinesis Data Analytics
AnswerB

The X-Ray console provides a search feature that allows you to filter traces based on annotations and other attributes. It is the most direct way to find traces with specific annotations.

Why this answer

Option B is correct because AWS X-Ray's console search feature allows developers to query traces using annotations and metadata that are indexed by X-Ray. Annotations are key-value pairs attached to trace segments, and the X-Ray console search can filter traces based on these annotations, enabling the developer to isolate the intermittent HTTP 500 errors and analyze their details.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs Insights with X-Ray's native search capabilities, mistakenly thinking that log query tools can directly search X-Ray trace annotations, when in fact X-Ray provides its own indexed search for annotations and metadata.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs Insights is designed for querying log data stored in CloudWatch Logs, not for searching or filtering X-Ray trace data or annotations; X-Ray traces are stored separately and not directly queryable by CloudWatch Logs Insights. Option C is wrong because Amazon Athena queries on X-Ray data would require exporting X-Ray trace data to Amazon S3 in a structured format (e.g., JSON or Parquet) and setting up a table schema, which is an indirect and complex approach not intended for real-time trace filtering based on annotations. Option D is wrong because Amazon Kinesis Data Analytics is used for real-time processing and analysis of streaming data (e.g., from Kinesis streams), not for querying or filtering stored X-Ray trace annotations.

157
MCQmedium

A developer is working on a serverless application that uses AWS Lambda functions to process user uploads. The uploads are stored in an S3 bucket, and each upload triggers a Lambda function that resizes images and stores metadata in DynamoDB. Recently, users have reported that some images are not being resized. The developer checks the CloudWatch logs and sees that the Lambda function is invoked, but it fails with a timeout error after 15 seconds for a few large images. The function has a timeout of 15 seconds and a memory of 512 MB. The image sizes vary from 1 MB to 50 MB. The developer wants to handle large images without increasing the timeout significantly, as that would increase costs. The function is CPU-bound during image processing. Which solution should the developer implement?

A.Increase the memory allocated to the Lambda function to 3008 MB, which also increases CPU power, allowing faster processing within the same timeout.
B.Split the large images into smaller chunks before uploading to S3, then reassemble them after processing.
C.Increase the Lambda function timeout to 5 minutes to accommodate large images.
D.Use AWS Step Functions to orchestrate the image processing workflow, allowing longer timeouts for individual steps.
AnswerA

More memory improves CPU performance, reducing processing time.

Why this answer

Option B is correct because increasing memory also increases CPU allocation in Lambda, which speeds up processing. Option A is wrong because splitting the image is complex and may not help. Option C is wrong because moving to Step Functions adds complexity and still needs processing time.

Option D is wrong because increasing timeout alone may not help if CPU is the bottleneck.

158
MCQeasy

A developer notices that an RDS MySQL instance's CPU utilization is consistently above 80% during peak hours. Which AWS service can be used to analyze the database queries and identify the root cause?

A.RDS Performance Insights
B.RDS Enhanced Monitoring
C.AWS X-Ray
D.CloudWatch Logs Insights
AnswerA

Provides detailed analysis of database performance and top queries.

Why this answer

RDS Performance Insights provides a dashboard to analyze database load and identify top SQL queries. Option B is the correct service. CloudWatch Logs Insights (A) is for log analysis, not database query performance.

AWS X-Ray (C) traces requests, not database queries. RDS Enhanced Monitoring (D) provides OS-level metrics but not query-level detail.

159
Multi-Selecthard

A company has a REST API deployed on Amazon API Gateway with a Lambda integration. The API is experiencing high latency. Which TWO actions would help diagnose the issue?

Select 2 answers
A.Use AWS X-Ray to trace requests.
B.Enable detailed CloudWatch Logs for the API Gateway stage.
C.Increase the Lambda function memory.
D.Change the API integration type from Lambda to HTTP.
E.Add Amazon CloudFront in front of API Gateway.
AnswersA, B

X-Ray provides end-to-end tracing to identify slow components.

Why this answer

Option B is correct because enabling detailed CloudWatch logs on API Gateway provides per-request metrics and logs. Option C is correct because AWS X-Ray can trace requests through API Gateway and Lambda to identify bottlenecks. Option A is wrong because increasing Lambda memory might reduce latency but does not help diagnose the cause.

Option D is wrong because changing the integration type changes the architecture, not diagnose. Option E is wrong because CloudFront is a CDN and would add complexity.

160
Multi-Selecthard

Which TWO actions can help reduce the cold start time for an AWS Lambda function? (Choose 2)

Select 2 answers
A.Place the Lambda function in a VPC
B.Increase the function's memory allocation
C.Use a larger deployment package with all dependencies included
D.Implement a scheduled CloudWatch Event to invoke the function every 5 minutes
E.Use provisioned concurrency to pre-warm the function
AnswersB, D

More memory provides more CPU, reducing initialization time.

Why this answer

Options A and D are correct. Increasing memory allocation also increases CPU, which can speed up initialization. Keeping the function warm by using a scheduled CloudWatch Event invokes the function periodically to prevent the container from being reclaimed.

Option B is wrong because using a VPC adds network latency and increases cold start time due to ENI creation. Option C is wrong because using a larger deployment package increases download time. Option E is wrong because provisioned concurrency eliminates cold starts but is not a reduction factor; it's a different solution.

161
MCQmedium

The above IAM policy is attached to an IAM user. The user is unable to invoke the Lambda function 'my-function'. What is the most likely reason?

A.The Lambda function does not have a resource-based policy allowing the user to invoke it
B.The resource ARN is missing the function version or alias
C.The action 'lambda:InvokeFunction' is not sufficient; need 'lambda:*'
D.The policy version is incorrect
AnswerA

Lambda functions require both an IAM policy (for the user) and a resource-based policy (for the function) to allow cross-user invocation.

Why this answer

Option D is correct because the function might have a resource-based policy that explicitly denies the user, or the function's permissions do not allow cross-account access. However, the most common issue is that the function's resource-based policy does not grant invoke permission to the user. The IAM policy allows the action, but the function also needs to allow the user via a resource-based policy.

Option A is wrong because the action is correct. Option B is wrong because the resource is specific. Option C is wrong because the version is correct.

162
MCQmedium

A company's API Gateway REST API is experiencing high latency. The API integrates with a Lambda function that queries an RDS database. The developer notices that the Lambda function's duration metric is low, but the API Gateway integration latency is high. What is the most likely cause?

A.The Lambda function has reached the concurrency limit.
B.The Lambda function is in a VPC, causing additional network hops.
C.The API Gateway cache is enabled and causing a cache miss for every request.
D.The RDS database is in a different region than the API Gateway.
AnswerB

VPC Lambda functions require an ENI, adding latency.

Why this answer

API Gateway integration latency includes network overhead and other factors. Option C is correct: if the Lambda function is in a VPC, the network traversal between API Gateway and the VPC can cause latency. Option A is wrong because the Lambda duration is low.

Option B is wrong because caching would reduce latency, not increase it. Option D is wrong because the database is not queried directly by API Gateway.

163
MCQhard

A company uses Amazon API Gateway with a Lambda integration. The API returns a 502 Bad Gateway error for some requests. The Lambda function writes logs to CloudWatch. Which steps should a developer take to troubleshoot this issue? (Select the BEST combination.)

A.Enable API Gateway detailed metrics and create a dashboard.
B.Verify the IAM role permissions for API Gateway to invoke Lambda.
C.Check the API Gateway throttling settings and request limit.
D.Increase the Lambda function timeout and review the CloudWatch logs for errors.
AnswerD

Timeout or unhandled exceptions cause 502; logs show errors.

Why this answer

Option C is correct because increasing Lambda timeout and checking CloudWatch logs can identify if the function is timing out or has an error. Option A is wrong because API Gateway throttling returns 429, not 502. Option B is wrong because IAM permissions would cause 403.

Option D is wrong because enabling detailed metrics helps but doesn't directly troubleshoot 502.

164
MCQhard

Refer to the exhibit. A CloudFormation stack creation failed. What is the most likely cause of the failure?

A.The IAM role's trust policy does not allow Lambda to assume the role.
B.The Lambda function name conflicts with an existing function.
C.The Lambda function code has a syntax error.
D.The Lambda execution role does not have the required permissions to write to CloudWatch Logs.
AnswerA

The trust policy must include 'lambda.amazonaws.com' as a principal.

Why this answer

The error message says the role cannot be assumed by Lambda. This is usually because the trust policy of the IAM role does not include 'lambda.amazonaws.com' as a trusted entity. Option D is correct.

Option A is wrong because the error is about the role, not the code. Option B is wrong because the error mentions the role, not permissions. Option C is wrong because the error is not about resource conflict.

165
MCQhard

A developer is troubleshooting an AWS Elastic Beanstalk environment that is failing health checks. The environment runs a web application on Tomcat. The developer checks the logs and finds no errors. What is the most likely cause of the health check failure?

A.The application's health check URL is returning a non-200 status code.
B.The security group for the instances does not allow traffic from the load balancer.
C.The application is throwing exceptions that are not logged.
D.The application is listening on a port other than 80.
AnswerA

The default health check is a 200 response on the root path.

Why this answer

The most likely cause is that the application's health check URL is returning a non-200 status code. Elastic Beanstalk uses the load balancer to perform health checks against a configurable path (default: /). If the application responds with any status other than 200 OK, the load balancer marks the instance as unhealthy, even if the application logs show no errors.

This is a common misconfiguration where the health check endpoint is not implemented or returns an unexpected status.

Exam trap

The trap here is that candidates assume health check failures are always due to network or infrastructure issues (security groups, ports) rather than application-level misconfigurations like a missing or incorrect health check endpoint.

