SAA-C03: Questions 301-375

1040 questions total · 14 pages · All types, answers revealed

Page 5 of 14
301 (MCQ, medium)

A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

A. Enable S3 Transfer Acceleration
B. Create an IAM policy that denies s3:GetObject to anonymous users
C. Enable S3 Block Public Access at the account or bucket level
D. Enable server access logging on the bucket

Answer: C

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

Option C is correct because S3 Block Public Access provides a definitive override that prevents any public access to objects regardless of other policies. When enabled at the account or bucket level, it blocks all public access settings, including those from bucket policies, access control lists (ACLs), or object ACLs, ensuring that even if a developer later adds an overly broad bucket policy, the objects remain private. This is the only mechanism that cannot be overridden by a bucket policy, making it the appropriate choice for a strict no-public-access requirement.

Exam trap

The trap here is that candidates often choose an IAM policy (Option B) thinking it can block public access, but they miss that bucket policies can grant permissions to anonymous users independently of IAM, making S3 Block Public Access the only guaranteed safeguard.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using AWS edge locations and has no effect on access control or public accessibility. Option B is wrong because an IAM policy that denies s3:GetObject to anonymous users only applies to IAM principals; it does not block access granted by a bucket policy that explicitly allows public access, as bucket policies can grant permissions to anonymous principals (e.g., `"Principal": "*"`) independently of IAM. Option D is wrong because server access logging records requests made to the bucket for auditing purposes but does not enforce any access restrictions or prevent public access.

302 (Multi-Select, medium)

An organization lets application teams create IAM roles in member accounts. Security wants every newly created role to stay within an approved permission ceiling, and teams must not be able to remove that ceiling later. Which two controls best meet the requirement? Select two.

Select 2 answers
A. Attach the approved permissions boundary to every role created by the teams.
B. Use an SCP that denies iam:CreateRole or iam:PutRolePermissionsBoundary unless the approved boundary ARN is specified.
C. Use an S3 bucket policy to prevent the roles from gaining extra privileges.
D. Rely on a role trust policy to limit the permissions the role can have.
E. Use a session policy attached to one assumed-role session to enforce the ceiling permanently.

Answers: A, B

A permissions boundary caps the maximum permissions a role can ever receive, even if the role's inline or managed policies are broader. It is the right mechanism for defining a permission ceiling.

Why this answer

Option A is correct because a permissions boundary is an IAM feature that sets the maximum permissions a role can have. By attaching an approved permissions boundary to every newly created role, the organization enforces a permission ceiling that cannot be exceeded, even if the role has additional policies attached. This directly meets the requirement of keeping roles within an approved ceiling.

Exam trap

The trap here is that candidates may think a session policy or trust policy can permanently restrict permissions, but session policies are temporary and trust policies only control who can assume the role, not the role's maximum permissions.

303 (Multi-Select, medium)

A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.

Select 2 answers
A. Create an S3 gateway VPC endpoint and update the route tables for the private subnets.
B. Place a NAT gateway in the public subnet so the private instances can reach AWS services.
C. Create an interface VPC endpoint for AWS Secrets Manager and allow the workload security group to reach it.
D. Assign public IPv4 addresses to the instances and restrict them with security groups.
E. Use VPC peering to the AWS service endpoints instead of VPC endpoints.

Answers: A, C

An S3 gateway endpoint provides private access to S3 without sending traffic over the internet. It is the correct endpoint type for S3 and integrates through route tables.

Why this answer

Option A is correct because an S3 gateway VPC endpoint allows private subnet instances to access S3 via AWS's private network without needing internet access or a NAT gateway. The endpoint uses route table entries to direct S3 traffic through the gateway, which is a horizontally scaled, redundant component that does not require public IPs.

Exam trap

The trap here is that candidates often confuse gateway VPC endpoints (which work only for S3 and DynamoDB) with interface VPC endpoints (which work for most other AWS services), and may incorrectly assume a NAT gateway is required for all private subnet outbound traffic.

304 (MCQ, easy)

A retail analytics app uses Amazon RDS for PostgreSQL. Read traffic is growing, and the database CPU spikes mainly due to SELECT-heavy workloads. Writes are less frequent, and the app can tolerate eventually consistent reads for the reports. What is the most appropriate AWS-native way to improve read performance with minimal application changes?

A. Create an RDS read replica and point the reporting queries to the replica endpoint.
B. Switch the cluster to DynamoDB without redesigning the data model.
C. Enable S3 event notifications to trigger a Lambda function after each write to the database.
D. Replace the RDS instance class with a smaller size to reduce cost and improve performance.

Answer: A

Read replicas offload reads from the primary and can speed up SELECT-heavy workloads with minimal changes.

Why this answer

Creating an RDS read replica is the most appropriate AWS-native solution because it offloads SELECT-heavy workloads from the primary database instance to a read-only copy, reducing CPU spikes on the primary. The application can tolerate eventually consistent reads for reports, which is exactly the consistency model of RDS read replicas (typically sub-second replication lag). This requires minimal application changes—only updating the reporting queries to point to the replica endpoint—and fully leverages PostgreSQL's built-in replication capabilities.

Exam trap

The trap here is that candidates might assume read replicas require application changes to handle eventual consistency, but the question explicitly states the app can tolerate eventually consistent reads, making the replica endpoint swap a minimal-change solution.

How to eliminate wrong answers

Option B is wrong because switching to DynamoDB without redesigning the data model would require significant application changes, including re-architecting the schema, query patterns, and transaction handling, which contradicts the requirement for minimal application changes. Option C is wrong because enabling S3 event notifications to trigger a Lambda function after each write does not directly improve read performance on the RDS database; it adds complexity and latency without addressing the CPU spikes from SELECT queries. Option D is wrong because replacing the RDS instance class with a smaller size would reduce compute capacity, likely worsening CPU spikes and degrading performance, not improving it.

305 (MCQ, medium)

A company hosts a public API using two AWS regions behind a single custom domain. Route 53 is configured with latency-based routing and health checks. During a regional outage, application metrics confirm the primary API is unhealthy, but clients still resolve to the primary region for most requests. Which DNS configuration change will most directly ensure automatic failover to the secondary region when the primary fails?

A. Change the record type to A/AAAA alias with an active-active routing policy so both regions always receive equal traffic.
B. Switch to Route 53 failover routing: configure the primary record with the primary health check and the secondary record with the secondary failover health check.
C. Keep latency-based routing but shorten the health check interval to 5 seconds.
D. Use geolocation routing so requests from each country route to the nearest region.

Answer: B

Failover routing is designed for disaster recovery-style behavior using health checks. Route 53 returns the primary record when its health check is passing, and it automatically switches resolution to the secondary record when the primary health check fails. This directly matches the requirement that clients should mostly move to the secondary region during a primary regional outage.

Why this answer

Option B is correct because Route 53 failover routing with health checks explicitly directs traffic to the secondary region when the primary health check fails. This ensures automatic failover at the DNS level, whereas latency-based routing does not guarantee failover even with health checks—it only reduces latency and may still return unhealthy records if no healthier alternative exists.

Exam trap

The trap here is that candidates assume latency-based routing with health checks will automatically fail over, but it only routes to the lowest-latency healthy endpoint—if no healthy endpoint exists, it may still return unhealthy records, whereas failover routing explicitly switches to the secondary record on health check failure.

How to eliminate wrong answers

Option A is wrong because an active-active routing policy distributes traffic equally regardless of health, failing to provide automatic failover during an outage. Option C is wrong because shortening the health check interval does not change the fundamental behavior of latency-based routing; it still may return unhealthy records if the primary region has the lowest latency. Option D is wrong because geolocation routing routes based on client location, not health, and does not automatically fail over to a secondary region when the primary is unhealthy.

306 (MCQ, hard)

A patient portal must process every event at least once, but duplicate processing is acceptable if the consumer handles idempotency. Which eventing approach is most suitable? The team wants the control to be enforceable during normal operations.

A. Use an in-memory queue on one EC2 instance
B. Use UDP messages sent directly to workers
C. Use Amazon SQS standard queue and design consumers to be idempotent
D. Use CloudFront signed URLs

Answer: C

SQS standard queues provide at-least-once delivery and high throughput; consumers must handle occasional duplicates.

Why this answer

Amazon SQS standard queues provide at-least-once delivery, ensuring every event is processed at least once, which matches the requirement. Duplicate processing is acceptable because the team can design consumers to be idempotent, handling duplicates without side effects. SQS is a fully managed, scalable, and durable service that enforces this behavior during normal operations without requiring custom infrastructure.

Exam trap

The trap here is that candidates may confuse 'at-least-once' delivery with 'exactly-once' delivery, or incorrectly assume that UDP or in-memory queues can provide reliable event processing, when in fact only a managed queue service like SQS with idempotent consumers meets the stated requirement for enforceability during normal operations.

How to eliminate wrong answers

Option A is wrong because an in-memory queue on a single EC2 instance is not durable, cannot survive instance failures, and does not provide at-least-once delivery guarantees across restarts or scaling events. Option B is wrong because UDP is a connectionless, unreliable protocol that does not guarantee message delivery, order, or duplicate detection, making it unsuitable for at-least-once processing. Option D is wrong because CloudFront signed URLs are used for access control to content delivery, not for event processing or messaging, and they do not provide any delivery guarantee or queue semantics.

307 (MCQ, medium)

A team accidentally updates critical rows in an Amazon RDS for PostgreSQL database. Automated backups are enabled. They need to recover the data to the exact state as of 90 minutes ago. They also cannot risk interrupting the current production database instance while investigators validate the restored data. Which recovery strategy best meets these constraints?

A. Use point-in-time recovery (PITR) to restore to a new RDS DB instance as of 90 minutes ago, then validate and cut over after approval.
B. Restore a manual snapshot and overwrite the existing production DB instance so the data matches exactly 90 minutes ago.
C. Wait for the next automated backup window and then restart the current DB instance to roll back changes automatically.
D. Use cross-region read replicas to rewind changes and promote the replica to become the writer immediately.

Answer: A

PITR can restore a new DB instance to a specific timestamp using automated backups and transaction logs. Restoring to a separate instance avoids overwriting or interrupting the existing production instance during validation.

Why this answer

Point-in-time recovery (PITR) for Amazon RDS allows you to restore a DB instance to any second within the backup retention period, using automated backups and transaction logs. By restoring to a new RDS instance as of 90 minutes ago, you create an isolated copy for validation without affecting the production database. This meets both the recovery point objective (RPO) of 90 minutes and the constraint of no interruption to the current production instance.

Exam trap

The trap here is that candidates confuse point-in-time recovery with snapshot restoration or assume that read replicas can be used for time-based rollbacks, but only PITR provides the exact time-targeted restore without affecting the production instance.

How to eliminate wrong answers

Option B is wrong because restoring a manual snapshot and overwriting the existing production DB instance would interrupt the production database and cannot target an exact point 90 minutes ago—snapshots are point-in-time captures at the moment they were taken, not a time-shift. Option C is wrong because waiting for the next automated backup window does not roll back changes; automated backups are for restoration, not for in-place rollback, and the database would continue to operate with the erroneous data. Option D is wrong because cross-region read replicas replicate data asynchronously and cannot rewind changes; promoting a replica does not revert data to a past state, and the replica would contain the same erroneous updates.

308 (Multi-Select, hard)

A SaaS vendor has a steady 24/7 control plane on ECS and several small event-driven tasks that currently run on a separate always-on service. Management wants the billing discount that applies across both ECS and Lambda usage without committing to a specific instance family. Which two actions are best? Select two.

Select 2 answers
A. Buy a Compute Savings Plan for the predictable baseline usage.
B. Move the event-driven tasks to AWS Lambda instead of keeping a separate always-on service.
C. Buy an EC2 Instance Savings Plan tied to one instance family for all workloads.
D. Use Spot Instances for the control plane because it is the largest bill.
E. Increase the ECS desired count so Lambda can be removed.

Answers: A, B

Correct. A Compute Savings Plan discounts predictable compute spend across ECS and Lambda without binding the team to one instance family. That flexibility matches a mixed compute estate and avoids overcommitting.

Why this answer

A Compute Savings Plan offers the largest discount (up to 66%) across both ECS and Lambda usage without committing to a specific instance family, which matches the requirement for a flexible discount. It applies to any EC2 instance, including those used by ECS, and also covers AWS Lambda compute usage, making it ideal for mixed workloads with predictable baseline usage.

Exam trap

The trap here is that candidates often confuse Compute Savings Plans with EC2 Instance Savings Plans, assuming any Savings Plan covers Lambda, or they overlook that Compute Savings Plans are the only option that spans both ECS and Lambda without instance family restrictions.

309 (Multi-Select, hard)

A company runs a steady inventory API on AWS Fargate and AWS Lambda during the day, plus a nightly batch render farm on EC2 that can be interrupted and retried. The finance team wants the lowest predictable discount for the always-on compute and the lowest possible cost for the batch jobs. Which two purchasing choices should the architect recommend? Select two.

Select 2 answers
A. Purchase a Compute Savings Plan for the steady Fargate and Lambda usage.
B. Purchase Standard Reserved Instances for the steady Fargate and Lambda usage.
C. Run the batch render farm on Spot Instances.
D. Use On-Demand Instances for the batch render farm to avoid interruptions.
E. Move the render farm to Dedicated Hosts to improve price predictability.

Answers: A, C

Compute Savings Plans apply across EC2, Fargate, Lambda, and other supported compute services, so they fit steady mixed compute well.

Why this answer

Option A is correct because a Compute Savings Plan offers the lowest predictable discount (up to 66% compared to On-Demand) and automatically applies to Fargate and Lambda usage, covering the always-on inventory API without requiring instance family or region commitments. This provides flexibility while still delivering significant savings over On-Demand pricing.

Exam trap

The trap here is that candidates often confuse Reserved Instances (which apply only to EC2) with Savings Plans (which cover Fargate and Lambda), leading them to select Standard Reserved Instances for serverless workloads, which is incorrect.

310 (MCQ, easy)

A company has a steady, predictable workload that must run continuously (24/7) in a single AWS Region. The team wants the lowest cost option available for this steady usage, but also expects they may choose different EC2 instance families in the future (without re-buying compute discounts). Which AWS purchase option best meets these goals?

A. On-Demand Instances only, because they automatically adjust to future needs
B. Compute Savings Plans, committed for a 1- to 3-year term in the Region
C. Standard Reserved Instances tied to a single instance type and Availability Zone
D. EC2 Spot Instances, because they are always cheaper than savings programs

Answer: B

Compute Savings Plans provide discounted pricing in exchange for committing to a consistent hourly spend (scoped to a Region). They apply to EC2 usage and are flexible enough that you can change EC2 instance families over time while still receiving the Savings Plans discount within the commitment scope.

Why this answer

Compute Savings Plans offer the lowest cost for steady, predictable workloads while providing instance family flexibility within a Region. Unlike Reserved Instances, they automatically apply discounts to any EC2 instance family (and even Fargate/Lambda) in the chosen Region, so the company can switch instance families in the future without losing the discount. A 1- or 3-year commitment yields significant savings (up to 66%) compared to On-Demand, making it the optimal choice for this scenario.

Exam trap

The trap here is that candidates often confuse Reserved Instances (which lock instance family and AZ) with Savings Plans (which offer regional flexibility), leading them to choose Standard Reserved Instances despite the stated requirement for future instance family changes.

How to eliminate wrong answers

Option A is wrong because On-Demand Instances have no upfront commitment and are the most expensive pricing model, failing the 'lowest cost' requirement for a steady 24/7 workload. Option C is wrong because Standard Reserved Instances are tied to a specific instance type and Availability Zone, so changing instance families would forfeit the discount, directly contradicting the requirement for future flexibility. Option D is wrong because Spot Instances can be interrupted with a 2-minute warning and are not suitable for a continuous 24/7 workload; they are also not always cheaper than savings programs when considering the risk of interruption and potential need for fallback capacity.

311 (Multi-Select, hard)

A company is encrypting sensitive S3 data for an order processing API with AWS KMS. Which two controls help prevent accidental use of the KMS key by unauthorized principals?

Select 2 answers
A. A larger KMS key rotation period
B. A key policy that limits key administrators and key users
C. IAM policies that grant kms:Decrypt only to required application roles
D. S3 Transfer Acceleration

Answers: B, C

The KMS key policy is the primary resource policy that controls who can administer or use the key.

Why this answer

Option B is correct because a KMS key policy explicitly defines which principals (IAM users, roles, or AWS accounts) are allowed to administer or use the key. By limiting key administrators and key users in the key policy, you prevent unauthorized principals from accidentally invoking KMS operations on the key, even if they have broad IAM permissions. This is a fundamental resource-based control that overrides any IAM policy that would otherwise grant access.

Exam trap

The trap here is that candidates often confuse key rotation (a cryptographic hygiene control) with access control, or they think S3 Transfer Acceleration somehow affects KMS authorization, when in reality it only optimizes network transfer performance.

312 (MCQ, easy)

You want to protect an Application Load Balancer (ALB) from common web exploits using AWS WAF. The application is not using CloudFront. Which AWS WAF deployment scope should you choose so the WAF rules apply to the ALB?

A. Use AWS WAF regional scope (associate the web ACL with the ALB resource)
B. Use AWS WAF CloudFront (global) scope and associate the web ACL with the ALB
C. Use AWS Shield Advanced and rely on it to inspect payloads for SQL injection and XSS
D. Use security groups only, because they can detect SQL injection patterns in HTTP requests

Answer: A

ALBs are regional resources. When you protect an ALB without CloudFront, you should use the regional WAF scope and associate the web ACL directly with the ALB, so WAF can inspect incoming requests destined for that ALB.

Why this answer

AWS WAF offers two deployment scopes: regional and CloudFront (global). Since the application is using an Application Load Balancer (ALB) without CloudFront, you must choose the regional scope. This allows you to associate the web ACL directly with the ALB resource, enabling AWS WAF to inspect HTTP/HTTPS requests for common web exploits like SQL injection and cross-site scripting (XSS) at the regional endpoint.

Exam trap

The trap here is that candidates may assume AWS WAF always requires CloudFront or that Shield Advanced provides application-layer inspection, but the exam tests the specific requirement that regional WAF is the only option for ALB without CloudFront.

How to eliminate wrong answers

Option B is wrong because AWS WAF CloudFront (global) scope can only be associated with Amazon CloudFront distributions, not with an ALB directly; attempting to associate a global web ACL with an ALB is not supported. Option C is wrong because AWS Shield Advanced provides DDoS protection and does not inspect application-layer payloads for SQL injection or XSS; that is the function of AWS WAF. Option D is wrong because security groups operate at the network layer (Layer 3/4) and cannot inspect HTTP request payloads or detect application-layer attack patterns like SQL injection or XSS.

313 (MCQ, hard)

A mobile banking backend uses Amazon RDS for PostgreSQL. Application credentials must not be stored on the EC2 instances, and authentication should use short-lived credentials. What should the architect recommend? The design must avoid adding custom operational scripts.

A. Store the database password in user data
B. IAM database authentication for RDS with an EC2 instance role
C. Use a security group rule that allows only application instances
D. Embed the database password in the AMI

Answer: B

IAM database authentication allows the application to use temporary AWS credentials instead of stored database passwords.

Why this answer

IAM database authentication for RDS allows EC2 instances to authenticate to PostgreSQL using a short-lived token generated via the IAM instance profile, eliminating the need to store credentials on the instance. The token is obtained by calling the RDS generate_db_auth_token API with the instance's IAM role, and it is valid for 15 minutes by default. This approach satisfies the requirement for short-lived credentials and avoids custom operational scripts.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups) with authentication mechanisms, or assume that storing credentials in user data or AMIs is acceptable because they are 'hidden' from the OS, when in fact they are still long-lived and accessible via metadata or AMI inspection.

How to eliminate wrong answers

Option A is wrong because storing the database password in user data leaves it in plaintext on the instance metadata, which is accessible to any process or user with access to the instance, and it does not provide short-lived credentials. Option C is wrong because security group rules only control network access at the transport layer; they do not handle authentication or credential management, so credentials would still need to be stored on the instance. Option D is wrong because embedding the database password in the AMI hard-codes a long-lived credential into the image, which violates the requirement to avoid storing credentials on EC2 and does not provide short-lived credentials.

314 (Multi-Select, hard)

A private application in two private subnets must download objects from S3 and read parameters from Systems Manager Parameter Store without routing traffic through the public internet. Which two components should the architect use? The business wants to avoid a reactive-only remediation approach.

Select 2 answers
A. Interface VPC endpoint for Systems Manager
B. Internet gateway attached to the VPC
C. NAT gateway in each Availability Zone
D. Gateway VPC endpoint for Amazon S3

Answers: A, D

Systems Manager/Parameter Store access uses interface endpoints powered by AWS PrivateLink.

Why this answer

An Interface VPC endpoint for Systems Manager (using AWS PrivateLink) allows the private application to securely read parameters from Parameter Store without traversing the internet. A Gateway VPC endpoint for S3 provides a private, highly available route to download objects from S3 using the S3 service's prefix list and route table entries, avoiding NAT or internet gateways. Together, these endpoints ensure all traffic stays within the AWS network, meeting the requirement to avoid public internet routing.

Exam trap

The trap here is that candidates often confuse Gateway VPC endpoints (which only work for S3 and DynamoDB) with Interface VPC endpoints (which work for many AWS services like Systems Manager), and they may incorrectly select NAT gateways as a 'private' solution, not realizing NAT gateways still require an internet gateway and public IPs, making them a reactive, internet-dependent approach.

315 (MCQ, medium)

A production log archive runs continuously on EC2 with predictable usage for the next three years. The team wants a discount while retaining some instance-family flexibility. What should they buy? The architecture review board prefers a managed AWS-native control.

A. S3 Intelligent-Tiering
B. Dedicated Instances
C. Compute Savings Plan
D. Spot Instances only

Answer: C

Compute Savings Plans provide discounts for a committed spend while allowing flexibility across instance families, sizes, Regions, and compute services.

Why this answer

A Compute Savings Plan offers the lowest prices on EC2 compute usage (up to 66% off On-Demand) in exchange for a 1- or 3-year commitment, while allowing instance-family flexibility across any region, OS, or tenancy. This matches the predictable three-year workload and the team's requirement for instance-family flexibility, and it is a managed AWS-native offering (no manual reservation management).

Exam trap

The trap here is confusing Savings Plans (which offer flexibility across instance families) with Reserved Instances (which lock to a specific instance family), or assuming Spot Instances can be used for a continuous production workload despite their interruption risk.

How to eliminate wrong answers

Option A is wrong because S3 Intelligent-Tiering is an object storage class for data with changing access patterns, not a compute discount mechanism for EC2 instances. Option B is wrong because Dedicated Instances provide physical isolation but do not offer any discount; they are a billing configuration, not a savings plan. Option D is wrong because Spot Instances are designed for fault-tolerant, interruptible workloads and cannot guarantee continuous availability for a production log archive that must run continuously.

316 (Multi-Select, hard)

Multiple teams share one AWS Organization. Finance wants chargeback by project, alerts before overspend, and monthly views by account without manually opening each account. Which three actions best fit? Select three.

Select 3 answers
A. Enforce cost allocation tags on resources and activate them for billing reports.
B. Use AWS Budgets to create alerts and budget actions for each project.
C. Use Cost Explorer or Cost and Usage Reports to analyze spend by account, tag, and service.
D. Put every team in a separate AWS account and ignore tagging.
E. Use CloudTrail trails to estimate spend by resource because it records API calls.

Answers: A, B, C

Correct. Cost allocation tags are the foundation for project-level chargeback. Once activated for billing, they let finance group spend by business unit, application, or environment.

Why this answer

Option A is correct because cost allocation tags allow you to tag resources with project-specific metadata (e.g., 'Project: Alpha'), and activating them for billing reports ensures that AWS Cost Explorer and Cost and Usage Reports can group and filter costs by those tags. This directly enables chargeback by project without manual account inspection, as the tags are propagated into the billing data.

Exam trap

The trap here is that candidates may confuse CloudTrail (an API auditing service) with cost tracking tools, or assume that separate accounts alone solve chargeback without needing tags for project-level granularity.

317 (MCQ, medium)

A team runs an application on Amazon EC2 that connects to an Aurora database. The database password must rotate automatically every 30 days, and the application should retrieve the current secret at runtime using an IAM role. Which AWS service is the best fit?

A. AWS Systems Manager Parameter Store standard parameters.
B. AWS Secrets Manager with rotation enabled.
C. AWS KMS, because KMS stores credentials and rotates them automatically.
D. Amazon S3 with server-side encryption and versioning.

Answer: B

Secrets Manager is designed for secure secret storage with built-in rotation support and fine-grained access through IAM. In this case, the application can retrieve the current database credentials at runtime with its EC2 role, while the secret is rotated on a schedule without embedding passwords in code. This reduces operational risk, improves auditability, and avoids manual password changes that often cause outages.

Why this answer

AWS Secrets Manager is the best fit because it natively supports automatic rotation of database credentials on a schedule (e.g., every 30 days) and integrates directly with Amazon RDS/Aurora to update the password. The application can retrieve the current secret at runtime using an IAM role attached to the EC2 instance, without hardcoding credentials. Secrets Manager also provides built-in secret rotation with Lambda, ensuring zero downtime during password changes.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with Secrets Manager, or incorrectly assume KMS can store and rotate credentials because it handles encryption keys.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store standard parameters do not support automatic rotation of secrets; they are designed for static configuration data and require custom automation to rotate passwords. Option C is wrong because AWS KMS is a key management service for encryption keys, not a service for storing or rotating credentials; it does not store secrets or provide rotation capabilities. Option D is wrong because Amazon S3 with server-side encryption and versioning is a storage service that lacks native rotation scheduling and secret retrieval via IAM roles; it would require custom application logic to manage password rotation and retrieval, adding complexity and security risks.

318
Matching · hard

Match each database availability event to the AWS failover behavior that best describes it.

The standby in another Availability Zone is promoted, and the same database endpoint remains in use after a brief reconnect.

Aurora promotes another healthy instance to writer while the shared storage layer stays intact across Availability Zones.

A manual failover can be triggered so the standby becomes primary before the reboot finishes.

Only that reader is removed from the reader set; the cluster can still serve read traffic through the remaining healthy readers.

Why these pairings

Multi-AZ RDS automatically fails over to standby; read replicas require manual redirect; Aurora uses replicas for failover; without replicas, Aurora recovers in-place.

319
MCQ · hard

Based on the exhibit, the company wants to lower CloudWatch and EC2 monitoring costs. Auditors require logs to be retained for 90 days, but operations only uses detailed per-instance metrics during rare troubleshooting events. Which change best reduces recurring cost while preserving the required visibility?

A.Disable CloudWatch Logs entirely and rely on application local files for 90 days.
B.Increase the number of CloudWatch alarms so that metrics are collected less expensively.
C.Set CloudWatch Logs retention to 90 days for all log groups, and switch EC2 monitoring from detailed to basic except during incidents.
D.Export all logs to Amazon S3 immediately and keep detailed monitoring enabled on every instance.
Answer: C

This directly addresses the two visible recurring cost drivers. Applying a 90-day retention policy stops indefinite log storage growth while still meeting the audit requirement. Basic monitoring is sufficient when 1-minute metrics are not required all the time, and detailed monitoring can be enabled selectively during incidents instead of paying for it across all 200 instances continuously.

Why this answer

Option C is correct because it directly addresses the two cost drivers: CloudWatch Logs storage costs are minimized by setting a 90-day retention policy (matching the audit requirement), and EC2 detailed monitoring (1-minute metrics) is replaced with basic monitoring (5-minute metrics) during normal operations, with the ability to switch back to detailed only when needed for troubleshooting. This preserves the required log retention and the ability to obtain high-resolution metrics on demand, while eliminating the recurring cost of storing logs indefinitely and paying for detailed monitoring on every instance.

Exam trap

The trap here is that candidates may think increasing alarms or exporting logs to S3 reduces costs, but they fail to recognize that detailed monitoring is a per-instance hourly charge independent of alarms, and that S3 storage and API costs can exceed CloudWatch Logs costs if not managed carefully.

How to eliminate wrong answers

Option A is wrong because disabling CloudWatch Logs entirely and relying on application local files violates the auditor's requirement for centralized, durable log retention and makes logs inaccessible if the instance fails or is terminated. Option B is wrong because increasing the number of CloudWatch alarms does not reduce metric collection costs; alarms are billed separately and do not change the underlying cost of detailed monitoring (per-instance per-minute charges). Option D is wrong because exporting logs to S3 immediately does not reduce costs—it adds S3 storage and PUT request costs—and keeping detailed monitoring enabled on every instance continues to incur the higher per-instance monitoring fee.

320
MCQ · easy

A service performs many repeated read requests for the same DynamoDB items. The reads are latency-sensitive, but the application can tolerate slightly stale data. Which AWS service is the best fit to reduce read latency?

A.Amazon DAX (DynamoDB Accelerator)
B.Amazon S3 Select
C.Amazon SQS FIFO queue
D.AWS Lambda provisioned concurrency
Answer: A

Amazon DAX is an in-memory cache for DynamoDB. It reduces latency for repeated reads by caching results and serving subsequent read requests from the DAX cluster rather than repeatedly calling DynamoDB. Because it provides cached reads that may be slightly stale, it matches the scenario’s tolerance.

Why this answer

Amazon DAX (DynamoDB Accelerator) is an in-memory cache specifically designed for DynamoDB. It reduces read latency from single-digit milliseconds to microseconds by caching frequently accessed items, and it supports eventually consistent reads, which aligns with the application's tolerance for slightly stale data. DAX handles repeated read requests without additional DynamoDB read capacity unit consumption, making it the optimal choice for this latency-sensitive workload.

Exam trap

The trap here is that candidates often confuse caching services (DAX) with data retrieval services (S3 Select) or assume that a queue (SQS) or compute optimization (Lambda provisioned concurrency) can solve read latency issues, when only a purpose-built in-memory cache like DAX directly addresses repeated DynamoDB reads with stale data tolerance.

How to eliminate wrong answers

Option B (Amazon S3 Select) is wrong because it retrieves subsets of data from objects stored in S3 using SQL-like queries, not from DynamoDB items, and it does not provide a caching layer to reduce read latency for repeated DynamoDB reads. Option C (Amazon SQS FIFO queue) is wrong because it is a message queuing service for decoupling and ordering messages, not a caching or read-acceleration service for DynamoDB; it adds latency rather than reducing it for repeated reads. Option D (AWS Lambda provisioned concurrency) is wrong because it pre-warms Lambda execution environments to reduce cold starts, but it does not cache DynamoDB items or reduce read latency for repeated database queries.

321
Drag & Drop · medium

Order the steps to create a static website using Amazon S3 and CloudFront.

Why this order

S3 bucket with hosting, upload files, CloudFront distribution, configure CloudFront, then DNS.

322
MCQ · medium

A Lambda function for a claims portal needs to read a database password. The password must rotate automatically every 30 days and should not be stored in environment variables. Which service should be used?

A.AWS Systems Manager Parameter Store SecureString without automation
B.An encrypted object in Amazon S3
C.A KMS-encrypted Lambda environment variable
D.AWS Secrets Manager with rotation enabled
Answer: D

Secrets Manager stores secrets securely and supports automatic rotation using a rotation Lambda function.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, automatically rotating, and managing secrets like database passwords. It supports automatic rotation every 30 days via a built-in Lambda rotation function, and it avoids storing the password in environment variables, which are visible in the Lambda console and logs.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store SecureString with Secrets Manager, assuming Parameter Store can also handle automatic rotation, but Parameter Store lacks native rotation capabilities and requires custom automation.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store SecureString can store encrypted secrets but does not support automatic rotation without additional custom automation (e.g., a scheduled Lambda function). Option B is wrong because an encrypted object in Amazon S3 requires manual management of encryption keys and rotation, and the Lambda function would need to download and decrypt the object each time, adding complexity and latency. Option C is wrong because a KMS-encrypted Lambda environment variable, while encrypted at rest, is still stored as an environment variable that can be exposed in the Lambda function's configuration, logs, or error messages, and it does not support automatic rotation.

323
MCQ · medium

An application runs on EC2 instances in private subnets in a VPC. There is no NAT gateway. The instances need to download objects from S3 over HTTPS and also call DynamoDB. The security group outbound rules allow TCP 443 to the VPC endpoint addresses. After deployment, the app times out when connecting to S3, but it can reach DynamoDB. Which single change is most likely to restore S3 connectivity?

A.Create a Gateway VPC endpoint for S3 and associate it with the private subnet route tables that contain the instances.
B.Replace the security group egress rule to allow all outbound traffic to 0.0.0.0/0 on TCP 443.
C.Add an Internet Gateway to the VPC and route the private subnet’s 0.0.0.0/0 to the IGW.
D.Switch from network ACLs to security groups by removing the existing NACL allow rules for ephemeral ports.
Answer: A

S3 connectivity without NAT typically requires a Gateway VPC endpoint. For a gateway endpoint, you must update the route tables to direct S3 traffic to the endpoint. If DynamoDB works but S3 times out, it often means DynamoDB has the required endpoint while S3 is missing or not routed via the correct route tables.

Why this answer

The application runs in private subnets without a NAT Gateway, so it cannot reach the internet. A Gateway VPC Endpoint for S3 allows private subnet instances to access S3 over the AWS network without internet connectivity. The security group already permits outbound TCP 443 to the endpoint addresses, so the missing piece is the route table association that directs S3 traffic to the endpoint.

Exam trap

The trap here is that candidates often assume a security group egress rule to 0.0.0.0/0 is sufficient, forgetting that private subnets without a NAT Gateway have no internet path, so the traffic is silently dropped.

How to eliminate wrong answers

Option B is wrong because allowing all outbound traffic to 0.0.0.0/0 on TCP 443 does not help; the instances are in private subnets with no internet path, so traffic to the internet will still be dropped. Option C is wrong because adding an Internet Gateway and routing 0.0.0.0/0 to it would require a NAT Gateway or assigning public IPs to the instances, which is not mentioned and would break the private subnet design. Option D is wrong because network ACLs are stateless and must allow ephemeral ports for return traffic, but the issue is about outbound connectivity to S3, not NACL misconfiguration; security groups already handle stateful filtering.

324
Matching · hard

Match each data-retention scenario to the most cost-effective Amazon S3 storage class. Assume the retrieval pattern and access-latency requirement are the most important constraints.

Amazon S3 Standard

Amazon S3 Standard-IA

Amazon S3 Glacier Instant Retrieval

Amazon S3 Glacier Deep Archive

Why these pairings

S3 Standard is for frequent access; Intelligent-Tiering optimizes cost for unknown patterns; Standard-IA for infrequent but rapid access; Glacier Flexible Retrieval for minutes; Glacier Deep Archive for hours.

325
MCQ · medium

Based on the exhibit, the business needs Regional disaster recovery with an RTO of 45 minutes and an RPO of 15 minutes. The solution should keep cost lower than running two fully active production environments. Which DR strategy is the best fit?

A.Backup and restore only, because the existing daily backups are already in another Region.
B.Pilot light, because the recovery Region only needs minimal resources and can be scaled after a disaster.
C.Warm standby, because a scaled-down but fully functional copy can take traffic quickly while keeping costs below full duplication.
D.Active-active, because it minimizes RTO by keeping both Regions fully live all the time.
Answer: C

Warm standby keeps a functional copy of the environment running in the recovery Region at reduced capacity. That shortens failover time compared with backup and restore or pilot light, while still costing less than a fully scaled second production stack. With continuous or near-continuous data replication and automated cutover, it can satisfy an RTO of 45 minutes and an RPO of 15 minutes.

Why this answer

Warm standby is the best fit because it maintains a scaled-down but fully functional copy of the production environment in the recovery Region, which can be quickly scaled up to handle production traffic. This meets the RTO of 45 minutes and RPO of 15 minutes by keeping the standby environment ready with replicated data (e.g., using Amazon RDS Multi-AZ or cross-Region read replicas with synchronous replication), while costing less than two fully active environments since the standby runs on smaller instances or fewer resources until failover.

Exam trap

The trap here is that candidates often confuse pilot light with warm standby, assuming minimal resources can be scaled quickly enough to meet a 45-minute RTO, but pilot light requires provisioning and configuring additional resources (e.g., launching EC2 instances, attaching volumes) which typically exceeds that time window, whereas warm standby already has a running (though scaled-down) environment ready to accept traffic.

How to eliminate wrong answers

Option A is wrong because backup and restore only cannot achieve an RTO of 45 minutes or RPO of 15 minutes; restoring from daily backups would take hours and lose up to 24 hours of data, far exceeding the required RPO. Option B is wrong because pilot light uses minimal resources (e.g., core services like a small database and a few EC2 instances) but requires provisioning and scaling of full infrastructure after a disaster, which typically takes longer than 45 minutes to become fully operational, thus failing the RTO requirement. Option D is wrong because active-active keeps both Regions fully live all the time, which incurs the cost of two fully active production environments, contradicting the requirement to keep costs lower than full duplication.

326
MCQ · medium

An application encrypts data directly with AWS KMS using an encryption context. Your KMS key policy includes a condition that allows kms:Decrypt only when the encryption context contains `"purpose" = "myapp-secrets"`. After a deployment, decryption fails. CloudTrail shows kms:Decrypt was called, but it was denied by the key policy due to the encryption context condition. What is the best fix?

A.Update the application code to supply the correct encryption context "purpose" = "myapp-secrets" when calling decrypt (and encrypt if rotating).
B.Add kms:Decrypt to the IAM role attached to the application without changing the key policy.
C.Disable the encryption context condition in the KMS key policy to avoid future failures.
D.Rotate the KMS key immediately and re-encrypt all secrets with a different key ID.
Answer: A

If the KMS key policy enforces an encryption context match, decrypt must provide the same context keys and values used during encryption. Aligning the encryption context fixes policy enforcement without weakening the key policy.

Why this answer

Option A is correct because the decryption failure is directly caused by the application not supplying the required encryption context in the decrypt call. The KMS key policy condition explicitly requires the encryption context to include 'purpose'='myapp-secrets' for kms:Decrypt. Without this context, the request is denied regardless of IAM permissions.

Updating the application code to pass the correct encryption context during both encrypt and decrypt operations resolves the issue.

Exam trap

The trap here is that candidates may think IAM permissions alone can override key policy conditions, but KMS requires both IAM and key policy to allow an action, and conditions in the key policy are evaluated strictly.

How to eliminate wrong answers

Option B is wrong because adding kms:Decrypt to the IAM role does not override the key policy condition; KMS requires both IAM permissions and key policy to allow the action, and the key policy condition explicitly denies decryption without the correct encryption context. Option C is wrong because disabling the encryption context condition weakens security by removing a critical access control that ensures only authorized applications with the correct context can decrypt data. Option D is wrong because rotating the KMS key does not address the root cause—the encryption context mismatch—and re-encrypting with a different key ID would still fail if the application does not supply the required context.
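The following is an added example written for this page, not code from the question bank or from AWS: a small offline model of the two checks a decrypt call has to pass in the scenario above, the key-policy condition on `kms:EncryptionContext:purpose` and the requirement that the context supplied at decrypt time match the context bound at encrypt time. No AWS calls are made; the "ciphertext" is a toy record that only carries the bound context, and the principal ARN and secret value are constructed placeholders.

```python
"""Offline model of the KMS encryption-context checks from question 326.

Two independent checks must both pass for kms:Decrypt to succeed:
  1. the key-policy condition  StringEquals kms:EncryptionContext:purpose
  2. the context supplied at decrypt time must exactly equal the context bound
     to the ciphertext at encrypt time (KMS uses it as additional authenticated data)
Everything here is a constructed stand-in; nothing talks to AWS.
"""

from dataclasses import dataclass

CONTEXT_PREFIX = "kms:EncryptionContext:"

# Key-policy statement as the question describes it. The Principal ARN is a placeholder.
KEY_POLICY_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/claims-app-role"},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:EncryptionContext:purpose": "myapp-secrets"}},
}


@dataclass(frozen=True)
class ToyCiphertext:
    """Stands in for a KMS CiphertextBlob: the payload plus the context bound to it."""
    payload: str
    bound_context: tuple  # sorted (key, value) pairs


def key_policy_allows(statement: dict, encryption_context: dict) -> bool:
    """True when every kms:EncryptionContext:<key> in the StringEquals condition is
    present in the request with exactly the expected value. A missing key fails the
    condition, which is the failure mode described in the question."""
    if statement.get("Effect") != "Allow" or statement.get("Action") != "kms:Decrypt":
        return False
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    for cond_key, expected in string_equals.items():
        if not cond_key.startswith(CONTEXT_PREFIX):
            continue  # other condition keys are out of scope for this model
        ctx_key = cond_key[len(CONTEXT_PREFIX):]
        if encryption_context.get(ctx_key) != expected:
            return False
    return True


def toy_encrypt(plaintext: str, encryption_context: dict) -> ToyCiphertext:
    """Bind the encryption context to the ciphertext, as KMS does with its AAD."""
    return ToyCiphertext(plaintext, tuple(sorted(encryption_context.items())))


def toy_decrypt(statement: dict, blob: ToyCiphertext, encryption_context: dict) -> dict:
    """Evaluate the key-policy condition first, then the context binding.
    Returns a dict with status ('Allow'/'Deny'), reason and plaintext."""
    if not key_policy_allows(statement, encryption_context):
        return {"status": "Deny", "reason": "key policy condition not satisfied", "plaintext": None}
    if tuple(sorted(encryption_context.items())) != blob.bound_context:
        return {"status": "Deny", "reason": "encryption context mismatch", "plaintext": None}
    return {"status": "Allow", "reason": "ok", "plaintext": blob.payload}


def demo() -> dict:
    """Reproduce the incident: encrypt with the context, then decrypt four ways."""
    blob = toy_encrypt("db-password-placeholder", {"purpose": "myapp-secrets"})
    return {
        # the broken deployment: no context supplied at all
        "no_context": toy_decrypt(KEY_POLICY_STATEMENT, blob, {}),
        # right key, wrong value: still stopped by the key policy
        "wrong_context": toy_decrypt(KEY_POLICY_STATEMENT, blob, {"purpose": "other-app"}),
        # the fix from option A
        "correct_context": toy_decrypt(KEY_POLICY_STATEMENT, blob, {"purpose": "myapp-secrets"}),
        # passes the key policy but not the binding: the whole context must match
        "extra_key": toy_decrypt(KEY_POLICY_STATEMENT, blob,
                                 {"purpose": "myapp-secrets", "env": "prod"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result['status']:5s} {result['reason']}")
```

The fourth case is the one the question does not spell out: adding a context key that the key policy does not mention still satisfies the policy condition, yet decryption fails because KMS requires the decrypt-time context to equal the encrypt-time context exactly, so the application has to pass the same full context on both calls.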

327
Multi-Select · medium

A distributed simulation launches 40 EC2 instances that exchange small packets frequently and are sensitive to cross-instance latency. The workload stays in one Availability Zone and can use the same instance family across nodes. Which two choices improve network performance the most? Select two.

Select 2 answers
A.Launch all instances in a cluster placement group.
B.Place the instances across several Availability Zones for higher aggregate resilience.
C.Choose an instance family with high network bandwidth and enhanced networking support.
D.Use a spread placement group to pack the instances tightly together.
E.Put the workload behind CloudFront so internal node communication is faster.
Answers: A, C

A cluster placement group places instances physically close together within one Availability Zone, which reduces inter-node latency and jitter. This is the standard AWS pattern for tightly coupled distributed workloads such as simulations, MPI-style jobs, and HPC clusters.

Why this answer

A cluster placement group provides low-latency, high-bandwidth network connectivity by placing instances in a single Availability Zone within the same logical rack or cluster. This minimizes cross-instance latency and maximizes throughput for frequent small-packet exchanges, which is ideal for tightly coupled distributed simulations.

Exam trap

The trap here is confusing a spread placement group (which is for high availability by isolating instances on different hardware) with a cluster placement group (which is for low latency by grouping instances closely together).

328
Matching · hard

A media platform serves global users through Amazon CloudFront and an S3 origin. Match each requirement on the left to the CloudFront configuration or behavior on the right.

Use CloudFront Origin Access Control and allow only the distribution in the bucket policy.

Use versioned object filenames or hashed asset names with a long TTL.

Exclude the tracking query string from the cache key with a cache policy.

Use CloudFront signed URLs or signed cookies.

Why these pairings

Geo restriction blocks countries; Lambda@Edge can inspect User-Agent for device; cache behaviors set caching rules; referer header prevents hotlinking; origin shield caches dynamic content; origin groups allow multiple origins per behavior.

329
MCQ · easy

Based on the exhibit, the database must fail over automatically if the primary Availability Zone goes down. Which solution should the architect choose?

A.Create a read replica in the same Availability Zone as the primary database.
B.Convert the database to a Multi-AZ RDS deployment.
C.Increase the backup retention period to 35 days.
D.Move the database to an EC2 instance with an attached EBS volume.
Answer: B

A Multi-AZ RDS deployment keeps a synchronous standby in another Availability Zone and automatically fails over when the primary fails. This matches the requirement for minimal manual intervention and preserves the same database endpoint, so the application does not need connection string changes. It is the standard AWS choice for resilient relational databases.

Why this answer

Option B is correct because a Multi-AZ RDS deployment automatically provisions and maintains a synchronous standby replica in a different Availability Zone. If the primary AZ fails, Amazon RDS automatically fails over to the standby, typically within 60–120 seconds, without requiring manual intervention or changes to the application connection string.

Exam trap

The trap here is that candidates confuse read replicas (which are asynchronous and require manual promotion) with Multi-AZ deployments (which provide automatic synchronous failover), often selecting a read replica in the same AZ because they think it offers high availability without understanding the fundamental replication mode difference.

How to eliminate wrong answers

Option A is wrong because a read replica in the same AZ does not provide automatic failover; it is designed for read scaling, not high availability, and requires manual promotion. Option C is wrong because increasing the backup retention period to 35 days only affects point-in-time recovery and automated backups, not failover capability. Option D is wrong because moving the database to an EC2 instance with an attached EBS volume requires custom scripting or third-party tools to implement automatic failover, and EBS volumes are AZ-specific, so they cannot survive an AZ outage without manual intervention.

330
MCQ · medium

A ticket booking system uses Aurora MySQL. The company wants fast cross-Region disaster recovery with low RPO. Which architecture should be considered?

A.Aurora Global Database
B.A single-AZ Aurora cluster
C.An ElastiCache Redis replica
D.Manual snapshots copied monthly
Answer: A

Aurora Global Database replicates with low latency to secondary Regions and supports faster disaster recovery than snapshot-only approaches.

Why this answer

Aurora Global Database is designed for cross-Region disaster recovery with a typical RPO of 1 second or less, using storage-based replication that does not impact database performance. This meets the requirement for fast failover and low data loss, unlike manual snapshot-based approaches which have higher RPO and slower recovery.

Exam trap

The trap here is that candidates may confuse cross-Region read replicas (which have higher lag and manual promotion) with Aurora Global Database, or assume that ElastiCache or single-AZ deployments can provide adequate DR, when only Aurora Global Database meets the low RPO and fast cross-Region recovery requirements.

How to eliminate wrong answers

Option B is wrong because a single-AZ Aurora cluster lacks any cross-Region replication or failover capability, providing no disaster recovery across Regions. Option C is wrong because ElastiCache Redis is an in-memory cache, not a persistent database, and cannot serve as the primary data store for ticket booking transactions or provide cross-Region DR for the Aurora MySQL data. Option D is wrong because manual snapshots copied monthly result in an RPO of up to one month, which is far too high for the low RPO requirement, and recovery would require provisioning a new cluster from the snapshot, leading to significant downtime.

331
MCQ · easy

A web service runs on an Auto Scaling group (ASG). The team updates configuration (AMIs, environment variables) in a Launch Template and wants new instances created during scale-out to use the latest Launch Template version. What should the architect do?

A.Leave the ASG attached to the previous Launch Template version so scale-out is stable.
B.Set the ASG to use the latest Launch Template version and optionally start an instance refresh for existing instances.
C.Manually SSH into each new instance and reconfigure it after it launches.
D.Move the configuration changes into a security group rule so the ASG updates them automatically.
Answer: B

ASG scale-out uses the configured Launch Template version at instance launch time. Switching the ASG to the latest version ensures new instances are consistent. An instance refresh helps apply changes to running instances safely and predictably.

Why this answer

Option B is correct because the Auto Scaling group can be configured to use the latest version of a launch template by specifying the `$Latest` version. This ensures that any new instances launched during scale-out automatically use the most recent configuration. Additionally, an instance refresh can be initiated to update existing instances to the latest template version without manual intervention.

Exam trap

The trap here is that candidates may think the ASG automatically updates existing instances when the launch template is updated, but in reality, only new instances launched after the update use the new version unless an instance refresh is explicitly triggered.

How to eliminate wrong answers

Option A is wrong because leaving the ASG attached to a previous launch template version means new instances will not receive the updated configuration, defeating the purpose of updating the template. Option C is wrong because manually SSHing into each new instance is not scalable, violates infrastructure-as-code principles, and is error-prone in an auto-scaling environment. Option D is wrong because security group rules control network traffic, not instance configuration (such as AMIs or environment variables), and cannot propagate launch template changes.

332
Multi-Select · hard

A claims workflow requires point-in-time recovery and accidental-delete protection for a DynamoDB table. Which two settings should the architect enable?

Select 2 answers
A.Point-in-time recovery
B.DAX
C.Deletion protection or tightly controlled delete permissions
D.Global secondary indexes
Answers: A, C

PITR allows restoration to a specific second within the supported recovery window.

Why this answer

Point-in-time recovery (PITR) for DynamoDB enables continuous backups over a 35-day window, allowing restoration to any second within that window. This directly satisfies the requirement for point-in-time recovery by providing the ability to restore the table to a specific state before a data corruption or accidental write event.

Exam trap

The trap here is that candidates often confuse DAX or GSIs as data protection mechanisms, but neither provides backup, recovery, or deletion prevention—they are performance and query optimization features, not resilience controls.

333
MCQ · hard

A warehouse integration service must use shared file storage across Linux EC2 instances in multiple Availability Zones. The storage must remain available during an AZ failure. Which service should be used? The architecture review board prefers a managed AWS-native control.

A.Amazon EFS with mount targets in multiple Availability Zones
B.S3 mounted as a POSIX file system without a file gateway
C.Instance store volumes
D.An EBS volume attached to all instances
Answer: A

EFS is regional file storage and supports mount targets across AZs.

Why this answer

Amazon EFS provides a fully managed, NFS-based shared file system that can be mounted concurrently by multiple Linux EC2 instances across different Availability Zones. By creating mount targets in each AZ, the file system remains accessible even if one AZ fails, as traffic is automatically routed to the surviving mount targets. This meets the requirement for shared, resilient storage with a managed AWS-native control plane.

Exam trap

The trap here is that candidates often confuse EBS Multi-Attach (which is limited to a single AZ and specific instance types) with the cross-AZ shared file system capability of EFS, or incorrectly assume S3 with a FUSE mount can replace a POSIX-compliant file system.

How to eliminate wrong answers

Option B is wrong because mounting S3 as a POSIX file system (e.g., using s3fs-fuse) does not provide true POSIX compliance, lacks strong consistency guarantees, and introduces performance and locking issues unsuitable for shared file workloads; it also requires a third-party tool, not a fully managed AWS-native service. Option C is wrong because instance store volumes are ephemeral, tied to the lifecycle of a single EC2 instance, and cannot be shared across instances or survive an AZ failure. Option D is wrong because an EBS volume can only be attached to a single EC2 instance at a time (unless using multi-attach, which is limited to specific EBS types and still not designed for cross-AZ shared file systems), and it cannot be simultaneously mounted by instances in multiple Availability Zones.

334
MCQ · medium

A document portal requires consistent high IOPS for a transactional database on EC2. Which EBS volume type is most suitable? The design must avoid adding custom operational scripts.

A.sc1 Cold HDD
B.Instance store only
C.Provisioned IOPS SSD such as io2
D.st1 Throughput Optimized HDD
Answer: C

io2 is designed for business-critical workloads requiring consistent high IOPS and durability.

Why this answer

Provisioned IOPS SSD volumes (io2) are designed for latency-sensitive transactional workloads that require consistent, high IOPS. They deliver a predictable performance level with a 99.9% durability guarantee, making them ideal for a database on EC2 without needing custom scripts to manage performance.

Exam trap

The trap here is that candidates often confuse throughput-optimized HDD (st1) with IOPS-optimized SSD, failing to recognize that transactional databases require low-latency random I/O, not high sequential throughput.

How to eliminate wrong answers

Option A is wrong because sc1 Cold HDD volumes are optimized for large, sequential workloads with low cost, not for high IOPS or transactional databases. Option B is wrong because instance store volumes are ephemeral and data is lost on instance stop/termination, requiring custom operational scripts to manage data persistence. Option D is wrong because st1 Throughput Optimized HDD volumes are designed for high-throughput, sequential access patterns (e.g., big data, log processing) and cannot deliver the consistent low-latency IOPS required for transactional databases.

335
Multi-Select · medium

A company is hosting a web application on Amazon ECS Fargate behind an Application Load Balancer. The application needs to authenticate users using Amazon Cognito and store session data in Amazon ElastiCache for Redis. The security team mandates that all traffic between the ALB and ECS tasks must not traverse the public internet, and that session data in ElastiCache is encrypted at rest. Which three steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
- Configure the ALB to be internal-facing and place the ECS tasks in public subnets.
- Deploy the ECS tasks in private subnets and configure the ALB as an internal load balancer.
- Enable encryption at rest on the ElastiCache for Redis cluster using a customer-managed key in AWS KMS.
- Use a security group on the ECS tasks that allows inbound traffic only from the ALB's security group.
- Place the ECS tasks in a public subnet and use network ACLs to block inbound traffic from the internet.
- Configure the ElastiCache cluster to use in-transit encryption only.

Why this answer

Deploying ECS tasks in private subnets with an internal ALB ensures traffic between the ALB and tasks does not traverse the public internet, as internal load balancers have only private IP addresses. Enabling encryption at rest on ElastiCache for Redis with a customer-managed KMS key meets the security mandate for encrypted session data. Using a security group on ECS tasks that allows inbound traffic only from the ALB's security group provides a precise, stateful firewall rule that enforces the traffic flow restriction.

Exam trap

The trap here is that candidates often confuse 'encryption at rest' with 'in-transit encryption' or think that placing tasks in public subnets with network ACLs is sufficient to prevent public internet traffic, but network ACLs are stateless and cannot guarantee traffic only from the ALB, and public subnets still have a route to the internet gateway.

336
MCQ (easy)

A worker service consumes messages from an Amazon SQS queue. Some messages are malformed and always fail validation. The worker retries, but it keeps reprocessing the same bad messages and consumes processing capacity that should be used for valid work. What is the best solution to prevent “poison messages” from blocking progress?

A. Configure a Dead-Letter Queue (DLQ) and set a redrive policy so messages move to the DLQ after a maximum number of receives.
B. Increase the visibility timeout so the worker gets fewer retries per hour.
C. Disable SQS retries by deleting messages immediately on any processing error.
D. Create a second worker that polls the queue less frequently until the malformed message is processed successfully.
Answer: A

DLQs isolate repeatedly failing messages so they stop consuming worker capacity and can be analyzed later.

Why this answer

A Dead-Letter Queue (DLQ) with a redrive policy is the standard AWS mechanism for handling poison messages. By setting a maximum receive count (e.g., 5), the SQS queue automatically moves messages that fail processing repeatedly to the DLQ, isolating them from the main queue. This prevents the worker from wasting capacity on invalid messages and allows the main queue to continue processing valid work without interruption.

Exam trap

The trap here is that candidates may think increasing the visibility timeout or deleting messages on error is a valid solution, but AWS specifically designed the DLQ pattern to isolate poison messages without losing data or impacting throughput.

How to eliminate wrong answers

Option B is wrong because increasing the visibility timeout only delays the retry; it does not prevent the worker from eventually reprocessing the same bad message, so the poison message still consumes processing capacity. Option C is wrong because SQS does not support disabling retries; deleting messages immediately on error would lose the message entirely without any chance for recovery or analysis, which is not a best practice. Option D is wrong because creating a second worker that polls less frequently does not solve the problem—the malformed message will still be retried and block progress, and a slower poll rate only reduces throughput without addressing the root cause.

337
MCQ (easy)

A team runs a CPU-intensive image processing service on Amazon EC2. The service spends most of its time resizing and compressing images, and the team wants the best price-performance starting point for compute-heavy work. Which EC2 instance family should they choose?

A. Memory optimized instances
B. Compute optimized instances
C. Storage optimized instances
D. General purpose instances
Answer: B

These instances are designed for workloads that need strong CPU performance and efficient compute price-performance.

Why this answer

Compute optimized instances (C family) are designed for workloads that benefit from high-performance processors, such as batch processing, media transcoding, and image processing. Since the team's service is CPU-intensive (resizing and compressing images), the C family provides the best price-performance starting point for compute-heavy work.

Exam trap

The trap here is that candidates may confuse 'CPU-intensive' with 'memory-intensive' or 'storage-intensive' and choose a general purpose instance (D) thinking it is a safe default, but the question specifically asks for the best price-performance starting point for compute-heavy work, which is the compute optimized family.

How to eliminate wrong answers

Option A is wrong because memory optimized instances (R, X families) are designed for workloads that require large amounts of memory, such as in-memory databases or real-time big data analytics, not CPU-intensive image processing. Option C is wrong because storage optimized instances (I, D families) are designed for workloads that require high sequential read/write access to large datasets on local storage, such as data warehousing or distributed file systems, not CPU-bound tasks. Option D is wrong because general purpose instances (M, T families) offer a balanced mix of compute, memory, and networking, but for CPU-intensive workloads, compute optimized instances provide better price-performance due to their higher clock speeds and optimized processor features.

338
MCQ (medium)

A Lambda function behind an API needs consistent low latency. Traffic normally drops to near zero, then spikes several times per hour. During spikes, the p95 latency often spikes above 800 ms due to cold starts. The team wants to keep using Lambda (no containers) but minimize cold start impact during predictable spikes. What is the best AWS configuration to meet this goal?

A. Enable Lambda provisioned concurrency on a published function alias and set the minimum provisioned instances to the baseline expected during spikes.
B. Increase the function memory size to the maximum and rely on the larger memory to eliminate cold starts.
C. Configure an ALB with target group health checks to keep Lambda warm by sending periodic requests.
D. Turn on AWS CloudTrail data events to monitor cold start frequency and tune the runtime accordingly.
Answer: A

Provisioned concurrency pre-initializes Lambda execution environments for a specific alias, reducing cold start latency.

Why this answer

Provisioned concurrency initializes a specified number of execution environments in advance, keeping them warm and ready to handle requests instantly. By setting the minimum provisioned instances to the baseline expected during spikes, the function avoids cold starts for those requests, ensuring p95 latency stays low even when traffic surges from near zero.

Exam trap

The trap here is that candidates may confuse provisioned concurrency with reserved concurrency, or assume that increasing memory or using health checks can eliminate cold starts, when only provisioned concurrency guarantees pre-warmed environments for predictable spikes.

How to eliminate wrong answers

Option B is wrong because increasing memory size can improve CPU performance but does not eliminate cold starts; cold starts still occur when a new execution environment is created. Option C is wrong because ALB health checks send requests to the Lambda function, but they do not guarantee that the function stays warm for all concurrent invocations during spikes, and the health check interval (e.g., every 30 seconds) is insufficient to prevent cold starts when traffic spikes from zero. Option D is wrong because CloudTrail data events log API calls but do not prevent cold starts; they only provide monitoring data, not a solution to reduce latency.

339
Multi-Select (hard)

A media company runs a 24/7 ingestion API on EC2 behind an Application Load Balancer and a nightly transcoding job that can resume from checkpoints. The API fleet runs at roughly 65 percent CPU all day, while the batch workers sit idle most of the time. The company wants to cut compute cost without risking the API. Which two changes should they make? Select two.

Select 2 answers
A. Purchase a Compute Savings Plan for the always-on API fleet.
B. Move the transcoding workers to EC2 Spot Instances and checkpoint progress.
C. Replace the API fleet with Dedicated Hosts to lock in lower rates.
D. Buy Standard Reserved Instances for the batch workers and keep them running 24/7.
E. Increase the worker Auto Scaling minimum to prevent Spot interruptions.
Answers: A, B

Correct. Compute Savings Plans discount steady usage across EC2 and other compute services without forcing a specific instance family. The API has predictable 24/7 demand, so a commitment fits the usage pattern and lowers cost safely.

Why this answer

A is correct because a Compute Savings Plan offers the largest discount (up to 66%) in exchange for a 1- or 3-year commitment to a consistent amount of compute usage (measured in $/hour), regardless of instance family, region, or OS. The API fleet runs at a steady 65% CPU 24/7, making it an ideal candidate for this flexible, cost-saving commitment without locking into a specific instance type.

Exam trap

The trap here is that candidates often confuse Dedicated Hosts with cost savings (they are for licensing, not cost reduction) and assume Reserved Instances are always the best choice for any workload, ignoring that Spot Instances are far more cost-effective for interruptible batch jobs.

340
MCQ (medium)

A warehouse integration service receives bursts of orders that sometimes overwhelm a downstream fulfilment service. The architecture must absorb spikes and retry processing without losing requests. Which service should be placed between the web tier and fulfilment workers? The design must avoid adding custom operational scripts.

A. AWS WAF
B. Amazon Route 53 weighted routing
C. Amazon SQS queue
D. Amazon CloudFront
Answer: C

SQS decouples producers and consumers, buffers bursts, and supports retries through visibility timeout and dead-letter queues.

Why this answer

Amazon SQS is the correct choice because it acts as a durable, scalable message buffer that decouples the web tier from the fulfilment workers. When order bursts arrive, messages are stored reliably in the queue, and workers can poll at their own pace, retrying failed messages automatically without any custom scripts. This pattern absorbs spikes and ensures no requests are lost, meeting the requirement for a fully managed, serverless integration.

Exam trap

The trap here is that candidates often confuse load-balancing or traffic-routing services (like Route 53 or CloudFront) with message queuing, mistakenly thinking they can absorb processing spikes, whereas only a queue like SQS provides durable storage and asynchronous decoupling for request bursts.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that filters HTTP/S traffic based on rules (e.g., SQL injection, XSS) and does not provide message buffering, decoupling, or retry capabilities for downstream services. Option B is wrong because Amazon Route 53 weighted routing distributes DNS traffic across multiple endpoints based on weights, but it operates at the DNS level and cannot absorb processing spikes or retry failed requests; it simply routes new connections. Option D is wrong because Amazon CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations to reduce latency, but it does not offer message queuing, buffering, or retry logic for backend processing workloads.

341
MCQ (easy)

You use a customer managed AWS KMS key (CMK) to encrypt objects in an S3 bucket using SSE-KMS. A specific IAM role must be able to decrypt objects. Where should you grant kms:Decrypt permissions so that the role can decrypt data encrypted with that CMK?

A. In the KMS key policy, allowing kms:Decrypt (and any other required KMS permissions) for the role’s principal ARN.
B. Only in the S3 bucket policy by granting s3:GetObject, because S3 bucket policy controls decryption.
C. Only in the IAM role identity policy; the KMS key policy does not need changes for SSE-KMS.
D. By enabling S3 default encryption; KMS permissions are automatically granted to all IAM roles in the account.
Answer: A

With SSE-KMS, KMS decryption is authorized by KMS for the specific CMK. The CMK key policy is a primary authorization layer; if the key policy does not allow kms:Decrypt for the role (or a matching principal), S3 requests that require KMS decryption will fail even if the S3 or IAM identity policies allow s3:GetObject.

Why this answer

When using a customer managed KMS key (CMK) with SSE-KMS, the KMS key policy is the primary access control mechanism. To allow a specific IAM role to decrypt objects, you must grant kms:Decrypt (and typically kms:DescribeKey) in the key policy for that role's principal ARN. Without this explicit permission in the key policy, the role will be denied decryption even if it has s3:GetObject permissions, because KMS enforces its own authorization.

Exam trap

The trap here is that candidates assume S3 bucket policies or IAM identity policies alone are sufficient for decryption, forgetting that KMS enforces its own authorization layer and the key policy is the gatekeeper for all KMS operations.

How to eliminate wrong answers

Option B is wrong because S3 bucket policies control access to S3 operations (like s3:GetObject) but do not grant KMS permissions; decryption with SSE-KMS requires separate KMS authorization. Option C is wrong because an IAM role identity policy alone is insufficient if the KMS key policy does not grant access to the role; the key policy must explicitly allow the role (or the account) to use the key. Option D is wrong because enabling S3 default encryption does not automatically grant KMS permissions to IAM roles; KMS key policies and IAM policies must still be configured to allow decryption.

342
MCQ (medium)

A test environment stores logs in S3. Logs are queried for 30 days, rarely accessed for one year, and then retained for compliance. What should reduce storage cost?

A. Keep all logs in S3 Standard indefinitely
B. Move all logs immediately to S3 Glacier Deep Archive
C. S3 lifecycle policy that transitions objects to lower-cost storage classes over time
D. Use EBS snapshots for the logs
Answer: C

Lifecycle rules automate transitions based on age, matching storage cost to access patterns.

Why this answer

Option C is correct because an S3 Lifecycle policy automates the transition of objects from S3 Standard (for frequent access) to S3 Standard-IA (infrequent access) after 30 days, then to S3 Glacier Deep Archive (for long-term retention) after one year, minimizing storage costs while maintaining data accessibility as needed.

Exam trap

The trap here is that candidates may choose immediate transition to Glacier Deep Archive (Option B) without considering the 30-day query period, failing to match the lifecycle to the access pattern described in the question.

How to eliminate wrong answers

Option A is wrong because keeping all logs in S3 Standard indefinitely incurs the highest storage cost, ignoring the cost savings from transitioning to lower-cost storage classes for data that is rarely accessed or retained for compliance. Option B is wrong because moving all logs immediately to S3 Glacier Deep Archive is impractical for logs queried frequently in the first 30 days, as retrieval times (hours) and costs would be excessive, and it violates the access pattern described. Option D is wrong because EBS snapshots are designed for block-level backups of EC2 instances, not for storing log files; they are more expensive and less suitable for object-based log storage in S3.

343
MCQ (medium)

Your AWS Organization uses a Service Control Policy (SCP) that includes a Deny statement for secretsmanager:GetSecretValue for all member accounts in the "Finance" OU when requests are made outside us-east-1. An application role has an IAM policy that allows secretsmanager:GetSecretValue for the required secret in us-west-2. In us-west-2, requests fail with AccessDenied. What is the most appropriate action?

A. Update the application role IAM policy to include us-west-2 in the resource ARN.
B. Create a permission boundary that removes the deny behavior for the member account.
C. Modify the SCP to allow secretsmanager:GetSecretValue in us-west-2 for the Finance OU (if that aligns with policy intent), or move the workload to us-east-1.
D. Use sts:AssumeRole into another account that is not in the Finance OU to bypass the SCP.
Answer: C

Because the SCP contains an explicit Deny based on region and OU, the correct remedy is to change the SCP conditions (or operate within the allowed region). SCPs are evaluated independently of IAM identity policies, and an explicit SCP Deny cannot be overridden by an Allow in an identity policy.

Why this answer

SCPs are deny-by-default and act as an outer boundary on all IAM policies in member accounts. Even if the application role's IAM policy allows secretsmanager:GetSecretValue in us-west-2, the SCP's explicit Deny for requests outside us-east-1 overrides that allow. The correct fix is either to modify the SCP to permit the action in us-west-2 (if that aligns with organizational intent) or to relocate the workload to us-east-1, because SCPs cannot be overridden by any IAM policy within the account.

Exam trap

The trap here is that candidates assume IAM policies alone control access and forget that SCPs act as a global deny filter that cannot be bypassed by any IAM-level configuration, leading them to incorrectly choose options that modify IAM policies or use cross-account roles.

How to eliminate wrong answers

Option A is wrong because the IAM policy already allows the action for the secret in us-west-2 (the resource ARN is not the issue); the failure is caused by the SCP's Deny, not a missing resource ARN. Option B is wrong because permission boundaries restrict the maximum permissions an IAM role can have, but they cannot override an SCP Deny; SCPs are evaluated before permission boundaries and a Deny in an SCP always takes precedence. Option D is wrong because assuming a role in another account does not bypass SCPs; the SCP applies to all principals in the member account, and the assumed role would still be subject to the SCP of the target account if it is also in the Finance OU, or the SCP of the source account if the trust policy is evaluated.

344
Multi-Select (medium)

A company stores customer invoices in an Amazon S3 bucket. The application must keep the bucket private, ACLs should not be used, and customers should receive temporary download links for individual invoices. Which three changes should the architect make? Select three.

Select 3 answers
A. Enable S3 Block Public Access on both the bucket and the AWS account.
B. Continue using object ACLs so each customer invoice can be made public briefly.
C. Configure Bucket owner enforced object ownership to disable ACLs.
D. Generate presigned URLs for customers to download specific invoices for a limited time.
E. Move the bucket to another AWS Region to isolate it from the internet.
Answers: A, C, D

Block Public Access prevents accidental public exposure through bucket policies, ACLs, and other public settings. It is a strong baseline control when the data must remain private.

Why this answer

Option A is correct because enabling S3 Block Public Access at both the bucket and account level ensures that no public access is granted to the bucket or its objects, which aligns with the requirement to keep the bucket private. This setting overrides any other permissions that might inadvertently allow public access, providing a strong security baseline.

Exam trap

The trap here is that candidates may think moving a bucket to a different region or making objects public briefly are valid solutions, but the exam tests the understanding that S3 Block Public Access and presigned URLs are the correct mechanisms for private, temporary access without ACLs.

345
MCQ (easy)

A company runs its customer-facing web app on EC2 behind an Application Load Balancer. The database is Amazon RDS for PostgreSQL. The requirement is that if a single Availability Zone fails, the database must automatically fail over within the same AWS Region with minimal application changes. Which database setup best meets this requirement?

A. Use an RDS single-AZ instance and periodically restore from automated backups if needed.
B. Deploy the RDS PostgreSQL instance as Multi-AZ with automatic failover enabled.
C. Create a read replica in a different AZ and use it only when the primary fails.
D. Use RDS with Multi-AZ disabled, but increase storage IOPS to prevent failover.
Answer: B

Multi-AZ RDS maintains a standby instance in a different AZ. If the primary fails, RDS performs automatic failover, preserving the same database endpoint behavior.

Why this answer

Option B is correct because RDS Multi-AZ for PostgreSQL automatically provisions and maintains a synchronous standby replica in a different Availability Zone. If the primary AZ fails, Amazon RDS automatically fails over to the standby, typically within 60–120 seconds, with no changes required to the application's connection string (the DNS name remains the same). This meets the requirement for minimal application changes and automatic failover within the same Region.

Exam trap

The trap here is that candidates often confuse a read replica (which requires manual promotion and DNS changes) with a Multi-AZ standby (which provides automatic, transparent failover), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because restoring from automated backups is a manual process that can take hours, not an automatic failover, and it does not meet the requirement for minimal application changes. Option C is wrong because a read replica is designed for read scaling, not automatic failover; promoting a read replica to primary requires manual intervention and a DNS change, which violates the 'minimal application changes' requirement. Option D is wrong because disabling Multi-AZ and increasing IOPS does not provide any failover capability; it only improves performance and does not protect against an AZ failure.

346
MCQ (medium)

A web application for an order processing API is behind an Application Load Balancer. The application must be protected from common SQL injection and cross-site scripting attacks with minimum operational overhead. What should the architect deploy?

A. Security groups on the application instances
B. Network ACLs on the public subnets
C. AWS WAF associated with the Application Load Balancer
D. AWS Shield Advanced only
Answer: C

AWS WAF can inspect HTTP requests and block common web exploits when associated with an ALB.

Why this answer

AWS WAF is a web application firewall that helps protect web applications from common web exploits like SQL injection and cross-site scripting (XSS) attacks. By associating an AWS WAF web ACL with the Application Load Balancer, you can filter and monitor HTTP/HTTPS requests based on customizable rules, providing application-layer protection with minimal operational overhead since AWS manages the underlying infrastructure and rule updates.

Exam trap

The trap here is that candidates often confuse network-layer controls (security groups and network ACLs) with application-layer protection, assuming they can filter HTTP-level attacks, when in fact only AWS WAF can inspect and block SQL injection and XSS at the application layer.

How to eliminate wrong answers

Option A is wrong because security groups act as a virtual firewall at the instance level, controlling inbound and outbound traffic based on IP addresses and ports; they do not inspect application-layer payloads and cannot detect or block SQL injection or XSS attacks. Option B is wrong because network ACLs are stateless, subnet-level filters that evaluate traffic based on IP addresses, ports, and protocols; they lack the ability to parse HTTP request bodies or headers for malicious patterns. Option D is wrong because AWS Shield Advanced provides DDoS protection against volumetric attacks but does not include application-layer filtering for SQL injection or XSS; it must be combined with AWS WAF for such threats.

347
MCQ (medium)

A company hosts application servers in private subnets. They must access Amazon S3 and read secrets from AWS Secrets Manager, but they want to avoid internet egress. They currently use a NAT gateway and see high NAT-related costs. What change most directly reduces cost while keeping traffic on the AWS network?

A. Keep the NAT gateway and reduce instance size to lower NAT throughput charges
B. Create a Gateway VPC endpoint for S3 and an Interface VPC endpoint for Secrets Manager, then route requests via those endpoints instead of NAT
C. Switch Secrets Manager to use S3 as a storage backend so both services can use the S3 endpoint only
D. Move the private subnets to public subnets and attach an Internet Gateway to eliminate NAT
Answer: B

VPC endpoints allow private connectivity to specific AWS services without sending traffic through a NAT gateway. S3 uses a Gateway endpoint type, while Secrets Manager uses an Interface endpoint type. This directly targets and reduces NAT gateway costs while meeting the “no internet egress” requirement.

Why this answer

Option B is correct because it replaces the NAT gateway with VPC endpoints, which are free of data processing charges and keep all traffic within the AWS network. A Gateway VPC endpoint for S3 uses prefix lists and route table entries to send S3 traffic directly over the AWS backbone, while an Interface VPC endpoint for Secrets Manager uses AWS PrivateLink to provide private connectivity without internet egress. This eliminates NAT gateway hourly and data processing costs, directly addressing the cost concern.

Exam trap

The trap here is that candidates may think NAT gateway costs can be reduced by scaling down instances, or that Secrets Manager can be accessed via an S3 endpoint, when in fact VPC endpoints are the only way to eliminate NAT costs while keeping traffic private and on the AWS network.

How to eliminate wrong answers

Option A is wrong because reducing instance size does not lower NAT gateway throughput charges; NAT gateway pricing is based on hourly usage and per-GB data processing, not instance size, and the underlying instances are managed by AWS. Option C is wrong because Secrets Manager cannot use S3 as a storage backend; it is a separate managed service that stores secrets in its own encrypted infrastructure, and there is no supported configuration to route Secrets Manager traffic through an S3 endpoint. Option D is wrong because moving private subnets to public subnets and attaching an Internet Gateway would expose the application servers directly to the internet, violating security best practices and not eliminating egress costs (IGW data processing charges still apply).

348
MCQ (medium)

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

A. Enable server access logging on the bucket
B. Enable S3 Transfer Acceleration
C. Create an IAM policy that denies s3:GetObject to anonymous users
D. Enable S3 Block Public Access at the account or bucket level
Answer: D

S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.

Why this answer

Option D is correct because S3 Block Public Access provides a definitive override that prevents any public access to objects, regardless of bucket policies or object ACLs. When enabled at the account or bucket level, it blocks all public access settings, ensuring that even if a developer later adds an overly broad bucket policy, the objects remain inaccessible to anonymous users. This is essential for compliance with healthcare regulations like HIPAA, where data must never be publicly exposed.

Exam trap

The trap here is that candidates often think an IAM policy can block anonymous users, but IAM policies never apply to unauthenticated requests—only bucket policies and S3 Block Public Access can control anonymous access.

How to eliminate wrong answers

Option A is wrong because enabling server access logging only records requests made to the bucket; it does not prevent public access or enforce any security controls. Option B is wrong because S3 Transfer Acceleration is a performance feature that speeds up uploads over long distances using AWS edge locations; it has no impact on access permissions or public accessibility. Option C is wrong because an IAM policy that denies s3:GetObject to anonymous users is not effective—IAM policies apply only to authenticated IAM principals, not to anonymous (unauthenticated) users; anonymous access is controlled by bucket policies and ACLs, not IAM.

349
Multi-Select (medium)

A company is deploying a stateless web application on Amazon ECS with Fargate. The application must be resilient to individual task failures and Availability Zone failures. Which three steps should the company take to achieve this resilience? (Choose three.)

Select 3 answers
- Configure the ECS service to use a spread placement strategy across Availability Zones.
- Set a minimum healthy percent of 50 and a maximum percent of 200 in the ECS service deployment configuration.
- Place all ECS tasks in a single subnet to minimize network latency.
- Use an Application Load Balancer (ALB) in front of the ECS service to distribute traffic across tasks.
- Store application session data in an attached EFS file system shared across all tasks.
- Disable automatic task replacement to avoid unnecessary task churn during failures.

Why this answer

Configuring the ECS service with a spread placement strategy across Availability Zones ensures tasks are distributed across multiple AZs, providing resilience against AZ failures. Setting a minimum healthy percent of 50 and a maximum percent of 200 allows the service to maintain at least half of the desired tasks during deployments or failures while scaling up to replace failed tasks without downtime. Using an Application Load Balancer (ALB) in front of the ECS service distributes incoming traffic across healthy tasks in different AZs, automatically rerouting traffic if a task or AZ fails.

Exam trap

The trap here is that candidates may confuse stateless applications with stateful ones and incorrectly choose to store session data in EFS, or they may think placing tasks in a single subnet improves performance without considering the single point of failure risk.

350
MCQ (easy)

Your company hosts an internal API in two AWS Regions. You want Amazon Route 53 to automatically send traffic to the secondary Region if the primary Region’s endpoint becomes unhealthy. Which Route 53 configuration best meets this requirement?

A. Latency-based routing with health checks for both Regions.
B. Failover routing with a primary record associated with a health check, and a secondary (failover) record associated with its own health check settings.
C. Weighted routing to distribute traffic evenly across both Regions.
D. Geolocation routing based on the client’s country to choose a Region.
Answer: B

Route 53 failover routing is explicitly designed for primary/secondary behavior. When the primary record’s health check fails, Route 53 automatically routes to the secondary (failover) record, matching the stated requirement.

Why this answer

Failover routing in Route 53 is specifically designed for active-passive configurations where traffic is directed to a primary resource unless a health check indicates it is unhealthy, at which point traffic is automatically routed to the secondary (failover) record. By associating a health check with the primary record, Route 53 can monitor the endpoint's health and perform the failover seamlessly. This directly meets the requirement to send traffic to the secondary Region when the primary endpoint becomes unhealthy.

Exam trap

The trap here is that candidates often confuse failover routing with latency-based routing, assuming that latency-based routing with health checks will automatically redirect traffic to the next best Region when one is unhealthy, but in reality, latency-based routing only selects the lowest-latency healthy endpoint and does not enforce a strict primary-secondary failover order.

How to eliminate wrong answers

Option A is wrong because latency-based routing directs traffic to the Region with the lowest latency for the client, not based on health status; while health checks can be associated, they only remove unhealthy records from consideration and do not fail over to a designated secondary Region. Option C is wrong because weighted routing distributes traffic based on assigned weights, not health; traffic keeps flowing to the primary endpoint according to its weight unless a health check marks the record unhealthy, and even then there is no automatic failover to a designated secondary. Option D is wrong because geolocation routing directs traffic based on the client's geographic location, not on endpoint health; it does not provide automatic failover to a secondary Region when the primary is unhealthy.

351
MCQ (medium)

A ticket booking system runs on EC2 instances behind an Application Load Balancer. The design must tolerate the failure of one Availability Zone. What should the Auto Scaling group configuration include? The team wants the control to be enforceable during normal operations.

A. Subnets in at least two Availability Zones with health checks enabled
B. All instances in one larger subnet
C. A Network Load Balancer in one subnet
D. A single EC2 instance with detailed monitoring
Answer: A

An Auto Scaling group spanning multiple AZs can replace unhealthy instances and maintain capacity during an AZ failure.

Why this answer

Option A is correct because distributing subnets across at least two Availability Zones ensures that if one AZ fails, the Auto Scaling group can launch replacement instances in the remaining AZ(s) to maintain capacity. Enabling ELB health checks on the Auto Scaling group lets it use the Application Load Balancer's target health to detect and replace unhealthy instances, enforcing resilience during normal operations without manual intervention.

Exam trap

The trap here is that candidates often assume a single larger subnet or a Network Load Balancer provides high availability, but they overlook the requirement for multi-AZ distribution and application-layer health checks to enforce resilience during normal operations.

How to eliminate wrong answers

Option B is wrong because placing all instances in one larger subnet within a single Availability Zone creates a single point of failure; if that AZ goes down, all instances are lost. Option C is wrong because a Network Load Balancer operates at Layer 4 and does not provide the HTTP/HTTPS health checks needed for a ticket booking system; also, placing it in one subnet does not address multi-AZ fault tolerance. Option D is wrong because a single EC2 instance, even with detailed monitoring, cannot survive an AZ failure; Auto Scaling requires at least two instances across multiple AZs to maintain availability.

352
MCQ (medium)

A partner company needs read-only access to reports in an S3 bucket for an e-learning platform. The partner has its own AWS account. What is the most secure, scalable access pattern?

A. Copy the objects to a public website bucket
B. Create an IAM user in the company account and share the access keys
C. Create a bucket policy that grants the partner role least-privilege access to the required prefix
D. Make the objects public and rely on difficult-to-guess object names
Answer: C

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option C is correct because it uses a resource-based bucket policy that grants the partner's AWS account (via its root user or an IAM role) least-privilege read-only access to a specific prefix. This approach avoids sharing long-term credentials, leverages AWS's cross-account trust mechanism, and scales securely without managing additional IAM users.

Exam trap

The trap here is that candidates often choose Option B (sharing IAM user credentials) because it seems straightforward, but AWS recommends cross-account roles with bucket policies for secure, auditable, and scalable access without managing external users.

How to eliminate wrong answers

Option A is wrong because copying objects to a public website bucket removes all access control, exposing data to the internet and violating the principle of least privilege. Option B is wrong because creating an IAM user in the company account and sharing access keys introduces long-term static credentials that must be rotated, can be leaked, and do not scale across multiple partner accounts. Option D is wrong because making objects public with difficult-to-guess names relies on security through obscurity, which is not a secure pattern—objects can be discovered via enumeration or leaks, and S3 does not enforce access control based on name complexity.

353
MCQ (easy)

A company keeps daily database backups in an S3 bucket. They may restore from backups during the first 30 days if there is an issue. After 30 days, backups are rarely restored, but must be retained for 2 years. Which lifecycle strategy most cost-effectively meets these requirements?

A. Delete backups after 30 days to avoid storage costs, since restores are rare.
B. Keep all backups in S3 Standard for the entire 2-year retention period.
C. Use an S3 lifecycle policy to keep backups in S3 Standard for 30 days, then transition them to S3 Glacier Deep Archive for the remainder of the 2-year retention period.
D. Move backups to S3 Glacier Deep Archive immediately after creation, even for the first 30 days.
Answer: C

A lifecycle transition after the initial restore window reduces cost while still meeting the 2-year retention requirement.

Why this answer

Option C is correct because it uses an S3 lifecycle policy to store backups in S3 Standard for the first 30 days when restores are likely, then transitions them to S3 Glacier Deep Archive for the remaining retention period. S3 Glacier Deep Archive offers the lowest storage cost for long-term, rarely accessed data, making this the most cost-effective strategy while meeting the 2-year retention requirement.

Exam trap

The trap here is that candidates may choose Option A, thinking that deleting old backups saves money, but they overlook the explicit retention requirement, or they may choose Option D, assuming immediate archiving is always cheapest, without considering the need for quick access during the first 30 days.

How to eliminate wrong answers

Option A is wrong because deleting backups after 30 days violates the requirement to retain backups for 2 years. Option B is wrong because keeping all backups in S3 Standard for the entire 2 years incurs unnecessary high storage costs for data that is rarely accessed after 30 days. Option D is wrong because moving backups immediately to S3 Glacier Deep Archive would incur retrieval costs and delays (typically 12-48 hours) during the first 30 days when restores may be needed, and does not optimize for the access pattern.

354
Multi-Select (hard)

A media company runs a 24/7 ingestion API on EC2 behind an Application Load Balancer and a nightly transcoding job that can resume from checkpoints. The API fleet runs at roughly 65 percent CPU all day, while the batch workers sit idle most of the time. The company wants to cut compute cost without risking the API. Which two changes should they make? Select two.

Select 2 answers
A. Purchase a Compute Savings Plan for the always-on API fleet.
B. Move the transcoding workers to EC2 Spot Instances and checkpoint progress.
C. Replace the API fleet with Dedicated Hosts to lock in lower rates.
D. Buy Standard Reserved Instances for the batch workers and keep them running 24/7.
E. Increase the worker Auto Scaling minimum to prevent Spot interruptions.
Answers: A, B

Correct. Compute Savings Plans discount steady usage across EC2 and other compute services without forcing a specific instance family. The API has predictable 24/7 demand, so a commitment fits the usage pattern and lowers cost safely.

Why this answer

A is correct because a Compute Savings Plan offers the largest discount (up to 66%) in exchange for a 1- or 3-year commitment to a consistent amount of compute usage (measured in $/hour), which perfectly matches the always-on API fleet that runs at a steady 65% CPU utilization. This plan applies to any EC2 instance family, region, or compute service (including Fargate and Lambda), giving flexibility while reducing costs for the predictable baseline load.

Exam trap

The trap here is that candidates often confuse Savings Plans with Reserved Instances, or assume Dedicated Hosts are a cost-saving measure, when in fact they are a premium isolation feature; the key is recognizing that Spot Instances are ideal for fault-tolerant, checkpointable batch workloads, while a Compute Savings Plan covers the predictable baseline without locking into a specific instance type.

355
MCQ (medium)

A partner company needs read-only access to reports in an S3 bucket for a customer analytics portal. The partner has its own AWS account. What is the most secure scalable access pattern?

A. Make the objects public and rely on difficult-to-guess object names
B. Create a bucket policy that grants the partner role least-privilege access to the required prefix
C. Copy the objects to a public website bucket
D. Create an IAM user in the company account and share the access keys
Answer: B

A resource policy can grant cross-account access to a specific external role and prefix.

Why this answer

Option B is correct because a bucket policy that grants the partner's IAM role (from the partner's AWS account) least-privilege access to a specific prefix is the most secure and scalable pattern. This uses cross-account IAM roles, avoiding long-term credentials and allowing the partner to manage their own users and permissions. The bucket policy explicitly trusts the partner's AWS account, and the partner assumes the role to access only the required objects, following the principle of least privilege.

Exam trap

The trap here is that candidates often choose Option D (sharing IAM user access keys) because it seems straightforward, but the exam tests the understanding that cross-account IAM roles are more secure and scalable than sharing static credentials.

How to eliminate wrong answers

Option A is wrong because making objects public with difficult-to-guess names relies on security through obscurity, which is not a secure pattern; objects can be discovered via enumeration or accidental exposure, and it violates AWS's shared responsibility model. Option C is wrong because copying objects to a public website bucket exposes the data to the internet without any access control, which is insecure and does not scale for read-only access by a specific partner. Option D is wrong because creating an IAM user in the company account and sharing access keys introduces long-term static credentials that must be rotated and managed, increasing the risk of leakage; it also does not scale across multiple partners and violates the principle of using IAM roles for cross-account access.

356
MCQ (easy)

A startup has a stable production web service that runs continuously (24/7) on AWS. They have consistent compute requirements for the next 1 year, but the instance size and family might change as they optimize performance. To reduce cost while maintaining flexibility across instance types, which purchasing option should they consider?

A. Compute Savings Plans
B. Reserved Instances with a fixed instance type
C. Spot Instances
D. On-Demand Instances
Answer: A

Compute Savings Plans discount compute usage while allowing flexibility across instance families, sizes, and even some services.

Why this answer

Compute Savings Plans offer the lowest prices for EC2 compute usage (up to 66% off On-Demand) while allowing flexibility to change instance family, size, OS, tenancy, and Region. This matches the startup's need for consistent 1-year compute requirements with potential instance type changes during performance optimization.

Exam trap

The trap here is that candidates often choose Reserved Instances with a fixed instance type because they see a 1-year commitment, but they overlook the requirement for flexibility across instance types, which only Compute Savings Plans provide.

How to eliminate wrong answers

Option B is wrong because Reserved Instances with a fixed instance type lock you into a specific instance family and size, which contradicts the requirement for flexibility across instance types. Option C is wrong because Spot Instances are designed for fault-tolerant, interruptible workloads and are not suitable for a stable production web service that must run continuously 24/7. Option D is wrong because On-Demand Instances provide no cost savings (they are the most expensive option) and do not offer a discount for a 1-year commitment.

357
MCQ (medium)

Company A runs an internal app in account A. The app needs to upload objects to an S3 bucket in account B. When the app calls S3, it receives AccessDenied for s3:PutObject. The team already created an IAM role in account B named UploadRole with a policy allowing s3:PutObject. They did not yet set up any trust relationship. Which change most directly fixes the access problem with least privilege?

A. Create IAM user access keys in account A and attach the UploadRole policy directly to those keys.
B. Update the trust policy on UploadRole (account B) to allow sts:AssumeRole from the app’s IAM role or principal in account A.
C. Add s3:PutObject permissions to the bucket policy in account B for all principals in account A.
D. Attach an SCP (service control policy) in AWS Organizations to deny sts:AssumeRole unless the caller uses an MFA device.
Answer: B

A cross-account role requires both an IAM permissions policy and a trust policy. The trust policy must allow the specific principal in account A to call sts:AssumeRole into account B’s role. With that trust in place, the app can obtain temporary credentials and then use the UploadRole permissions for s3:PutObject.

Why this answer

The app in account A needs to assume the UploadRole in account B to gain s3:PutObject permissions. Without a trust policy on UploadRole that allows sts:AssumeRole from the app's IAM principal in account A, the role cannot be assumed, resulting in AccessDenied. Updating the trust policy directly establishes the cross-account trust relationship with least privilege, as it grants only the necessary assume-role capability.

Exam trap

The trap here is that candidates often think bucket policies alone can solve cross-account access, but without a trust policy on the IAM role, the app cannot assume the role to obtain the required permissions.

How to eliminate wrong answers

Option A is wrong because creating IAM user access keys in account A and attaching the UploadRole policy directly to those keys violates least privilege (access keys are long-term credentials) and does not solve the cross-account trust issue—the policy is in account B and cannot be attached to account A keys. Option C is wrong because adding s3:PutObject permissions to the bucket policy in account B for all principals in account A is overly permissive (grants access to all principals in account A) and does not leverage the existing UploadRole, violating least privilege. Option D is wrong because attaching an SCP to deny sts:AssumeRole unless MFA is used would block the legitimate cross-account role assumption entirely, making the problem worse, and SCPs apply only within an organization, not to cross-account access between separate accounts.
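The two halves of a cross-account role, worked through as an added example (not code from the question bank): a simplified evaluator that checks the trust policy first and the permissions policy second, so the "permissions exist but nothing trusts account A" state from the question produces a denial, and an over-broad trust (the account root) is flagged. Account IDs, role names and the bucket name are placeholders, and the evaluator models only the subset of IAM semantics needed here (it ignores conditions and the caller's own sts:AssumeRole permission).

```python
# Constructed scenario: placeholder account IDs, role and bucket names.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
APP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AppRole"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/UnrelatedRole"
BUCKET_ARN = f"arn:aws:s3:::example-uploads-{ACCOUNT_B}"

# Permissions policy already attached to UploadRole in account B.
UPLOAD_ROLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*"}]}

# Trust policy before the fix: no principal outside account B is trusted.
TRUST_BEFORE = {"Version": "2012-10-17", "Statement": []}

# Trust policy after the fix: only the app's role may call sts:AssumeRole.
TRUST_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE_ARN}, "Action": "sts:AssumeRole"}]}

# Over-broad variant: trusting the account root admits every principal in account A
# whose own identity policy allows sts:AssumeRole, not just the app.
TRUST_ACCOUNT_ROOT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account:resource


def _aws_principals(principal):
    """Normalise the Principal element to a list of ARN/account strings ('*' stays '*')."""
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _principal_matches(entry, caller_arn):
    """Simplified match: wildcard, exact ARN, or the caller's account root (ARN or bare ID)."""
    if entry in ("*", caller_arn):
        return True
    if entry.endswith(":root"):
        return _account_of(entry) == _account_of(caller_arn)
    return entry == _account_of(caller_arn)


def trust_allows_assume(trust_policy, caller_arn):
    """Explicit Deny wins; otherwise any Allow whose principal covers the caller."""
    allowed = False
    for stmt in trust_policy.get("Statement", []):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not any(_principal_matches(p, caller_arn) for p in _aws_principals(stmt.get("Principal", {}))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def permissions_allow(policy, action, resource_arn):
    """Simplified permissions check with a trailing-wildcard match on Resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res == resource_arn or (res.endswith("*") and resource_arn.startswith(res[:-1])):
                return True
    return False


def can_upload(trust_policy, caller_arn, object_key):
    """Both halves are required: assume the role first, then use its s3:PutObject grant."""
    if not trust_allows_assume(trust_policy, caller_arn):
        return False  # no trust: the app falls back to account A credentials and S3 denies it
    return permissions_allow(UPLOAD_ROLE_PERMISSIONS, "s3:PutObject", f"{BUCKET_ARN}/{object_key}")


def trust_policy_findings(trust_policy):
    """Flag Allow statements whose principal is broader than a single named role."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for entry in _aws_principals(stmt.get("Principal", {})):
            if entry == "*":
                findings.append("trusts any AWS principal")
            elif entry.endswith(":root") or entry.isdigit():
                findings.append(f"trusts the whole account {_account_of(entry) if ':' in entry else entry}")
    return findings
```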

358
MCQ (medium)

A public API for an image sharing application is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used? The design must avoid adding custom operational scripts.

A. A VPC endpoint policy
B. API keys only
C. JWT authorizer configured for the OpenID Connect issuer
D. IAM authorization for all internet users
Answer: C

A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.

Why this answer

C is correct because the scenario requires standards-based token authentication from an external OpenID Connect (OIDC) provider, and API Gateway's JWT authorizer natively validates JWTs issued by OIDC providers without requiring custom code. This authorizer verifies the token's signature, expiry, and issuer against the OIDC discovery endpoint, meeting the requirement to avoid custom operational scripts.

Exam trap

The trap here is that candidates often confuse API keys (simple identification) with token-based authentication (JWT/OIDC), or incorrectly assume IAM authorization can be used for external identity federation without custom Lambda authorizers or STS-based token exchange.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint policy controls access to API Gateway via VPC endpoints, not authentication for internet clients using OIDC tokens. Option B is wrong because API keys only provide simple identification and throttling, not authentication or authorization based on standards-based tokens from an external OIDC provider. Option D is wrong because IAM authorization is designed for AWS-authenticated principals (e.g., IAM users/roles), not for internet users presenting tokens from an external OIDC provider, and it would require custom scripts to map OIDC tokens to IAM roles.

359
Drag & Drop (medium)

Arrange the steps to migrate an on-premises database to Amazon RDS using AWS DMS.


Why this order

Source preparation first, then DMS infrastructure, endpoints, task, and monitoring/cutover.

360
Multi-Select (hard)

A distributed analytics engine runs 12 EC2 instances in one Availability Zone. The nodes exchange thousands of tiny messages per second and must keep jitter as low as possible. The current design launches the instances across multiple placement groups and uses general-purpose burstable instances. Which two changes will most directly lower east-west network latency and variability? Select two.

Select 2 answers
A. Move all instances into a cluster placement group.
B. Use instance families that provide high network bandwidth and support enhanced networking.
C. Spread the instances across three Availability Zones for better fault tolerance.
D. Front the nodes with an Application Load Balancer to balance the internal messages.
E. Store the messages on EBS volumes so the nodes avoid network communication.
Answers: A, B

Cluster placement groups pack instances closely together in a single Availability Zone, which minimizes network distance and improves latency consistency. This is the best placement strategy when the workload is highly chatty and needs very low jitter between nodes. It directly targets east-west performance.

Why this answer

A cluster placement group provides a low-latency, high-bandwidth network connection by placing instances in a single Availability Zone within the same logical rack or cluster. This minimizes the physical distance and network hops between instances, directly reducing east-west latency and jitter for the thousands of tiny messages per second.

Exam trap

The trap here is that candidates often confuse 'fault tolerance' (spreading across AZs) with 'performance' (cluster placement group), or they mistakenly think a load balancer can optimize internal node-to-node traffic, when in fact it adds latency and is designed for client-facing traffic.

361
MCQ (medium)

A ticket booking system uses Aurora MySQL. The company wants fast cross-Region disaster recovery with low RPO. Which architecture should be considered? The architecture review board prefers a managed AWS-native control.

A. Aurora Global Database
B. A single-AZ Aurora cluster
C. An ElastiCache Redis replica
D. Manual snapshots copied monthly
Answer: A

Aurora Global Database replicates with low latency to secondary Regions and supports faster disaster recovery than snapshot-only approaches.

Why this answer

Aurora Global Database is the correct choice because it provides a managed, cross-Region disaster recovery solution with a Recovery Point Objective (RPO) of typically less than 1 second, using storage-based replication that does not impact database performance. This meets the requirement for fast failover and low data loss, and because it is fully AWS-native it also satisfies the architecture review board's preference for a managed control.

Exam trap

The trap here is that candidates may confuse cross-Region read replicas (which have higher RPO and require manual promotion) with Aurora Global Database, or assume that any caching layer like ElastiCache can substitute for database DR, when in fact only Aurora Global Database provides the required low RPO and managed failover.

How to eliminate wrong answers

Option B is wrong because a single-AZ Aurora cluster lacks any cross-Region replication or failover capability, offering no disaster recovery across Regions. Option C is wrong because ElastiCache Redis is an in-memory cache, not a persistent database, and cannot serve as a primary data store for ticket bookings or provide cross-Region DR with low RPO. Option D is wrong because manual snapshots copied monthly result in an RPO of up to a month, which is far too high for fast disaster recovery requirements.

362
MCQ (easy)

A production application stores critical data on an Amazon EBS volume. The team wants a simple backup method that allows the volume to be restored later if the server is lost. What should they use?

A. Amazon S3 bucket versioning
B. Amazon EBS snapshots
C. AWS Security Hub
D. Amazon CloudFront invalidations
Answer: B

EBS snapshots are the native backup mechanism for EBS volumes. They capture point-in-time copies that can later be used to create a new volume, making them a simple and reliable way to restore data after a server or volume loss. Snapshots are incremental, so repeated backups are efficient and suitable for ongoing protection.

Why this answer

Amazon EBS snapshots are the correct choice because they provide a simple, incremental backup method for EBS volumes. Snapshots capture the data on the volume at a specific point in time and are stored in Amazon S3, allowing the volume to be restored to a new EC2 instance if the original server is lost. This directly meets the requirement for a backup that enables restoration after server failure.

Exam trap

The trap here is that candidates might confuse EBS snapshots with S3 versioning, thinking that S3 can directly back up EBS volumes, but EBS snapshots are the native, designed service for this purpose.

How to eliminate wrong answers

Option A is wrong because Amazon S3 bucket versioning is designed to protect objects within an S3 bucket by preserving, retrieving, and restoring previous versions, not for backing up EBS volumes attached to EC2 instances. Option C is wrong because AWS Security Hub is a security posture management service that aggregates and prioritizes security findings from various AWS services, not a backup or restore mechanism for EBS volumes. Option D is wrong because Amazon CloudFront invalidations are used to remove cached content from CloudFront edge locations, not for backing up or restoring EBS volumes.

363
MCQ (medium)

A media processing service runs ECS tasks in multiple Availability Zones. Each task must read and write the same shared filesystem with low latency because tasks stream intermediate artifacts to other tasks. The team currently mounts an EBS volume per task, and cross-AZ tasks frequently cannot see each other’s files. Which option best resolves the shared filesystem requirement while supporting high-performing access?

A. Keep using EBS, but attach the same EBS volume to tasks in multiple Availability Zones using EBS multi-attach so all tasks share the filesystem.
B. Use Amazon EFS with mount targets in each Availability Zone so all tasks mount a common NFS filesystem over the AWS network.
C. Use Amazon S3 for the intermediate artifacts and rely on S3 event notifications to emulate POSIX file operations.
D. Switch to instance store on each task and use SQS messages between tasks to copy intermediate artifacts.
Answer: B

EFS is designed for shared, NFS-like file storage that can be mounted concurrently from compute resources across multiple Availability Zones. By creating mount targets in each AZ used by the ECS tasks, you enable low-latency network access patterns so tasks can read and write the same shared filesystem reliably.

Why this answer

Amazon EFS provides a fully managed, shared NFS filesystem that can be mounted concurrently by ECS tasks across multiple Availability Zones with low latency. It supports POSIX file operations, making it ideal for streaming intermediate artifacts between tasks. EFS mount targets in each AZ ensure local access, meeting the requirement for high-performing shared storage.

Exam trap

The trap here is that candidates may assume EBS multi-attach works across Availability Zones, but it is strictly limited to a single AZ and requires specific instance types, making it unsuitable for multi-AZ shared filesystem requirements.

How to eliminate wrong answers

Option A is wrong because EBS multi-attach is limited to a single Availability Zone and supports only up to 16 Nitro-based instances, not ECS tasks across multiple AZs, and does not provide a shared filesystem for cross-AZ access. Option C is wrong because Amazon S3 is an object store, not a POSIX-compliant filesystem; it lacks low-latency file locking and streaming semantics required for intermediate artifact sharing between tasks. Option D is wrong because instance store is ephemeral and tied to a single EC2 instance, and using SQS for copying artifacts introduces latency and complexity, failing to provide a low-latency shared filesystem.

364
MCQ (medium)

A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written. They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review. Which CloudTrail configuration change most directly provides the missing object-level visibility?

A. Enable CloudTrail data events for the specific S3 bucket so that GetObject and PutObject operations are logged at the object level.
B. Enable AWS Config delivery to a separate bucket and create a rule to detect noncompliant S3 policies; this will automatically generate GetObject logs.
C. Turn on VPC Flow Logs for the VPC hosting the S3 gateway endpoint, because network logs show S3 object read and write details.
D. Add an S3 bucket policy that denies all GetObject requests unless the caller uses TLS; the denial events will create investigation logs automatically.
Answer: A

CloudTrail management events cover control-plane activity, not per-object access details in S3. Enabling S3 data events (object-level logging) causes CloudTrail to record events like GetObject and PutObject for the targeted bucket and prefixes. This directly addresses the missing visibility symptom described. It also limits logging scope when you specify the bucket/prefix.

Why this answer

CloudTrail management events do not include object-level operations like GetObject or PutObject. By enabling CloudTrail data events for the specific S3 bucket, you capture object-level read (GetObject) and write (PutObject) API calls, including those for encrypted objects, providing the missing visibility for detective controls.

Exam trap

The trap here is that candidates confuse management events (which log bucket-level operations like CreateBucket) with data events (which log object-level operations like GetObject), assuming management events cover all S3 activity.

How to eliminate wrong answers

Option B is wrong because AWS Config evaluates resource compliance and can detect noncompliant policies, but it does not generate GetObject logs; it only records configuration changes and compliance states, not data access events. Option C is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log S3 object-level API operations like GetObject or PutObject; they lack application-layer details. Option D is wrong because adding a bucket policy to deny requests without TLS would only generate denial events for non-TLS requests, not log all GetObject or PutObject operations; it is a preventive control, not a detective one, and does not provide comprehensive object-level visibility.
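The management-versus-data-event distinction behind this answer, as an added example rather than material from the question bank: a small triage routine over constructed CloudTrail records (shaped like S3 events, but not real logs, with placeholder ARNs, IPs and bucket name) that keeps only the object-level events for the bucket under investigation and summarises, per principal, the reads and the encrypted writes the team wanted visibility into. The management event in the sample is the only thing the team would have seen before data events were enabled.

```python
import json

TARGET_BUCKET = "example-reports-bucket"  # placeholder
READER = "arn:aws:sts::111111111111:assumed-role/AnalystRole/session1"  # placeholder

# Constructed CloudTrail log (not real): one management event, two data events on the
# target bucket, and one data event on an unrelated bucket.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventCategory": "Management", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "eventTime": "2024-01-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"bucketName": TARGET_BUCKET}},
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventTime": "2024-01-01T10:05:00Z",
     "userIdentity": {"arn": READER}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": TARGET_BUCKET, "key": "reports/q1.csv"},
     "additionalEventData": {"bytesTransferredOut": 5242880}},
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "eventTime": "2024-01-01T10:06:00Z",
     "userIdentity": {"arn": READER}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": TARGET_BUCKET, "key": "exports/bundle.bin",
                           "x-amz-server-side-encryption": "aws:kms"},
     "additionalEventData": {"SSEApplied": "SSE_KMS", "bytesTransferredIn": 1048576}},
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventTime": "2024-01-01T10:07:00Z",
     "userIdentity": {"arn": READER}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "some-other-bucket", "key": "public/logo.png"},
     "additionalEventData": {"bytesTransferredOut": 2048}},
]})


def object_level_events(log_text, bucket):
    """Return S3 data events for one bucket; management events carry no object key."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventCategory") != "Data":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        extra = rec.get("additionalEventData") or {}
        hits.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "key": params.get("key"),
            "principal": rec["userIdentity"]["arn"],
            "source_ip": rec.get("sourceIPAddress"),
            # SSEApplied is set when S3 applied server-side encryption to the write
            "encrypted": bool(extra.get("SSEApplied")),
            "bytes_out": int(extra.get("bytesTransferredOut", 0)),
            "bytes_in": int(extra.get("bytesTransferredIn", 0)),
        })
    return hits


def exfiltration_summary(events):
    """Per-principal totals for the two questions in the investigation:
    who read how much, and who wrote encrypted objects."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["principal"],
                               {"reads": 0, "bytes_read": 0, "encrypted_writes": 0})
        if ev["action"] == "GetObject":
            s["reads"] += 1
            s["bytes_read"] += ev["bytes_out"]
        elif ev["action"] == "PutObject" and ev["encrypted"]:
            s["encrypted_writes"] += 1
    return summary


def management_only(log_text):
    """Simulate a trail with data events switched off: only management events remain."""
    recs = [r for r in json.loads(log_text)["Records"] if r.get("eventCategory") == "Management"]
    return json.dumps({"Records": recs})
```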

365
MCQ (medium)

A trading dashboard stores uploaded documents in S3. The business requires a copy in another AWS Region for disaster recovery. What should be configured? The architecture review board prefers a managed AWS-native control.

A. An EBS snapshot schedule
B. S3 Cross-Region Replication with versioning enabled
C. S3 lifecycle transition to Glacier Flexible Retrieval
D. A CloudFront distribution
Answer: B

CRR asynchronously replicates objects to a bucket in another Region and requires versioning.

Why this answer

S3 Cross-Region Replication (CRR) is the correct AWS-native managed solution for automatically replicating objects from a source S3 bucket in one region to a destination bucket in another region, meeting the disaster recovery requirement. Versioning must be enabled on both source and destination buckets for CRR to function, as replication relies on version IDs to track and copy objects. This provides asynchronous, automatic replication without custom scripting or third-party tools.

Exam trap

The trap here is that candidates may confuse S3 lifecycle policies (which only manage storage tiers within a region) with cross-region replication, or incorrectly assume CloudFront's global edge caching provides durable DR storage in another region.

How to eliminate wrong answers

Option A is wrong because EBS snapshots are for Amazon Elastic Block Store volumes attached to EC2 instances, not for S3 objects; they cannot replicate data across regions for S3-based storage. Option C is wrong because S3 lifecycle transitions to Glacier Flexible Retrieval only change the storage class within the same region for cost optimization, not replicate data to another region for disaster recovery. Option D is wrong because CloudFront is a content delivery network (CDN) that caches content at edge locations for low-latency access, but it does not provide cross-region replication or persistent storage in a secondary region for DR.

366
MCQ (medium)

A high-frequency trading analytics service runs on several EC2 instances in the same Availability Zone. The application exchanges small messages between nodes and is sensitive to microsecond-level network latency. Which design best meets the requirement?

A. Place the instances in a cluster placement group in one Availability Zone.
B. Place the instances in a spread placement group across multiple Availability Zones.
C. Place the instances in a partition placement group within one Availability Zone.
D. Deploy the instances behind an Application Load Balancer in multiple Availability Zones.
Answer: A

A cluster placement group places instances physically close together within one Availability Zone, which improves network throughput and reduces latency between nodes. That is the right fit for tightly coupled workloads that exchange frequent small messages and need the lowest possible east-west latency. It also keeps the design simple because the application already runs in a single AZ.

Why this answer

A cluster placement group is designed for low-latency, high-throughput scenarios: it packs instances into a single Availability Zone on hardware with non-blocking, full-bisection bandwidth, giving the lowest inter-node latency EC2 offers. This meets the requirement for microsecond-sensitive inter-node communication in high-frequency trading. Using an Enhanced Networking (ENA) instance type and launching all instances in a single request, so they can be placed together, gets the most out of the group.

Exam trap

The trap here is that candidates confuse 'fault isolation' (spread/partition groups) with 'performance optimization' (cluster groups), or assume a load balancer can reduce latency when it actually adds overhead.

How to eliminate wrong answers

Option B is wrong because a spread placement group deliberately places each instance on distinct underlying hardware, and across Availability Zones when the group spans them, to limit correlated failures; that separation adds network latency (and cross-AZ data transfer charges), the opposite of what microsecond-sensitive traffic needs. Option C is wrong because a partition placement group isolates instances into logical partitions (e.g., for large distributed systems like HDFS or Cassandra) but does not optimize for the lowest possible latency between all nodes; it focuses on fault isolation, not microsecond-level performance. Option D is wrong because an Application Load Balancer operates at Layer 7 (HTTP/HTTPS) and introduces significant latency overhead (milliseconds), which is incompatible with microsecond-level inter-node messaging; it also does not address direct node-to-node communication.

367
MCQmedium

A marketing site has EC2 instances that are oversized based on CPU, memory, and network utilisation. Which AWS service should identify rightsizing recommendations?

A.AWS Shield
B.AWS Compute Optimizer
C.AWS DataSync
D.AWS Artifact
AnswerB

Compute Optimizer analyses utilisation metrics and recommends rightsizing for supported resources.

Why this answer

AWS Compute Optimizer analyzes historical CloudWatch utilization metrics (CPU, network, disk and, when the CloudWatch agent publishes it, memory) and uses machine learning to flag over-provisioned or under-provisioned EC2 instances. It generates actionable rightsizing recommendations, including instance type changes with projected utilization and cost, to optimize cost and performance. This directly addresses the scenario of oversized EC2 instances.

Exam trap

The trap here is confusing AWS Compute Optimizer with AWS Trusted Advisor, which also provides cost optimization checks but does not offer the same ML-driven, granular rightsizing recommendations for EC2 instances.

How to eliminate wrong answers

Option A is wrong because AWS Shield is a managed DDoS protection service, not a resource optimization or rightsizing tool. Option C is wrong because AWS DataSync is a data transfer service for moving large datasets between on-premises storage and AWS, not for analyzing instance utilization or making rightsizing recommendations. Option D is wrong because AWS Artifact is a self-service portal for downloading compliance reports and agreements (e.g., SOC, PCI), not a cost optimization or rightsizing service.

368
MCQeasy

A startup has a stable production web service that runs continuously (24/7) on AWS. They have consistent compute requirements for the next 1 year, but the instance size and family might change as they optimize performance. To reduce cost while maintaining flexibility across instance types, which purchasing option should they consider?

A.Compute Savings Plans
B.Reserved Instances with a fixed instance type
C.Spot Instances
D.On-Demand Instances
AnswerA

Compute Savings Plans discount compute usage while allowing flexibility across instance families, sizes, and even some services.

Why this answer

Compute Savings Plans give up to 66% off On-Demand pricing in exchange for an hourly spend commitment, and the discount follows usage across instance family, size, OS, tenancy and Region (and even to Fargate and Lambda). That matches the startup's one-year steady-state workload whose instance types may change during optimization.

Exam trap

The trap here is that candidates reach for Reserved Instances for any steady-state workload, overlooking that Compute Savings Plans deliver a discount comparable to Convertible Reserved Instances while automatically applying to a changed instance family, which the scenario explicitly requires. EC2 Instance Savings Plans and Standard RIs can save a few percent more, but only by committing to one instance family in one Region.

How to eliminate wrong answers

Option B is wrong because Reserved Instances with a fixed instance type lock you into a specific instance family and size, which prevents the flexibility the startup needs if they change instance types during performance optimization. Option C is wrong because Spot Instances can be interrupted with a 2-minute notice, making them unsuitable for a stable production web service that must run continuously 24/7. Option D is wrong because On-Demand Instances have no upfront commitment and are the most expensive option, failing to reduce cost for predictable, steady-state workloads.

369
MCQhard

Based on the exhibit, a development team in member accounts can create IAM roles, but one team created a role without the required permissions boundary. Security wants to ensure that no future role in the organization can exceed the approved boundary, even if a developer has broad IAM permissions. What is the best control to add?

A.Add a permission boundary to the developer role that points to ApprovedAppBoundary.
B.Add an SCP that denies iam:CreateRole and iam:PutRolePermissionsBoundary unless the request specifies the ApprovedAppBoundary ARN.
C.Use an S3 bucket policy to block policy documents that grant AdministratorAccess.
D.Require team members to use STS session policies when they create new roles.
AnswerB

An SCP can enforce organization-wide guardrails so roles cannot be created without the required boundary.

Why this answer

Option B is correct because a Service Control Policy (SCP) attached at the organization root or to the OU containing the member accounts can deny iam:CreateRole and iam:PutRolePermissionsBoundary unless the request's iam:PermissionsBoundary condition key matches the ApprovedAppBoundary ARN. That blocks any role creation or boundary change that would bypass the approved boundary, even for a developer with full IAM permissions in the account. SCPs are the only control that applies to every principal in a member account, including the account root user; they never apply to the management account, so sensitive workloads should not run there.

Exam trap

The trap here is that candidates assume an IAM permission boundary on the developer role is sufficient, but SCPs are the only way to enforce a mandatory boundary across all principals in an account, including those with full administrative access.

How to eliminate wrong answers

Option A is wrong because adding a permission boundary to the developer role only restricts that specific role's actions, but a developer with broad IAM permissions could still create a new role without a boundary or with a different boundary, bypassing the restriction. Option C is wrong because an S3 bucket policy controls access to S3 resources, not IAM role creation or permissions boundaries; it cannot enforce IAM policies across the account. Option D is wrong because a session policy is supplied by the caller when assuming a role, so a developer can simply omit it; it can scope down that session's permissions but cannot be mandated, and it does nothing to require a boundary on the role being created.

370
MCQeasy

You manage multiple AWS accounts under AWS Organizations. A compliance requirement states: no account is allowed to create new IAM access keys for IAM users. Local administrators may attempt to override permissions. Which mechanism should you use to enforce this guardrail across all accounts?

A.An IAM permissions policy attached to a role that only your security team uses
B.An Organizations service control policy (SCP) that explicitly denies CreateAccessKey
C.A KMS key policy that blocks key creation and reuse
D.A permission boundary on a single IAM role
AnswerB

SCPs provide guardrails that apply to all principals in member accounts. By explicitly denying the IAM action at the organization level, you can prevent access key creation even if local IAM policies would otherwise allow it.

Why this answer

An SCP is the correct mechanism because it operates at the AWS Organizations root, OU, or account level to define a central guardrail that cannot be overridden by any IAM principal, including account administrators. By explicitly denying the `iam:CreateAccessKey` action, the SCP ensures that no IAM user in any account can create new access keys, fulfilling the compliance requirement across all accounts.

Exam trap

The trap here is that candidates often confuse SCPs with IAM permission boundaries or think that a restrictive IAM policy on a single role can enforce a global guardrail, but only SCPs provide organization-wide, unoverridable control over all principals.

How to eliminate wrong answers

Option A is wrong because an IAM permissions policy attached to a role used only by the security team does not prevent local administrators from creating access keys; it only restricts what that specific role can do, and local admins with full permissions can still create keys. Option C is wrong because KMS key policies control access to encryption keys, not IAM access keys; they have no effect on the `iam:CreateAccessKey` API action. Option D is wrong because a permission boundary limits the maximum permissions for a single IAM role but does not apply to all users or accounts, and it can be overridden by an account admin who can modify the boundary or create new roles without it.

371
Multi-Selectmedium

A marketing site serves versioned JavaScript and CSS from an Amazon S3 origin through Amazon CloudFront. After each release, the cache hit ratio drops sharply because clients keep sending request headers and query strings that are not needed for asset retrieval. Which two changes should improve cache efficiency the most? Select two.

Select 2 answers
A.Create a CloudFront cache policy that excludes unnecessary headers, query strings, and cookies from the cache key.
B.Use versioned filenames or content hashes for static assets and apply long-lived immutable caching.
C.Move the S3 origin behind an Application Load Balancer so CloudFront can cache responses more effectively.
D.Store the objects in Amazon S3 Standard-IA so repeated requests are cheaper.
E.Lower the CloudFront TTL to zero so viewers always receive the newest content immediately.
AnswersA, B

CloudFront uses the cache key to decide whether two requests can share the same cached object. If irrelevant headers, query strings, or cookies are included, the same file is cached as many variants and the hit ratio drops.

Why this answer

Option A is correct because CloudFront cache policies allow you to explicitly control which headers, query strings, and cookies are included in the cache key. By excluding unnecessary ones (e.g., User-Agent, marketing query parameters, session cookies), you prevent cache fragmentation and ensure that identical assets requested with different metadata map to the same cached object, dramatically improving the cache hit ratio. Option B is correct because content-hashed or versioned filenames turn each release into a new URL: clients immediately request the new name while the old object simply ages out, so the assets can carry a long TTL (a year, marked immutable) without any risk of serving stale content, and a release no longer triggers a wave of misses or invalidations.

Exam trap

The trap here is that candidates often confuse cache invalidation strategies (like lowering TTL) with cache efficiency improvements, not realizing that excluding unnecessary cache key components is the direct mechanism to reduce cache misses.
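
The following is an added example, not CloudFront's own code or anything from the original page. It models how a viewer request becomes a cache key under two cache-policy settings, measures the hit ratio over a constructed burst of requests for one asset, and shows the companion change from option B: content-hashed filenames with a long, immutable Cache-Control value. The distribution domain, paths, header values and cookies are all constructed.

```python
"""Cache-key fragmentation under two CloudFront-style cache policies (added example)."""
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

CDN = "https://d111111abcdef8.cloudfront.net"  # constructed distribution domain
# Constructed viewer requests: one file, noisy query strings, User-Agents and cookies.
REQUESTS = [
    {"url": f"{CDN}/assets/app.3f2a9c1d.js?utm_source=twitter", "headers": {"User-Agent": "Mozilla/5.0 (iPhone)"}, "cookies": {"session": "s1"}},
    {"url": f"{CDN}/assets/app.3f2a9c1d.js?utm_source=newsletter", "headers": {"User-Agent": "Mozilla/5.0 (iPhone)"}, "cookies": {"session": "s2"}},
    {"url": f"{CDN}/assets/app.3f2a9c1d.js", "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux)"}, "cookies": {}},
    {"url": f"{CDN}/assets/app.3f2a9c1d.js?utm_source=twitter&cb=171", "headers": {"User-Agent": "Mozilla/5.0 (iPhone)"}, "cookies": {"session": "s1"}},
    {"url": f"{CDN}/assets/app.3f2a9c1d.js", "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux)"}, "cookies": {"session": "s3"}},
    {"url": f"{CDN}/assets/app.3f2a9c1d.js", "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux)"}, "cookies": {}},
]

# Legacy-style settings: forward everything, so every variation becomes its own cached copy.
FORWARD_ALL = {"query_strings": "all", "headers": {"user-agent"}, "cookies": "all"}
# Cache policy for versioned static assets: domain + path alone identify the object.
STATIC_ASSETS = {"query_strings": "none", "headers": set(), "cookies": "none"}


def _select(items, setting):
    """Apply one cache-policy setting ('none', 'all', or an allow-list) to (name, value) pairs."""
    if setting == "none":
        return ()
    if setting == "all":
        return tuple(sorted(items))
    return tuple(sorted((k, v) for k, v in items if k in setting))


def cache_key(request, policy):
    """CloudFront always keys on domain and path; the policy decides what else is appended."""
    parts = urlsplit(request["url"])
    qs = _select(parse_qsl(parts.query, keep_blank_values=True), policy["query_strings"])
    headers = _select(((k.lower(), v) for k, v in request["headers"].items()), policy["headers"])
    cookies = _select(request.get("cookies", {}).items(), policy["cookies"])
    return (parts.netloc, parts.path, urlencode(qs), headers, cookies)


def hit_ratio(requests, policy):
    """Cold cache: the first request for each key misses, later ones hit. Returns (ratio, distinct keys)."""
    seen, hits = set(), 0
    for r in requests:
        k = cache_key(r, policy)
        hits += k in seen
        seen.add(k)
    return hits / len(requests), len(seen)


HASHED = re.compile(r"\.[0-9a-f]{8}\.(?:js|css)$")


def versioned_name(path, content):
    """Embed a content hash in the filename so a release gets a new URL instead of a stale cache entry."""
    stem, _, ext = path.rpartition(".")
    return f"{stem}.{hashlib.sha256(content).hexdigest()[:8]}.{ext}"


def cache_control(path):
    """Hashed assets never change under the same name, so cache them for a year and mark them
    immutable; the HTML that references them must stay short-lived so a release rolls out promptly."""
    if HASHED.search(path):
        return "public, max-age=31536000, immutable"
    return "public, max-age=60, must-revalidate"


if __name__ == "__main__":
    for name, policy in (("forward-all", FORWARD_ALL), ("static-assets", STATIC_ASSETS)):
        ratio, keys = hit_ratio(REQUESTS, policy)
        print(f"{name:14s} distinct keys={keys} hit ratio={ratio:.2f}")
    print(versioned_name("assets/app.js", b"console.log('v2')"), cache_control("assets/app.3f2a9c1d.js"))
```

Forwarding a header does more than fragment the cache: it is also sent to the origin and the response is cached per value, so only include a header when the asset genuinely depends on it. For compressed variants, enable the cache policy's Gzip/Brotli compression support rather than forwarding the raw Accept-Encoding header.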

372
Multi-Selecthard

A regional web application for a content publishing system must fail over automatically to a secondary Region if the primary endpoint becomes unhealthy. Which two services or features are required? The architecture review board prefers a managed AWS-native control.

Select 2 answers
A.AWS Organizations service control policies
B.Route 53 failover routing with health checks
C.S3 Transfer Acceleration
D.A deployed standby application stack in the secondary Region
AnswersB, D

Route 53 can monitor endpoint health and return the standby endpoint when the primary is unhealthy.

Why this answer

Route 53 failover routing with health checks (Option B) is required because it monitors the primary endpoint's health and automatically answers DNS queries with the secondary Region's endpoint when the primary becomes unhealthy. This is the managed AWS-native control for DNS-based failover, meeting the architecture review board's preference. A deployed standby stack in the secondary Region (Option D) is the other requirement: DNS failover only redirects clients, so something must already be running and able to serve them when the health check fails. Keep the TTL on the failover records short, otherwise resolvers keep returning the unhealthy primary for as long as they cached it.

Exam trap

The trap here is that candidates often think DNS failover alone is sufficient, forgetting that you must also have a running application stack in the secondary Region to receive traffic after failover.

373
MCQhard

Based on the exhibit, a DynamoDB-backed event processing system is throttling during a promotion. The table uses tenantId as the partition key and eventTime as the sort key. One tenant accounts for most of the write traffic, and the application must preserve fast lookups for that tenant without relying on a single hot partition. What change is the best fix?

A.Add a sharding suffix to the partition key, such as tenantId#shardId, and query across the tenant's shards.
B.Enable DynamoDB Streams so the table can process writes more quickly.
C.Switch the table to on-demand capacity mode and keep the same key design.
D.Add a global secondary index on eventTime and query the index instead of the base table.
AnswerA

Sharding the partition key spreads the hot tenant's traffic across multiple partitions, which removes the hot key problem. Because the application still needs tenant-scoped time-range queries, it issues one query per shard value and merges the results by eventTime.

Why this answer

Option A is correct because adding a sharding suffix (e.g., tenantId#shardId) to the partition key distributes write traffic for the hot tenant across multiple partitions, eliminating the single-partition bottleneck while preserving fast lookups by querying across all shards for that tenant. DynamoDB's partition key determines physical storage; without sharding, all writes for the hot tenant land on one partition, causing throttling even if the table has sufficient total capacity.

Exam trap

The trap here is that candidates often assume on-demand mode (Option C) eliminates all throttling, but it does not resolve the physical partition limit—a single hot partition still caps at 1,000 WCU/3,000 RCU, so throttling persists regardless of capacity mode.

How to eliminate wrong answers

Option B is wrong because enabling DynamoDB Streams does not increase write throughput; it captures item-level changes asynchronously and does not alleviate throttling caused by a hot partition. Option C is wrong because switching to on-demand capacity mode only removes the need to provision capacity manually, but it does not solve the underlying hot partition issue; DynamoDB still throttles if a single partition exceeds 1,000 WCU or 3,000 RCU, regardless of capacity mode. Option D is wrong because a GSI does not change how the base table is partitioned: the hot tenant's writes still land on the same base-table partition, and every write is additionally propagated to the index, consuming extra write capacity. An index keyed on eventTime would create its own hot partition, since all current writes share the same time value.
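
The following is an added example, not AWS code or anything from the original page: write sharding for a table keyed by tenantId (partition key) and eventTime (sort key). A small in-memory class stands in for the DynamoDB table so it runs offline; the key construction and the fan-out-and-merge read path are what you would wrap around boto3 put_item and query. The tenant name, shard count, event ids and timestamps are constructed.

```python
"""Write sharding of a hot DynamoDB partition key with a fan-out read (added example)."""
import hashlib
import heapq
from collections import defaultdict

SHARDS = 8  # suffixes per hot tenant; store it per tenant so it can grow later


def shard_of(event_id, shards=SHARDS):
    """Deterministic shard for an event so a retried put lands on the same item."""
    digest = hashlib.blake2b(event_id.encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % shards


def partition_key(tenant_id, event_id, shards=SHARDS):
    return f"{tenant_id}#{shard_of(event_id, shards)}"


class FakeTable:
    """Stand-in for a DynamoDB table: items grouped by partition key, sorted by eventTime."""

    def __init__(self):
        self.partitions = defaultdict(list)

    def put_item(self, item):
        bucket = self.partitions[item["pk"]]
        bucket.append(item)
        bucket.sort(key=lambda i: i["eventTime"])

    def query(self, pk, start, end):
        """Equivalent of KeyConditionExpression: pk = :pk AND eventTime BETWEEN :start AND :end"""
        return [i for i in self.partitions[pk] if start <= i["eventTime"] <= end]


def write_event(table, tenant_id, event_id, event_time, payload):
    table.put_item({"pk": partition_key(tenant_id, event_id), "eventTime": event_time,
                    "eventId": event_id, "payload": payload})


def query_tenant(table, tenant_id, start, end, shards=SHARDS):
    """Fan out one Query per shard and merge the already-sorted results on eventTime."""
    per_shard = (table.query(f"{tenant_id}#{s}", start, end) for s in range(shards))
    return list(heapq.merge(*per_shard, key=lambda i: i["eventTime"]))


def load_distribution(table, tenant_id, shards=SHARDS):
    """Items per shard; with the unsharded key all of these would sit in one partition."""
    return {s: len(table.partitions[f"{tenant_id}#{s}"]) for s in range(shards)}


def demo(n_events=1000):
    """Constructed promotion burst: one hot tenant writing one event per second."""
    table = FakeTable()
    for i in range(n_events):
        write_event(table, "acme", f"evt-{i:05d}",
                    f"2024-06-01T10:{i // 60:02d}:{i % 60:02d}Z", {"n": i})
    return table


if __name__ == "__main__":
    t = demo()
    print(load_distribution(t, "acme"))
    window = query_tenant(t, "acme", "2024-06-01T10:05:00Z", "2024-06-01T10:05:59Z")
    print(len(window), window[0]["eventTime"], window[-1]["eventTime"])
```

Two practical caveats: the primary key of an existing table cannot be changed, so this needs a new table and a backfill; and every tenant read now costs one Query per shard, so keep the shard count just large enough to spread the write load and record it alongside the tenant so it can be raised later without a second migration.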

374
MCQeasy

A microservice needs to read exactly one secret value from AWS Secrets Manager. Which IAM permission statement provides the best least-privilege approach to allow the microservice to retrieve that secret value?

A.Allow secretsmanager:GetSecretValue on all secrets using Resource: "*"
B.Allow secretsmanager:GetSecretValue only on the specific secret ARN required by the service
C.Allow secretsmanager:* on the secret name prefix using a wildcard pattern
D.Allow secretsmanager:GetSecretValue on the AWS account root ARN
AnswerB

Restricting the Resource to the exact Secrets Manager secret ARN limits retrieval to only that secret. This minimizes exposure and follows least-privilege practices. (If the secret is encrypted with a customer-managed KMS key, additional KMS permissions may be required for decrypting the ciphertext, but the Secrets Manager permission itself should still be scoped tightly.)

Why this answer

Option B is correct because it grants the minimum necessary permission—secretsmanager:GetSecretValue—scoped to the exact Amazon Resource Name (ARN) of the secret the microservice needs. This follows the AWS least-privilege principle by restricting access to a single action on a single resource, preventing the microservice from reading other secrets even if compromised.

Exam trap

The trap here is that candidates often choose a broad wildcard or 'all resources' permission (Option A or C) thinking it simplifies management, but the SAA-C03 exam consistently tests the principle of least privilege by requiring the most restrictive resource and action scope.

How to eliminate wrong answers

Option A is wrong because using Resource: '*' allows the microservice to retrieve any secret in the account, violating least privilege by granting broad read access. Option C is wrong because allowing secretsmanager:* on a wildcard prefix grants all Secrets Manager actions (including rotation, deletion, and tagging) on multiple secrets, far exceeding the single read requirement. Option D is wrong because the AWS account root ARN is not a valid resource ARN for Secrets Manager; secrets are identified by their own ARNs, not the root account ARN.
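
Questions 369, 370 and 374 all turn on how IAM evaluates policies: an SCP Deny that no principal in a member account can lift, a negated condition operator that also matches when the request omits the key, and an Allow whose Resource names exactly one ARN. The following is an added example, not AWS code or anything from the original page: a small Python evaluator that models only those rules (real IAM has more elements, such as NotAction, resource-based policies and permissions boundaries themselves) and runs the three scenarios. The account id, ARNs and policy names are constructed. The evaluator treats a negated operator as satisfied when the key is absent from the request, matching IAM's documented behaviour, and the SCP also carries a Null-operator statement as an explicit guard so the intent does not depend on that rule alone.

```python
"""Minimal IAM-style policy evaluator for the SCP and least-privilege scenarios (added example)."""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed
BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/ApprovedAppBoundary"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/payments/db-AbCdEf"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)  # IAM wildcards: * and ?


def _condition_ok(cond, ctx):
    """True when every condition block matches the request context."""
    for op, kv in cond.items():
        for key, expected in kv.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if op == "Null":  # "true": key must be absent; "false": key must be present
                if (actual is None) != (expected[0] == "true"):
                    return False
            elif op in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
                if actual is None or not any(_match(e, actual) for e in expected):
                    return False
            elif op in ("ArnNotEquals", "ArnNotLike", "StringNotEquals", "StringNotLike"):
                # A negated operator is satisfied by a request that omits the key entirely.
                if actual is not None and any(_match(e, actual) for e in expected):
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def _evaluate_set(policies, action, resource, ctx):
    """'DENY' on any matching Deny, else 'ALLOW' on a matching Allow, else 'IMPLICIT_DENY'."""
    allowed = False
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):
            if (any(_match(a, action) for a in _as_list(stmt["Action"]))
                    and any(_match(r, resource) for r in _as_list(stmt["Resource"]))
                    and _condition_ok(stmt.get("Condition", {}), ctx)):
                if stmt["Effect"] == "Deny":
                    return "DENY"
                allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


def evaluate(scps, identity_policies, action, resource, ctx=None):
    """SCPs are a boundary: the request needs an Allow from the SCPs and from the identity
    policy, and an explicit Deny in either wins."""
    ctx = ctx or {}
    scp = _evaluate_set(scps, action, resource, ctx)
    idp = _evaluate_set(identity_policies, action, resource, ctx)
    if "DENY" in (scp, idp):
        return "DENY"
    return "ALLOW" if scp == idp == "ALLOW" else "IMPLICIT_DENY"


# AWS attaches this managed SCP by default; without an Allow somewhere in the SCPs nothing works.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ROLE_WRITES = ["iam:CreateRole", "iam:PutRolePermissionsBoundary"]
# Q369: roles may only be created or re-bounded with the approved boundary attached.
SCP_REQUIRE_BOUNDARY = {"Statement": [
    {"Sid": "DenyOtherBoundary", "Effect": "Deny", "Action": ROLE_WRITES, "Resource": "*",
     "Condition": {"ArnNotEquals": {"iam:PermissionsBoundary": BOUNDARY}}},
    {"Sid": "DenyNoBoundary", "Effect": "Deny", "Action": ROLE_WRITES, "Resource": "*",
     "Condition": {"Null": {"iam:PermissionsBoundary": "true"}}},  # explicit guard for "no boundary"
]}
# Q370: no principal in a member account may mint long-lived access keys.
SCP_NO_ACCESS_KEYS = {"Statement": [
    {"Sid": "DenyAccessKeys", "Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"}]}
# A local administrator with unrestricted IAM rights inside the member account.
LOCAL_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
# Q374: the microservice may read exactly one secret (plus kms:Decrypt on its CMK, if it has one).
READ_ONE_SECRET = {"Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN}]}
SCPS = [FULL_AWS_ACCESS, SCP_REQUIRE_BOUNDARY, SCP_NO_ACCESS_KEYS]


def demo():
    role = f"arn:aws:iam::{ACCOUNT}:role/app-role"
    user = f"arn:aws:iam::{ACCOUNT}:user/alice"
    wide = f"arn:aws:iam::{ACCOUNT}:policy/WideOpenBoundary"
    get = "secretsmanager:GetSecretValue"
    return {
        "create_role_approved_boundary": evaluate(SCPS, [LOCAL_ADMIN], "iam:CreateRole", role, {"iam:PermissionsBoundary": BOUNDARY}),
        "create_role_other_boundary": evaluate(SCPS, [LOCAL_ADMIN], "iam:CreateRole", role, {"iam:PermissionsBoundary": wide}),
        "create_role_no_boundary": evaluate(SCPS, [LOCAL_ADMIN], "iam:CreateRole", role),
        "admin_creates_access_key": evaluate(SCPS, [LOCAL_ADMIN], "iam:CreateAccessKey", user),
        "service_reads_its_secret": evaluate(SCPS, [READ_ONE_SECRET], get, SECRET_ARN),
        "service_reads_other_secret": evaluate(SCPS, [READ_ONE_SECRET], get, SECRET_ARN.replace("payments", "hr")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same SCP document can be pasted into Organizations as-is; only the evaluator around it is illustrative. Note that a Deny statement with no Condition (the access-key guardrail) needs no Null guard, and that the Secrets Manager statement needs the secret's full ARN, including the random suffix, or a wildcard only on that suffix.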

375
MCQmedium

A web application runs on an Auto Scaling group (ASG) behind an Application Load Balancer (ALB). The ASG uses the ALB target group health checks to decide when instances are healthy (for example, by using the ELB/target-group health check integration). During a deployment, the ASG performs instance replacement. Shortly after the deployment starts and while new instances are still bootstrapping, CloudWatch shows the ALB target group briefly has zero healthy targets, and users intermittently receive 502 responses. Which ASG deployment configuration best reduces the chance that there will be a period with zero healthy ALB targets, while still keeping failover behavior resilient?

A.Set the Auto Scaling group HealthCheckGracePeriod to a very short value so the ASG acts on ALB health check results as quickly as possible.
B.Use an ASG rolling update approach that launches replacement instances first, ensures the new instances pass the ALB target group health checks, and only then terminates the old instances (for example, by configuring sufficient minimum healthy capacity and waiting on ALB health).
C.Disable ALB target group health checks and route traffic to any registered targets so replacements do not depend on health check status.
D.Reduce the ASG desired capacity by one instance during deployments so the replacement happens faster.
AnswerB

This sequencing avoids a “no healthy targets” window. By keeping capacity stable (or maintaining a minimum healthy percentage) and waiting for the new instances to be marked healthy by the ALB, traffic is only sent to healthy targets during replacement.

Why this answer

Option B is correct because it describes a rolling update strategy that launches new instances first, waits for them to pass ALB target group health checks, and only then terminates old instances. This ensures that at all times during the deployment, there is a sufficient number of healthy instances to serve traffic, preventing the ALB target group from ever having zero healthy targets. The ASG's minimum healthy capacity setting and the wait for ALB health check integration guarantee that failover remains resilient because the old instances continue to handle requests until the new ones are fully ready.

Exam trap

The trap here is that candidates think shortening the health check grace period or disabling health checks speeds up recovery. In practice the first lets the ASG terminate instances that are still bootstrapping, and the second sends traffic to targets that are not ready; both increase 502 errors and reduce resilience.

How to eliminate wrong answers

Option A is wrong because HealthCheckGracePeriod is an Auto Scaling group setting, not a target group one: it is how long the ASG waits after launch before it trusts ELB health check results for a new instance. Setting it very short makes the ASG treat an instance that is still bootstrapping as unhealthy and replace it, which prolongs the period with few or no healthy targets rather than shortening it. Option C is wrong because disabling ALB target group health checks would cause the ALB to route traffic to any registered target regardless of its actual health, leading to more 502 errors and no failover resilience. Option D is wrong because reducing the ASG desired capacity by one instance during deployments does not address the root cause of zero healthy targets; it shrinks the fleet being replaced, but old instances are still terminated before new ones are healthy.
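
The following is an added example, not AWS code or anything from the original page: a tick-based simulation of the two replacement orders discussed above. Every new instance needs BOOT_TICKS ticks before it passes the target group health check, and each strategy returns the number of healthy targets at every tick, so the zero-healthy window the question describes is visible. Fleet size, boot time and the minimum-healthy percentage are constructed inputs, and the surge of one extra instance is a simplification.

```python
"""Healthy-target timeline for two ASG replacement strategies behind an ALB (added example)."""
from dataclasses import dataclass

BOOT_TICKS = 3  # ticks from launch until the ALB marks the target healthy (constructed)


@dataclass
class Instance:
    gen: int       # 0 = old launch template, 1 = replacement
    age: int = 0   # ticks since launch

    @property
    def healthy(self):
        return self.age >= BOOT_TICKS


def _healthy(fleet):
    return sum(i.healthy for i in fleet)


def _tick(fleet):
    for i in fleet:
        i.age += 1


def terminate_then_launch(desired):
    """Naive replacement: terminate an old instance, then launch its replacement.
    Capacity is lost immediately and only returns after bootstrapping."""
    fleet = [Instance(0, BOOT_TICKS) for _ in range(desired)]
    timeline = [_healthy(fleet)]
    while any(i.gen == 0 for i in fleet):
        fleet.remove(next(i for i in fleet if i.gen == 0))
        fleet.append(Instance(1))
        _tick(fleet)
        timeline.append(_healthy(fleet))
    while not all(i.healthy for i in fleet):
        _tick(fleet)
        timeline.append(_healthy(fleet))
    return timeline


def launch_then_terminate(desired, min_healthy_pct=100):
    """Rolling replacement with one surge instance: launch, wait until the replacement passes
    the health check, then terminate an old instance, never dropping below min_healthy_pct."""
    fleet = [Instance(0, BOOT_TICKS) for _ in range(desired)]
    min_healthy = -(-desired * min_healthy_pct // 100)  # ceiling division
    timeline = [_healthy(fleet)]
    while any(i.gen == 0 for i in fleet):
        if len(fleet) <= desired:  # keep at most one extra instance in flight
            fleet.append(Instance(1))
        _tick(fleet)
        replacement_ready = any(i.gen == 1 and i.healthy for i in fleet)
        if replacement_ready and _healthy(fleet) - 1 >= min_healthy:
            fleet.remove(next(i for i in fleet if i.gen == 0))
        timeline.append(_healthy(fleet))
    return timeline


if __name__ == "__main__":
    print("terminate-then-launch:", terminate_then_launch(2))
    print("launch-then-terminate:", launch_then_terminate(2))
    print("launch-then-terminate, 50% minimum:", launch_then_terminate(3, 50))
```

With Auto Scaling instance refresh this sequencing corresponds to MinHealthyPercentage (and MaxHealthyPercentage for the surge capacity) together with an InstanceWarmup at least as long as bootstrapping takes. The ASG health check type must be ELB, otherwise the ASG considers an instance healthy as soon as EC2 status checks pass, long before the ALB does.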
