SAA-C03 (SAA-C03) — Questions 751–825

1040 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751
MCQ · easy

A company runs an Amazon RDS for PostgreSQL database. The application performs frequent OLTP writes, but it also has a separate dashboard that runs heavy SELECT queries and is slowing down overall database performance. The writes must remain on the primary. What is the best approach to improve performance for the dashboard?

A. Create an RDS read replica and route the dashboard’s read-only queries to the replica endpoint
B. Increase instance storage throughput limits and disable synchronous replication to speed up all queries
C. Replace RDS with Amazon S3 because dashboards require SQL result caching
D. Move the primary database to a different AWS Region to reduce network latency

Answer: A

Read replicas offload read workloads from the primary. Since the dashboard performs read-only SELECTs, routing those queries to a replica reduces contention on the primary, allowing OLTP writes to continue with less interference.

Why this answer

Creating an RDS read replica allows you to offload the heavy SELECT queries from the primary database instance. The replica asynchronously replicates data from the primary using PostgreSQL's streaming replication, so the dashboard can query the replica without impacting the OLTP write performance on the primary. This directly addresses the requirement that writes remain on the primary while improving dashboard query performance.

Exam trap

The trap here is that candidates might think increasing instance size or storage throughput is sufficient, but the core issue is workload isolation—offloading read-heavy queries to a read replica is the only scalable solution that preserves write performance on the primary.

How to eliminate wrong answers

Option B is wrong because increasing storage throughput limits does not reduce the impact of heavy SELECT queries on write performance, and disabling synchronous replication (which is not applicable to RDS for PostgreSQL in this context) would not isolate the dashboard workload. Option C is wrong because Amazon S3 is an object storage service, not a relational database; it cannot replace PostgreSQL for OLTP writes or support SQL queries without additional services like Athena or Redshift Spectrum, and it does not provide the transactional consistency required for the application. Option D is wrong because moving the primary database to a different AWS Region would increase network latency for the application's writes, not improve dashboard performance, and it does not separate the read workload from the write workload.

752
MCQ · hard

Based on the exhibit, an application runs in private subnets without a NAT gateway and must retrieve a secret from AWS Secrets Manager. Security requires the traffic to stay on the AWS network and not traverse the public internet. What is the best solution?

A. Add a NAT gateway to the private subnet route table and keep using the public Secrets Manager endpoint.
B. Create an interface VPC endpoint for Secrets Manager and enable private DNS for the endpoint.
C. Create a gateway VPC endpoint for Secrets Manager and point the route table to it.
D. Use VPC peering to connect the application subnet to another VPC that already has internet access.

Answer: B

An interface endpoint keeps API calls on the AWS network and private DNS makes the standard service name resolve to the private endpoint.

Why this answer

Option B is correct because an interface VPC endpoint for Secrets Manager allows the application in the private subnet to securely access Secrets Manager over the AWS network using private IP addresses, without needing a NAT gateway or internet gateway. Enabling private DNS ensures that the default Secrets Manager DNS name resolves to the endpoint's private IP addresses, keeping all traffic within the AWS backbone and satisfying the security requirement.

Exam trap

The trap here is that candidates confuse gateway VPC endpoints (which work only for S3 and DynamoDB) with interface VPC endpoints (which are used for most other AWS services including Secrets Manager), leading them to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because adding a NAT gateway would route traffic to the public Secrets Manager endpoint over the internet, violating the requirement that traffic must not traverse the public internet. Option C is wrong because gateway VPC endpoints are only supported for AWS services like S3 and DynamoDB, not for Secrets Manager, which requires an interface endpoint. Option D is wrong because VPC peering with another VPC that has internet access still requires the application to go through a NAT or internet gateway to reach Secrets Manager, breaking the 'no public internet' rule and adding unnecessary complexity.

753
MCQ · medium

A company uses Amazon RDS with automated backups enabled (retention period: 7 days). At 10:30 UTC, a bad release corrupts specific rows in a production table. The team detects the issue at 11:10 UTC. They need to revert the database state to what it was from 10:00–10:30 UTC, recover quickly, and minimize risk to the currently running workload. What is the best option?

A. Reboot the DB instance and rely on the corrupted data being overwritten by storage-level changes.
B. Perform a point-in-time restore to a new DB instance using a timestamp before the corruption (for example, a time within 10:00–10:30 UTC).
C. Restore only the most recent automated backup snapshot, even if it is after the corruption timestamp.
D. Create a read replica of the current DB instance and overwrite the corrupted table using SELECT queries from the replica.

Answer: B

With automated backups enabled, RDS supports point-in-time recovery (PITR) within the retention window. Restoring to a timestamp before the corruption creates a consistent copy from that moment. The team can validate the restored DB and then cut over application traffic, reducing risk to the currently running workload.

Why this answer

Amazon RDS automated backups enable point-in-time recovery (PITR) to any second within the retention window. By restoring to a timestamp between 10:00 and 10:30 UTC, you recover the database to a state before the corruption occurred, without affecting the current production instance. This minimizes risk to the running workload because the restore creates a new DB instance, leaving the original untouched until you are ready to switch.

Exam trap

The trap here is that candidates may confuse automated backup snapshots (which are full backups taken once per day) with point-in-time recovery (which uses transaction logs to restore to any point within the retention window), leading them to choose Option C instead of B.

How to eliminate wrong answers

Option A is wrong because rebooting a DB instance does not revert data; it only restarts the database engine and does not undo committed transactions or storage-level changes. Option C is wrong because restoring the most recent automated backup snapshot includes the corrupted data, so it does not achieve the goal of reverting to a pre-corruption state. Option D is wrong because a read replica mirrors the current (corrupted) data; using SELECT queries from it cannot overwrite the corrupted table with clean data, and it does not provide a mechanism to roll back changes.

754
MCQ · medium

A service processes customer payments from a message queue. Because the queue provides at-least-once delivery, the same payment message can be delivered more than once if the consumer times out before committing its state. Currently, the service sometimes charges the customer twice. Which design change most directly prevents duplicate charges while still allowing safe retries?

A. Delete the message from the queue immediately after receive to prevent redelivery.
B. Make the payment processing idempotent by recording an idempotency key for each payment and ensuring repeated deliveries do not apply the charge twice.
C. Increase the queue visibility timeout to a very large value so messages rarely reappear.
D. Switch to a single-threaded consumer with one worker so messages are processed in order.

Answer: B

Idempotency ensures that reprocessing the same payment message has no additional side effects. Recording an idempotency key and using conditional logic prevents duplicate charges.

Why this answer

Option B is correct because making payment processing idempotent using an idempotency key ensures that even if the same message is delivered multiple times due to at-least-once delivery semantics, the charge is applied only once. The consumer records a unique key (e.g., payment ID) in a durable store (like DynamoDB or Redis) and checks it before processing; if the key already exists, the charge is skipped. This directly prevents duplicate charges while still allowing safe retries, as the consumer can safely reprocess messages without side effects.

Exam trap

The trap here is that candidates often confuse at-least-once delivery with exactly-once delivery and assume that increasing visibility timeouts or using single-threaded consumers will prevent duplicates, when in fact only idempotency guarantees safe retries without duplicate charges.

How to eliminate wrong answers

Option A is wrong because deleting the message immediately after receive violates the at-least-once delivery contract and can lead to message loss if the consumer crashes before processing completes. Option C is wrong because increasing the visibility timeout to a very large value only delays redelivery but does not prevent it entirely; if the consumer fails, the message will reappear after the timeout, still risking duplicate charges. Option D is wrong because single-threaded processing does not eliminate duplicates from at-least-once delivery; the same message can still be redelivered if the consumer times out, and ordering alone does not prevent duplicate charges.

755
MCQ · medium

A company stores private customer documents in an S3 bucket. They want only CloudFront to be able to read objects from the bucket (no direct S3 URL access), even if the bucket name and object key are known. Which configuration best meets this requirement?

A. Attach an AWS WAF Web ACL to CloudFront and allow public reads on the S3 bucket so WAF can block direct object access.
B. Use CloudFront Origin Access Control (OAC) and update the bucket policy to allow s3:GetObject only when the principal is cloudfront.amazonaws.com and aws:SourceArn equals the CloudFront distribution ARN.
C. Create IAM users with s3:GetObject permissions and share the IAM credentials with customers so they can fetch objects directly from S3.
D. Enable S3 static website hosting on the bucket and use the S3 website endpoint as the CloudFront origin so access controls can be enforced at CloudFront.

Answer: B

With OAC, CloudFront signs requests to S3 using an AWS-managed identity (the cloudfront.amazonaws.com service principal). A bucket policy that allows s3:GetObject only when aws:SourceArn matches your specific CloudFront distribution ARN ensures the bucket is not readable from S3 by other principals. Direct S3 requests from users do not present the required CloudFront context, so they are denied at S3 authorization time.

Why this answer

Option B is correct because CloudFront Origin Access Control (OAC) allows you to restrict S3 bucket access exclusively to CloudFront. By configuring the bucket policy to allow s3:GetObject only when the principal is cloudfront.amazonaws.com and the aws:SourceArn matches the CloudFront distribution ARN, you ensure that direct S3 URL requests are denied, even if the bucket name and object key are known. This prevents any unauthorized direct access to the S3 bucket.

Exam trap

The trap here is that candidates often confuse CloudFront's ability to cache content with its ability to enforce access control, mistakenly thinking that enabling static website hosting or using WAF alone can prevent direct S3 access, when in fact only Origin Access Control (or OAI) with a properly scoped bucket policy can achieve this.

How to eliminate wrong answers

Option A is wrong because AWS WAF operates at the application layer (Layer 7) and cannot block direct S3 URL access; it only filters HTTP/HTTPS requests to CloudFront, and allowing public reads on the S3 bucket would still permit direct S3 access. Option C is wrong because sharing IAM credentials with customers violates security best practices, and it does not prevent direct S3 URL access if the credentials are used outside CloudFront. Option D is wrong because enabling S3 static website hosting does not restrict access to CloudFront; the S3 website endpoint is publicly accessible and does not enforce CloudFront-only access controls.

756
MCQ · hard

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a financial reporting platform. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

A. A security group rule that allows HTTPS to S3
B. A condition that matches aws:RequestedRegion to the bucket Region
C. A deny statement for all IAM users except the EC2 role
D. A condition that matches aws:sourceVpce to the endpoint ID

Answer: D

The aws:sourceVpce condition restricts S3 access to requests that arrive through the specified VPC endpoint.

Why this answer

Option D is correct because the bucket policy can use the `aws:sourceVpce` condition key to restrict access to requests that originate from a specific VPC endpoint (a Gateway VPC Endpoint for S3). This ensures that only traffic flowing through that endpoint can access the bucket, meeting the security team's requirement. The EC2 instance in the private subnet routes S3 traffic through the endpoint via the subnet's route table, and the bucket policy enforces the restriction at the resource level.

Exam trap

The trap here is that candidates often confuse `aws:sourceVpce` with `aws:SourceVpc` or think that a security group rule (Option A) can enforce endpoint-based access, but only the bucket policy condition key can restrict based on the specific VPC endpoint ID.

How to eliminate wrong answers

Option A is wrong because security group rules control network traffic at the instance level, not at the S3 bucket policy level, and they cannot enforce that traffic must come through a specific VPC endpoint. Option B is wrong because `aws:RequestedRegion` checks the AWS Region in the request, not the VPC endpoint used; it does not restrict traffic to a specific endpoint. Option C is wrong because denying all IAM users except the EC2 role would block legitimate access from other authorized principals (e.g., cross-account roles or services) and does not enforce the endpoint requirement.

757
MCQ · hard

Based on the exhibit, a media rendering job runs on a single EC2 instance and writes a large working set of metadata to block storage. The workload performs sustained random reads and writes and must keep latency consistently low for the entire run. The instance may be stopped and started between jobs, and the data must persist. Which storage choice best meets the requirements?

A. Amazon S3 with multipart uploads because it provides durable object storage and high throughput.
B. Amazon EFS because it can be mounted by EC2 and supports persistent file access.
C. Provisioned IOPS SSD EBS volume (io2).
D. Amazon FSx for Windows File Server because it offers durable storage and low latency.

Answer: C

io2 is designed for sustained high IOPS with low and consistent latency on EC2 block storage. The workload is single-instance, random I/O intensive, and needs persistence across stop/start, which matches EBS block storage behavior well.

Why this answer

The workload requires sustained low-latency random reads and writes to block storage, and the data must persist across instance stop/start cycles. Provisioned IOPS SSD EBS volumes (io2) are block-level storage designed for high-performance, low-latency workloads with consistent IOPS, and they persist independently of the EC2 instance lifecycle.

Exam trap

The trap here is that candidates confuse file storage (EFS, FSx) or object storage (S3) with block storage, failing to recognize that sustained low-latency random reads and writes require a block-level device like EBS, not a network-mounted file system.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is object storage, not block storage, and does not support low-latency random read/write access required for a working set of metadata; multipart uploads are for throughput, not latency-sensitive random I/O. Option B is wrong because Amazon EFS is a file-level NFS service that introduces network latency and does not provide the consistent sub-millisecond latency of local block storage for sustained random I/O. Option D is wrong because Amazon FSx for Windows File Server is file-level storage with higher latency than direct-attached block storage and is optimized for Windows workloads, not for the low-latency random block I/O pattern described.

758
MCQ · medium

A media company stores original uploads in an S3 bucket. They must recover from accidental overwrites/deletes and also recover quickly from a full Region outage. The required RPO is about 1 hour. Which configuration best meets these requirements?

A. Enable an S3 lifecycle policy to transition objects to Glacier after 7 days without enabling versioning.
B. Enable S3 cross-Region replication (CRR) but leave the bucket without versioning enabled.
C. Enable S3 versioning and configure cross-Region replication to a bucket in another Region.
D. Rely on frequent EBS snapshots of a temporary cache used during uploads.

Answer: C

Versioning enables recovery from accidental overwrites/deletes, and CRR provides near-current copies for Region-level disaster recovery.

Why this answer

Option C is correct because enabling S3 versioning protects against accidental overwrites and deletes by preserving all object versions, while cross-Region replication (CRR) asynchronously replicates objects to a bucket in another Region, providing recovery from a full Region outage. With versioning enabled, CRR replicates both current and previous object versions, meeting the ~1-hour RPO (typically within minutes for new objects) and ensuring data durability across Regions.

Exam trap

AWS often tests the misconception that CRR can work without versioning, but the S3 API explicitly requires versioning on the source bucket for replication to function, and candidates may overlook that versioning is also the mechanism that protects against accidental overwrites and deletes.

How to eliminate wrong answers

Option A is wrong because a lifecycle policy to transition objects to Glacier after 7 days does not protect against accidental overwrites or deletes (versioning is required for that), nor does it provide cross-Region recovery; Glacier is a cold storage class in the same Region, not a replication mechanism. Option B is wrong because S3 cross-Region replication requires versioning to be enabled on the source bucket; without versioning, CRR cannot replicate objects and will fail, leaving no protection against overwrites/deletes or Region outages. Option D is wrong because EBS snapshots of a temporary cache used during uploads do not protect the original S3 objects from overwrites/deletes, and EBS snapshots are tied to a single Availability Zone, not a full Region, failing the cross-Region recovery requirement.

759
MCQ · medium

A media platform runs a CPU-heavy thumbnail generation workload on an EC2 Auto Scaling group using t3.large instances. During peak traffic, p95 processing time increases significantly even though average CPU remains around 40–50%. CloudWatch also shows CPU credit depletion behavior. Which change will most directly improve performance predictability for this workload?

A. Increase the t3.large maximum CPU credits and keep the Auto Scaling group using the same burstable instance type.
B. Change the Auto Scaling group instance type to a compute-optimized family (for example, c7i) to provide steady CPU performance.
C. Add a placement group to the existing t3.large instances so they are packed close together for lower latency between nodes.
D. Switch the workload to run on Lambda with the same logic so invocations automatically scale without instance selection changes.

Answer: B

Compute-optimized instances are designed for consistently high CPU performance and do not rely on a burst-credit model. Switching to a steady-performance family removes the credit-depletion/throttling pattern that is driving the p95 latency spikes under sustained load.

Why this answer

The t3.large instances rely on CPU credits for burst performance, and when credits are exhausted, CPU performance is throttled to the baseline (e.g., 30% for t3.large). This causes unpredictable processing times during peak traffic, even if average CPU is moderate. Switching to a compute-optimized family like c7i provides dedicated, consistent CPU performance without credit-based throttling, directly improving predictability for CPU-heavy thumbnail generation.

Exam trap

The trap here is that candidates assume 'CPU credit depletion' can be fixed by increasing credits or scaling out, but the real issue is that burstable instances are fundamentally unsuitable for sustained CPU-heavy workloads, and only switching to a non-burstable instance type (e.g., compute-optimized) guarantees predictable performance.

How to eliminate wrong answers

Option A is wrong because increasing maximum CPU credits (which is not a configurable parameter; t3 instances have a fixed credit earning/balance limit) would only delay throttling, not eliminate it, and the workload would still face unpredictable performance once credits are depleted. Option C is wrong because placement groups optimize network latency between instances (e.g., for tightly coupled workloads like HPC), but the issue here is CPU credit exhaustion, not network latency. Option D is wrong because Lambda has a 15-minute execution timeout and limited CPU allocation per invocation (proportional to memory), making it unsuitable for long-running, CPU-heavy thumbnail generation; it also introduces cold start latency and does not inherently solve the CPU credit problem.

760
Multi-Select · medium

A DevOps team is designing a high-performance CI/CD pipeline to build and test code changes. The pipeline needs to scale to handle hundreds of concurrent builds, with fast build times and minimal idle compute cost. The builds are containerized and require consistent, reproducible environments. Which three options should be used to meet these requirements? (Choose three.)

Select 3 answers
A. Use AWS CodeBuild with a large number of concurrent build projects.
B. Use self-managed Jenkins on EC2 Spot Instances to reduce costs.
C. Use AWS CodePipeline to orchestrate the build, test, and deploy stages.
D. Use AWS CodeBuild with pre-built Docker images cached in Amazon ECR.
E. Use Amazon EC2 Auto Scaling with a custom AMI for build agents.
F. Use Amazon S3 as a cache store for CodeBuild to speed up dependency download.

Why this answer

AWS CodePipeline is the correct orchestration service to define and manage the CI/CD pipeline stages (build, test, deploy) in a serverless, highly available manner. Pre-built Docker images cached in Amazon ECR ensure consistent, reproducible environments and drastically reduce build times by avoiding image rebuilds. Using Amazon S3 as a cache store for CodeBuild allows storing and retrieving dependency caches (e.g., Maven .m2, npm node_modules) across builds, minimizing download times and speeding up the pipeline.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing self-managed or auto-scaling options (like Jenkins or EC2 Auto Scaling) instead of recognizing that AWS managed services (CodePipeline, CodeBuild, ECR, S3) provide the required scalability, speed, and cost efficiency with far less operational overhead.

761
MCQ · hard

A company runs EC2 workloads including web servers (m5.large), batch jobs (c5.xlarge), and a data processing service that will migrate from r5 to r6i instances within 6 months. The company wants to commit to 1 year to reduce costs but needs flexibility for the planned instance family migration. Which purchasing option provides the GREATEST savings while accommodating the change?

A. Standard Reserved Instances for each instance type with a 1-year term
B. Compute Savings Plans with a 1-year term commitment
C. EC2 Instance Savings Plans for the r5 instance family with a 1-year term
D. Convertible Reserved Instances for all instance types with a 1-year term

Answer: B

Compute Savings Plans apply automatically to any instance family including both r5 and r6i. The migration from r5 to r6i requires no Savings Plan changes. Up to 66% savings.

Why this answer

Compute Savings Plans automatically apply to any EC2 instance regardless of family, size, region, OS, or tenancy — including both r5 and r6i. When the data processing service migrates from r5 to r6i, the Compute Savings Plan continues to apply without any action required.

EC2 Instance Savings Plans lock to a specific instance family in a specific region. When the workload migrates from r5 to r6i, the EC2 Instance Savings Plan for r5 no longer applies — leaving the r6i workload billed at On-Demand rates.

Exam trap

EC2 Instance Savings Plans offer a deeper discount (up to 72%) but are locked to a specific instance family and region. Compute Savings Plans sacrifice ~2-5% discount compared to EC2 Instance Savings Plans but cover all families, sizes, regions, and Lambda/Fargate. When a family migration is planned, Compute Savings Plans are the correct choice — EC2 Instance Savings Plans would not cover the new r6i family.

Why the other options are wrong

A

Standard RIs are locked to a specific instance type, size, and region. When the r5 workload migrates to r6i, the r5 RI continues billing but no longer matches the running instances — creating waste and uncovered On-Demand charges.

C

EC2 Instance Savings Plans lock to a specific instance family (e.g., r5) in a specific region. When the workload migrates to r6i, the Savings Plan no longer covers the new instances — they are charged at On-Demand rates.

D

Convertible RIs allow exchanging for different families, which could handle the r5→r6i migration. However, the exchange process is manual, requires purchasing new RIs of equal or greater value, and Compute Savings Plans provide the same flexibility automatically.

762
MCQ · medium

A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used. Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging. Which approach best satisfies the requirement?

A. Enable an AWS Organizations CloudTrail organization trail that delivers management event logs (including IAM) to a centralized S3 bucket in a dedicated audit account, for all regions.
B. Use CloudWatch Logs metric filters on application logs to infer which principals changed trust policies.
C. Rely on GuardDuty alerts to provide the full request parameters for every IAM policy change.
D. Enable AWS Config only and store periodic snapshots without CloudTrail management events.

Answer: A

CloudTrail management events provide authoritative audit logs for API actions like IAM policy changes and can be centralized via an organization trail.

Why this answer

Option A is correct because an AWS Organizations CloudTrail organization trail captures management events (including IAM API calls like ChangeTrustPolicy) across all accounts and regions, storing immutable logs in a centralized S3 bucket in a dedicated audit account. This provides the exact principal ARN, source IP, and request parameters needed for forensic investigation, meeting the immutable and centralized audit requirement.

Exam trap

The trap here is that candidates may confuse AWS Config's configuration tracking with CloudTrail's API-level auditing, or assume GuardDuty provides detailed request parameters, but only CloudTrail management events capture the full principal identity and API call details required for forensic analysis.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs metric filters on application logs cannot capture the full API request parameters or the exact principal identity for IAM changes; they only analyze log text patterns and lack the granularity of CloudTrail management events. Option C is wrong because GuardDuty alerts are designed for threat detection (e.g., anomalous API behavior) and do not provide the complete request parameters or a centralized, immutable audit trail of every IAM policy change. Option D is wrong because AWS Config alone records resource configuration snapshots and changes but does not capture who made the change or the API request parameters; it requires CloudTrail to provide the identity and source of changes.

763
Multi-Select · medium

An application in Account B reads objects from an Amazon S3 bucket in Account A. The bucket uses SSE-KMS with a customer managed key in Account A. The role in Account B already has s3:GetObject, but downloads fail with AccessDenied on decrypt. Which two changes are required for the role to read the object successfully? Select two.

Select 2 answers
A. Add an SCP that grants the role additional permissions for KMS usage.
B. Add kms:Decrypt permission in the role's IAM policy for the KMS key.
C. Update the KMS key policy in Account A to allow the role from Account B to use Decrypt.
D. Grant the role read access with an S3 bucket ACL.
E. Enable S3 Transfer Acceleration on the bucket.

Answers: B, C

The caller needs an identity-based permission that allows kms:Decrypt on the specific CMK used to encrypt the S3 object. Without that allow statement, KMS denies the decrypt request even if S3 access is permitted.

Why this answer

Option B is correct because the role in Account B needs explicit kms:Decrypt permission in its IAM policy to use the KMS key for decrypting the S3 objects. Option C is correct because the KMS key policy in Account A must grant the role from Account B permission to call kms:Decrypt, as the key is customer managed and cross-account access requires both the key policy and the IAM policy to allow the action.

Exam trap

The trap here is that candidates often think only the IAM policy (Option B) is needed, forgetting that cross-account KMS access requires the key policy (Option C) to explicitly grant the external role decrypt permission, as IAM policies alone are insufficient for resource-based policies like KMS key policies.

764
MCQ · medium

A company hosts an image sharing application on EC2. Administrators must connect without opening SSH or RDP ports to the internet, and the design must avoid adding custom operational scripts. What should the architect use?

A. AWS Systems Manager Session Manager with the required instance role
B. An internet gateway attached to the private subnet
C. A public Elastic IP address on each instance
D. A bastion host with SSH open to 0.0.0.0/0

Answer: A

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows secure shell access to EC2 instances without opening inbound ports (SSH 22 or RDP 3389) to the internet. It uses the AWS Systems Manager agent and an IAM instance role to establish a bidirectional connection via the AWS API, eliminating the need for a bastion host or public IP. This meets the requirement of avoiding custom operational scripts because Session Manager is a fully managed service with no additional configuration beyond the agent and role.

Exam trap

The trap here is that candidates may think a bastion host or public IP is necessary for administrative access, failing to recognize that AWS Systems Manager Session Manager provides secure, agent-based access without opening any inbound ports or requiring custom scripts.

How to eliminate wrong answers

Option B is wrong because an internet gateway attached to a private subnet does not provide administrative access; it only enables outbound internet traffic for instances in that subnet, and inbound connections still require a public IP or NAT device. Option C is wrong because assigning a public Elastic IP address to each instance would expose SSH or RDP ports to the internet, violating the requirement to avoid opening those ports. Option D is wrong because a bastion host with SSH open to 0.0.0.0/0 explicitly opens port 22 to the entire internet, which is insecure and contradicts the requirement to avoid opening SSH or RDP ports to the internet.

765
MCQ (easy)

Your web tier runs on an EC2 Auto Scaling group behind an Application Load Balancer (ALB). You currently deploy both the ALB and the Auto Scaling group in only two Availability Zones (AZs). One AZ fails. What is the best configuration change to improve resilience?

A. Reduce health check timeouts so instances are replaced sooner in the failed AZ.
B. Add a third Availability Zone so the ALB and Auto Scaling group span at least three AZs.
C. Enable instance scale-in protection to stop the ASG from terminating unhealthy instances.
D. Switch the ALB to an internal Network Load Balancer (NLB) to avoid cross-AZ traffic.
Answer: B

An AZ failure removes that AZ's capacity, leaving only the remaining AZs to serve traffic. Spreading the ALB subnets and ASG instances across at least three AZs reduces the impact of losing any single AZ and helps ensure the remaining AZs can continue serving traffic.

Why this answer

Adding a third Availability Zone (AZ) ensures that the Application Load Balancer (ALB) and Auto Scaling group (ASG) can continue to route traffic and maintain capacity even if one AZ fails. With only two AZs, a single AZ failure reduces the fleet by 50% and may cause the ALB to lose the minimum healthy hosts required to serve traffic. Spreading across three AZs provides a higher resilience margin, as the remaining two AZs can absorb the load while the failed AZ recovers.

Exam trap

The trap here is that candidates think reducing health check timeouts or enabling scale-in protection can compensate for an AZ failure, but AWS explicitly requires a minimum of three AZs to achieve high availability for ALB-based architectures.

How to eliminate wrong answers

Option A is wrong because reducing health check timeouts only accelerates the replacement of unhealthy instances in the failed AZ, but does not prevent the loss of capacity from that AZ; the ASG will still be unable to launch instances in a failed AZ, so the fleet remains degraded. Option C is wrong because instance scale-in protection prevents termination of instances during scale-in events, but does not protect against AZ failure; unhealthy instances in a failed AZ will still be terminated by the ASG health check process, and scale-in protection does not help maintain capacity. Option D is wrong because switching to an internal NLB does not improve resilience to AZ failure; NLBs also operate within AZs and cross-AZ traffic is not the issue—the core problem is insufficient AZ count to absorb a single AZ outage.

766
MCQ (medium)

A fintech startup uses AWS to run a web API and a PostgreSQL database. They must meet an RPO of 15 minutes and an RTO of 2 hours for a Region-wide disaster. Budget allows running a small, always-on set of infrastructure in a secondary Region, but not full production capacity. The team wants a DR approach that is regularly testable without large manual effort. Which disaster recovery strategy is the best fit?

A. Pilot light: replicate databases and store backups, keep only minimal infrastructure in the secondary Region, and scale up fully during failover.
B. Warm standby: keep a scaled-down application environment and database replication active in the secondary Region, using automated failover controls.
C. Backup and restore only: rely on daily automated backups and restore into the secondary Region during an incident.
D. Multi-site active-active: run both Regions at full capacity and route live traffic to both simultaneously.
Answer: B

Warm standby aligns with moderate RTO requirements by having ready-to-run resources plus continuous replication to meet the RPO target during failover.

Why this answer

Warm standby (B) is the best fit because it maintains a scaled-down but fully functional application environment in the secondary Region with active database replication, meeting the RPO of 15 minutes (via synchronous or near-synchronous replication like PostgreSQL streaming replication) and RTO of 2 hours (via automated failover controls such as Route 53 health checks and AWS Lambda automation). This approach allows regular testing without large manual effort by simply promoting the standby environment, and the budget constraint is satisfied by running only minimal compute resources (e.g., smaller EC2 instances) in the secondary Region.

Exam trap

The trap here is that candidates often confuse pilot light with warm standby, assuming minimal infrastructure is sufficient for a 2-hour RTO, but pilot light requires provisioning and configuring application servers during failover, which typically takes longer than 2 hours, whereas warm standby already has the application running and only needs scaling.

How to eliminate wrong answers

Option A is wrong because pilot light keeps only minimal infrastructure (e.g., database replicas and storage) but does not maintain a running application environment; scaling up during failover would likely exceed the 2-hour RTO due to provisioning and configuration time, and testing requires manual steps. Option C is wrong because backup and restore relies on daily backups, which cannot achieve a 15-minute RPO (backups are typically taken every 24 hours) and restoring from backups into a new environment would take far longer than 2 hours, violating both RPO and RTO. Option D is wrong because multi-site active-active requires full production capacity in both Regions, which exceeds the budget constraint of running only a small, always-on set of infrastructure in the secondary Region.

767
MCQ (medium)

Your company has an internal service hosted behind a Network Load Balancer (NLB) in VPC 10.0.0.0/16. A consumer team in a different VPC (10.1.0.0/16) must call the service without using the public internet. You want private connectivity using AWS PrivateLink. Which configuration best enables least-privilege access while keeping the traffic private?

A. Expose the NLB with an Internet Gateway route and restrict access using a security group attached to the NLB.
B. Create a VPC endpoint (interface endpoint) in the consumer VPC that points to the service name published by the provider account, and limit allowed clients using the endpoint’s security group rules.
C. Create an S3 Gateway endpoint in the consumer VPC and store the service hostname in SSM Parameter Store so clients can resolve privately.
D. Use a bastion host in the provider VPC and allow the consumer VPC to SSH to it; from there, the consumer makes HTTP calls to the NLB.
Answer: B

PrivateLink uses an interface VPC endpoint in the consumer VPC (using the provider’s published service name). Traffic stays on the AWS network, not the public internet. Security groups on the interface endpoint provide least-privilege control over which client resources can reach the endpoint, and the provider side can also restrict who can connect.

Why this answer

Option B is correct because AWS PrivateLink uses an interface VPC endpoint in the consumer VPC to connect privately to a Network Load Balancer (NLB) in the provider VPC, without traversing the public internet. The endpoint’s security group acts as a least-privilege firewall, allowing only specific clients (by source IP or security group) to access the service. This keeps traffic within the AWS network and avoids exposing the NLB to the internet.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints (which only work for S3 and DynamoDB) with Interface Endpoints (which support PrivateLink for services behind an NLB), leading them to pick Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because attaching an Internet Gateway route to the NLB would expose it to the public internet, violating the requirement to keep traffic private, and NLBs do not support security groups—security groups are only supported for ALBs and ENIs, not NLB itself. Option C is wrong because an S3 Gateway endpoint is designed exclusively for Amazon S3 access, not for connecting to an NLB-hosted service; it cannot resolve or route traffic to a service hostname behind an NLB. Option D is wrong because using a bastion host introduces a single point of failure, requires SSH key management, and adds unnecessary complexity and latency; it also violates least-privilege by granting broad network access rather than a direct private connection.

768
MCQ (hard)

A warehouse integration service must process every event at least once, but duplicate processing is acceptable if the consumer handles idempotency. Which eventing approach is most suitable? The design must avoid adding custom operational scripts.

A. Use CloudFront signed URLs
B. Use Amazon SQS standard queue and design consumers to be idempotent
C. Use UDP messages sent directly to workers
D. Use an in-memory queue on one EC2 instance
Answer: B

SQS standard queues provide at-least-once delivery and high throughput; consumers must handle occasional duplicates.

Why this answer

Amazon SQS standard queues provide at-least-once delivery, ensuring every event is processed at least once, with the possibility of duplicates. Designing consumers to be idempotent handles duplicates without requiring custom scripts, aligning with the requirement to avoid operational overhead. This approach is serverless, scalable, and fits the warehouse integration use case.

Exam trap

The trap here is that candidates may choose UDP (Option C) thinking it is lightweight and fast, but they overlook its lack of delivery guarantees, which fails the 'process every event at least once' requirement.

How to eliminate wrong answers

Option A is wrong because CloudFront signed URLs are for controlling access to content, not for event processing or messaging; they do not provide at-least-once delivery guarantees. Option C is wrong because UDP is a connectionless, unreliable protocol that does not guarantee message delivery, making it unsuitable for processing every event at least once. Option D is wrong because an in-memory queue on a single EC2 instance introduces a single point of failure and requires custom scripts for management, violating the 'avoid adding custom operational scripts' constraint.
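As an added example (not code from the question bank), the following Python sketches the idempotent consumer that option B calls for: a standard-queue batch in which one logical event is delivered twice, handled by a consumer that keys each event on a producer-supplied event id and records it in a dedup table that is updated together with the side effect. The message shape mimics boto3's receive_message output, but the batch, the warehouse store and the dedup table are all constructed in-memory stand-ins; nothing here calls SQS or a real database.

```python
"""Idempotent consumer for an at-least-once queue (added example; not from the page).

Standard SQS queues deliver each message at least once. The consumer records
every logical event it has applied, keyed by a producer-supplied event_id, so a
redelivered or re-sent event is acknowledged without repeating its side effect.
The message dicts mimic boto3's receive_message output (MessageId, Body,
ReceiptHandle) but everything here is an in-memory, constructed stand-in.
"""
import json

# Constructed sample batch: evt-100 arrives twice under different MessageIds,
# as happens when a producer retries SendMessage after a timeout.
SAMPLE_MESSAGES = [
    {"MessageId": "m-1", "ReceiptHandle": "rh-1",
     "Body": json.dumps({"event_id": "evt-100", "sku": "A1", "qty": 5})},
    {"MessageId": "m-2", "ReceiptHandle": "rh-2",
     "Body": json.dumps({"event_id": "evt-101", "sku": "B2", "qty": 1})},
    {"MessageId": "m-3", "ReceiptHandle": "rh-3",
     "Body": json.dumps({"event_id": "evt-100", "sku": "A1", "qty": 5})},  # duplicate
    {"MessageId": "m-4", "ReceiptHandle": "rh-4",
     "Body": json.dumps({"event_id": "evt-102", "sku": "C3", "qty": 2})},
]


class WarehouseStore:
    """Stand-in for the database the integration writes to.

    processed_events models a dedup table. In a real store the membership check
    and the stock update must happen in one transaction (or one conditional
    write) so that two consumers racing on the same event cannot both apply it.
    """

    def __init__(self):
        self.stock = {}                 # sku -> quantity received
        self.processed_events = set()   # event_ids already applied

    def apply_once(self, event):
        """Apply the event unless its event_id was already applied. Returns True if applied."""
        if event["event_id"] in self.processed_events:
            return False
        self.stock[event["sku"]] = self.stock.get(event["sku"], 0) + event["qty"]
        self.processed_events.add(event["event_id"])
        return True


def process_batch(messages, store):
    """Consume a batch of SQS-shaped messages idempotently.

    Returns (applied, skipped_duplicates, receipt_handles_to_delete). Duplicates
    are deleted from the queue too; otherwise SQS would keep redelivering them
    after each visibility timeout until the redrive policy sent them to a DLQ.
    A message without an event_id cannot be deduplicated, so it is left on the
    queue for the redrive policy / investigation rather than applied blindly.
    """
    applied, skipped, to_delete = 0, 0, []
    for msg in messages:
        event = json.loads(msg["Body"])
        if "event_id" not in event:
            continue
        if store.apply_once(event):
            applied += 1
        else:
            skipped += 1
        to_delete.append(msg["ReceiptHandle"])
    return applied, skipped, to_delete


if __name__ == "__main__":
    store = WarehouseStore()
    print(process_batch(SAMPLE_MESSAGES, store))   # (3, 1, ['rh-1', 'rh-2', 'rh-3', 'rh-4'])
    print(store.stock)                              # {'A1': 5, 'B2': 1, 'C3': 2}
```

The dedup key has to come from the producer (the event id) rather than from the SQS MessageId: a producer that retries SendMessage after a timeout creates a second message, with its own MessageId, for the same event, and the queue's own at-least-once redelivery adds a second path to the same outcome. Deleting a recognised duplicate is deliberate; a consumer that left it on the queue would turn expected at-least-once noise into messages that end up in the dead-letter queue.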

769
MCQ (easy)

Based on the exhibit, which EBS volume type should the team use to meet the performance need at lower cost than overprovisioning capacity?

A. Use gp3 and provision the needed IOPS independently of volume size.
B. Use sc1 because it is optimized for infrequent access and large objects.
C. Use st1 because it provides high throughput for streaming data.
D. Use standard magnetic storage because it is compatible with all EC2 instances.
Answer: A

gp3 is the best fit because it lets you provision IOPS and throughput separately from volume size. The exhibit shows the workload needs around 10,000 IOPS and experiences queue buildup on gp2. With gp3, the team can raise performance without unnecessarily increasing storage capacity, which is usually more cost-effective for this kind of database workload.

Why this answer

The gp3 volume type allows you to provision baseline performance of 3,000 IOPS and 125 MiB/s regardless of volume size, and you can independently increase IOPS up to 16,000 and throughput up to 1,000 MiB/s without needing to add more storage capacity. This decoupling of performance from size means you can meet the required IOPS at a lower cost compared to gp2, where performance scales with volume size and often forces overprovisioning of capacity to achieve the needed IOPS.

Exam trap

The trap here is that candidates assume all EBS volume types require overprovisioning capacity to achieve higher IOPS, overlooking gp3's ability to independently scale performance from storage size, which is a key differentiator tested on the SAA-C03 exam.

How to eliminate wrong answers

Option B is wrong because sc1 (Cold HDD) is designed for infrequently accessed, large sequential workloads with a maximum throughput of 250 MiB/s and very low IOPS (tens), making it unsuitable for workloads requiring consistent IOPS performance. Option C is wrong because st1 (Throughput Optimized HDD) is optimized for high-throughput, sequential streaming data (e.g., big data, log processing) and cannot provide the low-latency, random IOPS that gp3 delivers. Option D is wrong because standard magnetic storage (previous generation) offers very low IOPS (approximately 100 IOPS per volume) and is not cost-effective for any performance-sensitive workload, nor is it compatible with all modern EC2 instance types (e.g., Nitro-based instances do not support it).

770
MCQ (medium)

A content publishing system uses Lambda functions that call an unreliable third-party API. Failed events must be retained for later investigation after retries are exhausted. What should be configured? The team wants the control to be enforceable during normal operations.

A. Lambda reserved concurrency set to zero
B. A larger deployment package
C. CloudFront error pages
D. A Lambda dead-letter queue or failure destination
Answer: D

A DLQ or asynchronous failure destination captures failed events after retry attempts.

Why this answer

Option D is correct because a Lambda dead-letter queue (DLQ) or failure destination allows you to capture events that have exhausted all retry attempts from an asynchronous invocation. This ensures failed events are retained in Amazon SQS or SNS for later investigation, providing enforceable control during normal operations without impacting the function's ability to process successful events.

Exam trap

The trap here is that candidates may confuse Lambda's synchronous invocation error handling (where DLQs are not supported) with asynchronous invocation, or mistakenly think that increasing function resources (like deployment package size) can improve reliability against external API failures.

How to eliminate wrong answers

Option A is wrong because setting Lambda reserved concurrency to zero would completely disable the function, preventing any invocations and thus failing to process events at all, which does not address the need to retain failed events after retries. Option B is wrong because a larger deployment package does not affect error handling or retention of failed events; it only increases the function's size, potentially impacting cold start times and deployment limits. Option C is wrong because CloudFront error pages are used for customizing HTTP error responses for web distributions, not for capturing or retaining Lambda invocation failures from asynchronous API calls.

771
Multi-Select (medium)

A SaaS application is deployed in us-east-1 and us-west-2 behind separate ALBs. The business wants DNS to send new clients to the primary Region when it is healthy and automatically fail over to the secondary Region when the primary endpoint is unhealthy. Which two Route 53 settings are required? Select two.

Select 2 answers
A. Use a failover routing policy with a primary and secondary record.
B. Create a health check and associate it with the primary endpoint.
C. Use weighted routing with a 50/50 traffic split between both Regions.
D. Use latency-based routing so clients always choose the fastest Region.
E. Use a geolocation policy without health checks.
Answers: A, B

Failover routing is designed specifically to send traffic to a secondary endpoint when the primary becomes unhealthy.

Why this answer

A failover routing policy is correct because it allows you to designate one record as primary and another as secondary. Route 53 will route traffic to the primary record as long as it is healthy, and automatically fail over to the secondary record when the primary is unhealthy. This directly meets the requirement to send new clients to the primary region when healthy and fail over to the secondary region.

Exam trap

The trap here is that candidates often confuse failover routing with weighted or latency-based routing, thinking any multi-region setup with health checks will automatically fail over, but only failover routing policy provides the explicit primary/secondary failover behavior required.

772
MCQ (medium)

A public web application is fronted by Amazon CloudFront and an ALB. The team is seeing SQL injection attempts and bursts of malicious HTTP requests that increase origin load. They want to block common web attacks before they reach the ALB. What should they do?

A. Associate an AWS WAF web ACL with the CloudFront distribution.
B. Add an inbound security group rule to the ALB for the attacker IP ranges.
C. Use a network ACL to inspect and block SQL statements in the request body.
D. Enable Amazon KMS encryption on the ALB listener certificates.
Answer: A

AWS WAF is the correct service for filtering HTTP(S) requests based on patterns such as SQL injection, bad bots, and rate-based abuse. When associated with CloudFront, the filtering happens at the edge before traffic reaches the ALB and origin, reducing load and blocking malicious requests earlier in the path. Shield Standard is already included for basic DDoS protection, but WAF is the component that provides the application-layer controls needed here.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting. By associating an AWS WAF web ACL with the CloudFront distribution, you can inspect and filter HTTP(S) requests at the edge before they reach the ALB, reducing origin load and blocking malicious traffic early. This is the recommended approach for defending against layer 7 attacks at the CDN level.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups, NACLs) with application-layer protection, mistakenly thinking they can block SQL injection at the network level, when only a WAF can inspect HTTP request bodies for such attacks.

How to eliminate wrong answers

Option B is wrong because security group rules operate at the network layer (layer 3/4) and cannot inspect application-layer payloads like SQL statements; they only allow or deny traffic based on IP addresses, ports, and protocols, so they cannot block SQL injection attempts. Option C is wrong because network ACLs are stateless packet filters that operate at the subnet level and cannot inspect or block SQL statements in the request body; they only filter based on IP, port, and protocol headers. Option D is wrong because Amazon KMS encryption on ALB listener certificates is used for encrypting data in transit (TLS termination) and has no capability to inspect or block malicious HTTP requests or SQL injection attempts.

773
MCQ (hard)

Based on the exhibit, the platform team wants developers to create application roles for Lambda and ECS, but no developer-created role may ever exceed the approved permission set. Which change best meets this requirement?

A. Remove all IAM permissions from AppProvisioner and require a central security team to create every role manually.
B. Attach a permissions boundary strategy to the delegated workflow and require every created role to include that boundary using the iam:PermissionsBoundary condition.
C. Allow developers to keep creating roles, but add a CloudTrail rule that alerts security after a privileged policy is attached.
D. Move the delegated IAM workflow into a separate VPC and restrict it with security groups and network ACLs.
Answer: B

A permissions boundary creates an upper limit on what any developer-created role can ever do, even if someone later attaches broader policies. Requiring the boundary during role creation prevents privilege escalation while still allowing delegated self-service for approved application roles. This is the standard AWS pattern when teams need to create roles but must remain inside a strict security envelope.

Why this answer

Option B is correct because it uses a permissions boundary to enforce the maximum permission set that any developer-created role can have. By attaching a permissions boundary to the delegated workflow and using the `iam:PermissionsBoundary` condition in the trust policy, every role created by developers is automatically constrained to the approved boundary, preventing any role from exceeding the approved permission set even if the developer tries to attach additional policies.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail alerts) with preventive controls (like permissions boundaries), leading them to choose option C, which only alerts after a violation has already occurred.

How to eliminate wrong answers

Option A is wrong because it removes all IAM permissions from AppProvisioner and requires manual role creation by a central security team, which eliminates the delegation and automation that the platform team wants, and does not scale or meet the requirement for developers to create roles. Option C is wrong because adding a CloudTrail rule to alert after a privileged policy is attached is a detective control, not a preventive one; it does not prevent a developer-created role from exceeding the approved permission set, only notifies after the fact. Option D is wrong because moving the delegated IAM workflow into a separate VPC and restricting it with security groups and network ACLs addresses network-level access control, not IAM permissions or role creation boundaries, and has no effect on the permission set of roles created by developers.

774
MCQ (hard)

A dev sandbox currently uses two NAT gateways in each of three Availability Zones, but only one private subnet per AZ needs outbound internet access. What should the architect review first?

A. Disabling route tables
B. Replacing every NAT gateway with an internet gateway attached to private subnets
C. Moving all workloads to public subnets
D. Whether one NAT gateway per AZ is sufficient for the required private subnets
Answer: D

NAT gateways are normally deployed per AZ for resilience; duplicate NAT gateways in the same AZ may be unnecessary.

Why this answer

The question states that only one private subnet per AZ needs outbound internet access, so using two NAT gateways per AZ is likely over-provisioned and costly. The architect should first review whether one NAT gateway per AZ is sufficient, as NAT gateways are billed per hour and per gigabyte of data processed, and reducing from two to one per AZ can cut costs without sacrificing availability. This aligns with the cost-optimized design principle of right-sizing resources to actual demand.

Exam trap

The trap here is that candidates may assume more NAT gateways always improve availability or performance, but the question tests cost optimization by recognizing that one per AZ is often enough for low-traffic private subnets, and the first step is to verify sufficiency before making changes.

How to eliminate wrong answers

Option A is wrong because disabling route tables would break all routing for the subnets, not just optimize costs, and is not a valid review step for reducing NAT gateway count. Option B is wrong because internet gateways cannot be attached to private subnets; they are used for public subnets and do not provide outbound-only internet access for private resources. Option C is wrong because moving workloads to public subnets would expose them directly to the internet, violating security best practices and the sandbox's likely need for private, isolated environments.

775
MCQ (medium)

An application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB). Security groups allow inbound HTTPS (443) from the ALB’s security group to the instance security group, and outbound from instances is set to allow ephemeral ports. Despite this, clients see connection timeouts. After reviewing network ACLs, you find the NACL associated with the instance subnet has an inbound allow for destination port 443, but it does not have a corresponding outbound allow for ephemeral ports. What is the most likely reason the traffic fails, and what should be updated?

A. NACLs are stateless, so you must update the NACL to allow the return (outbound) ephemeral port range; security groups alone cannot override a blocked NACL.
B. NACLs are stateful and automatically track connections; the fix is to add a new inbound rule to the security group for client source ports.
C. The issue is caused by ALB health checks; configure a new target group health check on port 80 so traffic can be routed.
D. Because instances are in private subnets, add a NAT gateway so return traffic can reach the internet over dynamic routing.
Answer: A

Stateless NACLs require both inbound and outbound rules. Missing outbound for ephemeral ports will block return traffic even if SG rules are correct.

Why this answer

Network ACLs are stateless, meaning they do not automatically allow return traffic. Even though the security group allows inbound HTTPS from the ALB, the NACL blocks the return traffic because it lacks an outbound rule for ephemeral ports (typically 1024-65535). Since NACLs are evaluated before security groups, a missing outbound allow rule causes the response packets to be dropped, resulting in connection timeouts.

Exam trap

The trap here is that candidates assume security groups' stateful nature applies to NACLs, or they confuse the direction of the missing rule (inbound vs. outbound) and overlook the need for an outbound ephemeral port rule in the NACL.

How to eliminate wrong answers

Option B is wrong because NACLs are stateless, not stateful; they require explicit rules for both inbound and outbound traffic, and the fix involves the NACL, not the security group. Option C is wrong because the issue is not related to ALB health checks; health checks would cause target registration failures, not client connection timeouts, and the described symptom matches a missing NACL outbound rule. Option D is wrong because the instances are in private subnets behind an ALB, and return traffic to the ALB does not require a NAT gateway; the ALB handles routing within the VPC, and the problem is purely a NACL misconfiguration.

776
MCQ (easy)

A company runs Amazon EC2 instances in private subnets. Those instances only need to access Amazon S3 (read/write) and Amazon DynamoDB. The VPC currently routes all outbound traffic through a NAT Gateway, increasing monthly cost. What change most directly reduces NAT Gateway usage for these AWS services?

A. Remove the NAT Gateway path for S3 and DynamoDB by creating S3 Gateway VPC endpoints and DynamoDB Gateway VPC endpoints, and updating the private subnet route tables to route S3/DynamoDB traffic to those endpoints.
B. Keep the NAT Gateway but disable any cross-region routing settings for the route table entries that point to the NAT Gateway.
C. Create interface VPC endpoints for all services (including S3) and route S3 traffic to the interface endpoint network interfaces (ENIs).
D. Add an IAM policy that denies requests unless they originate from the public subnet, so the application sends fewer requests through the NAT Gateway.
Answer: A

S3 and DynamoDB Gateway VPC endpoints keep traffic inside AWS without sending it to the internet, so requests don’t traverse the NAT Gateway (avoiding NAT hourly charges and per-GB NAT data processing).

Why this answer

Option A is correct because S3 Gateway VPC endpoints and DynamoDB Gateway VPC endpoints allow EC2 instances in private subnets to access these services directly over the AWS network without traversing a NAT Gateway. This eliminates NAT Gateway data processing charges for S3 and DynamoDB traffic, directly reducing costs. The route tables in the private subnets are updated to direct S3 and DynamoDB traffic to the gateway endpoints, bypassing the NAT Gateway entirely.

Exam trap

The trap here is that candidates may confuse gateway endpoints with interface endpoints, assuming all AWS services require interface endpoints, or they may overlook that DynamoDB also supports gateway endpoints, leading them to choose the more expensive interface endpoint option for S3.

How to eliminate wrong answers

Option B is wrong because disabling cross-region routing settings does not reduce NAT Gateway usage; the NAT Gateway is still used for all outbound traffic, including S3 and DynamoDB, so costs remain unchanged. Option C is wrong because, although interface VPC endpoints can be used for DynamoDB and for S3 (via AWS PrivateLink), the gateway endpoint is the more cost-effective and direct choice for S3 access; interface endpoints incur hourly charges and data processing fees, so they may not reduce costs compared to a NAT Gateway. Option D is wrong because adding an IAM policy that denies requests unless they originate from the public subnet does not change the routing path; traffic from private subnets still goes through the NAT Gateway, and the policy would block legitimate access, not reduce NAT Gateway usage.

777
MCQ (medium)

A CI pipeline in account A uploads build artifacts to an S3 bucket (arn:aws:s3:::build-artifacts-prod) under the prefix teamA/. The pipeline must not be able to list other prefixes, and it must only upload objects under teamA/. Which IAM policy design best enforces least privilege for this requirement?

A. Allow s3:PutObject on arn:aws:s3:::build-artifacts-prod/* and allow s3:ListBucket on arn:aws:s3:::build-artifacts-prod with no condition.
B. Allow s3:PutObject on arn:aws:s3:::build-artifacts-prod/teamA/* and allow s3:ListBucket on arn:aws:s3:::build-artifacts-prod with a condition that requires s3:prefix equals 'teamA/'.
C. Allow s3:PutObject on arn:aws:s3:::build-artifacts-prod/teamA/* and allow s3:GetBucketLocation on arn:aws:s3:::build-artifacts-prod/teamA/.
D. Allow s3:* on arn:aws:s3:::build-artifacts-prod/teamA/* and allow s3:ListAllMyBuckets for easier auditing.
Answer: B

This scopes uploads to exactly the teamA/ object path by using the object ARN arn:aws:s3:::build-artifacts-prod/teamA/*. For listing, it targets the bucket ARN (arn:aws:s3:::build-artifacts-prod) and restricts listing results to only the requested prefix using the s3:prefix condition key.

Why this answer

Option B is correct because it grants the minimal permissions required: s3:PutObject is scoped to the specific prefix teamA/*, preventing uploads to other prefixes, and s3:ListBucket is allowed only with a condition that restricts the s3:prefix to 'teamA/', ensuring the pipeline cannot list objects under other prefixes. This enforces least privilege by combining resource-level and condition-based access control.

Exam trap

The trap here is that candidates often assume that scoping the resource ARN to a prefix (e.g., arn:aws:s3:::bucket/prefix/*) alone is sufficient to restrict listing, but without a condition on s3:ListBucket, the ListBucket action still returns all objects in the bucket, bypassing the intended restriction.

How to eliminate wrong answers

Option A is wrong because it allows s3:PutObject on the entire bucket (arn:aws:s3:::build-artifacts-prod/*) without restricting the prefix, so the pipeline could upload to any prefix, violating the requirement to only upload under teamA/. Option C is wrong because it allows s3:GetBucketLocation on the prefix path, which is not a valid ARN for that action (GetBucketLocation operates on the bucket, not a prefix) and does not grant the necessary s3:ListBucket permission to list objects, so the pipeline cannot verify uploads or list objects under teamA/. Option D is wrong because it allows s3:* on the prefix, granting excessive permissions like s3:DeleteObject or s3:GetObject, and s3:ListAllMyBuckets is irrelevant for restricting access to a specific bucket and prefix, violating least privilege.
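The following Python (an added example, not code from the question bank or from AWS) writes out the option B policy as a policy document beside the exam-trap variant whose s3:ListBucket carries no s3:prefix condition, and evaluates sample requests against both with a minimal evaluator. It also serves question 773 above: the same StringEquals mechanism gates the provisioner's iam:CreateRole on the iam:PermissionsBoundary condition key, modelled here as a statement in the provisioner's own identity policy. The account id, the boundary policy name, the role path and the object keys are placeholders, and the evaluator models only Allow statements with wildcard Action/Resource matching and StringEquals conditions, not the full IAM evaluation logic (explicit Deny, other operators, resource or session policies).

```python
"""Prefix-scoped S3 policy, its exam-trap variant, a boundary-gated provisioner
policy, and a minimal policy evaluator. Added example; not from the page or AWS.
"""
import fnmatch

ACCOUNT = "123456789012"          # placeholder account id
BUCKET = "arn:aws:s3:::build-artifacts-prod"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/AppRoleBoundary"  # hypothetical boundary policy

# Option B: write only under teamA/, list only when the request asks for prefix teamA/.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/teamA/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
         "Condition": {"StringEquals": {"s3:prefix": "teamA/"}}},
    ],
}

# Exam trap: same PutObject scope, but ListBucket has no s3:prefix condition,
# so the pipeline can list every prefix in the bucket.
UNCONDITIONED_LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/teamA/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    ],
}

# Delegated provisioner (question 773): may create application roles, or change their
# boundary, only when the request names the approved permissions boundary.
PROVISIONER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/app/*",   # hypothetical role path
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource; fnmatchcase does the
    # same (the ARNs used here contain no '[' so its bracket syntax never triggers).
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, the resource and all its conditions.

    Only Allow statements and the StringEquals operator are modelled. A condition
    key missing from the request context never matches, which is what makes both
    the s3:prefix and the iam:PermissionsBoundary checks bite.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        satisfied = True
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator != "StringEquals":
                raise NotImplementedError(f"condition operator {operator} is not modelled")
            satisfied = satisfied and all(context.get(k) == v for k, v in pairs.items())
        if satisfied:
            return True
    return False


def demo():
    """Evaluate the requests discussed in the text; returns a name -> allowed mapping."""
    role_arn = f"arn:aws:iam::{ACCOUNT}:role/app/orders-lambda"   # hypothetical role
    return {
        "put_teamA": is_allowed(LEAST_PRIVILEGE_POLICY, "s3:PutObject", f"{BUCKET}/teamA/build.zip"),
        "put_teamB": is_allowed(LEAST_PRIVILEGE_POLICY, "s3:PutObject", f"{BUCKET}/teamB/build.zip"),
        "list_teamA": is_allowed(LEAST_PRIVILEGE_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "teamA/"}),
        "list_teamB": is_allowed(LEAST_PRIVILEGE_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "teamB/"}),
        "list_whole_bucket": is_allowed(LEAST_PRIVILEGE_POLICY, "s3:ListBucket", BUCKET),
        "trap_list_teamB": is_allowed(UNCONDITIONED_LIST_POLICY, "s3:ListBucket", BUCKET,
                                      {"s3:prefix": "teamB/"}),
        "create_role_with_boundary": is_allowed(PROVISIONER_POLICY, "iam:CreateRole", role_arn,
                                                {"iam:PermissionsBoundary": BOUNDARY_ARN}),
        "create_role_without_boundary": is_allowed(PROVISIONER_POLICY, "iam:CreateRole", role_arn),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY'}")
```

Two results are the ones worth checking. trap_list_teamB is allowed under the unconditioned policy because the resource of s3:ListBucket is the bucket ARN, not an object prefix, so scoping PutObject to teamA/* does nothing for listing; only the s3:prefix condition narrows it. create_role_without_boundary is denied because a StringEquals condition on a key the request does not carry never matches, and that absence is what forces every developer-created role to be created with the approved boundary attached.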

778
MCQ · easy

An application uses an Amazon Aurora cluster. The workload becomes read-heavy, but the team cannot change the database schema. They need higher read throughput while keeping writes on the primary. What should they do?

A. Create Aurora read replicas and use the reader endpoint for read traffic
B. Switch the cluster to a single-AZ Aurora configuration to reduce coordination overhead
C. Increase DynamoDB capacity units instead of modifying the database layer
D. Enable CloudFront caching for database queries to serve results from edge locations
Answer: A

Aurora read replicas (reader instances) scale read throughput without requiring schema changes. The cluster provides a reader endpoint to route read queries to replica instances while the writer endpoint continues to handle writes.

Why this answer

Aurora read replicas are designed to offload read traffic from the primary instance, and the reader endpoint automatically load-balances connections across all replicas. Since the workload is read-heavy and the schema cannot change, adding read replicas directly increases read throughput without modifying the application's database schema. The reader endpoint ensures that read queries are directed to the replicas while writes continue to hit the primary instance.

Exam trap

The trap here is that candidates may confuse Aurora read replicas with RDS read replicas, which have different replication mechanics and lag characteristics, or they may think that switching to a single-AZ configuration improves performance by reducing overhead, when in fact it only reduces availability.

How to eliminate wrong answers

Option B is wrong because switching to a single-AZ configuration reduces availability and does not increase read throughput; it only eliminates the standby replica, which does not serve read traffic. Option C is wrong because DynamoDB is a different database service with a different API and data model; the question explicitly states the application uses an Aurora cluster, and migrating to DynamoDB would require schema changes, which are not allowed. Option D is wrong because CloudFront caches static content at edge locations, not dynamic database query results; database queries are typically dynamic and cannot be cached effectively at edge locations without complex application-level caching logic.

779
MCQ · medium

A containerized web service on Amazon ECS reads a database password at startup. Today, the password is stored in a plain environment variable and updated manually. Auditors require that credentials: (1) are encrypted at rest using AWS-managed controls, (2) can be rotated without redeploying the task definition, and (3) are accessible only to the running task via least-privilege permissions. Which solution best meets these requirements?

A. Store the password in Systems Manager Parameter Store as a SecureString and grant the ECS task role GetParameter only for that parameter ARN. Have the application call GetParameter on each request or on a short refresh interval.
B. Store the password in AWS Secrets Manager. Configure rotation for the secret. Grant the ECS task role secretsmanager:GetSecretValue for only that secret ARN. Update the application to fetch the secret at runtime and cache it briefly.
C. Store the password in a local file within the container image and mount it as a Docker secret at build time to avoid environment variables.
D. Store the password in an S3 bucket with server-side encryption and allow all ECS tasks to read it using a broad IAM policy on the bucket prefix.
Answer: B

Secrets Manager provides encrypted-at-rest storage and supports managed rotation. ECS task roles provide least-privilege access without static keys. Fetching at runtime with brief caching supports rotation without redeploying the task definition.

Why this answer

Option B is correct because AWS Secrets Manager encrypts secrets at rest using AWS KMS (AWS-managed key by default), supports automatic rotation without requiring a task definition redeploy, and allows least-privilege access by granting the ECS task role only secretsmanager:GetSecretValue for the specific secret ARN. The application fetches the secret at runtime and caches it briefly, satisfying all three auditor requirements.

Exam trap

The trap here is that candidates may choose Option A (Parameter Store) because it also supports SecureString and IAM policies, but they overlook that Secrets Manager is the only service that natively provides automatic rotation without additional custom infrastructure, which is explicitly required by the auditors.

How to eliminate wrong answers

Option A is wrong because Systems Manager Parameter Store SecureString encrypts the password at rest, but it does not natively support automatic rotation; rotation would require a custom solution, and the requirement to rotate without redeploying the task definition is not fully met. Option C is wrong because storing the password in a local file within the container image at build time violates the requirement to rotate without redeploying the task definition, and it does not use AWS-managed encryption controls for the secret at rest or in transit. Option D is wrong because S3 with server-side encryption encrypts at rest, but allowing all ECS tasks to read the password using a broad IAM policy on the bucket prefix violates the least-privilege requirement, and rotating the password would require updating the S3 object and potentially redeploying the task definition.
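The "fetch at runtime and cache it briefly" part of Option B, as an added example that is not from the question bank: a small TTL cache around an injected fetch function, plus a refresh-on-auth-failure path for a rotation that lands inside the TTL window. The fetch function, the secret name prod/db and the clock are constructed stand-ins; with boto3 the fetch would call get_secret_value on the secret's ARN, which is the only permission the task role needs.

```python
import json
import time
from typing import Callable, Dict, Tuple


class SecretCache:
    """Fetch a secret at runtime and keep it only briefly, so a rotated value
    is picked up within ttl_seconds without redeploying the task definition."""

    def __init__(self, fetch_secret: Callable[[str], str],
                 ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_secret  # e.g. a wrapper around get_secret_value
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, str]] = {}  # id -> (fetched_at, value)

    def get(self, secret_id: str) -> str:
        """Return the cached value while it is fresh, otherwise refetch."""
        entry = self._cache.get(secret_id)
        if entry is not None and self._clock() - entry[0] < self._ttl:
            return entry[1]
        return self.refresh(secret_id)

    def refresh(self, secret_id: str) -> str:
        """Bypass the cache; used when the cached credential is rejected."""
        value = self._fetch(secret_id)
        self._cache[secret_id] = (self._clock(), value)
        return value


def db_credentials(cache: SecretCache, secret_id: str) -> Dict[str, str]:
    """Rotated database secrets are stored as a JSON string with at least
    "username" and "password" fields."""
    return json.loads(cache.get(secret_id))


def connect_with_retry(cache: SecretCache, secret_id: str,
                       connect: Callable[[Dict[str, str]], str]) -> str:
    """Connect with the cached credential; if the database rejects it (a
    rotation happened inside the TTL window), refetch once and retry."""
    try:
        return connect(db_credentials(cache, secret_id))
    except PermissionError:
        return connect(json.loads(cache.refresh(secret_id)))


class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager API so the example runs
    offline. With boto3 the fetch function would be
    lambda sid: client.get_secret_value(SecretId=sid)["SecretString"]."""

    def __init__(self, password: str) -> None:
        self.password = password
        self.calls = 0

    def get_secret_value(self, secret_id: str) -> str:
        self.calls += 1
        return json.dumps({"username": "app", "password": self.password})

    def rotate(self, new_password: str) -> None:
        """Stands in for the managed rotation storing a new secret version."""
        self.password = new_password


def demo() -> Dict[str, object]:
    """Walk through a cache hit, a rotation that is invisible until the TTL
    expires, and a rejected credential forcing an early refresh."""
    store = FakeSecretsManager("v1")
    now = {"t": 0.0}  # controllable clock, read through the lambda below
    cache = SecretCache(store.get_secret_value, ttl_seconds=60,
                        clock=lambda: now["t"])
    secret_id = "prod/db"  # constructed secret name

    first = db_credentials(cache, secret_id)["password"]       # fetch #1 -> v1
    second = db_credentials(cache, secret_id)["password"]      # cache hit
    store.rotate("v2")
    now["t"] = 30
    during_ttl = db_credentials(cache, secret_id)["password"]  # still v1
    now["t"] = 61
    after_ttl = db_credentials(cache, secret_id)["password"]   # fetch #2 -> v2

    store.rotate("v3")  # rotated again while v2 is still cached

    def connect(creds: Dict[str, str]) -> str:
        if creds["password"] != store.password:
            raise PermissionError("authentication failed")
        return "connected as " + creds["username"]

    retry_result = connect_with_retry(cache, secret_id, connect)  # fetch #3 -> v3
    return {"first": first, "second": second, "during_ttl": during_ttl,
            "after_ttl": after_ttl, "retry_result": retry_result,
            "fetches": store.calls}


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how long a stale credential survives after rotation, and the retry path covers the window between rotation and expiry without any change to the task definition.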

780
MCQ · medium

A service runs in private subnets. It must call AWS APIs (for example, S3 and Secrets Manager). The team currently sends all outbound traffic through a NAT Gateway, and NAT charges have become a major cost driver. The workload must not traverse the public internet. What change most directly reduces NAT Gateway cost while maintaining private connectivity to those AWS services?

A. Continue using the NAT Gateway but reduce CloudWatch log retention to 1 day.
B. Replace the NAT Gateway route with VPC endpoints: use a Gateway VPC endpoint for S3 and an Interface VPC endpoint for Secrets Manager.
C. Launch a bastion host in a public subnet and force private instances to use SSH tunneling for API calls.
D. Switch to public subnets and attach security groups with the same rules to limit inbound access.
Answer: B

VPC endpoints provide private connectivity to AWS services without sending traffic through the internet or through NAT. A Gateway endpoint is used for S3, and an Interface endpoint is used for services like Secrets Manager. Traffic to those services stays within the AWS network, reducing or eliminating NAT charges for those API calls.

Why this answer

Option B is correct because VPC endpoints allow private connectivity to AWS services without traversing the internet or a NAT Gateway. A Gateway VPC endpoint for S3 uses route table entries to reach S3 privately, and an Interface VPC endpoint for Secrets Manager uses an elastic network interface with a private IP. This eliminates NAT Gateway data processing charges entirely while keeping traffic within the AWS network.

Exam trap

The trap here is that candidates may think NAT Gateway is the only way to provide outbound connectivity, overlooking that VPC endpoints can provide private, cost-effective access to AWS services without internet routing.

How to eliminate wrong answers

Option A is wrong because reducing CloudWatch log retention does not affect NAT Gateway data processing costs, which are based on volume of traffic passing through the gateway, not log storage. Option C is wrong because forcing private instances to use SSH tunneling through a bastion host would still require outbound internet access for API calls, and SSH tunneling adds complexity, latency, and security risks without eliminating NAT costs. Option D is wrong because switching to public subnets would expose instances to the internet, violating the requirement that the workload must not traverse the public internet, and it would not reduce costs related to NAT Gateway.

781
MCQ · hard

A payments API uses Amazon SQS. Poison messages are repeatedly failing and blocking useful retries. What should the architect configure? The architecture review board prefers a managed AWS-native control.

A. A FIFO queue without a redrive policy
B. A dead-letter queue with an appropriate maxReceiveCount
C. A larger message retention period only
D. Short polling instead of long polling
Answer: B

A DLQ isolates messages that fail repeatedly so they can be investigated without disrupting normal processing.

Why this answer

A dead-letter queue (DLQ) with an appropriate maxReceiveCount is the correct AWS-native solution for handling poison messages. When a message is repeatedly received from an SQS queue but fails processing, it is considered a poison message. By configuring a DLQ and setting a maxReceiveCount (e.g., 3 or 5), the message is automatically moved to the DLQ after exceeding that threshold, preventing it from blocking further retries and allowing the main queue to process valid messages.

Exam trap

The trap here is that candidates may confuse poison message handling with ordering or polling optimizations, and incorrectly choose FIFO queues or short polling, not realizing that only a DLQ with a redrive policy isolates repeatedly failing messages.

How to eliminate wrong answers

Option A is wrong because a FIFO queue without a redrive policy does not automatically handle poison messages; it only ensures strict ordering and exactly-once processing, but failed messages remain in the queue and continue to block retries. Option C is wrong because increasing the message retention period only keeps messages longer in the queue, but does nothing to isolate or remove poison messages that are repeatedly failing. Option D is wrong because short polling (returning immediately even if no messages are available) versus long polling (waiting for messages) affects latency and cost, but does not address the poison message problem; poison messages are a content/processing issue, not a polling mechanism issue.

782
MCQ · easy

Your organization hosts an internet-facing application behind an Amazon CloudFront distribution. You want to mitigate common web exploits (for example, SQL injection and XSS) at the edge. Which action is the most appropriate way to do this using AWS services?

A. Create an AWS WAF web ACL using managed rule sets and associate it with the CloudFront distribution.
B. Add inbound rules to the security group so that only port 443 is open from the internet.
C. Enable AWS Shield Advanced to block SQL injection and XSS.
D. Restrict IAM permissions for the application’s EC2 instances so that SQL injection payloads cannot be executed.
Answer: A

AWS WAF examines incoming HTTP/HTTPS requests at the edge (when associated to CloudFront) and applies rule logic to detect common exploit patterns. Managed rule sets provide pre-built protections for threats like SQL injection and XSS before requests reach your origin.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS). By creating a web ACL with managed rule sets (e.g., the AWS Managed Rules for SQL injection and XSS) and associating it with your CloudFront distribution, you can inspect incoming HTTP/HTTPS requests at the edge and block malicious payloads before they reach your origin. This is the most appropriate and scalable way to mitigate these threats at the edge.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups) or DDoS-specific services (Shield Advanced) with application-layer filtering, or mistakenly think IAM permissions can block malicious request payloads, when only a WAF can inspect and filter HTTP/HTTPS content at the edge.

How to eliminate wrong answers

Option B is wrong because security groups operate at the network layer (L3/L4) and can only filter based on IP addresses, ports, and protocols; they cannot inspect application-layer payloads to detect SQL injection or XSS. Option C is wrong because AWS Shield Advanced provides DDoS protection and enhanced detection, but it does not include rule-based inspection for application-layer attacks like SQL injection or XSS; that requires AWS WAF. Option D is wrong because IAM permissions control what actions an AWS resource (like an EC2 instance) can perform, not the content of incoming HTTP requests; restricting IAM permissions does not prevent SQL injection payloads from being processed by the application.

783
MCQ · medium

A log archive serves infrequently accessed user documents that must be available immediately when requested. Which S3 storage class is likely the best cost fit? The design must avoid adding custom operational scripts.

A. Instance store volumes
B. S3 Standard-IA or S3 One Zone-IA depending on resilience requirements
C. S3 Standard for all objects
D. S3 Glacier Deep Archive
Answer: B

Infrequent Access classes reduce storage cost while keeping millisecond retrieval.

Why this answer

S3 Standard-IA or S3 One Zone-IA is the best cost fit because the workload involves infrequently accessed documents that require immediate retrieval. These storage classes offer lower storage costs than S3 Standard while maintaining low-latency access (milliseconds), and they avoid custom operational scripts since retrieval is automatic via standard S3 GET requests. The choice between Standard-IA and One Zone-IA depends on whether the data requires multi-AZ resilience or can tolerate a single-AZ failure.

Exam trap

AWS often tests the misconception that 'infrequently accessed' automatically means Glacier or Deep Archive, but the key differentiator is the 'immediate availability' requirement, which eliminates any cold storage class with retrieval delays.

How to eliminate wrong answers

Option A is wrong because instance store volumes are ephemeral block storage attached to EC2 instances, not a durable S3 storage class, and they lose data on instance stop/termination, making them unsuitable for long-term log archives. Option C is wrong because S3 Standard is designed for frequently accessed data with higher storage costs, making it cost-inefficient for infrequently accessed documents, even though it provides immediate availability. Option D is wrong because S3 Glacier Deep Archive has retrieval times of 12-48 hours (not immediate), which violates the requirement for documents to be available immediately when requested.

784
Multi-Select · hard

A startup has three sandbox accounts and one production account. The CTO wants lower cost and operational overhead while keeping central purchasing and spend visibility. Which two actions are best? Select two.

Select 2 answers
A. Enable consolidated billing under AWS Organizations so discounts and shared purchasing apply across accounts.
B. Move each sandbox to its own payer account to isolate spend from the rest.
C. Use managed services such as Amazon RDS or Amazon S3 instead of self-managed EC2-based databases and file servers where practical.
D. Buy Dedicated Hosts for sandbox workloads to get a lower blended rate.
E. Disable AWS Budgets because consolidated billing already solves visibility.
Answers: A, C

Correct. Consolidated billing centralizes purchasing and can improve discount usage across linked accounts. It also gives the company one payer view, which simplifies governance and visibility.

Why this answer

Option A is correct because enabling consolidated billing under AWS Organizations aggregates usage across all accounts, allowing the startup to benefit from volume discounts, Reserved Instance sharing, and Savings Plans across the sandbox and production accounts. This reduces operational overhead by centralizing payment and provides a single view of spend, meeting the CTO's requirements for cost and visibility.

Exam trap

The trap here is that candidates might think Dedicated Hosts (Option D) reduce costs for sandbox workloads, but they actually increase costs due to per-host billing and are intended for specific licensing scenarios, not general cost optimization.

785
MCQ · easy

Based on the exhibit, what change best reduces Lambda cold-start impact for a predictable user-upload workflow?

A. Set a reserved concurrency limit for the function to protect it from throttling.
B. Enable provisioned concurrency for the function.
C. Increase the function timeout to give more time for initialization.
D. Move the function to a larger memory setting only to eliminate all initialization time.
Answer: B

Provisioned concurrency keeps a pre-initialized pool of Lambda execution environments ready to respond immediately. The exhibit shows long init duration after inactivity, which is the classic symptom of cold starts affecting user experience. Because the traffic pattern is predictable during launches, provisioned concurrency is the most direct way to reduce startup latency and smooth response times.

Why this answer

Provisioned concurrency initializes a specified number of execution environments in advance, so when a user upload triggers the Lambda function, there is no cold-start delay. This directly addresses the predictable, user-upload workflow by ensuring warm containers are ready to handle requests immediately.

Exam trap

The trap here is confusing reserved concurrency (which limits concurrency to prevent throttling) with provisioned concurrency (which pre-warms instances to eliminate cold starts), leading candidates to choose a throttling protection mechanism instead of a cold-start mitigation solution.

How to eliminate wrong answers

Option A is wrong because reserved concurrency limits the maximum number of concurrent executions to protect downstream resources, but it does not pre-warm containers or reduce cold-start latency. Option C is wrong because increasing the function timeout only extends the maximum execution duration, not the initialization time; it does not eliminate the cold-start delay. Option D is wrong because larger memory settings can reduce initialization time by providing more CPU, but they do not eliminate all initialization time; the function still incurs a cold start when no pre-warmed instances exist.

786
MCQ · medium

An internal reporting portal serves infrequently accessed user documents that must be available immediately when requested. Which S3 storage class is likely the best cost fit? The architecture review board prefers a managed AWS-native control.

A. Instance store volumes
B. S3 Glacier Deep Archive
C. S3 Standard for all objects
D. S3 Standard-IA or S3 One Zone-IA depending on resilience requirements
Answer: D

Infrequent Access classes reduce storage cost while keeping millisecond retrieval.

Why this answer

S3 Standard-IA or S3 One Zone-IA is the best cost fit because the data is infrequently accessed but requires immediate availability when requested. These storage classes offer lower storage costs than S3 Standard while providing millisecond first-byte latency, meeting the 'immediately available' requirement. The choice between Standard-IA and One Zone-IA depends on the resilience needs (e.g., multi-AZ vs. single-AZ durability).

Exam trap

The trap here is that candidates often confuse 'infrequently accessed' with 'archival' and incorrectly choose S3 Glacier Deep Archive, overlooking the critical requirement for immediate availability on request.

How to eliminate wrong answers

Option A is wrong because instance store volumes are ephemeral, tied to a specific EC2 instance, and not a managed AWS-native control for object storage; they lose data on instance stop/termination and are not suitable for durable document storage. Option B is wrong because S3 Glacier Deep Archive has retrieval times of 12 hours or more (expedited retrieval is not available), which violates the 'immediately available when requested' requirement. Option C is wrong because S3 Standard is designed for frequently accessed data and would incur higher storage costs than necessary for infrequently accessed documents, making it not cost-optimal.

787
MCQ · hard

Based on the exhibit, which storage design best supports the application servers' shared working directory requirement?

A. Mount Amazon EFS on every EC2 instance and use it as the shared workspace.
B. Attach one gp3 EBS volume to each instance and synchronize the files with cron jobs.
C. Store the artifacts in S3 and have each node read them directly from S3 as a filesystem.
D. Use instance store on each instance because it provides the fastest local file access.
Answer: A

EFS provides shared, persistent, POSIX-compliant file access across multiple EC2 instances and Availability Zones. That matches the requirement that all nodes see the same workspace immediately and that files survive instance replacement. It is the right choice when the application needs a common filesystem rather than an object store or local-only disk.

Why this answer

Amazon EFS provides a fully managed, NFS-based shared file system that can be mounted concurrently on multiple EC2 instances across multiple Availability Zones. This directly satisfies the requirement for a shared working directory where all application servers can read and write files simultaneously without additional synchronization logic.

Exam trap

The trap here is confusing shared file storage (EFS) with block storage (EBS) or object storage (S3), leading candidates to choose EBS with synchronization or S3 as a filesystem, both of which lack the native shared file system semantics required for concurrent read/write access across multiple instances.

How to eliminate wrong answers

Option B is wrong because attaching a separate gp3 EBS volume to each instance creates isolated file systems; synchronizing files via cron jobs introduces latency, complexity, and potential data inconsistency, failing to provide a true real-time shared workspace. Option C is wrong because Amazon S3 is an object storage service, not a POSIX-compliant file system; mounting S3 as a filesystem (e.g., via s3fs) incurs significant performance overhead, lacks file locking, and does not support concurrent read/write semantics required for a shared working directory. Option D is wrong because instance store volumes are ephemeral and tied to the lifecycle of the EC2 instance; data is lost on stop/termination, and instance stores cannot be shared across multiple instances, making them unsuitable for a persistent shared workspace.

788
MCQ · hard

Based on the exhibit, a distributed analytics workload runs on 12 EC2 instances in one Availability Zone. The nodes exchange thousands of small messages per second and require the lowest possible intra-cluster latency and jitter. Which EC2 placement strategy is the best fit?

A. Spread placement group, because it places each instance on distinct underlying hardware.
B. Partition placement group, because it isolates nodes across rack partitions.
C. Cluster placement group, because it places instances physically close together in one Availability Zone.
D. Move the workload behind an Application Load Balancer so node-to-node traffic is balanced more efficiently.
Answer: C

Cluster placement groups are designed for workloads that need very low network latency, low jitter, and high packet-per-second performance. Placing the instances physically close together within the same Availability Zone reduces network hop distance and is the best match for a message-heavy distributed analytics cluster.

Why this answer

A cluster placement group is the best choice because it places all 12 EC2 instances in a single Availability Zone within the same high-bandwidth, low-latency logical segment of the network. This minimizes the physical distance and network hops between nodes, achieving the lowest possible intra-cluster latency and jitter required for the thousands of small messages exchanged per second.

Exam trap

The trap here is that candidates confuse 'spread' or 'partition' placement groups as providing better performance due to isolation, but they fail to recognize that cluster placement groups are the only strategy designed specifically for the lowest latency and jitter within a single AZ.

How to eliminate wrong answers

Option A is wrong because a spread placement group places each instance on distinct underlying hardware (different racks and often different AZs), which increases network distance and latency, making it unsuitable for high-frequency, low-latency messaging. Option B is wrong because a partition placement group isolates nodes across rack partitions to reduce correlated failures, but it does not guarantee the tight physical proximity needed for the lowest latency and jitter; it is designed for large distributed systems like HDFS or Cassandra, not for latency-sensitive micro-batch workloads. Option D is wrong because moving the workload behind an Application Load Balancer (ALB) would introduce an intermediary that adds significant latency and jitter for node-to-node traffic, and ALBs are designed for client-to-server load balancing, not for optimizing internal cluster communication.

789
MCQ · easy

An ECS service runs on EC2 capacity. During peak traffic, tasks frequently wait for available container instances. The team wants faster scale-out for the underlying EC2 capacity when tasks increase. What is the best first architectural step?

A. Tune the container health check settings so tasks stop failing and stay running.
B. Use an ECS capacity provider (or Auto Scaling integration) to scale the EC2 instances based on ECS demand.
C. Pin all tasks to a single Availability Zone to reduce placement overhead.
D. Switch the tasks to run only on Fargate so EC2 scaling is no longer relevant.
Answer: B

When ECS tasks need compute, capacity must scale at the EC2 layer so there are enough container instances to place tasks. Integrating ECS with an Auto Scaling capacity provider allows the cluster to scale out in response to pending tasks. This reduces waiting time and improves responsiveness under load.

Why this answer

Option B is correct because an ECS capacity provider (or Auto Scaling integration) directly links ECS task-level demand to EC2 instance scaling. When tasks are pending due to insufficient container instances, the capacity provider triggers a scale-out event on the Auto Scaling group, adding EC2 instances to accommodate the workload. This is the most direct and efficient architectural step to reduce the wait time for available container instances during peak traffic.

Exam trap

The trap here is that candidates may think tuning health checks (Option A) or switching to Fargate (Option D) are simpler fixes, but the question specifically asks for the best first architectural step to scale EC2 capacity faster, which is directly addressed by the capacity provider integration.

How to eliminate wrong answers

Option A is wrong because tuning health check settings does not address the root cause of insufficient EC2 capacity; it only affects task lifecycle management, not the number of available container instances. Option C is wrong because pinning tasks to a single Availability Zone increases risk of failure and does not solve the capacity shortage; placement overhead is negligible compared to the lack of instances. Option D is wrong because switching to Fargate is a migration, not an architectural step for the existing EC2-based service, and it does not address the immediate need for faster scale-out of the underlying EC2 capacity.

790
MCQ · hard

A document portal needs low-latency full-text search across product descriptions and filtered attributes. Which managed service is most suitable? The design must avoid adding custom operational scripts.

A. Amazon OpenSearch Service
B. AWS Config
C. Amazon EFS
D. Amazon SQS
Answer: A

OpenSearch is designed for search and analytics over indexed text and structured fields.

Why this answer

Amazon OpenSearch Service is the correct choice because it is a fully managed service that provides low-latency full-text search and filtering capabilities, ideal for indexing and searching product descriptions and attributes. It eliminates the need for custom operational scripts by handling cluster management, scaling, and backups automatically, aligning with the requirement to avoid custom operational overhead.

Exam trap

The trap here is that candidates may confuse AWS Config (a compliance tool) with a search service due to its name, or mistakenly think Amazon EFS or SQS can be adapted for search with custom scripts, ignoring the requirement to avoid custom operational scripts.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it is a service for auditing and evaluating resource configurations against compliance rules, not for full-text search or indexing. Option C (Amazon EFS) is wrong because it is a scalable file storage service for shared access to files, not a search engine or indexing solution. Option D (Amazon SQS) is wrong because it is a message queuing service for decoupling application components, not designed for search or querying of product data.

791
MCQ · medium

A startup runs an HTTP/2 API that also supports WebSocket connections. They need path-based routing to separate microservices (for example, /api/* to Service A and /metrics/* to Service B) and want TLS terminated at the load balancer. Which AWS option best meets these requirements while maintaining high request performance?

A. Use an Amazon NLB and configure target groups with HTTP health checks and listener rules for path-based routing.
B. Use an Amazon ALB with HTTP/2 support, WebSocket upgrades enabled, and listener rules for host/path-based routing.
C. Use Amazon API Gateway with a single backend integration and rely on the client to route requests to different microservices.
D. Use Amazon CloudFront without an ALB, and route requests to microservices using only custom origin headers.
Answer: B

An ALB supports Layer 7 features needed here: it can terminate TLS on an HTTPS listener, evaluate HTTP host/path routing rules, and it supports WebSocket by allowing HTTP Upgrade behavior through the ALB to the targets. ALBs also support HTTP/2 on HTTPS listeners, which helps maintain high request performance.

Why this answer

An Application Load Balancer (ALB) natively supports HTTP/2, WebSocket upgrades, and path-based routing via listener rules. It terminates TLS at the load balancer, offloading encryption from backend services, and maintains high performance for both HTTP/2 and WebSocket traffic. This makes ALB the correct choice for the startup's requirements.

Exam trap

The trap here is that candidates may confuse NLB's Layer 4 capabilities with ALB's Layer 7 features, incorrectly assuming NLB can handle path-based routing or WebSocket upgrades, when in fact it cannot inspect application-layer data.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) operates at Layer 4 and does not support path-based routing or HTTP/2; it cannot inspect HTTP paths or handle WebSocket upgrades natively. Option C is wrong because Amazon API Gateway does not natively support WebSocket connections in the same manner as an ALB, and relying on the client to route requests bypasses the requirement for server-side path-based routing. Option D is wrong because CloudFront without an ALB cannot perform path-based routing to separate microservices; custom origin headers alone do not provide the necessary listener rules for path-based traffic distribution.

792
Multi-Select · medium

A central security account stores encrypted log files in S3 using a customer managed AWS KMS key. A partner account already has S3 bucket access through an assumed role and now must also be able to encrypt and decrypt objects that use the same KMS key. Which two actions are required? Select two.

Select 2 answers
A. Update the KMS key policy to allow the partner role or account to use the key.
B. Enable automatic key rotation to solve the cross-account access requirement.
C. Attach IAM permissions in the partner account for kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey on the CMK.
D. Replace the CMK with the AWS managed key alias/aws/s3.
E. Export the KMS key material and share it with the partner account.
Answers: A, C

KMS evaluates the key policy before permitting use of a customer managed key, and for a principal in another account it also evaluates that principal's own identity-based policy. Cross-account use therefore needs the key policy to trust the external principal (or a grant created for it) and a matching allow on the partner side.

Why this answer

Option A is correct because the key policy in the security account is the resource-side authorization for the key: it must explicitly name the partner account (or, more narrowly, the partner's assumed role) as a principal allowed to perform cryptographic operations, otherwise KMS refuses the request no matter what IAM policies exist in the partner account. Option C is also required because cross-account access is evaluated on both sides: the partner's assumed role needs an identity-based policy in its own account that allows kms:Encrypt, kms:Decrypt and kms:GenerateDataKey on the key's ARN (S3 calls GenerateDataKey when it writes an SSE-KMS object and Decrypt when it reads one). Either policy alone leaves the request denied.

Exam trap

The trap here is assuming that one side is enough. Candidates who think IAM permissions alone suffice forget that the key policy must explicitly allow the external account or role; candidates who stop at the key policy forget that the partner's role still needs the corresponding IAM permissions in its own account. The remaining options change nothing about authorization: key rotation does not grant access, an AWS managed key such as aws/s3 cannot be used from another account at all, and KMS does not export the material of a customer managed key.

793
MCQeasy

Your AWS Organizations environment has an SCP that explicitly denies kms:Decrypt for principals in the Production OU. A member account IAM policy for a user grants kms:Decrypt on the required KMS key. If that user attempts kms:Decrypt, what happens?

A.The request succeeds because the IAM policy explicitly allows kms:Decrypt
B.The request is denied because the SCP explicit deny overrides IAM allows
C.The request succeeds, but only when using the KMS key policy to allow the user
D.The request succeeds for read-only actions and fails only for writes
AnswerB

SCPs are evaluated as a permissions filter for the member account. When an SCP contains an explicit Deny matching kms:Decrypt, that Deny takes precedence over any IAM Allow decisions in the account, and the action is blocked.

Why this answer

In AWS Organizations, Service Control Policies (SCPs) act as a guardrail that sets the maximum available permissions for every principal in the accounts they are attached to. SCPs never grant permissions, and they do not apply to the management account or to service-linked roles; within member accounts, though, an explicit deny in an SCP wins over any allow in an identity-based or resource-based policy. Therefore the user's kms:Decrypt request is denied because the SCP's explicit deny takes precedence over the IAM allow.

Exam trap

The trap here is that candidates often assume IAM policy allows are sufficient, forgetting that SCPs act as a higher-level permission boundary that can override those allows with an explicit deny.

How to eliminate wrong answers

Option A is wrong because it ignores the hierarchical nature of AWS authorization: an explicit deny in an SCP at the OU level overrides any allow in an IAM policy, so the request cannot succeed. Option C is wrong because even if the KMS key policy grants kms:Decrypt to the user, the SCP explicit deny still applies; an explicit deny from any applicable policy type wins over every allow, so a key policy allow cannot override it. Option D is wrong because kms:Decrypt is a single action, not a read or write category, and an SCP applies uniformly to the actions it names; there is no distinction between read-only and write actions in this context.

794
MCQmedium

A patient portal receives bursts of orders that sometimes overwhelm a downstream fulfilment service. The architecture must absorb spikes and retry processing without losing requests. Which service should be placed between the web tier and fulfilment workers? The design must avoid adding custom operational scripts.

A.AWS WAF
B.Amazon CloudFront
C.Amazon SQS queue
D.Amazon Route 53 weighted routing
AnswerC

SQS decouples producers and consumers, buffers bursts, and supports retries through visibility timeout and dead-letter queues.

Why this answer

Amazon SQS is the correct choice because it acts as a durable, fully managed message buffer that decouples the web tier from the fulfilment workers. When bursts of orders arrive, SQS stores the messages and lets workers poll at their own pace, absorbing spikes without data loss. Retry needs no custom code: a message that a worker receives but does not delete before its visibility timeout expires becomes visible again and is delivered to another worker, and a redrive policy moves a message to a dead-letter queue once it has been received maxReceiveCount times, so poison messages are set aside instead of blocking the queue.

Exam trap

The trap here is that candidates often confuse decoupling with caching or DNS-level distribution, picking CloudFront or Route 53 because they think 'absorbing spikes' means scaling web servers, but the question specifically requires buffering and retry without custom scripts, which only a queue service like SQS provides.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that filters HTTP/S traffic based on rules (e.g., SQL injection, XSS); it does not buffer or retry messages between tiers. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and accelerates static/dynamic content at edge locations; it cannot queue or retry asynchronous order processing. Option D is wrong because Amazon Route 53 weighted routing distributes DNS traffic across multiple endpoints based on weights; it provides load balancing at the DNS level but does not absorb spikes or provide retry mechanisms for message processing.

795
MCQmedium

An Auto Scaling group for a background worker runs EC2 instances continuously. Over the last 30 days, CloudWatch shows sustained CPU utilization around 6% with no memory pressure, and queue processing latency meets all SLAs. The team wants to lower monthly cost with minimal risk. What is the best next action?

A.Increase the instance size to reduce CPU throttling risk
B.Perform right sizing by downsizing to a smaller instance family/size and validate SLAs
C.Switch the group to Spot Instances to reduce cost without changing instance sizing
D.Buy Reserved Instances with a long term commitment before making any sizing changes
AnswerB

Right sizing uses actual utilization to remove overprovisioning. With low CPU and no memory pressure and SLAs already met, downsizing (while validating under load and during a controlled rollout) is the safest way to reduce waste.

Why this answer

The current instance type is over-provisioned, as sustained CPU utilization is only 6% with no memory pressure and all SLAs are met. Right-sizing to a smaller instance family or size directly reduces compute cost while maintaining performance, making it the lowest-risk, cost-optimization action. This aligns with the AWS Well-Architected Framework's cost optimization pillar, which recommends matching instance capacity to actual workload requirements.

Exam trap

The trap here is that candidates may assume Spot Instances are always the cheapest option, but they ignore the risk of interruption for a continuously running workload where SLAs must be met, making right-sizing the safer and more appropriate first step.

How to eliminate wrong answers

Option A is wrong because increasing instance size would raise costs and is unnecessary given the low CPU utilization and no performance issues. Option C is wrong because switching to Spot Instances introduces the risk of interruption, which is not minimal risk for a continuously running background worker that must meet SLAs. Option D is wrong because buying Reserved Instances before right-sizing locks in a commitment for an over-provisioned instance type, increasing cost without addressing the root cause of waste.

796
MCQeasy

A company stores private report PDFs in an S3 bucket. They want users to access PDFs only through CloudFront. Even if someone knows the S3 object URL, direct S3 access must fail. What is the best S3 bucket policy approach?

A.Keep the bucket private and allow s3:GetObject only to the CloudFront origin access identity (OAI) or origin access control (OAC) principal (optionally restricting with aws:SourceArn for the specific distribution).
B.Allow s3:GetObject to "Principal": "*" but rely on CloudFront signed URLs to prevent access.
C.Allow s3:GetObject to the CloudFront distribution using a Condition on aws:SourceIp without restricting the Principal.
D.Only enable default encryption (SSE-KMS) and leave bucket permissions unchanged.
AnswerA

CloudFront is granted permission to read the objects using its OAI or OAC principal. With S3 Block Public Access enabled and no other principal allowed s3:GetObject, direct requests to the S3 object URL are denied even if the URL is known, because an unauthenticated request matches no Allow statement.

Why this answer

Option A is correct because it uses an Origin Access Identity (OAI) or Origin Access Control (OAC) to grant CloudFront exclusive read access to the S3 bucket. By setting a bucket policy that allows s3:GetObject only to the CloudFront OAI/OAC principal (and optionally restricting with aws:SourceArn for the specific distribution), direct S3 object URL requests are denied, ensuring users can only access PDFs through CloudFront.
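Here is the bucket policy that option A describes, in the OAC form, as an added example rather than text from the question bank. The bucket name, account ID and distribution ID are placeholders I chose for the example; the principal cloudfront.amazonaws.com and the AWS:SourceArn condition key are the documented OAC pattern.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyThisCloudFrontDistributionToRead",
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-private-reports/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE23456"
        }
      }
    }
  ]
}
```

Two things make this policy effective rather than merely present: Block Public Access stays enabled on the bucket, and this is the only Allow for s3:GetObject, so a direct request to the object URL has no statement to match and is denied. Without the AWS:SourceArn condition any CloudFront distribution using an OAC, including one in someone else's account, could be pointed at the bucket; with it, only the named distribution can. If individual users must also be authorized, layer CloudFront signed URLs or signed cookies on top; they restrict the CloudFront side and do not replace this bucket policy.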

Exam trap

The trap here is that candidates think encryption (SSE-KMS) or IP-based conditions block direct S3 access. Only the bucket's access policy does that: a private bucket whose only s3:GetObject allow names CloudFront's OAI/OAC principal (ideally pinned to one distribution with aws:SourceArn) leaves anonymous and other requests with no matching Allow, so they are denied.

How to eliminate wrong answers

Option B is wrong because allowing s3:GetObject to 'Principal': '*' makes the bucket publicly readable, bypassing CloudFront entirely; anyone with the S3 URL can fetch the PDFs directly, and CloudFront signed URLs only restrict the CloudFront path, not S3. Option C is wrong because a Condition on aws:SourceIp without restricting the Principal still allows any principal that arrives from the listed addresses, and CloudFront's address ranges are shared by every CloudFront distribution, including other customers'; the ranges also change over time, so such a policy is both too broad and brittle. Option D is wrong because enabling SSE-KMS encryption does not restrict access; it only encrypts data at rest, leaving the bucket policy unchanged and allowing direct S3 access if the URL is known.

797
MCQeasy

A microservice runs on an EC2 instance using an instance role. It must retrieve exactly one secret value from AWS Secrets Manager. The secret ARN is arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/dbPassword-AbCdEf. The secret is encrypted with the default AWS-managed Secrets Manager KMS key (alias/aws/secretsmanager). Which IAM policy statement provides the best least-privilege access?

A.Allow secretsmanager:GetSecretValue on all secrets: Resource "*".
B.Allow secretsmanager:GetSecretValue only for the specific secret ARN: Resource "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/dbPassword-AbCdEf".
C.Allow secretsmanager:DescribeSecret on the secret ARN, but not secretsmanager:GetSecretValue.
D.Allow secretsmanager:GetSecretValue on all secrets with the prefix: Resource "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/*".
AnswerB

The microservice only needs to call secretsmanager:GetSecretValue for that one secret. Scoping the action and resource to exactly that secret provides least-privilege access.

Why this answer

Option B is correct because it grants least-privilege access by restricting secretsmanager:GetSecretValue to the exact secret ARN required. Since the secret is encrypted with the AWS managed key alias/aws/secretsmanager, no separate kms:Decrypt statement is needed: that key's policy already lets principals in the account use it through the Secrets Manager service, so GetSecretValue decrypts transparently. Had the secret been encrypted with a customer managed key instead, the role would also need kms:Decrypt on that key, ideally limited with a kms:ViaService condition for the Secrets Manager endpoint in that Region. Using the full ARN, including the random six-character suffix, is correct here because the secret already exists; the suffix only changes if the secret is deleted and recreated.

Exam trap

The trap here is that candidates often assume they need to add a separate kms:Decrypt permission for the default KMS key, or they mistakenly think DescribeSecret returns the secret value, leading them to choose Option C.

How to eliminate wrong answers

Option A is wrong because using Resource '*' grants access to all secrets in the account, violating the least-privilege principle and potentially exposing other secrets. Option C is wrong because secretsmanager:DescribeSecret only retrieves metadata (e.g., secret version IDs, rotation status) but does not allow retrieving the actual secret value, which is the required action. Option D is wrong because using a wildcard prefix (arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/*) would match any secret under the 'prod/' path, granting access to more secrets than needed, which is not least-privilege.

798
Multi-Selecthard

A regional web application for a content publishing system must fail over automatically to a secondary Region if the primary endpoint becomes unhealthy. Which two services or features are required? The design must avoid adding custom operational scripts.

Select 2 answers
A.AWS Organizations service control policies
B.Route 53 failover routing with health checks
C.S3 Transfer Acceleration
D.A deployed standby application stack in the secondary Region
AnswersB, D

Route 53 can monitor endpoint health and return the standby endpoint when the primary is unhealthy.

Why this answer

Route 53 failover routing with health checks is required because it automatically directs traffic away from an unhealthy primary endpoint to a secondary endpoint, enabling cross-region failover without custom scripts. A deployed standby application stack in the secondary Region is necessary to serve traffic when the primary fails, as Route 53 can only route to healthy endpoints that are actually running.

Exam trap

The trap here is that candidates often assume Route 53 alone is sufficient, forgetting that the secondary Region must have a fully deployed and running application stack to receive traffic after failover.

799
MCQmedium

A media archive requires consistent high IOPS for a transactional database on EC2. Which EBS volume type is most suitable? The design must avoid adding custom operational scripts.

A.Provisioned IOPS SSD such as io2
B.st1 Throughput Optimized HDD
C.Instance store only
D.sc1 Cold HDD
AnswerA

io2 is designed for business-critical workloads requiring consistent high IOPS and durability.

Why this answer

A Provisioned IOPS SSD (io2) volume is the correct choice because it delivers consistent, high IOPS for transactional databases, is designed for 99.999% durability, and lets you provision IOPS independently of storage capacity. This avoids custom operational scripts by providing predictable performance natively through the EBS volume type.

Exam trap

The trap here is that candidates may choose instance store (Option C) thinking it provides the highest performance, but they overlook its lack of persistence and the requirement for custom scripts to manage data durability, which violates the 'no custom operational scripts' constraint.

How to eliminate wrong answers

Option B (st1 Throughput Optimized HDD) is wrong because it is designed for throughput-intensive workloads like big data and log processing, not for consistent high IOPS; its performance is burst-based and degrades under sustained small random I/O. Option C (Instance store only) is wrong because instance store volumes are ephemeral and data is lost on instance stop or termination, making them unsuitable for a persistent transactional database without custom backup scripts. Option D (sc1 Cold HDD) is wrong because it is optimized for infrequently accessed data with the lowest cost per GB, offering very low IOPS that cannot meet the demands of a transactional database.

800
Multi-Selectmedium

A company is designing a highly available web application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses an Amazon RDS Multi-AZ DB instance. Which three design choices would improve the application's resilience against an AWS Availability Zone failure? (Choose three.)

Select 3 answers
A.Deploy EC2 instances across at least two Availability Zones in the same AWS Region.
B.Configure the ALB as a Network Load Balancer for faster failover.
C.Enable Amazon RDS Multi-AZ deployment for automatic failover to a standby in a different Availability Zone.
D.Use Amazon Route 53 health checks with a failover routing policy to redirect traffic to a different Region.
E.Store application session data in Amazon ElastiCache for Redis with replication across two Availability Zones.
F.Provision EC2 instances in a single Availability Zone and use Auto Scaling to replace failed instances.

Why this answer

Deploying EC2 instances across at least two Availability Zones (AZs) ensures that if one AZ fails, the ALB, which is itself spread across the subnets registered in multiple AZs, can route traffic to healthy instances in the other AZ. RDS Multi-AZ keeps a synchronously replicated standby in a second AZ and fails the DB endpoint over to it automatically when the primary's AZ is lost. Replicating session state in ElastiCache for Redis across two AZs removes the last single-AZ dependency, so users keep their sessions when the AZ holding the primary node fails. Together these three choices remove every AZ-level single point of failure. The remaining options either add nothing for an AZ failure (cross-Region DNS failover), keep a single-AZ dependency (one AZ plus Auto Scaling), or describe a configuration that does not exist (an ALB cannot be configured as an NLB; they are different load balancer types).

Exam trap

The trap here is that candidates often confuse AZ-level failures with Regional failures and incorrectly select cross-Region solutions like Route 53 failover routing, which is unnecessary and adds latency for an AZ-level scenario.

801
MCQmedium

A team serves image files from S3 through CloudFront. During a performance review, they notice that CloudFront cache hit ratio is low and the S3 origin receives many repeated requests for the same images. Request URLs include a volatile query parameter called 'sessionId' that changes for each user, but the image content is identical regardless of 'sessionId'. What configuration change will most effectively increase cache hit ratio?

A.Update the CloudFront cache policy so that 'sessionId' is not included in the cache key (and only stable query parameters are used).
B.Enable origin request policy to forward all query strings to S3 so responses are always correct for every sessionId.
C.Set the CloudFront minimum TTL to 0 seconds so cached objects expire quickly and fetch fresh content more often.
D.Disable caching by using CloudFront managed caching disabled so that every request validates with the origin.
AnswerA

Removing volatile query parameters from the cache key prevents unique URLs from generating separate cache entries.

Why this answer

The low cache hit ratio is caused by the volatile 'sessionId' query parameter being included in the CloudFront cache key, which creates a unique cache entry for every user request even though the image content is identical. By updating the cache policy to exclude 'sessionId' from the cache key, CloudFront will treat all requests for the same image as the same cached object, dramatically increasing the cache hit ratio and reducing load on the S3 origin.
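What option A looks like in practice, as an added example that is not part of the question bank: a CloudFront cache policy configuration that keeps every query string in the cache key except sessionId. The policy name and TTL values are my choices; the field names are those of the CloudFront CachePolicyConfig structure, and allExcept is one of its documented query-string behaviors.

```json
{
  "Name": "images-ignore-sessionId",
  "Comment": "Added example: cache key excludes the volatile sessionId query parameter",
  "MinTTL": 1,
  "DefaultTTL": 86400,
  "MaxTTL": 31536000,
  "ParametersInCacheKeyAndForwardedToOrigin": {
    "EnableAcceptEncodingGzip": true,
    "EnableAcceptEncodingBrotli": true,
    "HeadersConfig": { "HeaderBehavior": "none" },
    "CookiesConfig": { "CookieBehavior": "none" },
    "QueryStringsConfig": {
      "QueryStringBehavior": "allExcept",
      "QueryStrings": { "Quantity": 1, "Items": [ "sessionId" ] }
    }
  }
}
```

Create it with aws cloudfront create-cache-policy --cache-policy-config file://cache-policy.json and attach the returned policy ID to the distribution's cache behavior for the image paths. Whatever a cache policy puts in the cache key is also forwarded to the origin, and whatever it excludes is not forwarded unless an origin request policy adds it back; for S3, which ignores unknown query parameters, dropping sessionId on both counts is exactly what you want. If the images depend on no query parameter at all, QueryStringBehavior none is even tighter.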

Exam trap

The trap here is that candidates may confuse the purpose of cache policies (which control the cache key) with origin request policies (which control what is forwarded to the origin), leading them to incorrectly choose Option B thinking that forwarding query strings will fix the issue, when in fact it does not affect the cache key.

How to eliminate wrong answers

Option B is wrong because forwarding all query strings to S3 via an origin request policy would still include the volatile 'sessionId' in the request to the origin, but it does not change the cache key — the cache key is controlled by the cache policy, not the origin request policy, so the cache hit ratio would remain low. Option C is wrong because setting the minimum TTL to 0 seconds would cause CloudFront to treat every object as immediately expired, forcing frequent revalidation with the origin and actually decreasing the cache hit ratio further. Option D is wrong because disabling caching entirely would eliminate any cache hits, making every request go to the S3 origin, which is the opposite of increasing the cache hit ratio.

802
MCQmedium

Your web application is deployed in two AWS Regions (Region A and Region B). You want Route 53 to automatically fail over DNS traffic from Region A to Region B when Region A is unhealthy. The failover decision must be based on health checks that verify whether the application in Region A is reachable. Which Route 53 routing configuration best meets these requirements?

A.Latency-based routing with regional aliases to split traffic based on measured latency.
B.Geolocation routing using country-based routing policies.
C.Failover routing using a primary record with an associated health check for Region A and a secondary record for Region B.
D.Weighted routing with weights set to 100 for Region A and 0 for Region B.
AnswerC

Route 53 failover routing is designed for active/standby patterns. You configure the Region A record as primary with a health check. When that health check fails, Route 53 automatically returns the Region B (secondary) record, enabling health-check-driven regional failover.

Why this answer

Option C is correct because Route 53 failover routing allows you to create a primary record with an associated health check for Region A and a secondary record for Region B. When the health check for Region A fails, Route 53 automatically returns the secondary record's IP address, directing traffic to Region B. This directly meets the requirement for automatic failover based on application reachability.
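The primary/secondary record pair that option C describes, written as a Route 53 change batch. This is an added example, not part of the question bank; the hostname, addresses and health check ID are placeholders I chose, and the same pattern is what question 798 relies on, with the secondary record pointing at the standby stack in the other Region.

```json
{
  "Comment": "Added example: active/standby failover for app.example.com",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "app.example.com.",
        "Type": "A",
        "SetIdentifier": "region-a-primary",
        "Failover": "PRIMARY",
        "TTL": 60,
        "ResourceRecords": [ { "Value": "203.0.113.10" } ],
        "HealthCheckId": "11111111-2222-3333-4444-555555555555"
      }
    },
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "app.example.com.",
        "Type": "A",
        "SetIdentifier": "region-b-secondary",
        "Failover": "SECONDARY",
        "TTL": 60,
        "ResourceRecords": [ { "Value": "198.51.100.20" } ]
      }
    }
  ]
}
```

Apply it with aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://failover.json. The health check should probe the application itself (an HTTPS check against a path that exercises the app, not just a TCP port) so that a Region whose load balancer answers but whose backend is broken still fails over; keep the TTL short, because clients that cached the primary answer keep using it until the TTL expires. When the endpoints are ALBs, use Alias records instead of A records and set EvaluateTargetHealth to true on the primary, which lets Route 53 use the load balancer's own target health without a separate health check.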

Exam trap

The trap here is that candidates often confuse failover routing with weighted routing, mistakenly thinking that setting weights to 100/0 will achieve failover, but weighted routing does not automatically adjust weights based on health checks.

How to eliminate wrong answers

Option A is wrong because latency-based routing directs traffic to the region with the lowest latency, not based on health checks or failover logic; it does not automatically fail over when a region becomes unhealthy. Option B is wrong because geolocation routing directs traffic based on the geographic location of the user, not on the health of the application endpoint; it cannot perform automatic failover between regions. Option D is wrong because weighted routing distributes traffic based on assigned weights; setting weights to 100 for Region A and 0 for Region B would send all traffic to Region A and never fail over to Region B, even if Region A is unhealthy.

803
MCQmedium

A test environment has EC2 instances that are oversized based on CPU, memory, and network utilisation. Which AWS service should identify rightsizing recommendations? The architecture review board prefers a managed AWS-native control.

A.AWS DataSync
B.AWS Shield
C.AWS Artifact
D.AWS Compute Optimizer
AnswerD

Compute Optimizer analyses utilisation metrics and recommends rightsizing for supported resources.

Why this answer

AWS Compute Optimizer is a managed service that uses machine learning to analyze historical utilization metrics (CPU, memory, network, and disk) and provides rightsizing recommendations for EC2 instances. It identifies over-provisioned resources and suggests instance types that better match workload requirements, directly addressing the oversized EC2 instances in the test environment. Memory utilization is only available to it when the CloudWatch agent publishes memory metrics from the instances; without the agent, recommendations are based on the CPU, network and disk metrics EC2 reports by itself.

Exam trap

The trap here is that candidates may confuse AWS Compute Optimizer with other monitoring or cost tools (like AWS Trusted Advisor or Cost Explorer), but the question specifically asks for a managed AWS-native service that identifies rightsizing recommendations, which is Compute Optimizer's primary function.

How to eliminate wrong answers

Option A is wrong because AWS DataSync is a data transfer service for moving large datasets between on-premises storage and AWS services (e.g., S3, EFS), not a tool for analyzing EC2 utilization or providing rightsizing recommendations. Option B is wrong because AWS Shield is a managed DDoS protection service that safeguards applications against distributed denial-of-service attacks, unrelated to cost optimization or instance sizing. Option C is wrong because AWS Artifact is a self-service portal for downloading AWS compliance reports and agreements (e.g., SOC, PCI), not a service for monitoring or recommending EC2 instance changes.

804
MCQmedium

An application in account A needs to use an encrypted EBS volume whose snapshots were copied from account B. The EBS volume is encrypted with a customer-managed KMS key in account B. After attaching the volume, the instance fails to mount it and logs show KMS access errors (kms:Decrypt) for the instance role. The instance role in account A already has an IAM policy allowing kms:Decrypt on that key ARN, but the mount still fails. What must be updated in account B to allow the mount to succeed?

A.Enable KMS automatic key rotation for the customer-managed key in account B.
B.Update the KMS key policy in account B to allow the instance role’s principal from account A to call kms:Decrypt and kms:CreateGrant.
C.Attach the key policy as an IAM permissions policy to the instance role in account A only; key policies are not evaluated cross-account.
D.Disable encryption on the EBS volume until authorization is fixed, then re-enable encryption after mount.
AnswerB

Customer-managed KMS keys use resource-based key policies to control cross-account usage. Even if the IAM role in account A has kms:Decrypt permissions, the account B key policy must also allow that principal to use the key. Including kms:Decrypt (and often kms:CreateGrant) resolves cross-account mount authorization.

Why this answer

The instance role in account A has an IAM policy allowing kms:Decrypt on the key ARN, but cross-account KMS access requires the key policy in account B to explicitly grant the external principal (the instance role's ARN, or the account A root) the necessary permissions. Without a key policy statement in account B that allows kms:Decrypt and kms:CreateGrant for that principal, KMS denies the request even though the IAM policy in account A permits it. The kms:CreateGrant permission is required because EC2, acting on behalf of the calling principal, creates a grant on the key when an encrypted volume is attached so that the EC2 service can decrypt the volume's data key while the instance runs; a key policy statement that grants CreateGrant should be constrained with the kms:GrantIsForAWSResource condition, so the principal can create grants only for AWS services rather than arbitrary grants.
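The two sides of cross-account KMS access, shown together because question 792 (S3 objects) and this question (an EBS volume) need the same key policy statement. This is an added example, not text from the question bank; account B (111122223333) owns the key and account A (444455556666) uses it, and the role name PartnerRole is a placeholder. The outer object is only a wrapper so both documents can sit side by side; each inner document is what you would actually install as the key policy in account B and as an identity-based policy in account A.

```json
{
  "accountB_keyPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "KeyOwnerAccountKeepsFullControlViaIam",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
        "Action": "kms:*",
        "Resource": "*"
      },
      {
        "Sid": "AddedExampleAllowAccountARoleCryptoUse",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::444455556666:role/PartnerRole" },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      },
      {
        "Sid": "AddedExampleAllowGrantsForAwsServicesOnly",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::444455556666:role/PartnerRole" },
        "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
        "Resource": "*",
        "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
      }
    ]
  },
  "accountA_identityPolicyOnPartnerRole": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AddedExampleUseAccountBKey",
        "Effect": "Allow",
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
          "kms:CreateGrant"
        ],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
      }
    ]
  }
}
```

Note what each side does. Resource is "*" in the key policy because a key policy only ever applies to its own key; the IAM policy in account A is where the specific key ARN belongs, and that is also where an alias would be wrong (IAM needs the key ARN, not the alias ARN). The third key policy statement is what makes the EBS attach in question 804 work: EC2 calls CreateGrant on behalf of PartnerRole, and the kms:GrantIsForAWSResource condition stops that same role from minting grants for anything other than an AWS service. For the S3-only case in question 792, the grant statement can be dropped and the crypto statement tightened with a kms:ViaService condition for s3.<region>.amazonaws.com.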

Exam trap

The trap here is that candidates assume an IAM policy in the consuming account is sufficient for cross-account KMS operations, but AWS requires the key policy in the key-owning account to explicitly grant access to the external principal, and kms:CreateGrant is a commonly overlooked required permission for EBS volume attachments.

How to eliminate wrong answers

Option A is wrong because enabling automatic key rotation does not grant any cross-account permissions; it only rotates the key material periodically and does not affect authorization. Option C is wrong because in cross-account scenarios, the key policy in the key-owning account (account B) is the primary authorization mechanism; IAM policies in the consuming account (account A) are not sufficient on their own, and the key policy must explicitly allow the external principal. Option D is wrong because you cannot disable encryption on an EBS volume that was created from an encrypted snapshot; encryption is a permanent attribute of the volume, and attempting to disable it would fail or require creating an unencrypted copy, which defeats the purpose.

805
MCQeasy

An internal team runs a report-generation job once per day. It typically finishes in a few minutes, and even on its slowest days it still completes in under 15 minutes. The team wants to reduce operational overhead and pay primarily for actual runtime instead of keeping servers running 24/7. Which AWS approach best matches these goals?

A.Deploy the job on EC2 instances and keep them running continuously for the daily schedule.
B.Use AWS Lambda triggered by a schedule (for example, EventBridge) to run the report at the required time.
C.Run the job in an RDS database using stored procedures scheduled by the database engine.
D.Use an Auto Scaling group with a fixed minimum size of one instance and disable scaling.
AnswerB

Lambda runs on demand and charges for execution time, aligning spend with actual job runtime and reducing ops.

Why this answer

AWS Lambda, triggered by Amazon EventBridge (CloudWatch Events), is ideal for short-lived, infrequent jobs like this daily report. It eliminates idle server costs by running only when invoked, and the 15-minute execution timeout comfortably covers the job's maximum runtime. This serverless approach directly reduces operational overhead and aligns with a pay-per-use cost model.

Exam trap

The trap here is that candidates may assume EC2 or Auto Scaling is needed for any scheduled job, overlooking that Lambda's 15-minute timeout and serverless pricing perfectly suit short, infrequent tasks, while the 'pay primarily for actual runtime' requirement explicitly points away from always-on compute.

How to eliminate wrong answers

Option A is wrong because keeping EC2 instances running 24/7 for a job that completes in under 15 minutes daily incurs significant idle costs and unnecessary operational overhead. Option C is wrong because RDS stored procedures are designed for database logic, not for running external report-generation jobs; they lack the compute and runtime environment for such tasks and would incur persistent database instance costs. Option D is wrong because an Auto Scaling group with a fixed minimum of one instance still keeps a server running 24/7, failing to reduce idle costs and operational overhead.

806
MCQhard

A claims portal must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control?

A.Tag encrypted volumes after creation
B.Enable VPC Flow Logs
C.Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
D.Run a daily Lambda function to encrypt unencrypted volumes
AnswerC

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

Option C is correct because Service Control Policies (SCPs) are a preventive control that can deny the ec2:CreateVolume action when the ec2:Encrypted condition key is false. This ensures that unencrypted EBS volumes cannot be created at all, enforcing encryption at the point of creation for every principal in the account or organizational unit the SCP is attached to, including administrators. Enabling EBS encryption by default in each account and Region complements this, but it is an account setting that an administrator can switch off, so the SCP remains the control that members cannot bypass.
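The SCP that option C describes, as an added example rather than text from the question bank. It goes one step beyond the option by also denying ec2:RunInstances for unencrypted volumes, because launching an instance with a block-device mapping creates volumes without ever calling CreateVolume; the Resource is scoped to volume ARNs so the condition is evaluated only against the volumes of the launch, not the instance itself. The same explicit-deny precedence is what question 793 tests: once this SCP is attached, no IAM allow in a member account can override it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddedExampleDenyUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": [ "ec2:CreateVolume", "ec2:RunInstances" ],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": { "Bool": { "ec2:Encrypted": "false" } }
    }
  ]
}
```

Test it from a member account before trusting it: aws ec2 create-volume --availability-zone us-east-1a --size 8 --volume-type gp3 (no --encrypted) should fail with an explicit-deny error, while the same call with --encrypted succeeds. Remember that SCPs do not apply to the organization's management account, so production accounts must be member accounts inside the OU the SCP is attached to.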

Exam trap

The trap here is that candidates often confuse detective or corrective controls (like tagging or Lambda remediation) with preventive controls, failing to recognize that only an SCP or IAM policy with a deny effect on the CreateVolume action can proactively block the creation of unencrypted volumes.

How to eliminate wrong answers

Option A is wrong because tagging encrypted volumes after creation is a detective or corrective control, not preventive; it does not block the creation of unencrypted volumes. Option B is wrong because VPC Flow Logs capture network traffic metadata and have no effect on EBS volume creation or encryption enforcement. Option D is wrong because running a daily Lambda function to encrypt unencrypted volumes is a reactive/corrective control; it does not prevent the initial creation of unencrypted volumes, leaving a window of exposure.

807
MCQmedium

A media company stores original uploads in an S3 bucket. They must recover from accidental overwrites/deletes and also recover quickly from a full Region outage. The required RPO is about 1 hour. Which configuration best meets these requirements?

A.Enable an S3 lifecycle policy to transition objects to Glacier after 7 days without enabling versioning.
B.Enable S3 cross-Region replication (CRR) but leave the bucket without versioning enabled.
C.Enable S3 versioning and configure cross-Region replication to a bucket in another Region.
D.Rely on frequent EBS snapshots of a temporary cache used during uploads.
AnswerC

Versioning enables recovery from accidental overwrites/deletes, and CRR provides near-current copies for Region-level disaster recovery.

Why this answer

Option C is correct because enabling S3 versioning protects against accidental overwrites and deletes by preserving every object version (a delete only adds a delete marker), while cross-Region replication (CRR) copies new object versions asynchronously to a bucket in another Region, enabling recovery from a full Region outage. Most objects replicate within minutes, which fits an RPO of about one hour; if that RPO must be guaranteed rather than merely expected, S3 Replication Time Control adds a 15-minute replication SLA. Versioning is also a prerequisite for replication on both buckets, so the two features belong together.

Exam trap

The trap here is that candidates often assume CRR alone is sufficient for data protection, overlooking that without versioning, overwrites and deletes are permanent and cannot be recovered, which directly violates the requirement to recover from accidental overwrites/deletes.

How to eliminate wrong answers

Option A is wrong because a lifecycle policy to transition objects to Glacier after 7 days does not protect against accidental overwrites or deletes (no versioning), and Glacier retrieval times (minutes to hours) are too slow for a 1-hour RPO in a Region outage scenario. Option B is wrong because CRR without versioning cannot recover from accidental overwrites or deletes, as overwrites permanently replace the object and deletes remove it entirely, leaving no previous versions to restore. Option D is wrong because EBS snapshots of a temporary cache are not designed for S3 object recovery; they capture block-level changes of an EC2 instance volume, not the S3 bucket's object state, and do not provide cross-Region durability or protection against S3-specific overwrites/deletes.

808
MCQ · hard

Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?

A. Re-enable object ACLs and manage access by setting object-level ACLs for each team's prefix.
B. Split the bucket into one bucket per team and keep using a single shared bucket policy for all of them.
C. Create one S3 access point per team and attach an access point policy that limits that team to its own prefix.
D. Make the bucket public and issue presigned URLs for team access so IAM policies are no longer needed.
Answer: C

S3 access points are designed for simplifying access management to shared buckets. A separate access point per team keeps the bucket private, avoids ACLs, and lets each team have a smaller, easier-to-review policy boundary. This reduces the blast radius of a policy mistake and scales far better than a single giant bucket policy with many prefix rules.

Why this answer

Option C is correct because S3 Access Points allow you to create separate access points for each team, each with its own policy that restricts access to a specific prefix (e.g., s3://shared-bucket/team-a/). This eliminates the need for a large, error-prone bucket policy while keeping ACLs disabled, as access is managed through IAM policies and access point policies. It also maintains a single shared bucket, simplifying management and cost allocation.

Exam trap

The trap here is that candidates may think splitting the bucket per team (Option B) is simpler, but they overlook that a single shared bucket with access points is more cost-effective and manageable, and that ACLs (Option A) are explicitly disallowed by the requirement.

How to eliminate wrong answers

Option A is wrong because re-enabling object ACLs violates the requirement that ACLs must remain disabled, and managing access at the object level is not scalable for many teams. Option B is wrong because splitting into one bucket per team increases management overhead and does not solve the bucket policy size issue; a single shared bucket policy for all buckets would still be complex and error-prone. Option D is wrong because making the bucket public exposes data to the internet, violating security best practices, and presigned URLs are temporary and not suitable for ongoing team access management.
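
To make the per-team access point redesign concrete, here is an added CloudFormation example; it is not part of the question bank. The bucket name, the team name `team-a`, the role `team-a-role` and the `team-a/` prefix are assumed placeholders, and the shared bucket is assumed to exist already with ACLs disabled (object ownership set to BucketOwnerEnforced). The bucket policy collapses to one delegation statement, and each team gets its own small policy on its own access point.

```yaml
# Added example (not from the question bank): one access point per team on a
# shared bucket. Bucket name, team name, role name and prefix are assumed
# placeholders; repeat the TeamA* resource for each additional team.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SharedBucketName:
    Type: String
    Default: shared-team-bucket-placeholder   # assumed existing bucket, ACLs disabled
Resources:
  # The bucket policy shrinks to a single statement that delegates every access
  # decision to access points owned by this account. Per-team prefix rules no
  # longer live here, so the policy cannot grow into the monolith the question
  # describes, and S3 does not treat this statement as making the bucket public.
  SharedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SharedBucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DelegateToAccessPointsInThisAccount
            Effect: Allow
            Principal: { AWS: "*" }
            Action: "s3:*"
            Resource:
              - !Sub "arn:aws:s3:::${SharedBucketName}"
              - !Sub "arn:aws:s3:::${SharedBucketName}/*"
            Condition:
              StringEquals:
                s3:DataAccessPointAccount: !Ref "AWS::AccountId"

  # Team A's access point: public access blocked, and a policy that reaches
  # only keys under team-a/. A mistake here affects one team, not the bucket.
  TeamAAccessPoint:
    Type: AWS::S3::AccessPoint
    Properties:
      Bucket: !Ref SharedBucketName
      Name: team-a
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      Policy:
        Version: "2012-10-17"
        Statement:
          - Sid: TeamAObjectsUnderOwnPrefixOnly
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/team-a-role"   # assumed role
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:DeleteObject
            # Object ARNs through an access point use the /object/<key> form.
            Resource: !Sub "arn:aws:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/team-a/object/team-a/*"
          - Sid: TeamAListOwnPrefixOnly
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/team-a-role"
            Action: s3:ListBucket
            Resource: !Sub "arn:aws:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/team-a"
            Condition:
              StringLike:
                s3:prefix: "team-a/*"
```

The team's clients then address the access point alias or ARN instead of the bucket name. Reviewing "what can team A reach" means reading one short policy; the listing statement is scoped with `s3:prefix` so the team cannot enumerate other teams' keys either.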

809
MCQ · easy

A team runs a latency-sensitive service on EC2 and needs consistent, low-latency block storage for a database. The application requires predictable performance and should be fast for random reads/writes. Which EBS volume type is the best choice?

A. EBS st1 (throughput optimized HDD)
B. EBS gp3 (general purpose SSD)
C. EBS sc1 (cold HDD)
D. EBS magnetic (legacy magnetic)
Answer: B

gp3 is designed for a broad range of general-purpose workloads with solid low-latency performance. It supports random I/O patterns and offers predictable performance for many latency-sensitive applications. It is a common best-fit choice when you need balanced performance without specialized throughput-focused characteristics.

Why this answer

B is correct because gp3 is a general-purpose SSD that provides consistent, low-latency performance for random read/write operations, making it ideal for latency-sensitive databases. It offers a baseline of 3,000 IOPS and 125 MB/s throughput, with the ability to independently scale IOPS up to 16,000 and throughput up to 1,000 MB/s, ensuring predictable performance without the burst-bucket limitations of gp2.

Exam trap

The trap here is that candidates often confuse throughput-optimized HDDs (st1) with low-latency needs, mistakenly thinking 'throughput' implies fast performance, when in fact HDDs are unsuitable for random I/O and latency-sensitive workloads.

How to eliminate wrong answers

Option A is wrong because st1 is a throughput-optimized HDD designed for large, sequential workloads like big data and log processing, not for low-latency random reads/writes required by databases. Option C is wrong because sc1 is a cold HDD optimized for infrequently accessed data with the lowest cost, offering very low IOPS and high latency, unsuitable for latency-sensitive database workloads. Option D is wrong because magnetic (standard) is a legacy HDD volume type with no performance guarantees, high latency, and low IOPS, making it obsolete for modern database applications.

810
MCQ · medium

A trading dashboard uses Aurora MySQL. The company wants fast cross-Region disaster recovery with low RPO. Which architecture should be considered? The design must avoid adding custom operational scripts.

A. A single-AZ Aurora cluster
B. Aurora Global Database
C. Manual snapshots copied monthly
D. An ElastiCache Redis replica
Answer: B

Aurora Global Database replicates with low latency to secondary Regions and supports faster disaster recovery than snapshot-only approaches.

Why this answer

Aurora Global Database is the correct choice because it provides a fully managed cross-Region disaster recovery solution with a typical RPO of 1 second or less, using storage-based replication that does not require custom scripts. This meets the low RPO requirement while avoiding operational overhead, as replication is handled automatically by the Aurora storage layer.

Exam trap

The trap here is that candidates may confuse cross-Region read replicas (which require manual promotion and scripting) with Aurora Global Database, which provides automated, low-latency replication without custom operational scripts.

How to eliminate wrong answers

Option A is wrong because a single-AZ Aurora cluster lacks any cross-Region replication or failover capability, offering no disaster recovery across Regions. Option C is wrong because manual snapshots copied monthly result in an RPO of up to one month, which is far too high for a trading dashboard requiring low RPO. Option D is wrong because an ElastiCache Redis replica is an in-memory cache, not a database with persistent cross-Region replication, and it does not provide the required disaster recovery for Aurora MySQL data.

811
MCQ · medium

An internal reporting portal serves infrequently accessed user documents that must be available immediately when requested. Which S3 storage class is likely the best cost fit? The design must avoid adding custom operational scripts.

A. Instance store volumes
B. S3 Glacier Deep Archive
C. S3 Standard for all objects
D. S3 Standard-IA or S3 One Zone-IA depending on resilience requirements
Answer: D

Infrequent Access classes reduce storage cost while keeping millisecond retrieval.

Why this answer

S3 Standard-IA or S3 One Zone-IA is the best cost fit because the data is infrequently accessed but requires immediate availability when requested. These storage classes offer lower storage costs than S3 Standard while providing low-latency retrieval (milliseconds), avoiding the retrieval delays or operational overhead of archival tiers. The choice between Standard-IA and One Zone-IA depends on resilience needs: Standard-IA stores data across multiple AZs, while One Zone-IA stores data in a single AZ at a lower cost.

Exam trap

The trap here is that candidates often choose S3 Glacier Deep Archive for infrequently accessed data without considering the immediate availability requirement, or they default to S3 Standard assuming all infrequent access needs archival storage, missing the cost-optimized middle ground of Standard-IA or One Zone-IA.

How to eliminate wrong answers

Option A is wrong because instance store volumes are ephemeral block storage attached to EC2 instances, not a durable S3 storage class, and they lose data when the instance stops or terminates, making them unsuitable for long-term document storage. Option B is wrong because S3 Glacier Deep Archive has retrieval times of 12-48 hours, which violates the requirement that documents must be available immediately when requested. Option C is wrong because S3 Standard is designed for frequently accessed data and would incur higher storage costs than necessary for infrequently accessed documents, making it not the best cost fit.

812
MCQ · medium

An e-commerce application uses Aurora MySQL. Writes are modest, but the product-detail page generates many read-only queries and the writer instance CPU is high. The application can tolerate a small amount of replication lag on those reads. What should the team do?

A. Add Aurora read replicas and send read-only traffic to the reader endpoint.
B. Increase the writer instance size and keep all traffic on the primary.
C. Replace Aurora with DynamoDB to eliminate replication lag.
D. Enable Multi-AZ failover only, because it increases read throughput automatically.
Answer: A

Aurora read replicas are the right way to scale read-heavy workloads and reduce pressure on the writer instance. By directing read-only traffic to the reader endpoint, the application can offload product-page queries while keeping writes on the primary instance. Because a small amount of replication lag is acceptable, this approach aligns well with the workload's consistency and performance needs.

Why this answer

Adding Aurora read replicas and directing read-only traffic to the reader endpoint offloads SELECT queries from the writer instance, reducing its CPU load. Aurora replicas share the same underlying storage volume, so replication lag is minimal (typically <100ms) and acceptable for the product-detail page. This scales read throughput without increasing writer instance size or cost.

Exam trap

The trap here is confusing Multi-AZ (which only provides failover) with read replicas (which offload reads), leading candidates to pick Option D thinking it improves read performance.

How to eliminate wrong answers

Option B is wrong because increasing the writer instance size only scales the single node vertically, which does not offload read queries and still leaves the writer as a bottleneck; it also costs more than adding replicas. Option C is wrong because replacing Aurora with DynamoDB would require significant application redesign and DynamoDB does not natively support SQL joins or complex queries; replication lag is not eliminated, as DynamoDB global tables have eventual consistency. Option D is wrong because Multi-AZ failover provides high availability, not increased read throughput; the standby instance does not serve read traffic unless it is an Aurora replica.

813
MCQ · medium

A company hosts a B2B file exchange site on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use? The design must avoid adding custom operational scripts.

A. A bastion host with SSH open to 0.0.0.0/0
B. AWS Systems Manager Session Manager with the required instance role
C. A public Elastic IP address on each instance
D. An internet gateway attached to the private subnet
Answer: B

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows administrators to establish secure shell access to EC2 instances without opening inbound SSH or RDP ports, using the Systems Manager agent and an IAM instance role. This meets the requirement for no internet-exposed ports and avoids custom operational scripts because Session Manager is a fully managed AWS service.

Exam trap

The trap here is that candidates often assume a bastion host is the only secure way to access private instances, but AWS Systems Manager Session Manager provides a fully managed, agent-based alternative that avoids opening any inbound ports and requires no custom scripts.

How to eliminate wrong answers

Option A is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes a management port to the entire internet, violating the requirement to avoid opening SSH or RDP ports to the internet. Option C is wrong because assigning a public Elastic IP address to each instance directly exposes them to the internet, requiring open SSH or RDP ports for administrative access. Option D is wrong because an internet gateway attached to a private subnet does not provide administrative access; it only enables outbound internet connectivity for instances in that subnet, and administrators still need a way to connect without open ports.

814
MCQ · medium

A company hosts a B2B file exchange site on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?

A. A bastion host with SSH open to 0.0.0.0/0
B. AWS Systems Manager Session Manager with the required instance role
C. A public Elastic IP address on each instance
D. An internet gateway attached to the private subnet
Answer: B

Session Manager provides audited shell access without inbound SSH/RDP exposure.

Why this answer

AWS Systems Manager Session Manager allows secure shell access to EC2 instances without opening inbound ports (SSH 22 or RDP 3389) to the internet. It uses the AWS Systems Manager agent and an IAM instance role to establish a bidirectional connection via the AWS cloud, eliminating the need for a bastion host or public IP. This meets the requirement for administrators to connect without exposing any network ports.

Exam trap

The trap here is that candidates often default to a bastion host (Option A) as the traditional solution, overlooking that AWS Systems Manager Session Manager provides a more secure, port-free alternative that fully meets the 'no open ports' requirement.

How to eliminate wrong answers

Option A is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes the instance to the entire internet, violating the requirement to avoid opening SSH or RDP ports. Option C is wrong because assigning a public Elastic IP address to each instance would require opening SSH or RDP ports to the internet for direct access, which is explicitly prohibited. Option D is wrong because an internet gateway attached to a private subnet does not provide administrative connectivity; it only enables outbound internet access for instances, and inbound administrative access would still require open ports or a bastion host.

815
Multi-Select · hard

A company is encrypting sensitive S3 data for an order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals? The design must avoid adding custom operational scripts.

Select 2 answers
A. A larger KMS key rotation period
B. A key policy that limits key administrators and key users
C. IAM policies that grant kms:Decrypt only to required application roles
D. S3 Transfer Acceleration
Answers: B, C

The KMS key policy is the primary resource policy that controls who can administer or use the key.

Why this answer

Option B is correct because a KMS key policy explicitly defines which principals (IAM users, roles, or AWS accounts) are allowed to administer or use the key. By restricting key users to only the required application roles, you prevent unauthorized principals from accidentally invoking KMS operations on the key, even if they have broad IAM permissions. This is a fundamental access control that does not require custom scripts.

Exam trap

The trap here is that candidates often think key rotation (Option A) is a security control that prevents unauthorized use, but it only protects against compromised keys over time, not against accidental access by authorized-but-wrong principals.

816
MCQ · medium

An order processing API stores audit logs in S3. The compliance team requires that logs cannot be overwritten or deleted for seven years. What should be configured? The design must avoid adding custom operational scripts.

A. S3 server access logging
B. S3 lifecycle expiration after seven years
C. S3 versioning only
D. S3 Object Lock in compliance mode with an appropriate retention period
Answer: D

Object Lock compliance mode enforces write-once-read-many retention that even privileged users cannot bypass during the retention period.

Why this answer

S3 Object Lock in compliance mode prevents any user, including the root user, from overwriting or deleting objects for the specified retention period. This meets the compliance requirement of a seven-year immutable audit log without custom scripts. Compliance mode enforces a retention period that no user can shorten or remove, ensuring logs remain intact.

Exam trap

The trap here is that candidates often confuse versioning with immutability, thinking versioning alone prevents deletion, but it only preserves overwritten versions while still allowing the current version to be deleted unless combined with Object Lock or MFA Delete.

How to eliminate wrong answers

Option A is wrong because S3 server access logging only records requests made to the bucket, it does not prevent deletion or overwriting of existing logs. Option B is wrong because S3 lifecycle expiration automatically deletes objects after a period, which directly violates the requirement that logs cannot be deleted for seven years. Option C is wrong because S3 versioning alone preserves previous versions of objects but does not prevent deletion of the current version or overwriting; it requires additional controls like MFA Delete or Object Lock to enforce immutability.
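
The bucket configuration option D describes, as an added CloudFormation example (not part of the question bank). The bucket name is an assumed placeholder. Object Lock can only be switched on when the bucket is created and requires versioning, which is why both settings appear together.

```yaml
# Added example (not from the question bank): an audit-log bucket with Object
# Lock in compliance mode and a seven-year default retention. The bucket name
# is an assumed placeholder.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  AuditLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: order-api-audit-logs-placeholder
      VersioningConfiguration:
        Status: Enabled            # prerequisite for Object Lock
      ObjectLockEnabled: true      # can only be set at bucket creation
      ObjectLockConfiguration:
        ObjectLockEnabled: Enabled
        Rule:
          DefaultRetention:
            Mode: COMPLIANCE       # GOVERNANCE would let s3:BypassGovernanceRetention holders remove it
            Years: 7               # applied to every new object version; Days and Years are mutually exclusive
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
```

Three caveats worth knowing when this is used for audit logs. Each object version gets its retain-until date when it is written, so the seven years run per version, not per bucket; the date can be extended on a version but never brought forward in compliance mode, by anyone. A plain DELETE without a version ID still succeeds, but it only adds a delete marker that hides the object from listings; the locked version stays and can be listed and restored. And compliance-mode retention is separate from a legal hold, which is an on/off flag that principals holding s3:PutObjectLegalHold can remove, so a legal hold alone does not give the seven-year guarantee.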

817
MCQ · hard

A dev sandbox currently uses two NAT gateways in each of three Availability Zones, but only one private subnet per AZ needs outbound internet access. What should the architect review first? The design must avoid adding custom operational scripts.

A. Disabling route tables
B. Replacing every NAT gateway with an internet gateway attached to private subnets
C. Moving all workloads to public subnets
D. Whether one NAT gateway per AZ is sufficient for the required private subnets
Answer: D

NAT gateways are normally deployed per AZ for resilience; duplicate NAT gateways in the same AZ may be unnecessary.

Why this answer

Option D is correct because the question asks what the architect should review first to optimize costs while maintaining functionality. Using two NAT gateways per AZ when only one private subnet per AZ needs outbound internet access is redundant; a single NAT gateway per AZ can handle the traffic for all private subnets in that AZ. The design must avoid custom operational scripts, so the simplest review is to check if one NAT gateway per AZ is sufficient, which would reduce costs without breaking connectivity.

Exam trap

The trap here is that candidates may assume more NAT gateways are always better for high availability, but the question asks for a cost-optimization review first, and the current setup is over-provisioned for the stated requirement.

How to eliminate wrong answers

Option A is wrong because disabling route tables would break all routing, not just optimize NAT gateway usage, and it would require custom scripts to restore functionality, violating the design constraint. Option B is wrong because internet gateways cannot be attached to private subnets; they are used for public subnets and would expose instances directly to the internet, breaking the private subnet isolation requirement. Option C is wrong because moving all workloads to public subnets would expose them to the internet, which is not suitable for a dev sandbox that likely requires private subnets for security, and it does not address the NAT gateway cost issue.

818
Multi-Select · medium

A startup runs two EC2-based workloads in the same AWS Region. Its customer-facing API is always on, and its nightly video transcoding fleet can restart jobs from checkpoints if an instance is interrupted. The finance team wants the lowest monthly compute cost without changing the application design. Which two actions should the team take? Select two.

Select 2 answers
A. Purchase an All Upfront Reserved Instance for the transcoding fleet only.
B. Buy a Compute Savings Plan to cover the always-on API baseline usage.
C. Run the transcoding fleet on Spot Instances because interrupted jobs can resume from checkpoints.
D. Increase the API instance size so CPU utilization stays below 30 percent.
E. Move the API tier to Dedicated Hosts to improve isolation and lower spend.
Answers: B, C

Savings Plans reduce cost for consistent compute usage and are well suited to the always-on API.

Why this answer

Option B is correct because a Compute Savings Plan offers the lowest cost for steady-state workloads like the always-on API, providing up to 66% savings over On-Demand in exchange for a 1- or 3-year commitment. It applies to any EC2 instance family within a Region, making it flexible and cost-effective for the baseline usage. Option C is correct because Spot Instances can be up to 90% cheaper than On-Demand and are ideal for fault-tolerant workloads like the transcoding fleet, which can resume from checkpoints if interrupted.

Exam trap

The trap here is that candidates often assume Reserved Instances are always the cheapest option, but for interruptible workloads like transcoding, Spot Instances provide far greater savings, and a Savings Plan better covers the steady-state API usage without locking into a specific instance family.

819
MCQ · medium

A read-heavy document portal repeatedly queries the same product catalogue data from DynamoDB with millisecond latency requirements. Which service can reduce read latency and table load? The team wants the control to be enforceable during normal operations.

A. Amazon Kinesis Data Firehose
B. S3 Transfer Acceleration
C. DynamoDB Accelerator (DAX)
D. AWS Glue Data Catalog
Answer: C

DAX is an in-memory cache for DynamoDB that reduces read latency for suitable access patterns.

Why this answer

DynamoDB Accelerator (DAX) is an in-memory cache specifically designed for DynamoDB that can reduce read latency from single-digit milliseconds to microseconds, while offloading read traffic from the underlying table. This directly addresses the read-heavy workload and millisecond latency requirements, and the team can enforce its use during normal operations by configuring the application to route reads through the DAX cluster endpoint.

Exam trap

The trap here is that candidates may confuse DAX with ElastiCache (which is a general-purpose cache but not DynamoDB-native) or assume that S3 Transfer Acceleration can improve DynamoDB read performance, when in fact DAX is the only AWS service purpose-built to cache DynamoDB reads with sub-millisecond latency.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Firehose is a streaming data ingestion service for loading data into data lakes and analytics tools, not a caching layer for DynamoDB reads. Option B is wrong because S3 Transfer Acceleration speeds up uploads to S3 over long distances using AWS edge locations, but it does not cache DynamoDB query results or reduce table load. Option D is wrong because AWS Glue Data Catalog is a metadata repository for ETL jobs and data lake schemas, not a read cache for DynamoDB.

820
Multi-Select · hard

A retailer runs a reporting-heavy relational app on Amazon RDS MySQL. Peak dashboard traffic lasts only three hours each day, but the database is sized for the peak all day. The business wants lower cost without rewriting the application. Which three actions are best? Select three.

Select 3 answers
A. Right-size the writer based on actual utilization instead of peak guesses.
B. Add read replicas and direct dashboard traffic away from the writer.
C. Evaluate Aurora MySQL if the current replica-heavy design would be cheaper there.
D. Migrate to DynamoDB immediately because every relational workload is more expensive.
E. Increase provisioned IOPS permanently so the monthly bill drops.
Answers: A, B, C

Correct. Right-sizing removes waste from the always-on primary instance. If the writer is sized for real load rather than a worst-case assumption, the company pays for less unused compute.

Why this answer

Option A is correct because right-sizing the RDS instance based on actual utilization metrics (e.g., CPU, memory, connections) directly reduces cost by eliminating over-provisioning for the 3-hour peak. This is a fundamental cost-optimization practice that avoids paying for idle capacity during the remaining 21 hours.

Exam trap

The trap here is that candidates assume 'sizing for peak' is always necessary, but AWS cost optimization emphasizes matching capacity to actual average utilization, not peak, and using services like read replicas or Aurora to handle spikes without over-provisioning the writer.

821
MCQ · medium

A ticket booking system stores uploaded documents in S3. The business requires a copy in another AWS Region for disaster recovery. What should be configured? The design must avoid adding custom operational scripts.

A. S3 lifecycle transition to Glacier Flexible Retrieval
B. An EBS snapshot schedule
C. S3 Cross-Region Replication with versioning enabled
D. A CloudFront distribution
Answer: C

CRR asynchronously replicates objects to a bucket in another Region and requires versioning.

Why this answer

S3 Cross-Region Replication (CRR) automatically replicates objects from a source bucket in one AWS Region to a destination bucket in another Region, providing a disaster recovery copy without custom scripts. Enabling versioning on both buckets is a prerequisite for CRR, ensuring that all object versions are replicated and that the destination bucket can maintain a complete history of changes.

Exam trap

The trap here is that candidates may confuse S3 Lifecycle policies (which only manage storage tiers within a region) with cross-region replication, or mistakenly think CloudFront's edge caching provides a durable cross-region copy, when in fact CloudFront does not replicate the original S3 object to another region.

How to eliminate wrong answers

Option A is wrong because S3 Lifecycle transitions to Glacier Flexible Retrieval only change the storage class within the same bucket and region; they do not create a cross-region copy for disaster recovery. Option B is wrong because EBS snapshots are for block-level backups of EC2 volumes, not for S3 objects, and they cannot replicate S3 data across regions. Option D is wrong because CloudFront is a content delivery network (CDN) that caches content at edge locations for low-latency access; it does not provide persistent cross-region replication or disaster recovery copies of S3 objects.
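
Questions 807 and 821 both land on versioning plus Cross-Region Replication, so here is the configuration once, as an added CloudFormation example that is not part of the question bank. The source and destination bucket names and the replication role are assumed placeholders; the destination bucket lives in the other Region, so it is assumed to exist already (from a separate stack) with versioning enabled.

```yaml
# Added example (not from the question bank): a versioned source bucket that
# replicates to a bucket in another Region. Bucket names are assumed
# placeholders; the destination bucket must already exist with versioning on.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SourceBucketName:
    Type: String
    Default: media-originals-placeholder
  DestinationBucketArn:
    Type: String
    Default: arn:aws:s3:::media-originals-dr-placeholder   # assumed, in the DR Region
Resources:
  # The role S3 assumes to read versions from the source and write them to the
  # destination. Scoped to exactly those two buckets.
  ReplicationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: s3.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: s3-replication
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetReplicationConfiguration
                  - s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${SourceBucketName}"
              - Effect: Allow
                Action:
                  - s3:GetObjectVersionForReplication
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectVersionTagging
                Resource: !Sub "arn:aws:s3:::${SourceBucketName}/*"
              - Effect: Allow
                Action:
                  - s3:ReplicateObject
                  - s3:ReplicateTags
                Resource: !Sub "${DestinationBucketArn}/*"

  SourceBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref SourceBucketName
      VersioningConfiguration:
        Status: Enabled      # required by CRR, and what makes overwrites/deletes recoverable
      ReplicationConfiguration:
        Role: !GetAtt ReplicationRole.Arn
        Rules:
          - Id: replicate-everything-to-dr-region
            Status: Enabled
            Priority: 1
            Filter:
              Prefix: ""     # every object
            DeleteMarkerReplication:
              Status: Disabled   # an accidental delete at the source does not hide the DR copy
            Destination:
              Bucket: !Ref DestinationBucketArn
              StorageClass: STANDARD
```

Two choices deserve a note. Delete-marker replication is left off so that the DR bucket keeps showing objects someone deleted by mistake at the source; S3 never replicates the deletion of a specific version in either setting. And because replication is asynchronous, the RPO is whatever replication lag is at the moment of the outage; if "about 1 hour" needs to become a contractual figure, S3 Replication Time Control (the `ReplicationTime` and `Metrics` settings under `Destination`) adds a 15-minute replication SLA and CloudWatch metrics for objects that miss it.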

822
MCQ · hard

A healthcare document service must ensure that only encrypted EBS volumes can be created in the account. What is the strongest preventive control? The design must avoid adding custom operational scripts.

A. Use an SCP that denies ec2:CreateVolume when the encrypted condition is false
B. Tag encrypted volumes after creation
C. Enable VPC Flow Logs
D. Run a daily Lambda function to encrypt unencrypted volumes
Answer: A

An SCP can prevent noncompliant volume creation across accounts in an organization.

Why this answer

AWS Organizations Service Control Policies (SCPs) provide a preventive guardrail that can deny the ec2:CreateVolume API call when the encryption condition is false, ensuring that no unencrypted EBS volumes can be created in the account. This is the strongest preventive control because it blocks the action at the API level before any resource is created, and it does not require custom scripts or post-creation remediation. The SCP uses the ec2:Encrypted condition key: a Deny on ec2:CreateVolume when ec2:Encrypted is false enforces encryption at creation time.

Exam trap

The trap here is that candidates often confuse detective or corrective controls (like tagging, Lambda remediation, or logging) with preventive controls, and fail to recognize that SCPs can enforce encryption at the API level without custom scripts.

How to eliminate wrong answers

Option B is wrong because tagging encrypted volumes after creation is a detective or reactive control, not preventive; it does not stop unencrypted volumes from being created. Option C is wrong because VPC Flow Logs capture network traffic metadata and have no ability to enforce or audit EBS volume encryption policies. Option D is wrong because running a daily Lambda function to encrypt unencrypted volumes is a corrective/reactive control that relies on custom operational scripts, which the design explicitly avoids, and it does not prevent the initial creation of unencrypted volumes.
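
The SCP from option A, as an added CloudFormation example that is not part of the question bank. The policy name and the OU ID it is attached to are assumed placeholders.

```yaml
# Added example (not from the question bank): an SCP that denies creating
# unencrypted EBS volumes. The OU ID and policy name are assumed placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DenyUnencryptedEbsVolumesScp:
    Type: AWS::Organizations::Policy
    Properties:
      Name: deny-unencrypted-ebs-volumes
      Type: SERVICE_CONTROL_POLICY
      Description: Preventive guardrail; EBS volumes must be encrypted at creation
      TargetIds:
        - ou-placeholder-id        # assumed OU; attach to a sandbox OU first and watch CloudTrail for denials
      Content:
        Version: "2012-10-17"
        Statement:
          # An explicit Deny in an SCP cannot be overridden by any IAM policy in
          # the member accounts, which is what makes it preventive rather than
          # detective. The call is refused before any volume exists.
          - Sid: DenyCreateUnencryptedVolume
            Effect: Deny
            Action: ec2:CreateVolume
            Resource: "*"
            Condition:
              Bool:
                ec2:Encrypted: "false"
```

Two things to check when rolling this out. SCPs never apply to the organization's management account, so workloads there are not covered by this guardrail. And a denied CreateVolume surfaces in CloudTrail as an `UnauthorizedOperation` error on the call, which is the signal to alert on while teams adjust their tooling; turning on the account-level "EBS encryption by default" setting in each Region makes the SCP hit far less often, because volumes created without an explicit choice then come out encrypted.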

823
MCQ · medium

Account C wants engineers to access a role (RoleInAccountA) in account A using STS AssumeRole. Security policy requires that (1) only engineers from account C can assume the role, (2) they must provide an external ID value, and (3) the session must be MFA-authenticated. Which change is most appropriate in the RoleInAccountA trust policy to meet all three requirements?

A. Add conditions sts:ExternalId = <value> only; do not include any MFA requirement because MFA can be enforced by the IAM role session policy.
B. Add conditions that (a) restrict the caller principals to account C engineers (for example, aws:PrincipalArn matches a specific engineer role/user pattern from account C), (b) require sts:ExternalId = <value>, and (c) require aws:MultiFactorAuthPresent = true.
C. Add conditions for aws:PrincipalTag:Department = Engineering and sts:ExternalId = <value>; omit MFA because MFA is optional for AssumeRole.
D. Add conditions aws:SecureTransport = true and sts:ExternalId = <value>; rely on IAM permissions in account C to require MFA.
Answer: B

A trust policy can simultaneously (1) restrict who can call AssumeRole via principal-based conditions, (2) require sts:ExternalId to mitigate confused-deputy risk, and (3) enforce MFA by requiring aws:MultiFactorAuthPresent = true when STS issues the temporary credentials.

Why this answer

Option B is correct because it satisfies all three security requirements: it restricts the caller principals to engineers from account C using the `aws:PrincipalArn` condition, enforces the external ID with `sts:ExternalId`, and mandates MFA authentication via `aws:MultiFactorAuthPresent = true`. The trust policy on RoleInAccountA must explicitly include the MFA condition because MFA enforcement cannot be delegated to the session policy or to the calling account's IAM permissions when the role is in a different account.

Exam trap

The trap here is that candidates often assume MFA can be enforced indirectly through session policies or the calling account's permissions, but in cross-account AssumeRole scenarios, the trust policy in the target account must explicitly require `aws:MultiFactorAuthPresent = true` to enforce MFA on the assumed role session.

How to eliminate wrong answers

Option A is wrong because it omits the MFA requirement entirely, incorrectly assuming that MFA can be enforced by the IAM role session policy—session policies cannot enforce MFA; the trust policy must explicitly require `aws:MultiFactorAuthPresent = true`. Option C is wrong because it uses `aws:PrincipalTag:Department = Engineering` to identify engineers, which is unreliable across accounts (tags are not automatically shared) and omits the MFA condition, leaving the session unauthenticated by MFA. Option D is wrong because it relies on `aws:SecureTransport` (which only enforces HTTPS) and assumes MFA can be enforced by IAM permissions in account C—account C's permissions cannot enforce MFA on the assumed role session in account A; the trust policy must include the MFA condition.
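
The trust policy option B describes, as an added CloudFormation example for account A (not part of the question bank). Account C's ID, the `engineer-*` role-name pattern and the external ID value are assumed placeholders; the external ID is taken as a `NoEcho` parameter so the real value never sits in a template in source control.

```yaml
# Added example (not from the question bank): RoleInAccountA's trust policy
# with all three conditions. Account C's ID, the engineer role pattern and the
# external ID are assumed placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AccountCId:
    Type: String
    Default: "222222222222"        # assumed account C ID
  ExternalId:
    Type: String
    NoEcho: true                   # shared out-of-band with account C, never logged
Resources:
  RoleInAccountA:
    Type: AWS::IAM::Role
    Properties:
      RoleName: RoleInAccountA
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EngineersFromAccountCWithExternalIdAndMfa
            Effect: Allow
            # Principal admits account C; aws:PrincipalArn then narrows the
            # grant to the engineer roles, so an arbitrary role in account C
            # cannot assume this one. For a role session, aws:PrincipalArn is
            # the IAM role ARN, which is why a role/ pattern matches.
            Principal:
              AWS: !Sub "arn:aws:iam::${AccountCId}:root"
            Action: sts:AssumeRole
            Condition:
              ArnLike:
                aws:PrincipalArn: !Sub "arn:aws:iam::${AccountCId}:role/engineer-*"   # assumed naming pattern
              StringEquals:
                sts:ExternalId: !Ref ExternalId
              Bool:
                aws:MultiFactorAuthPresent: "true"
      # Permissions are a separate question; ReadOnlyAccess is just an assumed
      # placeholder. The trust policy above only decides who may assume the role.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
```

The MFA condition is written as `Bool` true inside an Allow on purpose: if the caller's credentials were not obtained with MFA, the `aws:MultiFactorAuthPresent` key is simply absent from the request, the condition fails to match, and the AssumeRole call is refused by the implicit deny. A Deny statement keyed on `aws:MultiFactorAuthPresent: "false"` would not fire when the key is absent unless it used `BoolIfExists`, which is a common way to end up with a trust policy that looks MFA-enforcing but is not. The key is only present when the engineer's own session was MFA-authenticated (for example, temporary credentials from GetSessionToken or AssumeRole with a serial number and token code), so chaining from a non-MFA role session does not satisfy it.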

824
MCQmedium

A marketing site runs on x86 EC2 instances and uses open-source software with no architecture-specific licensing restriction. What should be evaluated to reduce compute cost? The architecture review board prefers a managed AWS-native control.

A.Cross-Region data replication for all data
B.io2 Block Express volumes for all instances
C.AWS Graviton-based instances after performance testing
D.Dedicated Hosts by default
AnswerC

Graviton instances often provide better price performance for compatible workloads.

Why this answer

Option C is correct because AWS Graviton-based instances use ARM-based custom processors that offer up to 40% better price-performance compared to comparable x86 instances for many workloads. Since the marketing site runs open-source software with no architecture-specific licensing restrictions, migrating to Graviton after performance testing can significantly reduce compute costs while leveraging a managed AWS-native control (e.g., EC2 Auto Scaling groups with Graviton instance types).

Exam trap

The trap here is that candidates may assume Dedicated Hosts (Option D) are cost-effective for all workloads, but they actually increase costs due to per-host billing and are only justified for specific licensing or compliance needs, not general compute cost reduction.

How to eliminate wrong answers

Option A is wrong because cross-Region data replication increases data transfer and storage costs, and it does not directly reduce compute costs; it is a data durability and disaster recovery feature, not a compute optimization. Option B is wrong because io2 Block Express volumes are high-performance EBS volumes designed for latency-sensitive workloads, not for reducing compute costs; they increase storage costs and do not address compute instance pricing. Option D is wrong because Dedicated Hosts incur additional hourly charges for physical server isolation and are typically used for licensing or compliance requirements, not for cost reduction; they increase costs compared to shared tenancy instances.

825
MCQmedium

A finance application stores invoices in Amazon S3. Security requires that the data be encrypted with a key they control, and they want the ability to disable access quickly if the application is suspected of compromise. Developers do not want to manage encryption in application code. Which solution best meets these requirements?

A.Use SSE-S3 with the default Amazon-managed key for all uploads.
B.Use SSE-KMS with a customer-managed AWS KMS key.
C.Encrypt objects on the client side and store the encryption key in the same S3 bucket.
D.Use Amazon S3 replication to a second bucket in another region.
AnswerB

SSE-KMS with a customer-managed KMS key gives the security team explicit control over key policy, grants, auditing, and revocation. The application can upload objects normally while S3 handles encryption and decryption on the service side, so developers do not need custom cryptography code. If compromise is suspected, the key or grants can be disabled to block future access, which is exactly why a customer-managed key is preferable here.

Why this answer

SSE-KMS with a customer-managed AWS KMS key meets the requirements because it allows the finance application to encrypt data at rest using a key that the customer controls, and it provides the ability to quickly disable access by disabling the KMS key or revoking the grants and key-policy permissions that allow its use, which blocks further decryption requests. The developers do not need to manage encryption in application code because encryption is handled server-side by S3 using the KMS key.

Exam trap

The trap here is that candidates often confuse SSE-S3 with customer-managed keys or think S3 replication provides security controls, but the key distinction is that only SSE-KMS with a customer-managed key gives you both customer-controlled keys and the ability to quickly revoke access without changing application code.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses an Amazon-managed key, which the customer does not control, failing the requirement for customer-controlled keys. Option C is wrong because client-side encryption requires developers to manage encryption in application code, which contradicts the requirement that developers do not want to manage encryption in code, and storing the encryption key in the same S3 bucket is a severe security risk. Option D is wrong because S3 replication only copies objects to another bucket and does not provide encryption key control or the ability to quickly disable access; it is a data durability and availability feature, not a security control for encryption or access revocation.
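As an added illustration (not part of the original question bank), a bucket policy that ties uploads to one customer-managed key, so that every invoice is encrypted under the key the security team can later disable. The bucket name `example-invoices-bucket`, the Region and the key ID are placeholders chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotUsingSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-invoices-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsNotUsingTheFinanceKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-invoices-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"
        }
      }
    }
  ]
}
```

Because both statements are explicit denies, an upload that omits the SSE-KMS header or names a different key is rejected regardless of what the application's IAM permissions allow, and the CloudTrail record for the rejected PutObject shows which key the caller tried to use.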