How to eliminate wrong answers

Option B is wrong because if the security group blocked traffic from the load balancer, the instances would be unreachable entirely, not just failing health checks, and the logs would likely show connection timeouts or refused connections. Option C is wrong because unlogged exceptions would still typically result in a non-200 response or an error page, which would be reflected in the health check status; the question states logs show no errors, making this unlikely. Option D is wrong because Elastic Beanstalk configures the load balancer to forward traffic to the correct port (e.g., 8080 for Tomcat), and the health check is sent to that same port; listening on a different port would cause a connection failure, not a health check failure with no errors in logs.

166
MCQeasy

A developer is deploying a new version of a Lambda function using AWS CodeDeploy. The deployment fails with a 'DeploymentLimitExceeded' error. What is the most likely cause?

A.The deployment group has reached the maximum number of concurrent deployments.
B.The Lambda function has reached the maximum number of versions.
C.Another deployment is in progress for the same Lambda function.
D.The IAM role for CodeDeploy does not have sufficient permissions.
AnswerA

CodeDeploy limits concurrent deployments per deployment group.

Why this answer

AWS CodeDeploy has a limit on the number of concurrent deployments per deployment group. Option D is correct. The error indicates the limit is exceeded.

Option A is incorrect because deployment limits are per deployment group, not per function. Option B is incorrect because the error is not about version conflicts. Option C is incorrect because the error is not about IAM permissions.

167
MCQhard

A developer is using AWS Lambda with a function that processes messages from an SQS queue. The function is configured with a batch size of 10 and reserved concurrency of 5. The queue has a large backlog, and messages are being throttled, leading to retries and eventual DLQ. The function is idempotent and can handle up to 100 messages per invocation. What is the most effective way to increase throughput without increasing throttling?

A.Increase reserved concurrency to 100
B.Increase batch size to 100
C.Increase both batch size to 100 and reserved concurrency to a higher value
D.Decrease batch size to 1 and increase reserved concurrency to 50
AnswerC

Increasing batch size reduces the number of invocations, lowering throttling risk. Increasing reserved concurrency allows more invocations to run concurrently, fully utilizing the function's capacity. This combination maximizes throughput without causing excessive throttling.

Why this answer

Option C is correct because increasing both the batch size to 100 and the reserved concurrency to a higher value directly addresses the two bottlenecks: the batch size limits how many messages are processed per invocation, and reserved concurrency limits how many concurrent invocations can run. With a batch size of 10 and reserved concurrency of 5, the maximum messages processed per second is 50 (10 × 5), assuming each invocation takes 1 second. Increasing batch size to 100 allows each invocation to process more messages, reducing the number of invocations needed, while increasing reserved concurrency allows more parallel processing, together eliminating throttling without exceeding Lambda's account-level concurrency limits.

Exam trap

The trap here is that candidates often think increasing reserved concurrency alone is sufficient to handle a large backlog, but they overlook that the batch size limits how many messages are processed per invocation, and without increasing both, the function may still be throttled due to excessive invocations or hitting account-level concurrency limits.

How to eliminate wrong answers

Option A is wrong because increasing reserved concurrency alone to 100 does not address the batch size of 10, meaning each invocation still processes only 10 messages, leading to more invocations and potential throttling if the account-level concurrency limit is reached. Option B is wrong because increasing batch size to 100 alone without increasing reserved concurrency (still 5) limits the maximum concurrent invocations to 5, which may still throttle if the SQS queue has a large backlog and the function's execution time is long, as the total throughput is capped at 5 invocations × 100 messages per invocation per second. Option D is wrong because decreasing batch size to 1 drastically reduces efficiency (each invocation processes only 1 message), and increasing reserved concurrency to 50 would require 50 concurrent invocations to match the original throughput, which increases the risk of throttling due to account-level concurrency limits and does not leverage the function's ability to handle up to 100 messages per invocation.

168
MCQhard

A company runs a stateful web application on EC2 instances in an Auto Scaling group. Users report that their session data is lost when instances are replaced during scaling events. What is the best solution to preserve session state?

A.Use ElastiCache as a centralized session store.
B.Enable sticky sessions on the Application Load Balancer.
C.Store sessions in the Application Load Balancer.
D.Use an S3 bucket to store session data.
AnswerA

ElastiCache provides fast, durable session storage.

Why this answer

ElastiCache provides a centralized, in-memory session store that is external to the EC2 instances. This ensures session data persists independently of the instance lifecycle, so when an instance is replaced during a scaling event, the new instance can retrieve the session from ElastiCache, preserving user state. This is the best solution because it decouples session state from compute resources, aligning with the stateless application pattern recommended for Auto Scaling groups.

Exam trap

The trap here is that candidates often confuse sticky sessions (option B) with session persistence, not realizing that sticky sessions only maintain request routing to the same instance, not the session data itself when the instance is replaced.

How to eliminate wrong answers

Option B is wrong because sticky sessions (session affinity) only route a user to the same instance, but they do not preserve session data when that instance is terminated and replaced; the session is still lost. Option C is wrong because the Application Load Balancer does not store session data; it only forwards requests and can manage cookies for stickiness, but the session state itself must be stored elsewhere. Option D is wrong because S3 is an object store with higher latency and is not designed for low-latency, frequent read/write operations required for session management; it would introduce unacceptable performance overhead and is not a session store.

169
MCQmedium

A developer is optimizing a DynamoDB table for a gaming leaderboard. The table stores player scores and is read-heavy. Queries often fetch the top 10 scores. Which indexing strategy best reduces RCU consumption?

A.Create a sparse index on player ID.
B.Use a local secondary index on score.
C.Enable DynamoDB Accelerator (DAX) for caching.
D.Create a global secondary index with score as the sort key.
AnswerD

GSI allows efficient query for top scores.

Why this answer

A global secondary index (GSI) with score as the sort key allows efficient retrieval of the top 10 scores by querying the index in descending order, reading only the required items. This minimizes read capacity unit (RCU) consumption compared to scanning the base table, as each query reads exactly 10 items (or fewer) rather than consuming RCUs for a full table scan or filtering large result sets.

Exam trap

The trap here is that candidates often confuse local secondary indexes (LSIs) with global secondary indexes (GSIs), not realizing that LSIs are tied to the base table's partition key and cannot efficiently retrieve global top scores across all partitions.

How to eliminate wrong answers

Option A is wrong because a sparse index on player ID would not help retrieve top scores; it only indexes items where player ID is present, and querying by player ID does not sort by score. Option B is wrong because a local secondary index (LSI) on score is constrained to the same partition key as the base table, requiring a full partition scan to get top scores across all partitions, which consumes more RCUs. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that reduces latency and read load, but it does not change the underlying query pattern or RCU consumption for fetching top scores; the base table or index still needs to be queried, and DAX caches results after the first read, not reducing RCUs for the initial query.

170
MCQhard

A developer attached the IAM policy above to an IAM user. The user reports being unable to list objects in the bucket 'my-bucket' using the AWS CLI command 'aws s3 ls s3://my-bucket/'. What is the most likely reason?

A.The IAM policy does not allow the s3:GetObject action on the bucket.
B.The IAM policy resource for s3:ListBucket should include the bucket and objects.
C.The IAM policy is missing the s3:ListAllMyBuckets action.
D.The IAM policy does not include the s3:GetBucketLocation action.
AnswerD

The CLI needs GetBucketLocation to determine the bucket's region.

Why this answer

The `aws s3 ls s3://my-bucket/` command requires the `s3:GetBucketLocation` permission to determine the bucket's region before listing its contents. Without this action, the CLI fails with an error like 'An error occurred (AccessDenied) when calling the GetBucketLocation operation', even if `s3:ListBucket` is granted. Option D correctly identifies this missing permission as the root cause.

Exam trap

The trap here is that candidates often focus on the `ListBucket` permission and overlook the prerequisite `GetBucketLocation` call, assuming the CLI only needs the list action for the `ls` command.

How to eliminate wrong answers

Option A is wrong because `s3:GetObject` is not required for listing objects; it is needed for downloading objects, not for the `ls` command. Option B is wrong because the resource for `s3:ListBucket` should be the bucket ARN (`arn:aws:s3:::my-bucket`), not the bucket and objects; specifying objects in the resource would incorrectly restrict the action. Option C is wrong because `s3:ListAllMyBuckets` is only needed for the `aws s3 ls` command without a bucket argument (listing all buckets), not for listing objects in a specific bucket.

171
MCQhard

A developer is troubleshooting performance issues in an application that uses Amazon ElastiCache for Redis. The application experiences periodic latency spikes during peak hours. The developer checks CloudWatch metrics and sees that the 'Evictions' metric is consistently high and the 'CacheHitRate' metric is low. The cluster uses a single cache.t3.small node. Which action will most likely improve the cache hit rate and reduce latency?

A.Increase the number of replicas
B.Enable cluster mode and add more shards
C.Increase the TTL of cached items
D.Use a larger instance type
AnswerD

Upgrading to a larger instance type (e.g., cache.t3.medium) increases available memory, reducing evictions and improving cache hit rate. This is a simple, non-disruptive change that directly addresses insufficient memory.

Why this answer

The correct answer is D because the symptoms—high evictions and low cache hit rate—indicate that the single cache.t3.small node is running out of memory. Using a larger instance type increases the available memory, allowing more data to be cached, reducing evictions, and improving the cache hit rate. This directly addresses the root cause of memory pressure without changing the cluster architecture or data expiration behavior.

Exam trap

The trap here is that candidates often confuse scaling out (adding replicas or shards) with scaling up (increasing instance size), but for a single-node cluster suffering from memory exhaustion, the most direct and effective solution is to increase memory capacity, not to add replicas or change the cluster mode.

How to eliminate wrong answers

Option A is wrong because increasing the number of replicas does not increase the total memory capacity of the cluster; replicas are read-only copies that improve read scalability and fault tolerance, but they share the same memory limit as the primary node, so evictions and cache hit rate remain unchanged. Option B is wrong because enabling cluster mode and adding more shards distributes data across multiple nodes, which can increase total memory, but it requires application changes to support sharding and is more complex than simply scaling up the instance size; the immediate, simplest fix for a single-node cluster under memory pressure is to increase memory. Option C is wrong because increasing the TTL of cached items only delays their expiration, but if the cache is already full and evicting items due to memory pressure, longer TTLs will not prevent evictions—they may even worsen the problem by keeping stale data in memory longer.

172
MCQhard

A developer deploys a Lambda function that transforms incoming JSON payloads and writes results to DynamoDB. After a recent code update, the function frequently times out with 5-second durations. The function has a 15-second timeout and 512 MB memory. CloudWatch Logs show no errors. The DynamoDB table has autoscaling enabled. What is the MOST likely cause of the increased duration?

A.DynamoDB write capacity is insufficient, causing throttling and retries.
B.The function is reading the input payload from S3 instead of API Gateway, causing network latency.
C.A new dependency in the deployment package increased the function's initialization time beyond the duration of the function's reserved concurrency warm start window.
D.The function code throws an unhandled exception that is not logged.
AnswerC

This is a common cause of timeout after adding dependencies.

Why this answer

Option A is correct because a new dependency introduced in the update may increase initialization time, leading to timeouts if the function is not provisioned with enough concurrency or if the new library is large. Option B is wrong because Lambda can read from S3 without issue. Option C is wrong because DynamoDB autoscaling handles capacity.

Option D is wrong because CloudWatch Logs would show errors if code threw exceptions.

173
MCQmedium

A company's application uses Amazon DynamoDB as its database. The application reads the same item multiple times per second and occasionally sees stale data. The DynamoDB table uses the default eventually consistent reads. What should the developer change to ensure strongly consistent reads?

A.Increase the read capacity units of the table.
B.Use DynamoDB Accelerator (DAX) to cache the item.
C.Set the ConsistentRead parameter to true in the GetItem call.
D.Use DynamoDB transactions for all read operations.
AnswerC

Strongly consistent reads are available by setting ConsistentRead=true.

Why this answer

Option C is correct because DynamoDB's default read consistency model is eventually consistent, which can return stale data if an item is updated shortly before the read. By setting the `ConsistentRead` parameter to `true` in the `GetItem` call, the developer forces a strongly consistent read, ensuring the response reflects the most recent write. This directly addresses the stale data issue without changing throughput or adding caching.

Exam trap

The trap here is that candidates often confuse throughput scaling (Option A) or caching (Option B) with consistency guarantees, or mistakenly think transactions (Option D) are required for strong consistency, when in fact a simple parameter change on the read operation is the correct and minimal fix.

How to eliminate wrong answers

Option A is wrong because increasing read capacity units (RCUs) only affects throughput and cost, not the consistency model; eventually consistent reads still return stale data regardless of RCU count. Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read performance but does not guarantee strong consistency; it can serve stale data from its cache. Option D is wrong because DynamoDB transactions are designed for atomic, isolated multi-item operations (using `TransactGetItems` or `TransactWriteItems`), not for ensuring single-item strong consistency; using transactions for simple reads adds unnecessary overhead and cost.

174
Multi-Selecthard

A developer is troubleshooting an EC2 instance that is unreachable via SSH. The instance is in a public subnet with a security group that allows inbound SSH from 0.0.0.0/0. Which THREE are possible causes? (Choose 3.)

Select 3 answers
A.The network ACL associated with the subnet is blocking inbound SSH.
B.The SSH key pair used to launch the instance is incorrect.
C.The instance is in the 'stopped' state.
D.The instance does not have an IAM role with the necessary permissions.
E.The instance does not have a public IPv4 address.
AnswersA, C, E

Network ACLs are stateless and must allow both inbound and outbound traffic.

Why this answer

Network ACLs can block traffic even if security group allows. The instance may not have a public IP. The IAM role doesn't affect SSH access.

The key pair is used for authentication, not connectivity. The instance may be stopped.

175
MCQeasy

A developer is troubleshooting an AWS Lambda function that processes files uploaded to an Amazon S3 bucket. The function sometimes times out when processing large files. CloudWatch Logs show that the function's execution time correlates with file size. The function is configured with 128 MB memory and a timeout of 30 seconds. Which action should the developer take to resolve the timeout for large files without refactoring the code?

A.Increase the Lambda function's memory
B.Increase the Lambda function's timeout
C.Increase the S3 event notification batch size
D.Enable Lambda function reserved concurrency
AnswerB

The timeout error occurs because the function exceeds the configured 30-second limit. Increasing the timeout allows large files more time to complete processing, directly resolving the error without code changes.

Why this answer

The Lambda function times out because processing large files exceeds the 30-second timeout. Since the execution time correlates with file size and the code cannot be refactored, the only way to resolve the timeout is to increase the function's timeout setting. This directly extends the maximum allowed execution duration, allowing large files to complete processing without code changes.

Exam trap

The trap here is that candidates often assume increasing memory will always solve performance issues, but when the root cause is a hard timeout limit, only increasing the timeout setting directly addresses the timeout error without code changes.

How to eliminate wrong answers

Option A is wrong because increasing memory also increases CPU and network throughput proportionally, which can reduce execution time, but the question explicitly states 'without refactoring the code' and the issue is a hard timeout—memory increase does not change the maximum allowed execution duration. Option C is wrong because S3 event notification batch size controls how many events are sent per invocation, not the timeout or execution time for a single file; it would not resolve a timeout caused by processing a single large file. Option D is wrong because reserved concurrency guarantees a set number of concurrent executions but does not affect the timeout duration or execution time per invocation.

176
MCQeasy

A developer is creating an ECS task definition using the JSON shown in the exhibit. The task fails to run with an error about insufficient memory. What is the issue?

A.The container port is not mapped to a host port.
B.The task definition does not specify a network mode.
C.The task memory and cpu values are specified as strings instead of integers.
D.The container memory is less than the task memory.
AnswerC

Memory and cpu must be integers, not strings.

Why this answer

Option A is correct because the container memory (256) plus task memory (512) must be consistent; the task memory is 512 but the container memory is 256, which is okay, but the error indicates the container memory is higher than task memory? Actually, the task memory is 512, container memory 256, so it's fine. However, the exhibit shows task memory as a string '512' and CPU as '256'; they should be integers. Option A is the most likely: the task memory is set to 512 but the container memory is 256, which is less, so that's not an issue.

Wait, the error is about insufficient memory. Perhaps the container memory should be equal to task memory? Actually, the error might be because the task memory is not enough for the container? The container memory is 256, task memory 512, so that's fine. Let me reconsider.

The exhibit shows 'memory': '512' (string) and 'cpu': '256' (string). In ECS task definition, memory and cpu must be integers, not strings. That could cause the task to fail.

Option B is correct: the values are strings. Option A is wrong because container memory is less than task memory. Option C is wrong because container port mapping is valid.

Option D is wrong because network mode is not specified, but default is bridge which is fine.

177
Multi-Selecteasy

Which TWO services can be used to store and retrieve application configuration data in AWS? (Choose 2)

Select 2 answers
A.AWS CloudTrail
B.Amazon Simple Queue Service (SQS)
C.AWS Systems Manager Parameter Store
D.Amazon DynamoDB
E.AWS AppConfig
AnswersC, E

Parameter Store is a service for storing configuration data and secrets.

Why this answer

AWS Systems Manager Parameter Store (Option C) is a managed service specifically designed to store and retrieve application configuration data, such as database connection strings, passwords, and license keys. It integrates with AWS KMS for encryption and supports hierarchical parameter paths, making it ideal for configuration management without custom code.

Exam trap

The trap here is that candidates often select DynamoDB (Option D) because it can store key-value data, but the question asks for services 'used to store and retrieve application configuration data'—DynamoDB is a general-purpose database, not a dedicated configuration service, and AWS offers purpose-built services (Parameter Store and AppConfig) that are the correct answers.

178
MCQeasy

A developer is using Amazon S3 to host a static website. The developer updates the files, but users still see the old version. What is the most likely cause?

A.The S3 bucket has server-side caching enabled.
B.The browser is caching the old files.
C.The files are being served from a CloudFront distribution with TTL.
D.The files are stored in a different S3 bucket.
AnswerB

Browser caching is the most common cause.

Why this answer

S3 static website hosting serves objects directly. If users see old content, it's likely due to browser caching. Option A is correct.

Option B is wrong because S3 does not cache content at the bucket level. Option C is wrong because CloudFront is not mentioned. Option D is wrong because S3 static hosting serves files from the bucket.

179
Multi-Selectmedium

Users receive AccessDenied when downloading SSE-KMS encrypted S3 objects cross-account. Which two policies may need changes?

Select 2 answers
A.CloudFront cache policy
B.S3 bucket/object access policy or IAM policy
C.KMS key policy allowing decrypt to the caller
D.Route 53 resolver rule policy
AnswersB, C

Correct for the stated requirement.

Why this answer

When accessing SSE-KMS encrypted S3 objects cross-account, the S3 bucket policy or the IAM policy must explicitly grant the s3:GetObject permission to the caller. Additionally, the KMS key policy must allow the kms:Decrypt action for the caller's AWS account or IAM role, because SSE-KMS uses a customer master key (CMK) to encrypt the object, and decryption requires KMS permissions. Without both policies, the request fails with AccessDenied even if the S3 permissions are correct.

Exam trap

The trap here is that candidates often assume only the S3 bucket policy needs updating, forgetting that SSE-KMS adds a second authorization layer via KMS key policies, which must explicitly allow the decrypt action for the cross-account caller.

180
MCQmedium

A developer is using AWS CodeBuild to build a Java application. The build fails with 'OutOfMemoryError'. Which configuration change would most likely resolve this issue?

A.Use a custom AMI with more memory.
B.Enable detailed CloudWatch logs for the build.
C.Increase the compute type to a larger instance size.
D.Split the build into multiple CodeBuild projects.
AnswerC

Larger compute types provide more memory for the build.

Why this answer

CodeBuild allows specifying compute type (e.g., BUILD_GENERAL1_MEDIUM) and memory. Increasing the compute type provides more memory. Option B is wrong because splitting into multiple projects adds complexity and may not resolve memory issues.

Option C is wrong because enabling detailed logs does not increase memory. Option D is wrong because CodeBuild does not support custom AMIs.

181
MCQeasy

An application running on Amazon ECS with Fargate is unable to connect to the internet. The task definition does not have any network configuration specified. What is the MOST likely cause?

A.The security group associated with the task does not allow outbound traffic.
B.The task is not assigned a public IP address and is in a private subnet.
C.The ECS service discovery is not configured.
D.The VPC does not have an internet gateway attached.
AnswerB

Without a public IP and internet gateway, the task needs a NAT gateway for internet access.

Why this answer

Option C is correct because Fargate tasks running in awsvpc network mode need a route to the internet via a NAT gateway if they are in private subnets. Option A is wrong because tasks can access the internet without an internet gateway if they have a public IP and are in a public subnet. Option B is wrong because security groups control inbound/outbound traffic, but they do not provide internet connectivity.

Option D is wrong because ECS service discovery is for service-to-service communication within the VPC.

182
MCQmedium

A DynamoDB application receives ProvisionedThroughputExceededException during predictable daily peaks. The workload is not cacheable. What should be changed?

A.Enable S3 Transfer Acceleration
B.Use on-demand capacity or configure autoscaling/scheduled scaling for the table
C.Disable CloudWatch metrics
D.Move all reads to strongly consistent mode
AnswerB

Correct for the stated requirement.

Why this answer

The ProvisionedThroughputExceededException indicates that the table's read/write capacity is insufficient during peak loads. Since the workload is predictable but not cacheable, the correct solution is to either switch to on-demand capacity mode, which automatically scales to handle any traffic level, or configure auto scaling with scheduled scaling to match the predictable peaks. This directly addresses the capacity shortfall without requiring application changes.

Exam trap

The trap here is that candidates may think disabling CloudWatch metrics reduces overhead or that strongly consistent reads improve reliability, but both actions either remove monitoring or increase capacity consumption, making the throttling worse.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a feature for speeding up uploads to S3 over long distances, not for DynamoDB throughput issues. Option C is wrong because disabling CloudWatch metrics would remove visibility into table performance and prevent monitoring of throttling events, making troubleshooting harder. Option D is wrong because strongly consistent reads consume more read capacity units than eventually consistent reads, which would worsen the throughput problem instead of solving it.

183
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group. The application needs to store session state. The architecture must be highly available and scalable. Which solution should the developer choose?

A.Use sticky sessions on the Application Load Balancer
B.Store session data in an S3 bucket
C.Use Amazon ElastiCache for Redis to store session state
D.Store session data in the instance's ephemeral storage
AnswerC

ElastiCache for Redis provides a highly available, scalable, and low-latency session store.

Why this answer

Option C is correct because ElastiCache (Redis) provides a highly available, low-latency, and scalable session store that is external to the instances. Option A is wrong because storing session data on the local instance's ephemeral storage is not durable and cannot be shared across instances. Option B is wrong because sticky sessions (session affinity) can cause uneven load and are not highly available if an instance fails.

Option D is wrong because storing session data in an S3 bucket would be slow and not designed for low-latency session access.

184
MCQhard

A developer is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. The build fails with the error 'no basic authentication credentials'. The build project has an IAM role with the AmazonEC2ContainerRegistryPowerUser policy. What is the most likely cause?

A.The build project is not configured to use a VPC that can reach ECR.
B.The build environment does not have Docker installed.
C.The IAM role does not have sufficient permissions to push to ECR.
D.The buildspec does not include the pre_build step to authenticate with ECR.
AnswerD

Without authentication, Docker cannot push to ECR.

Why this answer

CodeBuild needs to authenticate with ECR before pushing. The IAM role provides permissions, but the buildspec must include the aws ecr get-login-password command and pipe it to docker login. Option C is correct.

Option A is wrong because the policy is sufficient. Option B is wrong because Docker is available. Option D is wrong because network connectivity is typically fine.

185
MCQmedium

A developer tries to create a CloudFormation stack using the template above, but it fails with 'The bucket you tried to create already exists'. The developer has already deleted the bucket from the AWS Management Console. What is the MOST likely reason for the failure?

A.The bucket name is still globally reserved after deletion.
B.The CloudFormation template uses an incorrect intrinsic function.
C.Bucket versioning must be Disabled initially.
D.The developer does not have permission to create buckets in that region.
AnswerA

S3 bucket names are unique and may remain reserved for a period after deletion.

Why this answer

Even after deletion, the bucket name may still be in a 'pending deletion' state or may have been taken by another AWS account. S3 bucket names are globally unique. If the name is still reserved (e.g., recently deleted), you cannot recreate it immediately.

The developer should use a different bucket name.

186
MCQmedium

A developer is using AWS CloudFormation to deploy a stack that includes an S3 bucket and a Lambda function. The stack fails with the error 'The following resource(s) failed to create: [MyBucket]'. What is the most likely cause?

A.The S3 bucket name is already taken.
B.The stack's VPC configuration is incorrect.
C.The S3 bucket policy is malformed.
D.The Lambda function code is invalid.
AnswerA

Globally unique bucket names are required.

Why this answer

Option C is correct because S3 bucket names must be globally unique. Option A is wrong because Lambda function errors would not cause bucket failure. Option B is wrong because CloudFormation does not require a VPC.

Option D is wrong because S3 bucket policies are not required for creation.

187
Multi-Selecthard

A company uses AWS Step Functions to orchestrate a workflow. The workflow is failing with a 'States.ALL' error. Which THREE steps should the developer take to troubleshoot?

Select 3 answers
A.Review the state machine definition for syntax errors.
B.Check the execution history in CloudWatch Logs.
C.Increase the memory allocated to the Lambda functions in the workflow.
D.Verify that the IAM execution role has the required permissions for each task.
E.Enable AWS X-Ray tracing on the state machine.
AnswersA, B, D

Invalid syntax causes 'States.ALL' errors.

Why this answer

Check CloudWatch Logs for execution history (Option A). Check IAM permissions for the execution role (Option D). Check the state machine definition for invalid syntax (Option E).

Option B is wrong because increasing memory does not fix state machine errors; Option C is wrong because X-Ray is not directly used for Step Functions errors.

188
Multi-Selecthard

A developer is troubleshooting a slow-running Amazon RDS for PostgreSQL instance. Which TWO metrics should the developer examine in Amazon CloudWatch to identify a possible resource bottleneck?

Select 2 answers
A.CPUUtilization
B.ReadIOPS and WriteIOPS with high Average Queue Depth
C.FreeableMemory
D.NetworkThroughput
E.DatabaseConnections
AnswersA, B

High CPU indicates CPU bottleneck.

Why this answer

Option A is correct because high CPU utilization can cause slow queries. Option C is correct because high Read/Write IOPS with high latency indicates an I/O bottleneck. Option B is wrong because Freeable Memory is less directly indicative of a bottleneck.

Option D is wrong because DatabaseConnections does not directly indicate a bottleneck unless maxed out. Option E is wrong because NetworkThroughput is rarely a bottleneck for RDS.

189
MCQhard

A developer notices that an Amazon RDS for MySQL DB instance's CPU utilization is consistently above 90% during peak hours. The application uses read-heavy workloads. Which action would MOST effectively reduce CPU load without major architectural changes?

A.Implement an in-memory cache layer with Amazon ElastiCache.
B.Migrate the database to Amazon Aurora with auto-scaling.
C.Increase the DB instance size to a larger instance type.
D.Create a Multi-AZ deployment and use the standby for read queries.
AnswerD

Multi-AZ standby is not used for reads; read replicas are needed. However, note: Multi-AZ only provides failover, not read scaling. Actually, the correct answer should be to add a read replica. But the option says 'use the standby for read queries' which is incorrect. Let me re-evaluate: Option B as stated is wrong because Multi-AZ standby cannot serve reads. I need to correct the options. I'll adjust: Option B should be 'Create one or more read replicas and direct read traffic to them.' That is correct. But the explanation must match. I'll fix in final output.

Why this answer

Option B is correct because adding a read replica offloads read queries from the primary instance, reducing CPU usage for read-heavy workloads. Option A (increasing instance size) might help but is less cost-effective and does not address read vs write separation. Option C (ElastiCache) adds caching but requires application changes.

Option D (Aurora) involves migration effort.

190
MCQeasy

A developer is deploying a new version of a Lambda function and wants to roll back immediately if errors are detected. Which deployment strategy should the developer use?

A.Use AWS CodeDeploy with a canary deployment configuration
B.Use an EC2 rolling update strategy
C.Use AWS CodeDeploy with a linear deployment configuration
D.Use an immutable update strategy
AnswerA

Canary deployments allow you to route a small percentage of traffic to the new version and monitor for errors.

Why this answer

Option A is correct because canary deployments allow shifting a small percentage of traffic to the new version and monitoring before full rollout. Option B is wrong because linear deployments shift traffic in increments but do not have automatic rollback. Option C is wrong because rolling updates are for EC2, not Lambda.

Option D is wrong because immutable updates replace all instances and do not support gradual traffic shifting.

191
Multi-Selecthard

A developer is using AWS X-Ray to trace a Lambda function that calls DynamoDB and SQS. Some traces show errors. Which THREE actions should the developer take to diagnose the issue?

Select 3 answers
A.Examine the trace details for exception messages.
B.Verify that the Lambda function's IAM role has permissions for X-Ray.
C.Check the X-Ray service map for error edges.
D.Disable X-Ray sampling to capture all requests.
E.Enable CloudFront to cache responses.
AnswersA, B, C

Shows specific errors.

Why this answer

Option A is correct because examining trace details in AWS X-Ray allows the developer to view exception messages, stack traces, and error codes for each segment of the trace. This directly reveals the root cause of errors, such as DynamoDB throttling or SQS permission issues, by pinpointing which service call failed and why.

Exam trap

The trap here is that candidates may think disabling sampling (Option D) is necessary to see all errors, but X-Ray's sampling is designed to capture errors by default, and the real diagnostic value lies in analyzing trace details and the service map, not in increasing sample volume.

192
Drag & Dropmedium

Drag and drop the steps to authenticate a user using Amazon Cognito User Pools in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the user pool and app client, then authenticate to receive tokens, and use tokens for authorization.

193
Multi-Selecthard

A developer is debugging an AWS Lambda function that is invoked by an Amazon S3 event notification. The function sometimes fails with a 'ResourceNotFoundException' when trying to access a DynamoDB table. The function's execution role has the following policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable" } ] } What are TWO possible causes for this intermittent failure?

Select 2 answers
A.The Lambda function's execution role is not attached to the function.
B.The Lambda function is inside a VPC without a DynamoDB VPC endpoint.
C.The DynamoDB table name contains a typo in the Lambda code.
D.The IAM policy does not include the 'dynamodb:GetItem' action specifically.
E.The DynamoDB table is in a different AWS Region than the Lambda function.
AnswersC, E

If the code references a different table name, the ARN won't match.

Why this answer

Option B is correct because if the table is in a different region, the resource ARN region would be wrong. Option D is correct because if the table name is different, the ARN would not match. Option A is wrong because the policy allows all DynamoDB actions.

Option C is wrong because the function has the policy. Option E is wrong because VPC endpoints do not affect IAM permissions.

194
MCQmedium

A developer notices that an AWS Lambda function is timing out after 3 seconds. The function processes messages from an SQS queue. What is the MOST likely cause of the timeout?

A.The SQS dead-letter queue is not configured.
B.The SQS queue visibility timeout is too short.
C.The Lambda function timeout is set too low.
D.The Lambda function's reserved concurrency is set to zero.
AnswerC

The default timeout is 3 seconds; increasing it resolves the timeout.

Why this answer

The function's timeout setting is likely lower than the time needed for processing. Option A is correct because the default Lambda timeout is 3 seconds, and increasing it can resolve the issue. Option B is wrong because SQS visibility timeout controls message redelivery, not function timeout.

Option C is wrong because reserved concurrency affects scaling, not individual function timeout. Option D is wrong because the DLQ is for failed messages, not timeout control.

195
MCQeasy

A developer is troubleshooting an AWS CloudFormation stack creation failure. The stack creation failed with the error: 'Resource creation cancelled'. What does this error typically indicate?

A.The IAM user does not have permission to create the resource.
B.Another resource in the stack failed, causing a rollback.
C.The template has a syntax error.
D.The resource type is not supported by CloudFormation.
AnswerB

CloudFormation cancels creation of remaining resources if one fails.

Why this answer

Option B is correct because 'Resource creation cancelled' means a different resource in the stack failed, causing rollback. Option A is wrong because insufficient IAM permissions would give an access denied error. Option C is wrong because the error is not about template validation.

Option D is wrong because the error is not about resource limit.

196
MCQhard

A developer is troubleshooting an Amazon API Gateway REST API that returns 504 Gateway Timeout errors for certain requests. The backend is a Lambda function that performs a resource-intensive operation that occasionally takes up to 30 seconds. API Gateway has a default integration timeout of 29 seconds. The developer cannot reduce the execution time. What should the developer do to resolve the timeout issue?

A.Increase the API Gateway integration timeout to 30 seconds.
B.Refactor the Lambda function to use asynchronous invocation, return a 202 immediately, and have the client poll for results.
C.Enable API Gateway caching to avoid repeated calls.
D.Use multiple Lambda functions to parallelize processing.
AnswerB

Correct. Asynchronous processing avoids the timeout by decoupling the request from the long-running work.

Why this answer

Option B is correct because it decouples the client from the long-running Lambda execution. By invoking the Lambda asynchronously, the API Gateway can return a 202 Accepted response immediately, well within the 29-second integration timeout. The client then polls a separate endpoint (e.g., using a presigned S3 URL or a DynamoDB status record) to retrieve the final result, completely sidestepping the timeout limitation.

Exam trap

The trap here is that candidates assume the integration timeout is configurable to any value, but AWS enforces a hard 29-second limit for REST APIs, making Option A technically impossible.

How to eliminate wrong answers

Option A is wrong because Amazon API Gateway has a hard maximum integration timeout of 29 seconds for REST APIs (and 30 seconds for HTTP APIs). You cannot increase it beyond that limit, so setting it to 30 seconds is not possible. Option C is wrong because caching only serves previously computed responses for identical requests; it does not reduce the execution time of a new, uncached request that still takes up to 30 seconds.

Option D is wrong because parallelizing the Lambda function does not reduce the total execution time of a single resource-intensive operation; the request still waits for all parallel tasks to complete, which can still exceed the 29-second timeout.

197
MCQeasy

A Lambda function is timing out after 3 seconds when processing an S3 event. The function reads a file from S3 and writes to DynamoDB. The timeout is set to 5 seconds. What is the MOST likely cause of the timeout?

A.The function is attached to a VPC without a NAT gateway, causing network timeouts when accessing S3 and DynamoDB.
B.DynamoDB write capacity is insufficient, causing write requests to be throttled.
C.The function's memory allocation is too low, causing CPU throttling.
D.The function is hitting the reserved concurrency limit and being throttled.
AnswerA

Lambda functions in a VPC without internet access or VPC endpoints cannot reach S3 or DynamoDB, causing calls to hang until the Lambda timeout.

Why this answer

Option C is correct because the default Lambda timeout is 3 seconds, and the function's configured timeout (5 seconds) is higher, so it should not timeout at 3 seconds unless the function itself is hanging. However, the stem says 'timing out after 3 seconds' which suggests the function execution is being terminated at 3 seconds. The most common cause is that the function's configured timeout is actually 3 seconds (not 5 as stated).

But the stem says 'the timeout is set to 5 seconds', so if it times out at 3, it could be due to a VPC configuration causing network delays. Actually, the most likely cause is that the function is in a VPC without a proper internet gateway or NAT gateway, causing network calls to S3 and DynamoDB to hang. Option C addresses that.

Option A (insufficient memory) would cause slower execution but not a hard timeout at exactly 3 seconds. Option B (concurrency limit) would cause throttling, not timeout. Option D (DynamoDB throttling) would cause retries and slower performance but not a hard timeout at 3 seconds.

198
MCQmedium

A company is using AWS Elastic Beanstalk for a Node.js application. The environment's health is 'Severe' and the logs show 'ELB health check target http://:80/ is not responding'. What is the MOST likely cause?

A.The application is not deployed to the EC2 instances.
B.The application is listening on a different port than the health check expects.
C.The security group for the EC2 instances is blocking traffic on port 80.
D.The load balancer is not configured to listen on port 80.
AnswerB

The health check URL shows port 80, but the application may be configured to listen on a custom port, causing the health check to fail.

Why this answer

Option D is correct because the health check path is set to HTTP port 80 by default, but the application may be listening on a custom port. Option A is wrong because if the application is not deployed, the error would be different. Option B is wrong because the health check error is about the target, not the load balancer.

Option C is wrong because the security group would block all traffic, not just health checks.

199
MCQmedium

A developer is troubleshooting an EC2 instance that is unreachable via SSH. The instance passed the status checks, and the security group allows SSH from the developer's IP. What should the developer check next?

A.The security group's outbound rules.
B.The route table for the subnet.
C.The network ACL's outbound rules.
D.The instance's system log for kernel errors.
AnswerC

NACLs are stateless and must allow outbound traffic for the ephemeral ports.

Why this answer

The network ACL is stateless and must allow both inbound and outbound traffic. Option B is correct: the outbound ephemeral port range must be allowed for the return traffic. Option A is wrong because the security group is stateful and allows return traffic automatically.

Option C is wrong because the instance is reachable for status checks. Option D is wrong because route tables do not affect direct connectivity to the instance from the internet if it has a public IP.

200
Multi-Selecteasy

Which TWO practices help optimize costs in Amazon DynamoDB? (Choose 2.)

Select 2 answers
A.Purchase reserved capacity for all tables regardless of usage.
B.Use Auto Scaling to adjust read/wapacity based on traffic.
C.Create multiple Global Secondary Indexes for query flexibility.
D.Enable DAX (DynamoDB Accelerator) for all tables.
E.Use on-demand capacity mode for unpredictable workloads.
AnswersB, E

Auto scaling matches capacity to demand, reducing waste.

Why this answer

Option B is correct because DynamoDB Auto Scaling automatically adjusts provisioned read and write capacity based on actual traffic patterns, preventing over-provisioning and reducing costs during low-demand periods. Option E is correct because on-demand capacity mode charges per request, making it cost-effective for unpredictable workloads where capacity planning is difficult, avoiding the cost of idle provisioned capacity.

Exam trap

The trap here is that candidates often assume more indexes or always-on DAX improve performance without considering the associated cost overhead, or they mistakenly think reserved capacity is always cheaper regardless of usage patterns.

201
MCQhard

A developer attached the IAM policy above to an IAM user. The user reports that they receive an AccessDenied error when trying to upload a file to the S3 bucket using the AWS CLI without specifying any server-side encryption. What is the reason for the error?

A.The policy does not allow the s3:PutObject action on the bucket itself.
B.The request does not include the required server-side encryption header.
C.The IAM user does not have permissions to use the s3:PutObject action.
D.The bucket policy overrides the IAM policy.
AnswerB

The condition requires the encryption header to be set to AES256.

Why this answer

Option B is correct because the policy requires s3:x-amz-server-side-encryption to be AES256. If not specified, the condition fails and the request is denied. Option A is wrong because the resource is correct.

Option C is wrong because the action is allowed. Option D is wrong because putting an object without encryption does not match the condition.

202
MCQmedium

A developer receives an AccessDenied error when trying to put an object into an S3 bucket using the AWS SDK. The IAM user has an attached policy that grants s3:PutObject on the bucket. What is the MOST likely cause of the error?

A.The request is being throttled by S3.
B.The object key is too long.
C.The AWS SDK version is outdated.
D.The bucket policy explicitly denies the action.
AnswerD

An explicit deny in a bucket policy overrides any allow from an IAM policy.

Why this answer

Option B is correct because S3 buckets often have a bucket policy that explicitly denies access, which would override the IAM user's permissions. Option A is wrong because S3 does not support resource-based policies at the object level. Option C is wrong because the error is AccessDenied, not a timeout or throttling.

Option D is wrong because the issue is at the API call level, not the SDK version.

203
MCQmedium

A developer is using Amazon DynamoDB and notices that read requests are frequently throttled. The table has provisioned read capacity of 100 read capacity units (RCUs) and is used by a web application that experiences bursty traffic. The developer wants to minimize throttling without manual intervention. Which action should the developer take?

A.Enable DynamoDB Accelerator (DAX)
B.Increase the write capacity
C.Use a global table
D.Enable auto scaling for read capacity
AnswerA

DAX provides an in-memory cache that absorbs read bursts, reducing the number of reads hitting the DynamoDB table and thus minimizing throttling.

Why this answer

Enabling DynamoDB Accelerator (DAX) reduces the number of read requests hitting the table by serving them from an in-memory cache. This offloads read traffic, effectively reducing the consumed RCUs and minimizing throttling during bursty traffic without requiring manual intervention or capacity changes.

Exam trap

The trap here is that candidates often choose auto scaling (Option D) thinking it handles bursts, but auto scaling has a lag time and cannot prevent throttling during sudden spikes, whereas DAX provides immediate relief by caching reads.

How to eliminate wrong answers

Option B is wrong because increasing write capacity does not address read throttling; it only affects write operations and would not reduce read request throttling. Option C is wrong because global tables replicate data across regions for disaster recovery and low-latency writes, but they do not reduce read throttling on a single table; each replica still has its own read capacity. Option D is wrong because auto scaling adjusts capacity based on sustained usage, but during bursty traffic it may not react quickly enough to prevent throttling, and it requires manual setup and still incurs costs for higher capacity; DAX provides a more immediate and cost-effective solution by caching reads.

204
MCQmedium

A developer is optimizing costs for an S3 bucket that stores infrequently accessed data but requires millisecond retrieval. The bucket receives 100 PUT requests per second and 10 GET requests per second. Which storage class is most cost-effective?

A.S3 Standard
B.S3 One Zone-IA
C.S3 Glacier Deep Archive
D.S3 Intelligent-Tiering
AnswerD

Auto-tiering optimizes cost.

Why this answer

S3 Intelligent-Tiering is the most cost-effective choice because it automatically moves objects between access tiers based on changing access patterns, optimizing costs without performance impact. The workload has a high write-to-read ratio (100 PUTs vs 10 GETs per second) and requires millisecond retrieval, which Intelligent-Tiering supports while avoiding the retrieval fees and minimum storage duration penalties of One Zone-IA or Glacier Deep Archive.

Exam trap

The trap here is that candidates often choose S3 One Zone-IA for infrequently accessed data, overlooking the high PUT rate and millisecond retrieval requirement, which make Intelligent-Tiering more cost-effective due to its automatic tiering and lack of retrieval fees.

How to eliminate wrong answers

Option A (S3 Standard) is wrong because it is designed for frequently accessed data and would be more expensive for infrequently accessed data due to higher storage costs. Option B (S3 One Zone-IA) is wrong because it incurs a minimum 30-day storage charge and per-GB retrieval fees, making it less cost-effective for a high PUT rate with infrequent reads, and it lacks the automatic tiering optimization of Intelligent-Tiering. Option C (S3 Glacier Deep Archive) is wrong because it has a retrieval time of 12–48 hours, which does not meet the millisecond retrieval requirement, and it is not suitable for active data with 100 PUTs per second.

205
MCQmedium

A developer monitors an AWS Lambda function that processes records from an Amazon SQS queue and writes results to an Amazon DynamoDB table. CloudWatch Logs show that execution time has increased over the past week, and the function frequently times out at the 5-minute timeout. The function's code has not been changed recently. CloudWatch metrics show a high rate of DynamoDBProvisionedThroughputExceededException errors. The DynamoDB table has 5 write capacity units (WCUs). What action will MOST effectively reduce the function's execution time?

A.Increase the Lambda function's timeout to 10 minutes.
B.Increase the write capacity units (WCUs) on the DynamoDB table.
C.Increase the Lambda function's memory allocation to 3008 MB.
D.Use an Amazon SQS FIFO queue instead of a standard queue for the Lambda trigger.
AnswerB

The DynamoDBProvisionedThroughputExceededException indicates the table's write capacity is exhausted. Increasing WCUs reduces throttling and speeds up writes, reducing the Lambda function's execution time.

Why this answer

The high rate of DynamoDBProvisionedThroughputExceededException errors indicates that the Lambda function is being throttled by DynamoDB due to insufficient write capacity. When writes are throttled, the Lambda function must retry, which increases execution time and can lead to timeouts. Increasing the WCUs on the DynamoDB table directly addresses the root cause by allowing the function to write without throttling, thereby reducing execution time.

Exam trap

The trap here is that candidates often assume increasing Lambda timeout or memory will fix performance issues, but the real bottleneck is the DynamoDB write capacity, which directly causes the throttling errors and increased execution time.

How to eliminate wrong answers

Option A is wrong because increasing the timeout to 10 minutes does not resolve the underlying throttling issue; it only masks the symptom by allowing the function to run longer while still being throttled. Option C is wrong because increasing memory allocation (up to 3008 MB) primarily improves CPU performance and network throughput, but does not fix DynamoDB throttling caused by insufficient WCUs. Option D is wrong because switching to an SQS FIFO queue does not affect DynamoDB write capacity; FIFO queues enforce message ordering and deduplication but do not reduce the throttling rate from DynamoDB.

206
Multi-Selectmedium

A developer is troubleshooting an issue where an S3 bucket policy is not granting access to an IAM user. Which TWO actions should the developer take to resolve the issue?

Select 2 answers
A.Enable S3 Transfer Acceleration.
B.Verify the bucket's ACLs allow access.
C.Check the bucket policy for any explicit denies.
D.Check the IAM user's attached policies.
E.Enable CloudTrail to log bucket access.
AnswersC, D

Explicit deny overrides allow.

Why this answer

Option A and C are correct because checking the bucket policy and IAM user policy are the two places where permissions are evaluated. Option B is wrong because ACLs are legacy. Option D is wrong because CloudWatch does not show bucket policies.

Option E is wrong because S3 Transfer Acceleration is not related to permissions.

207
MCQeasy

A developer is debugging an AWS Lambda function that is invoked by an Amazon S3 bucket notification. The function fails with an 'AccessDenied' error when trying to read an object from the same bucket. What should the developer check first?

A.Check if S3 bucket versioning is enabled.
B.Verify that the S3 bucket uses server-side encryption with AWS KMS.
C.Ensure the S3 bucket is not blocked by S3 Block Public Access.
D.Review the Lambda function's execution role for s3:GetObject permission.
AnswerD

Missing s3:GetObject is a common cause of AccessDenied.

Why this answer

Option D is correct because the Lambda execution role must have s3:GetObject permission for the bucket. Option A is wrong because S3 Block Public Access does not affect Lambda access. Option B is wrong because encryption settings do not cause AccessDenied if permissions are correct.

Option C is wrong because bucket versioning is not related to access.

208
MCQeasy

A developer is troubleshooting an Amazon RDS for MySQL instance that is experiencing high CPU utilization. The application performs many read operations. The developer wants to reduce the load on the database. What is the MOST effective solution?

A.Upgrade the DB instance to a larger instance class.
B.Create a read replica and direct read queries to it.
C.Enable Multi-AZ for automatic failover.
D.Purchase reserved instances to reduce costs.
AnswerB

Read replicas handle read traffic, reducing the load on the primary instance and lowering CPU utilization.

Why this answer

Option C is correct because adding a read replica offloads read traffic from the primary instance, reducing CPU utilization. Option A is wrong because vertical scaling increases capacity but does not specifically address read load efficiently. Option B is wrong because reserved instances do not reduce CPU usage.

Option D is wrong because Multi-AZ provides high availability, not performance improvement.

209
MCQeasy

A developer is troubleshooting an AWS Lambda function that writes to an S3 bucket. The function is failing with an 'AccessDenied' error. The Lambda execution role has the following policy. What is the likely issue? { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": "arn:aws:s3:::my-bucket/*" } ] }

A.The resource ARN should be 'arn:aws:s3:::my-bucket' instead of 'my-bucket/*'.
B.The action should be 's3:PutObject' only, not 's3:GetObject'.
C.The role is missing s3:ListBucket permission.
D.The bucket uses SSE-KMS encryption, and the role lacks kms:Decrypt permission.
AnswerD

Without KMS permissions, PutObject fails with AccessDenied.

Why this answer

Option A is correct because the policy only grants access to objects in the bucket, not to the bucket itself for operations like ListBucket, but for PutObject, the resource is correct. However, the error may be due to a missing permission for s3:PutObject on the bucket level if the bucket policy also requires it. Actually, the most common issue for PutObject is the resource ARN, which is correct.

But if the bucket is encrypted, you need kms:Decrypt permissions. Option A points to missing KMS permissions, which is plausible. Option B is wrong because the resource is correct.

Option C is wrong because S3 does not require s3:ListBucket for PutObject. Option D is wrong because the action is allowed.

210
MCQhard

An application uses DynamoDB as its database with on-demand capacity. The application experiences increased latency during peak hours. CloudWatch metrics show ConsumedWriteCapacityUnits is below ProvisionedWriteCapacityUnits, but ThrottledWriteEvents is zero. What is the most likely cause?

A.The table is experiencing write throttling.
B.The table has too many read capacity units.
C.The provisioned capacity is insufficient.
D.The workload has hot partitions.
AnswerD

Hot partitions cause latency even if overall capacity is sufficient.

Why this answer

Option C is correct because even though capacity is not exceeded, hot partitions can cause latency. On-demand capacity is per-table, not per-partition. Option A is wrong because throttled events are zero.

Option B is wrong because on-demand capacity is automatically managed. Option D is wrong because RCUs are not related to write latency.

211
MCQmedium

A developer is troubleshooting a slow-running Amazon RDS for MySQL query. The query performance has degraded over time. Which approach should the developer take first to identify the cause?

A.Enable Performance Insights and review the database load
B.Upgrade the DB instance to a larger instance class
C.Create a read replica to offload read traffic
D.Enable the MySQL query cache
AnswerA

Performance Insights helps identify the top waits and queries causing the slowdown.

Why this answer

Option C is correct because enabling RDS Performance Insights gives a quick view of database load and wait events. Option A is wrong because query caching is not directly available in RDS MySQL and may not help. Option B is wrong because a read replica does not fix the performance issue.

Option D is wrong because increasing instance size may be unnecessary without first diagnosing the bottleneck.

212
Multi-Selectmedium

A developer is troubleshooting a slow-running query on an Amazon RDS for MySQL database. The query is used by a reporting application and takes over 30 seconds to complete. The database is a db.r5.large instance with 200 GB of gp2 storage. Which TWO actions should the developer take to improve query performance?

Select 2 answers
A.Terminate idle connections to free up resources.
B.Review the slow query log to identify the query and its execution plan.
C.Increase the allocated storage to 500 GB to improve I/O performance.
D.Add appropriate indexes to the tables involved in the query.
E.Enable Multi-AZ deployment for better read performance.
AnswersB, D

Slow query log provides insights for optimization.

Why this answer

Option A and D are correct: reviewing the slow query log helps identify the query, and adding appropriate indexes can speed up execution. Option B is wrong because increasing storage does not directly improve query speed. Option C is wrong because terminating idle connections has no impact.

Option E is wrong because Multi-AZ is for high availability, not performance.

213
MCQeasy

A developer notices that an S3 bucket policy allows public read access to all objects. The bucket contains sensitive data that should only be accessible by authorized IAM users. What is the BEST way to remediate this?

A.Enable default encryption on the bucket.
B.Modify the bucket policy to remove the public statement and use IAM policies for access.
C.Enable S3 Block Public Access at the account level.
D.Enable S3 Object Ownership and use ACLs.
AnswerB

Using IAM policies allows fine-grained access control.

Why this answer

Option B is correct because the bucket policy currently grants public read access, which overrides any IAM-based restrictions. By removing the public statement from the bucket policy and relying solely on IAM policies, access is controlled at the user level, ensuring only authorized IAM users can read objects. This aligns with the principle of least privilege and follows AWS best practices for securing S3 data.

Exam trap

The trap here is that candidates often confuse encryption with access control, thinking that enabling encryption (Option A) will prevent unauthorized access, when in fact encryption only protects data at rest and does not affect public read permissions.

How to eliminate wrong answers

Option A is wrong because enabling default encryption only encrypts data at rest; it does not restrict access, so public read access would still be allowed. Option C is wrong because S3 Block Public Access at the account level would prevent all public access, but it is a broad, account-wide setting that may inadvertently block legitimate public access for other buckets; the question asks for the best remediation for this specific bucket, not a blanket account-level change. Option D is wrong because S3 Object Ownership and ACLs are legacy access control mechanisms that are less secure and more complex to manage than IAM policies, and they do not directly address the public read access granted by the bucket policy.

214
MCQhard

A company uses AWS CloudFormation to deploy a stack that includes an RDS MySQL instance. During an update, the stack fails with a 'DELETE_FAILED' status on a security group resource. The security group has a dependency on the RDS instance. What is the MOST likely cause?

A.The RDS instance is not fully deleted because of a deletion protection flag.
B.The security group has a rule that references itself.
C.The security group must be deleted manually before updating the stack.
D.The security group is attached to an EC2 instance outside the stack.
AnswerA

Deletion protection prevents RDS deletion, blocking security group deletion.

Why this answer

Option C is correct because the RDS instance is in a 'deleting' state and the security group cannot be deleted until the RDS instance is fully deleted. Option A is wrong because the security group is not the issue. Option B is wrong because CloudFormation does not require manual deletion.

Option D is wrong because the issue is not about the security group being in use by other resources.

215
MCQhard

A developer notices that an application is generating duplicate entries in a DynamoDB table. The application uses a Lambda function triggered by an SQS queue. Messages are processed with at-least-once delivery. Which design change will reduce duplicates?

A.Increase the visibility timeout of the SQS queue.
B.Use a FIFO SQS queue with content-based deduplication.
C.Use DynamoDB Transactions to ensure atomic writes.
D.Implement idempotent processing by checking a condition expression in DynamoDB PutItem.
AnswerD

Idempotent writes using ConditionExpression prevent duplicate inserts.

Why this answer

SQS provides at-least-once delivery, so duplicates are possible. Making the Lambda function idempotent using a unique message deduplication ID (e.g., using the message ID as a condition in DynamoDB) prevents duplicates.

216
MCQeasy

A Lambda function that processes S3 events is failing with timeout errors. The function downloads a 100 MB file from S3 and processes it. The current timeout is 30 seconds. What is the most cost-effective way to troubleshoot this issue?

A.Use a larger EC2 instance type instead of Lambda
B.Increase the function timeout to 5 minutes
C.Provision a dedicated Lambda instance for the function
D.Increase the function memory allocation to 2048 MB
AnswerD

More memory provides more CPU, reducing processing time and cost.

Why this answer

Option B is correct because increasing the function's memory also increases CPU allocation, which can speed up processing and reduce runtime. Option A is wrong because Lambda supports up to 15 minutes, but increasing timeout without addressing performance may not help. Option C is wrong because using a larger instance type is not applicable to Lambda.

Option D is wrong because Lambda does not support dedicated instances.

217
MCQeasy

A developer is using AWS CloudFront to serve static content. Users in some geographic regions report slow load times. Which CloudFront feature can the developer use to reduce latency for these users?

A.Change the CloudFront price class to include all edge locations.
B.Create multiple origins in different regions.
C.Enable S3 Transfer Acceleration on the origin S3 bucket.
D.Use Lambda@Edge to optimize content delivery.
AnswerA

Price Class All ensures CloudFront uses all edge locations, reducing latency for users in all regions.

Why this answer

CloudFront has a global network of edge locations. If latency is high in certain regions, the developer can add additional edge locations by using Origin Shield or ensuring the price class includes those regions. However, CloudFront automatically uses all edge locations; the issue may be that the origin is far.

Adding more edge locations (via price class) helps. But the simplest is to use a regional edge cache or Origin Shield. Option A is wrong because S3 Transfer Acceleration is for uploads to S3, not CloudFront distribution.

Option B is wrong because Lambda@Edge runs at edge, but it adds compute, not reduce latency for static content. Option C is wrong because multiple origins are for different content, not latency. Option D is correct: enabling additional edge locations via price class (e.g., Price Class All) ensures all edge locations serve content.

218
MCQeasy

A developer is deploying a new version of a Lambda function using an alias for blue/green deployment. Traffic is gradually shifted to the new version. During the shift, a high error rate is observed. What should the developer do to minimize impact?

A.Use the Lambda function's provisioned concurrency to pre-warm the new version.
B.Manually revert the alias to point back to the old version.
C.Configure the alias with a canary deployment and an error rate alarm for automatic rollback.
D.Delete the new version and redeploy after fixing the issue.
AnswerC

Canary deployment with alarm-based rollback minimizes impact.

Why this answer

Option C is correct because it automates the rollback process using AWS CodeDeploy's canary deployment with an Amazon CloudWatch alarm on the error rate. When the alarm triggers, CodeDeploy automatically shifts traffic back to the previous version, minimizing impact without manual intervention. This is the recommended approach for safe blue/green deployments with Lambda aliases.

Exam trap

The trap here is that candidates may think manual reversion (Option B) is the simplest fix, but the exam emphasizes automated rollback strategies (like canary deployments with alarms) as the best practice for minimizing impact during blue/green deployments.

How to eliminate wrong answers

Option A is wrong because provisioned concurrency pre-warms execution environments to reduce cold starts, but it does not address a high error rate during traffic shifting; errors are typically caused by code defects, not cold starts. Option B is wrong because manually reverting the alias is a valid fallback but is slower and error-prone compared to an automated rollback; the question asks to minimize impact, and manual reversion introduces delay and potential for human error. Option D is wrong because deleting the new version and redeploying after fixing the issue is a reactive approach that does not minimize impact during the shift; it requires manual intervention and does not provide automatic recovery.

219
MCQmedium

A developer is managing an application running on Amazon EC2 instances behind an Application Load Balancer. Users report that the application becomes unresponsive after several hours, and restarting the instance temporarily fixes the issue. The developer suspects a memory leak but cannot add custom instrumentation. Which AWS service can collect memory utilization metrics and help identify the memory leak with minimal configuration?

A.Use Amazon CloudWatch Logs agent to capture application logs.
B.Use the EC2 instance metadata service to query memory usage.
C.Install the CloudWatch agent on the EC2 instances to collect memory metrics and emit them to CloudWatch.
D.Use AWS X-Ray to trace memory allocation.
AnswerC

Correct. The CloudWatch agent can collect memory metrics and send them to CloudWatch for monitoring.

Why this answer

The CloudWatch agent can collect custom metrics, including memory utilization, from EC2 instances and publish them to Amazon CloudWatch. This allows the developer to monitor memory usage over time and identify a memory leak without modifying the application code. The default EC2 metrics do not include memory utilization, so the CloudWatch agent is the minimal-configuration solution for this requirement.

Exam trap

The trap here is that candidates assume EC2 automatically provides memory metrics in CloudWatch, but in reality, only CPU, network, and disk metrics are available by default; memory requires the CloudWatch agent.

How to eliminate wrong answers

Option A is wrong because the CloudWatch Logs agent captures application logs, not memory utilization metrics; logs could indirectly indicate issues but do not provide direct memory metrics needed to identify a leak. Option B is wrong because the EC2 instance metadata service provides information about the instance itself (e.g., instance ID, AMI ID) but does not expose memory utilization data; it is not a monitoring service for OS-level metrics. Option D is wrong because AWS X-Ray traces requests and identifies performance bottlenecks in distributed applications, not memory allocation or utilization; it is designed for tracing, not OS-level resource monitoring.

220
MCQmedium

A developer is troubleshooting a DynamoDB table that is experiencing high write throttling (ProvisionedThroughputExceededException) on certain days. The table has provisioned write capacity of 1000 WCU. The table has a partition key of 'user_id' which is a UUID. The table is accessed by multiple services. CloudWatch metrics show that the WriteThrottleEvents are spiking during specific hours, and the ConsumedWriteCapacityUnits often reaches 1000. What is the most likely cause of the throttling?

A.The partition key is not distributed evenly, causing a hot partition.
B.The provisioned write capacity is insufficient to handle the traffic spikes.
C.The table does not have DynamoDB Accelerator (DAX) enabled.
D.The table is configured with eventual consistency, which throttles writes.
AnswerB

The consumed capacity is reaching the provisioned limit, causing throttling.

Why this answer

The correct answer is B because the ConsumedWriteCapacityUnits consistently reaches the provisioned 1000 WCU during specific hours, and WriteThrottleEvents spike at those same times. This indicates that the provisioned capacity is insufficient to handle peak traffic, causing requests to be throttled. The partition key (UUID) is well-distributed, so a hot partition is unlikely.

Exam trap

The trap here is that candidates often assume throttling must be caused by a hot partition (Option A) when the partition key is not a UUID, but in this case the UUID ensures even distribution, so the real issue is simply insufficient capacity during traffic spikes.

How to eliminate wrong answers

Option A is wrong because the partition key is a UUID, which is inherently random and evenly distributes writes across partitions, making a hot partition improbable. Option C is wrong because DAX is an in-memory cache for reads, not writes, and does not affect write throttling or provisioned write capacity. Option D is wrong because eventual consistency applies only to reads, not writes; writes are always strongly consistent and throttling is based on write capacity, not consistency settings.

221
MCQhard

An application uses an Application Load Balancer (ALB) with a target group of EC2 instances. Users report intermittent HTTP 503 errors. The ALB access logs show that the error occurs when the request rate exceeds 10,000 requests per second. What is the most likely cause?

A.The EC2 instances are failing health checks.
B.The SSL certificate is expiring.
C.The ALB is exceeding its connection limit.
D.The target group's connection draining is too short.
AnswerC

ALB has a default limit that can be increased via a limit increase request.

Why this answer

Option A is correct because ALB has a default limit of 10,000 new connections per second (which may be lower depending on region) and exceeding it causes 503 errors. Option B is wrong because connection draining is a graceful shutdown, not causing errors. Option C is wrong because the instances are healthy.

Option D is wrong because the issue is not SSL negotiation.

222
MCQmedium

A company is using Amazon API Gateway to expose a REST API. The API is integrated with an AWS Lambda function. Lately, the API is returning 502 Bad Gateway errors. What is the MOST likely cause?

A.The API Gateway request throttling limit has been exceeded.
B.The API Gateway API key is invalid.
C.The Lambda function is returning an unhandled exception.
D.The Lambda function's execution role does not allow API Gateway to invoke it.
AnswerC

API Gateway expects a specific response format; any error from Lambda results in a 502.

Why this answer

Option B is correct because 502 errors in API Gateway with Lambda integration typically indicate that the Lambda function returned an error. Option A is wrong because throttling would cause 429 Too Many Requests. Option C is wrong because IAM permissions would cause 403 Forbidden.

Option D is wrong because API keys are used for client authentication, not for backend integration.

223
MCQhard

A developer is using SQS to decouple microservices. The producer sends messages, but the consumer (an EC2 instance) does not process them. The CloudWatch metric 'ApproximateNumberOfMessagesVisible' is increasing. The consumer's IAM role has 'sqs:ReceiveMessage' and 'sqs:DeleteMessage' permissions. What is the most likely cause?

A.A dead-letter queue is configured and messages are being moved there.
B.The consumer does not have permission to call 'sqs:ReceiveMessage'.
C.The consumer is not using long polling, so calls to ReceiveMessage return empty frequently.
D.The queue is encrypted with SSE, and the consumer does not have permission to use the KMS key.
AnswerC

Short polling may return empty responses even when messages are available.

Why this answer

The consumer must also have 'sqs:ChangeMessageVisibility' to extend the visibility timeout if needed, but the key issue is that the consumer may not be calling ReceiveMessage with the correct queue URL or there is a network issue. However, the most common cause is that the visibility timeout is too short and messages are not being deleted before becoming visible again, but that would cause the metric to fluctuate. Another possibility is that the consumer is polling the wrong queue.

Option D is correct: the consumer is not using long polling, which can lead to empty responses and the impression that there are no messages. Option A is wrong because the permissions include ReceiveMessage. Option B is wrong because a DLQ would receive messages after max receives, but messages are still visible.

Option C is wrong because the queue is not encrypted by default.

224
MCQmedium

A developer notices that an AWS Lambda function, configured to access an Amazon RDS database in the same VPC, is timing out. The function has a 30-second timeout. CloudWatch Logs show that the function starts execution but never reaches the database. The VPC configuration includes private subnets without a NAT gateway. The RDS database is in the same VPC. What is the most likely cause of the timeout?

A.The Lambda function does not have internet access because it is in a VPC without a public IP.
B.The security group of the RDS database does not allow inbound traffic from the Lambda function's security group.
C.The Amazon RDS database is not publicly accessible and the Lambda function cannot resolve the database endpoint.
D.The VPC does not have a VPC endpoint for Amazon RDS, and the Lambda function cannot access the database through the NAT gateway.
AnswerB

This is the most common cause: the RDS security group must allow inbound connections from the Lambda's security group on the database port.

Why this answer

Option B is correct because the Lambda function is timing out when trying to connect to the RDS database, which is in the same VPC. The most likely cause is that the RDS database's security group does not have an inbound rule allowing traffic from the Lambda function's security group on the database port (e.g., 3306 for MySQL, 5432 for PostgreSQL). Without this rule, the TCP connection attempt is silently dropped or rejected, causing the Lambda function to wait until its 30-second timeout expires.

Exam trap

The trap here is that candidates often assume the Lambda function needs internet access or a NAT gateway to communicate with an RDS database in the same VPC, overlooking the fact that security group rules are the primary control for inbound traffic within a VPC.

How to eliminate wrong answers

Option A is wrong because the Lambda function does not need internet access to reach an RDS database in the same VPC; private subnet communication within a VPC does not require a public IP or NAT gateway. Option C is wrong because the RDS database being publicly accessible is irrelevant when both resources are in the same VPC; DNS resolution of the database endpoint works via the VPC's internal DNS, and the Lambda function can resolve it without public access. Option D is wrong because a VPC endpoint for Amazon RDS is used for accessing RDS API operations (e.g., CreateDBInstance), not for database client connections (e.g., MySQL/PostgreSQL protocol), and the scenario explicitly states there is no NAT gateway, but the Lambda function does not need one to communicate within the VPC.

225
MCQhard

A web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). During rolling updates of the Auto Scaling group, users intermittently receive HTTP 502 (Bad Gateway) errors. The developer checks the ALB access logs and notices that requests are being routed to instances that are in the 'Draining' state. The ALB has connection draining enabled with a timeout of 30 seconds. The Auto Scaling group terminates instances after they are taken out of service. What is the most likely cause of the 502 errors?

A.The connection draining timeout is too short, causing the ALB to terminate connections before in-flight requests finish.
B.The health check interval is set too long, causing the ALB to consider unhealthy instances as healthy.
C.Cross-zone load balancing is disabled, so the ALB is routing requests to instances that are already draining.
D.The Auto Scaling group's minimum size is too small, causing the ALB to have no healthy targets.
AnswerA

When connection draining is enabled, the ALB waits for the draining timeout before deregistering the instance. If the timeout is too short, requests still in progress are terminated, resulting in 502 errors.

Why this answer

The 502 errors occur because the ALB's connection draining timeout of 30 seconds is too short to allow all in-flight requests to complete before the Auto Scaling group terminates the instances. When an instance enters the 'Draining' state, the ALB stops sending new requests but waits up to the draining timeout for existing connections to finish. If the timeout expires before requests complete, the ALB forcibly closes connections, resulting in HTTP 502 (Bad Gateway) errors for clients whose requests were still in progress.

Exam trap

The trap here is that candidates often confuse connection draining timeout with health check interval, assuming that a long health check interval causes the ALB to route to unhealthy instances, when in fact the 502 errors are caused by the ALB forcibly terminating connections before in-flight requests complete due to an insufficient draining timeout.

How to eliminate wrong answers

Option B is wrong because a long health check interval would cause the ALB to consider unhealthy instances as healthy for longer, but the issue here is that requests are being routed to instances already in the 'Draining' state, not that unhealthy instances are mistakenly considered healthy. Option C is wrong because cross-zone load balancing affects how traffic is distributed across Availability Zones, not the routing of requests to draining instances; the ALB routes to draining instances only when connection draining is active, regardless of cross-zone settings. Option D is wrong because a small minimum size would cause a lack of healthy targets, leading to 503 errors, not 502 errors; the 502 errors here are specifically tied to connection termination during draining, not insufficient capacity.

← PreviousPage 3 of 4 · 291 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Troubleshooting questions.