AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 175

1746 questions total · 24 pages · All types, answers revealed

1
MCQ (hard)

A large enterprise has 200 AWS accounts organized under AWS Organizations. The central security team needs to audit all IAM role trust policies across accounts to ensure no cross-account roles allow external principals. Which approach is most efficient and scalable?

A. Enable AWS Config aggregator and use advanced queries to search for trust policies.
B. Use AWS Trusted Advisor to check for overly permissive roles.
C. Write a script using AWS SDK to list roles in each account and analyze trust policies.
D. Use IAM Access Analyzer to generate findings for each account.
Answer: A

Config aggregator allows querying across all accounts.

Why this answer

Option A is correct because using AWS Config advanced queries across accounts with an aggregator is scalable. Option C is wrong because scripting a per-account review is not scalable. Option B is wrong because Trusted Advisor does not cover custom policies.

Option D is wrong because IAM Access Analyzer identifies external access but does not provide a full audit of trust policies.

2
MCQ (medium)

A company is designing a real-time analytics pipeline to process streaming data from IoT devices. The solution must be serverless and handle data transformation before storage. Which combination of services is most cost-effective?

A. Amazon Kinesis Data Streams, AWS Lambda, and Amazon Kinesis Data Firehose to Amazon S3
B. Amazon Kinesis Data Streams, Amazon EC2 instances for transformation, and Amazon S3
C. Amazon Simple Queue Service (SQS), AWS Lambda, and Amazon S3
D. Amazon Kinesis Data Analytics for real-time SQL and Amazon S3
Answer: A

Serverless, cost-effective for streaming transformation.

Why this answer

Option A is correct because Kinesis Data Streams ingests the data, Lambda transforms it, and Firehose delivers it to S3. Option D (Kinesis Data Analytics) is for SQL analytics, not transformation. Option B (Kinesis Data Streams to EC2) is not serverless.

Option C (SQS to Lambda to S3) misses streaming ingestion.

3
MCQ (medium)

A company is designing a new microservices architecture using Amazon ECS with Fargate. Each service must be isolated within its own VPC and communicate via AWS PrivateLink. The company expects variable traffic and wants to minimize costs. Which solution meets these requirements?

A. Use separate VPCs and connect them via VPC peering with NAT gateways.
B. Deploy all services in a single VPC with security groups to isolate traffic.
C. Use separate VPCs per service and create VPC endpoint services for each.
D. Use a single VPC with Transit Gateway to route between services.
Answer: C

VPC endpoints provide isolated, private connectivity without extra cost.

Why this answer

Option C is correct because using VPC endpoints per service provides isolated connectivity without internet gateways or NAT gateways, reducing costs. Option B is wrong because a shared VPC compromises isolation. Option A is wrong because NAT gateways incur costs and are not needed for PrivateLink.

Option D is wrong because Transit Gateway adds cost and complexity.

4
Multi-Select (medium)

A company wants to implement a cost-effective disaster recovery strategy for a production Amazon RDS for PostgreSQL database. The solution must provide a recovery point objective (RPO) of less than 5 minutes and a recovery time objective (RTO) of less than 15 minutes. Which strategies meet these requirements? (Choose THREE.)

Select 3 answers
A. Enable automated backups with point-in-time recovery.
B. Deploy the database in a Multi-AZ configuration.
C. Take manual snapshots and copy them to another Region.
D. Use AWS Database Migration Service (DMS) for continuous replication to a target in another Region.
E. Create a cross-Region read replica in a different Region.
Answers: B, C, E

Multi-AZ provides automatic failover to a standby in another AZ, meeting RTO <1 minute, but does not protect against region failure.

Why this answer

Option B is correct because a Multi-AZ deployment for Amazon RDS provides automatic failover to a standby instance in a different Availability Zone, which can achieve an RTO of typically 1-2 minutes and an RPO of effectively zero (synchronous replication). This meets the sub-5-minute RPO and sub-15-minute RTO requirements without additional cost for cross-region data transfer.

Exam trap

The trap here is that candidates often confuse cross-Region read replicas (asynchronous, higher RPO/RTO) with Multi-AZ (synchronous, low RPO/RTO), or assume manual snapshots can meet sub-5-minute RPO, but snapshot frequency is typically hours or daily, not minutes.

5
MCQ (easy)

A company is designing a new microservices-based application on AWS. They need to decouple services and ensure asynchronous communication. Which AWS service should they use?

A. Amazon Kinesis
B. Amazon SQS
C. AWS Lambda
D. Amazon SNS
Answer: B

SQS provides a message queue that decouples services.

Why this answer

Amazon SQS is a fully managed message queuing service that enables decoupling of application components. Option D (Amazon SNS) is for pub/sub messaging, Option A (Amazon Kinesis) is for real-time streaming, and Option C (AWS Lambda) is for serverless compute.

6
MCQ (easy)

A company has multiple AWS accounts and wants to centralize the management of security policies. The security team needs to enforce that all IAM users in all accounts must use multi-factor authentication (MFA) to access the AWS Management Console. The solution must be centrally managed and automatically applied to new accounts as they are added. Which approach should be taken?

A. Use AWS Config to detect IAM users without MFA and send alerts.
B. Create an SCP that denies console access for IAM users if MFA is not present.
C. Use AWS IAM Identity Center to enforce MFA for all users accessing the console.
D. Create an IAM policy in each account that denies console access without MFA.
Answer: B

SCPs are centrally managed and apply to all accounts.

Why this answer

AWS Organizations Service Control Policies (SCPs) can centrally deny AWS API actions (including console access) for all IAM users across multiple accounts if the `aws:MultiFactorAuthPresent` condition key is false. This approach is centrally managed from the management account and automatically applies to new accounts added to the organization, meeting the requirement for centralized enforcement and scalability.

Exam trap

The trap here is that candidates confuse IAM Identity Center (federated users) with native IAM users, or they assume AWS Config can enforce policies when it only detects and alerts, leading them to pick a non-preventive or non-centralized solution.

How to eliminate wrong answers

Option A is wrong because AWS Config can detect and alert on IAM users without MFA, but it does not enforce or deny access; it only provides detective controls, not preventive enforcement. Option C is wrong because AWS IAM Identity Center (formerly AWS SSO) manages access for federated users, not for IAM users in individual accounts; it cannot enforce MFA on native IAM users created directly in member accounts. Option D is wrong because creating an IAM policy in each account requires manual per-account deployment and does not automatically apply to new accounts, failing the central management and automatic application requirements.

7
MCQ (easy)

Refer to the exhibit. A company runs the AWS CLI command to list accounts in AWS Organizations. The company wants to remove the account '444444444444' from the organization. What must the company do first before it can remove this account?

A. Close the AWS account from the management account.
B. Create a support ticket to AWS to remove the account.
C. Remove the account's payment method.
D. The management account can directly remove the account without any prerequisites.
Answer: C

An account must be suspended before removal; removing payment method effectively suspends it.

Why this answer

Option C is correct because, before an AWS account can be removed from an AWS Organization, the account must have its payment method removed. This is a prerequisite enforced by AWS to ensure the account is not left in a state where it cannot be billed independently after leaving the organization. The management account cannot directly remove an account that still has an active payment method associated with it.

Exam trap

The trap here is that candidates often assume the management account has full authority to remove any account without prerequisites, overlooking the specific billing prerequisite that AWS enforces to ensure the account can function independently after removal.

How to eliminate wrong answers

Option A is wrong because closing the AWS account from the management account is not a prerequisite for removal; closing an account is a separate action that permanently terminates the account, whereas removal from the organization simply detaches it. Option B is wrong because AWS does not require a support ticket to remove an account from an organization; the management account can remove accounts programmatically via the AWS Organizations API or CLI without contacting support. Option D is wrong because the management account cannot directly remove an account without prerequisites; the account must have its payment method removed first, as per AWS Organizations requirements.

8
MCQ (medium)

A company has a multi-account AWS environment with hundreds of accounts. The central IT team needs to audit all API calls made in the organization. The solution must be cost-effective and capture events from all regions and accounts, including future accounts. Which solution should the company use?

A. Create an organization trail in the management account that logs all events to an S3 bucket with a bucket policy granting access to all accounts.
B. Use AWS Config to record API calls and deliver to a central S3 bucket.
C. Enable CloudTrail in each account and configure each trail to deliver logs to a central S3 bucket.
D. Use VPC Flow Logs to capture API calls and send to a central S3 bucket.
Answer: A

Organization trail automatically captures all accounts and future accounts.

Why this answer

Option A is correct because an organization trail in AWS CloudTrail automatically covers all accounts and regions, including future accounts. Option C is wrong because enabling CloudTrail in each account requires individual setup and is operationally heavy.

Option D is wrong because VPC Flow Logs do not log API calls.

9
MCQ (easy)

A company is designing a new CI/CD pipeline for a web application that will be deployed on Amazon ECS. Which AWS service should the company use to build and test the application code?

A. AWS CodePipeline
B. AWS CodeDeploy
C. AWS CodeCommit
D. AWS CodeBuild
Answer: D

CodeBuild is a managed build service for compiling and testing code.

Why this answer

Option D is correct because AWS CodeBuild is a fully managed build service. Option C is wrong because CodeCommit is a source control service. Option B is wrong because CodeDeploy is a deployment service.

Option A is wrong because CodePipeline is a continuous delivery service.

10
MCQ (medium)

A company uses AWS Organizations and has a central security account. They want to use AWS Security Hub to aggregate findings from all member accounts. They have enabled Security Hub in the security account and invited all member accounts. However, findings from member accounts are not appearing in the Security Hub console of the security account. What is the most likely cause?

A. The member accounts have not configured Security Hub to send findings to the security account.
B. The IAM role used by Security Hub in the security account does not have permissions to read findings from member accounts.
C. Security Hub cannot aggregate findings from member accounts in different regions.
D. The member accounts have not enabled Security Hub and accepted the invitation.
Answer: D

Each member account must enable Security Hub.

Why this answer

Option D is correct because each member account must enable Security Hub and accept the invitation before findings are aggregated. Option C is wrong because Security Hub supports cross-region aggregation. Option B is wrong because IAM permissions are needed but are not the primary cause.

Option A is wrong because there is no such requirement.

11
MCQ (medium)

A company is migrating a .NET application from Windows Server to AWS. The application uses SQL Server and needs to run on Amazon EC2. The company wants to reduce licensing costs. Which Amazon EC2 instance type should the company use?

A. C5
B. T3
C. A1
D. I3
Answer: B

T3 instances are burstable and cost-effective for moderate workloads.

Why this answer

Option B is correct because T3 instances are burstable and cost-effective for workloads with moderate CPU usage. Option C is wrong because A1 instances are ARM-based and may not support .NET. Option A is wrong because C5 instances are compute-optimized and may be overkill.

Option D is wrong because I3 instances are storage-optimized and not cost-effective.

12
MCQ (medium)

A company is modernizing its monolithic application by breaking it into microservices. The application uses a shared MySQL database. The team wants to implement a database per microservice pattern. Which AWS service should be used to manage multiple databases efficiently?

A. Amazon RDS for MySQL with multiple DB instances
B. Amazon ElastiCache for Redis
C. Amazon DynamoDB
D. Amazon EFS
Answer: A

RDS can manage multiple MySQL instances for each microservice.

Why this answer

Option A is correct because Amazon RDS supports multiple database instances for different microservices with managed backups and scaling. Option C is wrong because DynamoDB is NoSQL and not suitable for all microservices. Option D is wrong because EFS is file storage, not a database.

Option B is wrong because ElastiCache is a caching layer, not a primary database.

13
Multi-Select (medium)

A company has a multi-account AWS environment with 50 accounts. They need to implement a centralized logging solution for VPC Flow Logs, CloudTrail, and AWS Config logs. The logs must be stored in a central S3 bucket and encrypted with a customer-managed KMS key. Which THREE steps should be taken to meet these requirements?

Select 3 answers
A. Create an S3 bucket policy that grants permissions to the CloudTrail and AWS Config service principals from all accounts to write logs.
B. Use AWS Config aggregator to collect configuration data from all accounts into a central account.
C. Configure CloudTrail in each account to send logs to the central S3 bucket.
D. Create a customer-managed KMS key with a key policy that allows the CloudTrail and AWS Config service principals to use the key for encryption.
E. Enable VPC Flow Logs in each account and deliver them to a central CloudWatch Logs group.
Answers: A, C, D

Bucket policy must allow cross-account delivery.

Why this answer

Option A is correct because the central S3 bucket must allow log delivery from all accounts via its bucket policy. Option C is correct because CloudTrail trails can be configured to deliver to a central bucket across accounts. Option D is correct because the KMS key policy must grant permissions to the log delivery services across accounts.

Option E is wrong because VPC Flow Logs cannot be directly aggregated to a central account without third-party tools or cross-account delivery. Option B is wrong because AWS Config data is per-account; aggregation is done via an aggregator, not direct log delivery.

14
Multi-Select (hard)

A company has a multi-account AWS environment. The security team wants to enforce that all IAM roles in the production accounts can only be assumed from a specific IP range (the corporate network). Which TWO approaches can achieve this?

Select 2 answers
A. Attach a Service Control Policy (SCP) to the production OU that denies sts:AssumeRole unless the request source IP is within the corporate range.
B. Use a VPC endpoint for STS and restrict access to the endpoint.
C. Configure AWS WAF to block requests from IPs outside the corporate range.
D. Add a condition to the trust policy of each IAM role that requires the source IP to be in the corporate range.
E. Attach a Service Control Policy (SCP) to each IAM role that denies assume role unless the source IP is corporate.
Answers: A, D

SCPs can enforce conditions on API calls.

Why this answer

Options A and D are correct. Option A: an SCP can deny the sts:AssumeRole action if the request does not come from the corporate IP range. Option D: a condition on the source IP can be added to each role's trust policy.

Option E is wrong because SCPs cannot be attached to roles. Option C is wrong because AWS WAF is for web traffic, not IAM. Option B is wrong because VPC endpoints do not enforce source IP.

15
MCQ (medium)

A company is migrating a monolithic e-commerce application to a microservices architecture on AWS. The migration must minimize downtime and allow rollback. Which migration strategy should the company use?

A. Refactor
B. Big bang migration
C. Strangler fig pattern
D. Rehost (lift and shift)
Answer: C

Gradually replaces monolith with microservices, allowing rollback.

Why this answer

Option C is correct because the strangler fig pattern allows incremental replacement of monolithic components with microservices, minimizing risk and enabling rollback. Option B (big bang) risks extended downtime. Option D (rehost) does not modernize.

Option A (refactor) is not wrong in itself, but it is not a migration pattern name.

16
MCQ (medium)

A company is migrating a monolithic application to AWS. They want to minimize refactoring effort while gaining some benefits of the cloud. Which migration strategy is most appropriate?

A. Refactor / Re-architect
B. Repurchase
C. Rehost (lift-and-shift)
D. Replatform (lift-tinker-and-shift)
Answer: C

Minimal changes; move as-is to EC2 or VMware Cloud on AWS.

Why this answer

Option C is correct because Rehost (lift-and-shift) requires minimal changes to the application code. Option A is wrong because Refactor/Re-architect requires significant code changes. Option D is wrong because Replatform (lift-tinker-and-shift) involves some modifications.

Option B is wrong because Repurchase involves switching to a different product.

17
MCQ (medium)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets are encrypted using AES-256. What is the MOST effective way to enforce this requirement?

A. Create an SCP that denies s3:CreateBucket unless encryption is specified.
B. Use CloudTrail to monitor bucket creation and alert security team.
C. Create an SCP that denies s3:PutBucketPublicAccessBlock without encryption.
D. Use AWS Config rules to detect non-compliant buckets and auto-remediate.
Answer: A

SCPs can deny actions based on conditions like encryption.

Why this answer

Option A is correct because a service control policy (SCP) can deny creation of S3 buckets without encryption. Options B, C, and D are not effective at enforcing across all accounts.

18
MCQ (medium)

A company uses AWS CodePipeline to deploy a web application to an Elastic Beanstalk environment. The deployment pipeline includes a source stage, a build stage using CodeBuild, and a deploy stage. Recently, deployments have been failing in the deploy stage with the error: 'The environment is in an invalid state for this operation.' The developer confirms the build artifacts are correct. What is the MOST likely cause?

A. The environment's load balancer is not available
B. The environment's Auto Scaling group has insufficient capacity
C. The Elastic Beanstalk environment uses a t2.micro instance type which is not supported by CodePipeline
D. Another deployment or configuration update is already in progress on the environment
Answer: D

Elastic Beanstalk locks the environment during updates.

Why this answer

Option D is correct because if an update or configuration change is already in progress, Elastic Beanstalk prevents concurrent operations. Option C is wrong because CodePipeline does not require a specific instance type. Option B is wrong because insufficient capacity would cause a different error.

Option A is wrong because an unavailable load balancer would be a symptom, not the cause.

19
MCQ (hard)

A company runs a containerized application on Amazon ECS with Fargate launch type. The application needs to access an S3 bucket. The ECS task role has the necessary S3 permissions. However, the application is unable to upload files to S3. What is the MOST likely cause?

A. The task execution role is missing S3 permissions
B. The S3 bucket policy denies access to the task role
C. The VPC does not have an S3 VPC endpoint
D. The task definition does not specify the correct task role ARN
Answer: D

The task role must be correctly specified in the task definition.

Why this answer

Option D is correct because Fargate tasks use the task execution role for pulling images and logging, but for S3 access the application needs the task role with proper IAM permissions. The task role exists with the right permissions, so the most likely cause is that the task definition does not reference the correct role ARN. Option C is wrong because a VPC endpoint for S3 is not required if the task can reach S3 via the internet or a NAT gateway.

Option A is wrong because the task execution role is for the ECS agent, not for the application. Option B is wrong because, although an S3 bucket policy could block access, the question states the task role has the needed permissions.

20
MCQ (hard)

A company is building a serverless application using AWS Lambda. The function needs to access a private Amazon RDS MySQL database. The Lambda function and the RDS instance are in the same VPC. What is the correct way to configure the Lambda function to connect to the database?

A. Configure the Lambda function to run in the same VPC, subnets, and security group as the RDS instance.
B. Use a NAT Gateway to allow Lambda to access RDS through the internet.
C. Assign an IAM role that allows Lambda to access RDS and configure the security group to allow traffic from the Lambda service.
D. Attach an Elastic Network Interface (ENI) to the Lambda function in the same subnet as the RDS instance.
Answer: A

This allows Lambda to connect to RDS over the network. The security group must allow inbound from Lambda's security group.

Why this answer

Option A is correct because Lambda functions in a VPC must be configured with the same VPC, subnets, and security group as the RDS instance to establish direct network connectivity. By placing the Lambda function in the same security group, you can allow inbound traffic from the security group itself (self-referencing rule) or explicitly open the database port (e.g., 3306 for MySQL) to the Lambda's security group. This ensures traffic stays within the VPC and does not traverse the internet, meeting security and latency requirements.

Exam trap

The trap here is that candidates often assume IAM roles or NAT Gateways provide network access, but AWS Lambda requires explicit VPC configuration with subnets and security groups to route traffic to private resources like RDS within the same VPC.

How to eliminate wrong answers

Option B is wrong because a NAT Gateway is used to allow outbound internet access from a private subnet, not to enable Lambda to connect to RDS within the same VPC; using a NAT Gateway would route traffic through the internet, which is unnecessary and insecure for private database access. Option C is wrong because an IAM role alone does not provide network connectivity; Lambda still needs to be attached to the VPC via an ENI, and security group rules must explicitly allow traffic from the Lambda function's ENI, not from the Lambda service itself. Option D is wrong because Lambda automatically creates and attaches an ENI when configured with VPC settings; you cannot manually attach an ENI to a Lambda function, and the ENI is placed in the specified subnets, not directly attached as a separate step.

21
MCQ (easy)

A company is using Amazon API Gateway to expose a REST API. The API backend is a Lambda function that queries an Amazon DynamoDB table. During peak hours, the API returns HTTP 429 (Too Many Requests) errors. What is the MOST cost-effective way to reduce these errors?

A. Enable API caching in API Gateway.
B. Enable DynamoDB auto-scaling.
C. Increase the throttling limits in API Gateway.
D. Increase the reserved concurrency of the Lambda function.
Answer: C

Higher throttling limits reduce 429 errors by allowing more requests.

Why this answer

Option C is correct because increasing the API Gateway throttling limits allows more requests to pass through to the backend. Option D is wrong because increasing Lambda reserved concurrency may help but is more expensive than adjusting throttling limits. Option B is wrong because DynamoDB auto-scaling addresses database capacity, not API throttling.

Option A is wrong because API caching reduces backend calls for repeated requests but does not address throttling limits.

22
MCQ (easy)

A company is migrating a monolithic application to a microservices architecture on AWS. They want to decouple the services and ensure that messages between services are processed asynchronously and durably. Which AWS service should they use for this purpose?

A. Amazon Kinesis Data Streams
B. Amazon Simple Queue Service (SQS)
C. Amazon Simple Notification Service (SNS)
D. AWS Step Functions
Answer: B

SQS is a fully managed message queue for decoupling and asynchronous processing.

Why this answer

Option B is correct because Amazon SQS provides a fully managed message queue for asynchronous communication between microservices. Option C is incorrect because Amazon SNS is a pub/sub service, not a queue. Option A is incorrect because Amazon Kinesis is for real-time streaming.

Option D is incorrect because AWS Step Functions is for orchestrating workflows.

23
MCQ (medium)

A company is migrating 50 TB of data from on-premises to Amazon S3 over a 100 Mbps internet connection. The migration must complete within 30 days. What should they do?

A. Use AWS Snowball Edge devices
B. Use AWS DataSync to transfer data
C. Use AWS Direct Connect to increase bandwidth
D. Use S3 Transfer Acceleration
Answer: A

Snowball Edge provides physical data transfer, overcoming bandwidth limitations.

Why this answer

At 100 Mbps, transferring 50 TB would take approximately 48 days (50 TB * 1024 GB/TB * 1024 MB/GB * 8 bits/byte / 100 Mbps / 86400 sec/day ≈ 48 days), exceeding the 30-day window. AWS Snowball Edge moves the data faster via physical shipment. Option C (Direct Connect to increase bandwidth) may not be feasible.

Option D (S3 Transfer Acceleration) still uses the internet connection. Option B (AWS DataSync) also uses the network.

24
MCQ (hard)

A company is migrating a legacy monolithic e-commerce platform to AWS. The platform consists of a Java-based web application, an Oracle database, and a file server storing product images. The company's migration requirements are: (1) minimize downtime during cutover, (2) reduce operational overhead for the database, (3) enable future migration to microservices. The current on-premises environment experiences high I/O latency for the file server. The company has already set up a VPN connection to AWS and has installed the AWS Application Discovery Service agent on all servers. During the assessment, you discover that the Oracle database is 2 TB and the file server holds 5 TB of images. The web application is tightly coupled with the database and uses stored procedures. You need to design the migration approach. Which combination of actions should be taken?

A. Use AWS Snowball Edge to transfer the database and files. After data is loaded, cut over DNS to AWS.
B. Use AWS DMS for continuous replication of the database to Amazon RDS for Oracle. Use AWS DataSync to copy files to Amazon EFS. Then cut over.
C. Use AWS DMS with ongoing replication to Amazon RDS for Oracle. Use S3 Transfer Acceleration to upload files to Amazon S3. Then cut over.
D. Refactor the application into microservices using Amazon ECS. Use Amazon RDS for Oracle and Amazon S3 for images. Then cut over gradually.
Answer: C

Minimizes downtime, reduces operational overhead, and addresses high latency.

Why this answer

Option C is correct because using AWS DMS with ongoing replication minimizes downtime, RDS for Oracle reduces operational overhead, and S3 with Transfer Acceleration addresses high latency for file transfer. Option A is wrong because Snowball is offline and may cause longer cutover. Option B is wrong because EFS is not the best for image storage; S3 is better.

Option D is wrong because refactoring to microservices during migration increases risk and complexity.

25
MCQ (medium)

A company is using AWS Lambda functions to process data from an S3 bucket. Recently, the function has been timing out. The function has a 5-minute timeout configured. What is the most likely cause of the timeout?

A. The Lambda function was moved to a different VPC.
B. The Lambda function's reserved concurrency is set too low.
C. The Lambda function's memory is too low.
D. The Lambda function is processing larger files than before.
Answer: D

Larger files increase processing time, causing timeout.

Why this answer

Option D is correct because if the Lambda function is processing larger files, it may exceed the 5-minute timeout. Option C is incorrect because the memory setting does not affect the timeout. Option B is incorrect because reserved concurrency does not affect execution time.

Option A is incorrect because a new VPC configuration would not cause a timeout by itself.

26
MCQ (medium)

A company is planning to migrate its on-premises data warehouse to AWS. The data warehouse runs on a large Oracle RAC cluster with complex stored procedures and ETL jobs. The company wants to minimize migration effort while gaining cloud benefits. Which AWS service should be used as the target?

A. Amazon DynamoDB
B. Amazon RDS for Oracle
C. Amazon Redshift
D. Amazon Aurora PostgreSQL
Answer: C

Redshift is AWS's data warehouse service, suitable for migrating from Oracle.

Why this answer

Option C is correct because Amazon Redshift is the AWS data warehouse service, and an Oracle warehouse can be migrated to it with minimal changes using the AWS Schema Conversion Tool (SCT). Option B is wrong because RDS is not a data warehouse. Option D is wrong because Aurora is a relational database, not a data warehouse.

Option A is wrong because DynamoDB is a NoSQL database.

27
MCQ (hard)

A solutions architect is reviewing the above IAM policy attached to an S3 bucket. A user from IP address 10.0.1.5 makes a request over HTTP (not HTTPS). Will the user be able to download an object?

A. No, because the IP address is not in the allowed range.
B. Yes, because the IP address is allowed.
C. No, because the request is not using HTTPS.
D. Yes, because the Allow statement is evaluated first.
Answer: C

The Deny statement blocks non-HTTPS requests.

Why this answer

The Deny statement with `aws:SecureTransport` set to false explicitly denies requests that are not using HTTPS. Even though the Allow statement permits the IP range, the explicit Deny overrides it. Therefore, the request is denied.

28
MCQ (hard)

A company is planning to migrate a 50 TB Oracle database to Amazon Aurora PostgreSQL. The company requires minimal downtime and wants to use AWS DMS for the migration. The source database is currently running on a dedicated server with high transaction volume. The network bandwidth between on-premises and AWS is 1 Gbps. What additional step should the company take to accelerate the migration and reduce downtime?

A. Use AWS Snowball to transfer an initial full load of the database to Amazon S3, then use AWS DMS for ongoing replication
B. Migrate the database in smaller batches by moving individual schemas sequentially
C. Use AWS DMS with a single task and disable validation to speed up the process
D. Increase the network bandwidth to 10 Gbps for the duration of the migration
Answer: A

Correct. Snowball handles large data transfer without network constraints, reducing time for the initial load.

Why this answer

Using AWS DMS with multiple parallel tasks and CDC can accelerate the migration. Reducing the data size by archiving old data before migration reduces the initial load. Increasing bandwidth may help but is not always feasible.

Using Snowball for initial load bypasses network limitations for large datasets.

29
Multi-Select (medium)

A company is designing a multi-account AWS environment with a centralized logging account. Which TWO services should be used to aggregate logs from all accounts?

Select 2 answers
A. AWS CloudTrail with cross-account S3 bucket
B. Amazon CloudWatch Logs with cross-account subscription
C. Amazon S3 cross-region replication
D. Amazon VPC Flow Logs
E. Amazon Kinesis Data Firehose
Answers: A, B

CloudTrail can deliver logs to a centralized S3 bucket in another account.

Why this answer

Options A and B are correct. CloudTrail logs can be delivered to a centralized S3 bucket in the logging account using cross-account delivery. CloudWatch Logs can be aggregated using cross-account subscription filters to a central account.

Option E is wrong because Kinesis Data Firehose can be used but is not the primary aggregator for logs. Option C is wrong because S3 cross-region replication is a storage mechanism, not an aggregation service. Option D is wrong because VPC Flow Logs are sent to S3 or CloudWatch Logs, not directly to a central account.

30
MCQ (medium)

A company is using AWS CodePipeline with an S3 source action. After a successful deployment, the latest commit ID is stored as an environment variable in the CodeBuild project. The team notices that subsequent pipeline executions are not triggering when new commits are pushed to the S3 bucket. What is the most likely cause?

A. The CodePipeline service role lacks permissions to poll the S3 bucket.
B. The S3 bucket policy does not allow CodePipeline to read objects.
C. The S3 bucket does not have an event notification configured to trigger the pipeline.
D. The CodePipeline webhook is misconfigured.
Answer: C

Without event notification, CodePipeline won't automatically start on new commits.

Why this answer

Option C is correct because S3 event notifications for PUT and POST operations require the bucket to be configured to send events to CodePipeline. Option B is wrong because the bucket policy is not relevant for event notifications. Option D is wrong because CodePipeline can use S3 as a source without a webhook.

Option A is wrong because the pipeline's service role is not the cause.

31
MCQ (medium)

A company is migrating a monolithic application to microservices on Amazon ECS. The application needs to communicate with external partners via HTTPS. The company wants to use mTLS for mutual authentication. Which AWS service should be used to handle the mTLS termination?

A. Application Load Balancer (ALB) with mutual TLS
B. Amazon CloudFront with a custom origin
C. Network Load Balancer (NLB) with TLS termination
D. Amazon API Gateway HTTP API
Answer: A

ALB supports mTLS for mutual authentication.

Why this answer

Option A is correct because Application Load Balancer supports mTLS authentication. Option B is incorrect because CloudFront does not natively support mTLS. Option C is incorrect because Network Load Balancer does not support mTLS.

Option D is incorrect because API Gateway supports mTLS only in REST API mode, not HTTP API, and is less suitable for ECS.

32
MCQ (medium)

A company is migrating its on-premises NoSQL database (MongoDB) to Amazon DocumentDB. The migration must have minimal downtime. The company uses AWS DMS with ongoing replication. After starting the replication, the target DocumentDB cluster shows a lag of several minutes. The source MongoDB has high write throughput. What should the company do to reduce replication lag?

A. Increase the DMS replication instance size.
B. Increase the DocumentDB cluster instance size.
C. Disable CDC and perform a full load only.
D. Enable Parallel Apply in DMS task settings.
Answer: A

More resources improve replication speed.

Why this answer

Option A is correct because larger DMS instances handle higher throughput. Option B is wrong because increasing DocumentDB size doesn't help DMS. Option C is wrong because CDC captures changes.

Option D is wrong because Parallel Apply is not a DMS setting.

33
MCQ (easy)

A company uses AWS Lambda to process events from an SQS queue. The Lambda function has a reserved concurrency of 5. During peak hours, messages are being backed up in the queue. The function's duration is well within the 15-minute limit. What is the fastest way to increase throughput?

A. Increase the function's maximum thread count.
B. Increase the reserved concurrency to 20.
C. Create additional SQS queues and distribute messages.
D. Increase the SQS batch size to 100.
Answer: B

More concurrency allows more messages to be processed in parallel.

Why this answer

Option B is correct because increasing reserved concurrency allows more simultaneous invocations, processing more messages in parallel. Option A is wrong because Lambda functions don't have a 'thread count' setting. Option D is wrong because the batch size is already maxed at 10 for SQS.

Option C is wrong because adding more queues would require code changes and doesn't directly help.

34
MCQ (easy)

A company wants to centralize management of IAM users and groups across multiple AWS accounts. The solution should allow users to access resources in any account without needing separate credentials. Which AWS service should be used?

A. AWS Identity and Access Management (IAM)
B. AWS Organizations
C. AWS IAM Identity Center (AWS SSO)
D. AWS Directory Service for Microsoft Active Directory
Answer: C

Provides centralized user management and single sign-on.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides a centralized identity source that allows users to sign in once with a single set of credentials and then access multiple AWS accounts and applications. It integrates with AWS Organizations to manage user and group permissions across accounts, eliminating the need for separate IAM users in each account.

Exam trap

The trap here is that candidates often confuse AWS Organizations with a user management service, but Organizations only manages accounts and policies, not user identities or authentication.

How to eliminate wrong answers

Option A is wrong because IAM is account-scoped and cannot centralize user management across multiple AWS accounts; it requires creating separate IAM users in each account, which defeats the goal of single sign-on. Option B is wrong because AWS Organizations provides policy-based management and consolidated billing but does not itself offer a user directory or authentication mechanism; it relies on IAM Identity Center or other identity providers for user access. Option D is wrong because AWS Directory Service for Microsoft Active Directory is a managed AD service that can be used as an identity source, but it is not the AWS-native service for centralizing IAM user and group management across accounts; IAM Identity Center is the recommended service for this purpose.

35
MCQ (medium)

A company has a multi-account AWS environment with a central security account. They want to enable Amazon GuardDuty in all accounts and centrally view findings. The security team has already enabled GuardDuty in the security account and invited all member accounts. However, the security account is not receiving findings from all member accounts. Upon investigation, some member accounts show that GuardDuty is not enabled, and some show that they have not accepted the invitation. The team needs a scalable solution to enable GuardDuty across all accounts and ensure findings are sent to the security account. What should the team do?

A. Use AWS Config rules to detect accounts without GuardDuty and send alerts.
B. Use AWS CloudFormation StackSets to deploy GuardDuty resources in each account.
C. Use AWS Control Tower to enable GuardDuty in all accounts via a custom blueprint.
D. Use the GuardDuty delegated administrator feature with AWS Organizations to automatically enable GuardDuty in all accounts and centralize findings.
Answer: D

Automates enablement and centralization.

Why this answer

Option D is correct because the GuardDuty delegated administrator feature integrated with AWS Organizations allows the security account to be designated as the GuardDuty administrator, which can then automatically enable GuardDuty for all existing and future member accounts in the organization. This eliminates the need for manual invitations and acceptances, ensuring that findings are centrally aggregated in the security account without requiring per-account configuration.

Exam trap

The trap here is that candidates may choose CloudFormation StackSets (Option B) thinking it can deploy GuardDuty resources across accounts, but they overlook that StackSets cannot automatically accept GuardDuty invitations or leverage the Organizations delegated administrator model to bypass the manual acceptance step.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can only detect noncompliant resources and trigger alerts or remediation actions, but they cannot automatically enable GuardDuty across accounts or manage the invitation/acceptance workflow required for centralized findings. Option B is wrong because CloudFormation StackSets can deploy resources across accounts, but they require the member accounts to already have accepted the GuardDuty invitation or be part of the same organization; they do not automate the invitation acceptance process or leverage the delegated administrator model to bypass manual steps. Option C is wrong because AWS Control Tower custom blueprints are used to deploy additional governance controls or resources, but they do not natively support the GuardDuty delegated administrator feature; enabling GuardDuty across all accounts in Control Tower is better achieved through Organizations integration, not a custom blueprint.

36
Drag & Drop (medium)

Drag and drop the steps to set up AWS CloudTrail for logging API activity in the correct order.

Why this order

First create the S3 bucket, then create the trail, configure events, enable security features, and verify delivery.

37
MCQ (medium)

A company has a multi-account AWS environment and wants to enforce that all EC2 instances are launched with a specific AMI ID. The AMI ID is maintained by the security team in a central account. What is the MOST effective way to enforce this across all accounts?

A. Create an EC2 launch template with the approved AMI and share it with all accounts
B. Use AWS CloudTrail to monitor instance launches and trigger a Lambda function to terminate non-compliant instances
C. Use AWS Config rules in each account to detect non-compliant instances and send alerts
D. Apply a service control policy (SCP) that denies ec2:RunInstances if the ami parameter does not match the approved AMI ID
Answer: D

SCPs enforce at the API level across all accounts in the organization.

Why this answer

Option D is correct because an SCP can centrally deny the ec2:RunInstances action unless the request includes a specific AMI ID parameter, enforced across all accounts in the AWS Organization. This preventive control blocks non-compliant launches at the API level, ensuring no instance can be created with an unapproved AMI, regardless of account-level permissions.

Exam trap

The trap here is that candidates confuse detective controls (Config, CloudTrail/Lambda) with preventive controls (SCPs), assuming that alerting or terminating non-compliant instances is as effective as blocking the launch entirely.

How to eliminate wrong answers

Option A is wrong because sharing an EC2 launch template does not enforce its use; users can still launch instances with other AMIs by ignoring the template. Option B is wrong because CloudTrail monitoring with Lambda termination is a reactive, detective control that allows non-compliant instances to run temporarily, incurring cost and risk before termination. Option C is wrong because AWS Config rules are also detective, only alerting or triggering remediation after a non-compliant instance exists, not preventing the launch.

38
MCQ (easy)

A DevOps engineer notices that a CloudFormation stack update fails with the error: 'UPDATE_ROLLBACK_FAILED'. The stack is in a state where some resources were updated, but others failed to update. The engineer needs to fix the stack and complete the update. What should the engineer do FIRST?

A. Add a new resource to the stack to force a new update
B. Manually correct the resources that are preventing rollback, then use 'ContinueUpdateRollback'
C. Submit another stack update with the original template to overwrite the changes
D. Delete the stack and recreate it with the same template
Answer: B

This is the standard procedure to recover from rollback failure.

Why this answer

Option B is correct because when a stack update fails and the rollback also fails, you must manually fix the resources that prevent the rollback (e.g., delete a resource that is stuck) and then continue the rollback. Option C is wrong because you cannot update a stack in the UPDATE_ROLLBACK_FAILED state without first completing the rollback. Option A is wrong because you cannot add resources while the stack is in a failure state.

Option D is wrong because you cannot delete the stack without first fixing the rollback.

39
Multi-Select (hard)

A company uses AWS Organizations with a dedicated security account. They want to centralize the management of AWS Config rules and ensure that all accounts are compliant with the same set of rules. Which THREE steps should they take?

Select 3 answers
A. Apply a service control policy (SCP) that requires AWS Config to be enabled.
B. Create an AWS Config aggregator in the security account to view compliance status across accounts.
C. Use AWS CloudFormation StackSets to deploy the desired AWS Config rules to all accounts.
D. Enable AWS Config in all accounts across the organization.
E. Use AWS CloudTrail to monitor compliance status.
Answers: B, C, D

Centralized dashboard.

Why this answer

Option B is correct because an AWS Config aggregator in the security account collects compliance data from all member accounts, providing a centralized view of rule compliance across the organization. This enables the security team to monitor and audit compliance without logging into each account individually.

Exam trap

The trap here is confusing service control policies (SCPs) with service enablement; SCPs restrict permissions but cannot automatically enable AWS Config, leading candidates to incorrectly select option A as a way to enforce compliance.

40
MCQ (medium)

Refer to the exhibit. A solutions architect runs the AWS CLI command to check the state of an EC2 instance. The output shows the instance is running. However, the application team reports that the instance is unreachable over SSH. What is the MOST likely cause?

A. The CLI command is querying the wrong instance
B. A security group rule blocks inbound SSH traffic
C. The instance is in a 'stopped' state
D. The instance does not have EBS optimization enabled
Answer: B

Security groups control inbound traffic.

Why this answer

Option B is correct. The instance state is 'running', so it is not stopped or terminated. The issue is most likely a security group or network ACL blocking SSH.

Option C is wrong because the instance is running. Option A is wrong because the instance ID is not shown but the query is correct. Option D is wrong because EBS optimization does not affect network connectivity.

41
Multi-Select (hard)

A company is designing a new application that will process streaming data from thousands of IoT devices. The data must be ingested in real time and then processed using Apache Flink. Which services should be used? (Choose TWO.)

Select 2 answers
A. Amazon Kinesis Data Streams
B. AWS Lambda
C. Amazon Kinesis Data Analytics for Apache Flink
D. Amazon Kinesis Data Firehose
E. Amazon Simple Queue Service (SQS)
Answers: A, C

Kinesis Data Streams is designed for real-time data ingestion.

Why this answer

Amazon Kinesis Data Streams is the correct ingestion service because it provides a durable, scalable, real-time data streaming platform that can handle the high throughput from thousands of IoT devices. It stores data in shards for up to 365 days, enabling Apache Flink to consume and process the data with exactly-once semantics and low latency.

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose with Kinesis Data Streams, not realizing that Firehose is a delivery service that does not support Apache Flink's requirement for per-record replay and checkpointing, while Data Streams provides the necessary persistent, ordered stream.

42
MCQ (hard)

A company is running a stateful web application on EC2 instances behind an ALB. Users report that when they refresh a page, they are logged out. What is the best solution to fix this issue?

A. Enable cross-zone load balancing on the ALB.
B. Enable sticky sessions on the ALB.
C. Replace the ALB with a Classic Load Balancer.
D. Use ElastiCache to store session data.
Answer: B

Sticky sessions route a user to the same instance.

Why this answer

Option B is correct because enabling stickiness (session affinity) ensures requests from the same user go to the same instance. Option C is incorrect because a Classic Load Balancer doesn't solve statefulness. Option D is incorrect because ElastiCache doesn't solve routing.

Option A is incorrect because cross-zone load balancing doesn't affect session persistence.

43
MCQ (hard)

Refer to the exhibit. An SCP is attached to an OU. A developer in an account under this OU tries to launch a t3.large EC2 instance. What will happen?

A. The instance launch is allowed because the condition uses StringNotEquals, which is not evaluated correctly.
B. The instance launch is denied because the SCP denies any instance type not in the allowed list.
C. The instance launch is denied, but only if the account's IAM policy also denies it.
D. The instance launch is allowed because the SCP has an explicit deny, but it only applies to certain instance types.
Answer: B

Correct: the deny effect applies when the condition is true.

Why this answer

The SCP explicitly denies any EC2 instance launch where the instance type does not match the allowed list using `StringNotEquals`. Since `t3.large` is not in the allowed list (`t2.micro`, `t2.small`, `t2.medium`), the condition evaluates to true, triggering the explicit deny. SCPs act as a guardrail that overrides any IAM permissions, so the launch is denied regardless of the account's IAM policies.

Exam trap

The trap here is that candidates may think `StringNotEquals` is a misconfiguration or that SCPs only apply if the IAM policy also denies, but in reality, an explicit deny in an SCP is absolute and cannot be bypassed by IAM allows.

How to eliminate wrong answers

Option A is wrong because `StringNotEquals` is evaluated correctly by AWS; it denies actions when the specified value does not match the allowed list, not the other way around. Option C is wrong because SCPs are evaluated before IAM policies and can deny actions even if the IAM policy allows them; an explicit deny in an SCP cannot be overridden by an IAM allow. Option D is wrong because the SCP's explicit deny applies to all instance types not in the allowed list, and `t3.large` is not in that list, so the deny is triggered.

44
MCQ (easy)

A company has multiple AWS accounts that are centrally managed using AWS Organizations. The security team requires that all API activity be logged and retained for 7 years. The logs must be stored in a central Amazon S3 bucket that is in the management account. Which solution meets these requirements with the least operational overhead?

A. Enable CloudTrail in each account and use S3 Cross-Region Replication to copy logs to a central bucket.
B. Use Amazon Kinesis Data Firehose to stream CloudTrail logs from each account to a central S3 bucket.
C. Enable CloudTrail in each account individually and configure log file delivery to a bucket in that account.
D. Enable AWS CloudTrail in the management account with an organization trail, and configure the trail to deliver logs to an S3 bucket in the management account.
Answer: D

Organization trail delivers logs from all accounts to a central bucket.

Why this answer

Option D is correct because enabling an organization trail in the management account automatically applies CloudTrail to all accounts in the AWS Organization, delivering logs to a single S3 bucket in the management account without any per-account configuration or additional replication mechanisms. This meets the 7-year retention requirement with the least operational overhead, as the trail is centrally managed and logs are stored directly in the central bucket.

Exam trap

The trap here is that candidates often assume they must enable CloudTrail in each account individually or use replication/streaming services, failing to recognize that an organization trail in the management account automatically centralizes log delivery from all accounts with minimal configuration.

How to eliminate wrong answers

Option A is wrong because S3 Cross-Region Replication adds operational complexity and cost, and it does not address the need to centrally collect logs from all accounts without per-account CloudTrail setup. Option B is wrong because Amazon Kinesis Data Firehose requires setting up a delivery stream in each account and adds unnecessary complexity and potential data transformation overhead, whereas an organization trail provides direct log delivery. Option C is wrong because it requires enabling CloudTrail individually in each account and then manually aggregating logs from separate buckets, which increases operational overhead and does not leverage the centralized management capabilities of AWS Organizations.

45
MCQ (hard)

A company runs a containerized application on Amazon ECS with Fargate launch type. The application experiences intermittent timeouts when calling an external API. The ECS tasks are in a private subnet with a NAT gateway. How can the company improve the reliability of outbound traffic?

A. Place the tasks in a public subnet with auto-assign public IP.
B. Deploy a NAT gateway in each Availability Zone and update the route tables.
C. Increase the NAT gateway's bandwidth by using a larger instance type.
D. Use AWS Transit Gateway to route traffic through a central VPC.
Answer: B

Eliminates single point of failure for outbound traffic.

Why this answer

Option B is correct because a NAT Gateway in each AZ provides high availability; without it, a single NAT Gateway failure causes timeouts. Option A is wrong because it reduces security. Option C is wrong because it does not address NAT redundancy.

Option D is wrong because it adds complexity without directly fixing NAT issues.

46
MCQ (easy)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences periodic spikes in traffic. The operations team wants to ensure that the application can handle the spikes without manual intervention. What is the MOST cost-effective solution?

A. Use a scheduled scaling policy to add instances during predicted peak hours.
B. Create a target tracking scaling policy using the ALB RequestCountPerTarget metric.
C. Manually add instances when traffic spikes are expected.
D. Use a simple scaling policy based on CPU utilization.
Answer: B

This automatically scales based on request count per target.

Why this answer

Option B is correct because a target tracking scaling policy automatically adjusts capacity based on a metric, and the ALB RequestCountPerTarget metric is appropriate for web traffic spikes. Option D uses the wrong metric, C requires manual intervention, and A is not cost-effective.

47
Drag & Drop (medium)

Drag and drop the steps to deploy a serverless application using AWS SAM in the correct order.

Why this order

First write the template, then build, package, deploy, and test.

48
MCQ (easy)

A company is migrating a stateful application to AWS. The application maintains session state in memory on the application server. Which AWS service should be used to store session state for high availability?

A. Amazon RDS
B. Amazon S3
C. Amazon ElastiCache
D. Amazon EBS
Answer: C

ElastiCache (Memcached or Redis) is purpose-built for session state.

Why this answer

Option C is correct because ElastiCache is an in-memory data store ideal for session state. Option A is wrong because RDS is a relational database, which is slower for session state. Option B is wrong because S3 is object storage, not suitable for low-latency session state.

Option D is wrong because EBS is block storage attached to a single instance.

49
MCQ (easy)

A company is using AWS Elastic Beanstalk to deploy a web application. The application's performance degrades over time due to increasing database connections. The company wants to implement a solution that automatically scales the database tier based on connection count. Which action should be taken?

A. Migrate the database to Amazon DynamoDB with auto scaling.
B. Use Amazon RDS Proxy to manage database connections and enable connection pooling.
C. Enable Multi-AZ on the RDS instance and modify the DB instance class.
D. Configure the Auto Scaling group to scale based on CPU utilization.
Answer: B

RDS Proxy reduces connection overhead and scales.

Why this answer

Option B is correct because Amazon RDS Proxy manages connection pooling and scales with the application, reducing load on the database. Option A is wrong because DynamoDB is a different database. Option D is wrong because scaling EC2 instances does not address database connections.

Option C is wrong because modifying the RDS instance class is manual and not automatic.

50
MCQ (medium)

A solutions architect is troubleshooting an issue where an EC2 instance cannot connect to the internet. The output of the describe-instances CLI command is shown in the exhibit. The instance is in a VPC with a public subnet that has a route table with a default route pointing to an internet gateway. The security group allows outbound traffic to 0.0.0.0/0. What is the MOST likely cause of the problem?

A. The subnet's route table does not have a route to the internet gateway.
B. The instance does not have a public IP address.
C. The instance is not in a running state.
D. The security group is blocking outbound traffic.
Answer: A

Even with a public IP, the subnet must have a route to the internet gateway.

Why this answer

Option A is correct. The instance has a public IP (54.123.45.67), so it should be able to reach the internet. However, if the subnet does not have a route to the internet gateway, the instance cannot connect.

Option B is wrong because the instance has a public IP. Option D is wrong because the security group allows outbound traffic. Option C is wrong because the instance state is running.

51
MCQ (medium)

Refer to the exhibit. A company has an IAM policy that allows s3:GetObject on all objects in 'my-bucket' but denies access to objects in the 'confidential' folder. A user tries to access 's3://my-bucket/confidential/report.pdf'. What will happen?

A. Access is denied because the Deny statement explicitly matches the resource.
B. Access is allowed because the Deny statement is not evaluated.
C. Access is denied only if the user is not authorized by other policies.
D. Access is allowed because the Allow statement is broader.
Answer: A

An explicit Deny always overrides an Allow.

Why this answer

Option A is correct because an explicit Deny overrides any Allow. The user will be denied access. Option B is wrong because the Deny is evaluated and takes precedence.

Option C is wrong because the Deny is explicit and does not depend on other policies. Option D is wrong because the broader Allow does not override the explicit Deny that applies to the user.

52
Multi-Select (medium)

A company is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. The company wants to implement service discovery and load balancing at the application layer. Which TWO services should the company use?

Select 2 answers
A. Amazon API Gateway
B. Network Load Balancer (NLB)
C. AWS Cloud Map
D. Application Load Balancer (ALB)
E. Amazon Route 53
Answers: C, D

Cloud Map provides service discovery for dynamic resources.

Why this answer

AWS Cloud Map provides service discovery, and Application Load Balancer provides application-layer load balancing. Option B (NLB) is layer 4. Option E (Route 53) is for DNS.

Option A (API Gateway) is for API management.

53
Multi-Select (medium)

A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?

Select 3 answers
A. The management account must have an IAM role (StackSetsAdminRole) with permissions to create stack instances in member accounts.
B. The management account must have an AWS Organizations SCP that allows CloudFormation StackSets operations.
C. The execution role in member accounts must have permissions to create the resources defined in the CloudFormation template (e.g., VPC, subnets).
D. Each member account must have a self-managed IAM role named 'AWSCloudFormationStackSetExecutionRole' with a trust policy allowing the management account to assume it.
E. The management account must have permission to assume the execution role in member accounts (via IAM trust policy).
Answers: A, C, E

This is the admin role that assumes the execution role in member accounts.

Why this answer

Option A is correct because StackSets require the management account to have an IAM role (commonly named 'AWSCloudFormationStackSetAdministrationRole') that grants permission to create and manage stack instances in member accounts. This role is assumed by CloudFormation to perform operations across accounts, and it must have a trust policy allowing the CloudFormation service to assume it.

Exam trap

The trap here is that candidates often confuse the optional self-managed execution role (option D) as a requirement, when in fact service-managed StackSets eliminate the need for manual role creation in member accounts.

54
MCQ (easy)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users are created in member accounts. All access must be through federated roles. Which approach should they use?

A. Apply an SCP to the root OU that denies the iam:CreateUser action.
B. Set an IAM password policy in each account that requires strong passwords.
C. Use AWS Config rules to detect IAM users and automatically delete them.
D. Use AWS CloudTrail to monitor for CreateUser and alert the security team.
Answer: A

SCPs prevent user creation entirely.

Why this answer

Option A is correct because an SCP can deny the iam:CreateUser action across all member accounts. Option B is wrong because IAM password policies do not prevent user creation. Option C is wrong because AWS Config can detect but not prevent.

Option D is wrong because CloudTrail only logs.

55
MCQ (medium)

A company is designing a new container-based application using Amazon EKS. The application requires persistent storage for stateful workloads, such as databases. The storage must be highly available and durable across multiple Availability Zones. Which storage solution should be used?

A. Use Amazon EBS volumes with the EBS CSI driver.
B. Use Amazon FSx for Lustre as a shared file system.
C. Use Amazon EFS with the EFS CSI driver.
D. Use Amazon S3 with the S3 CSI driver.
Answer: C

EFS is a regional, highly available file system that can be mounted by containers across AZs.

Why this answer

Amazon EFS provides a fully managed, elastic NFS file system that is accessible from multiple Amazon EKS worker nodes across different Availability Zones simultaneously. The EFS CSI driver enables Kubernetes pods to mount EFS as a persistent volume, delivering the required high availability and durability for stateful workloads like databases without single-AZ dependency.

Exam trap

The trap here is that candidates confuse EBS's single-AZ attachment with multi-AZ availability, or assume the Mountpoint for Amazon S3 CSI driver gives the POSIX file semantics a database needs. Among the AWS managed file systems that have a CSI driver, EFS is the one that is regional by design, so a volume stays reachable after an AZ failure with no failover step.

How to eliminate wrong answers

Option A is wrong because an EBS volume lives in a single Availability Zone; even io1/io2 Multi-Attach only shares a volume between instances in that same AZ, so an AZ failure takes the volume, and the database on it, offline until it is recreated from a snapshot elsewhere. Option B is wrong because Amazon FSx for Lustre is built for high-performance computing and large-scale data processing, and a Lustre file system is deployed in a single Availability Zone; it has a CSI driver, but it does not meet the multi-AZ requirement. Option D is wrong because Amazon S3 is an object store: the Mountpoint for Amazon S3 CSI driver can expose a bucket to pods, but without POSIX semantics such as file locking and in-place or random writes, which are exactly what a database relies on.

56
MCQmedium

A company is designing a new application that requires a relational database with automated backups and multi-AZ redundancy. The database workload is predictable with occasional read replicas for reporting. Which AWS service should be used?

A.Amazon RDS
B.Amazon Redshift
C.Amazon DynamoDB
D.Amazon ElastiCache
AnswerA

RDS provides managed relational databases with multi-AZ and backups.

Why this answer

Option A is correct because Amazon RDS offers managed relational engines with automated backups, Multi-AZ deployments and read replicas for reporting. Option C is wrong because DynamoDB is a NoSQL key-value store, not a relational database. Option B is wrong because Redshift is a data warehouse built for analytics, not transactional workloads.

Option D is wrong because ElastiCache is for caching.

57
MCQmedium

A company receives a Trusted Advisor recommendation to reduce costs by deleting unused Amazon EBS snapshots. The company has hundreds of snapshots. Which approach should the company use to identify and delete snapshots that are no longer needed?

A.Enable detailed billing reports and analyze costs.
B.Use the AWS CLI to list all snapshots and manually check each one.
C.Use AWS Backup to manage snapshots and set retention rules.
D.Use Amazon S3 Lifecycle policies to expire snapshots automatically.
AnswerC

AWS Backup can automate snapshot lifecycle and identify old snapshots.

Why this answer

Option C is correct because AWS Backup gives centralized snapshot management with retention rules, so snapshots expire on a defined lifecycle instead of accumulating, and its central view makes snapshots that belong to no current volume easier to spot. Option A is wrong because billing reports show what snapshots cost, not which ones are still needed. Option B is wrong because listing hundreds of snapshots with the CLI and checking each by hand does not scale and has to be repeated.

Option D is wrong because S3 Lifecycle rules act on objects in a bucket you own; EBS snapshots are not exposed as S3 objects, so no S3 rule can expire them. Note that AWS Backup retention applies to the backups it creates; snapshots taken outside it still have to be reviewed or brought under a lifecycle policy.

58
MCQhard

A company has multiple AWS accounts that each have their own VPCs with overlapping CIDR ranges. They want to use AWS Transit Gateway to connect these VPCs to a central network account. However, overlapping CIDRs prevent attachment. What is the MOST scalable solution?

A.Use AWS PrivateLink to connect each VPC to the network account.
B.Create VPC peering connections between each VPC and the network account.
C.Set up a NAT gateway in each VPC and route traffic through the transit gateway using private IP addresses from a separate CIDR block.
D.Assign new non-overlapping CIDR ranges to each VPC and update all resources.
AnswerC

NAT translates overlapping IPs to unique addresses, enabling communication.

Why this answer

Option C is correct because a private NAT gateway in each VPC translates the overlapping source addresses to addresses from a separate, non-overlapping CIDR before traffic is routed to the Transit Gateway, so the Transit Gateway route tables only ever see unique ranges. This scales because existing VPCs keep their addressing and each new VPC is added the same way. The caveat is that NAT is one-directional: the VPC behind the gateway can initiate connections to the central account, but the central account cannot initiate connections to individual hosts inside the overlapping range unless a separate path (for example a PrivateLink endpoint) is provided for that.

Exam trap

The trap here is that candidates assume Transit Gateway can route between overlapping CIDRs natively; it cannot, because a route table holds one route per prefix. Translation must happen before traffic enters the Transit Gateway, and that is the most scalable fix short of renumbering.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink creates point-to-point connections via Network Load Balancers and endpoint services, which does not resolve overlapping CIDR conflicts between VPCs; it only provides private connectivity to specific services, not full network routing. Option B is wrong because VPC peering requires non-overlapping CIDR ranges to route traffic, and overlapping CIDRs will cause routing conflicts and prevent successful peering connections. Option D is wrong because assigning new non-overlapping CIDR ranges to each VPC is not scalable; it requires extensive reconfiguration of all resources, downtime, and is impractical for a large number of accounts with existing workloads.

59
Multi-Selectmedium

A company wants to implement a cost allocation strategy using tags across multiple accounts in AWS Organizations. Which TWO practices should be followed?

Select 2 answers
A.Define a standardized set of tags (e.g., CostCenter, Owner, Project) and enforce them using AWS Config rules.
B.Enable AWS-generated tags automatically for all resources.
C.Use service control policies (SCPs) to require tags on all resources.
D.Apply tags only at the resource creation time; they cannot be added later.
E.Use AWS Cost Explorer to filter costs by tags across accounts.
AnswersA, E

Standardization and enforcement are key for cost allocation.

Why this answer

Option A is correct because defining a standardized set of tags and enforcing them with AWS Config rules ensures consistent cost allocation tagging across all accounts in AWS Organizations. AWS Config rules evaluate resources for tag compliance and can trigger remediation, such as tagging the resource or notifying the owner, which is what keeps cost tracking accurate. Option E is correct because once those keys are activated as cost allocation tags in the management account, Cost Explorer and the Cost and Usage Report can group and filter spend by them across every account in the organization. This aligns with the cost optimization pillar of the AWS Well-Architected Framework by enabling granular cost allocation and chargeback.

Exam trap

The trap here is confusing service control policies with a tagging mechanism. An SCP controls which API calls are allowed, so the most it can do is deny a create call that arrives without a required tag key (through the aws:RequestTag and aws:TagKeys condition keys, and only for actions that support them); it cannot find or fix untagged resources that already exist, which is what Config rules and tag policies do. Option B is wrong because AWS-generated cost allocation tags such as aws:createdBy cover only some resource types and carry no business context. Option D is wrong because tags can be added or changed at any time after creation.
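As an added example that is not from the page, this is the check an AWS Config custom rule or a nightly audit job performs for the tag standard above. The resource list is constructed in the shape of the ResourceTagMappingList returned by resourcegroupstaggingapi.get_resources(); the ARNs, owners and the CostCenter value format are hypothetical.

```python
"""Added example, not from the question bank: required-tag evaluation over a
constructed get_resources() response. ARNs, values and the CostCenter rule are
assumptions."""
import re
from typing import Dict, List

REQUIRED_TAG_KEYS = ("CostCenter", "Owner", "Project")
# Hypothetical value rule: presence alone is not enough for chargeback when the
# value is free text, so cost centers must look like CC-1234.
TAG_VALUE_RULES = {"CostCenter": re.compile(r"^CC-\d{4}$")}

SAMPLE_RESOURCES = [  # constructed sample, shaped like ResourceTagMappingList
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
     "Tags": [{"Key": "CostCenter", "Value": "CC-1042"},
              {"Key": "Owner", "Value": "alice@example.com"},
              {"Key": "Project", "Value": "billing"}]},
    {"ResourceARN": "arn:aws:s3:::example-logs-bucket",
     "Tags": [{"Key": "Owner", "Value": "bob@example.com"},
              {"Key": "costcenter", "Value": "CC-1042"}]},  # wrong case, a different key
    {"ResourceARN": "arn:aws:rds:us-east-1:111122223333:db:orders",
     "Tags": [{"Key": "CostCenter", "Value": "finance"},
              {"Key": "Owner", "Value": "carol@example.com"},
              {"Key": "Project", "Value": "orders"}]},
]


def tag_map(resource: dict) -> Dict[str, str]:
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def evaluate(resource: dict, required=REQUIRED_TAG_KEYS, rules=TAG_VALUE_RULES) -> List[str]:
    """Findings for one resource; an empty list means COMPLIANT.

    Tag keys are matched exactly: AWS treats 'costcenter' and 'CostCenter' as
    different keys, and Cost Explorer only rolls up the spelling you activated."""
    tags = tag_map(resource)
    findings = []
    for key in required:
        if key not in tags:
            findings.append(f"missing tag {key}")
        elif key in rules and not rules[key].match(tags[key]):
            findings.append(f"invalid value for {key}: {tags[key]!r}")
    return findings


def noncompliant_resources(resources) -> Dict[str, List[str]]:
    """ARN -> findings for every failing resource, ready to feed a NON_COMPLIANT
    evaluation or a remediation queue."""
    report = {}
    for resource in resources:
        findings = evaluate(resource)
        if findings:
            report[resource["ResourceARN"]] = findings
    return report


if __name__ == "__main__":
    for arn, findings in noncompliant_resources(SAMPLE_RESOURCES).items():
        print(arn, "->", "; ".join(findings))
```

The managed Config rule required-tags only checks that keys are present (up to six of them), so the value-format check is the part that needs a custom rule; the same evaluate() logic fits a Lambda-backed rule that returns COMPLIANT or NON_COMPLIANT per resource.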

60
MCQmedium

A company is building a new serverless application using AWS Lambda functions. The application processes images uploaded to an Amazon S3 bucket. Each image triggers a Lambda function that resizes the image and stores the result in another S3 bucket. The company expects a high volume of uploads, up to 10,000 images per minute. The current Lambda function is configured with a timeout of 5 minutes and 1024 MB of memory. During testing, the Lambda function times out for large images. What should the company do to ensure the function can process large images without timing out?

A.Increase the Lambda function timeout to 15 minutes.
B.Use Amazon SQS to decouple the S3 event and Lambda invocation, allowing Lambda to pull messages in batches.
C.Migrate the image processing to Amazon ECS on Fargate with a long-running task.
D.Increase the Lambda function memory to 3008 MB to get more CPU and network throughput.
AnswerD

More memory allocates more vCPU, speeding up image processing.

Why this answer

Option D is correct because Lambda allocates CPU in proportion to memory (a function has a full vCPU at 1,769 MB and more above that), so a CPU-bound resize finishes faster and is less likely to reach the timeout. Option A is wrong because raising the timeout to the 15-minute maximum only widens the window; it does not make the work faster, and at 10,000 images per minute longer invocations also consume more concurrency. Option C is wrong because moving to ECS on Fargate is a significant rework for a problem that a configuration change solves.

Option B is wrong because SQS decouples the S3 event from the invocation and smooths bursts, but it does nothing for the processing time of a single large image.

61
MCQhard

A company is migrating a legacy application that uses TCP on port 8080 to AWS. The application must be accessible from the internet. The company wants to use an Application Load Balancer. What must the company do to ensure the load balancer can accept traffic on port 8080?

A.Configure the security group to allow inbound traffic on port 80 and 443 only.
B.Change the ALB's default port to 8080.
C.Assign an Elastic IP address to the ALB.
D.Create a listener for port 8080 on the ALB.
AnswerD

You can create a listener for any port.

Why this answer

Option D is correct because an ALB accepts traffic on whichever ports its listeners are configured for; adding a listener for port 8080 (HTTP or HTTPS) is all that is required, and the target group can forward to the instances on 8080 as well. Option A is wrong because the security group must allow inbound 8080 too; restricting it to 80 and 443 would block the traffic. Option B is wrong because an ALB has no single default port to change; you add listeners.

Option C is wrong because an Elastic IP cannot be attached to an ALB; clients resolve the ALB's DNS name, which maps to AWS-managed addresses that can change.

62
MCQhard

A healthcare company runs a HIPAA-compliant web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS for PostgreSQL database with Multi-AZ. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The current setup uses an SSL certificate on the ALB to terminate HTTPS, but traffic between the ALB and EC2 instances is over HTTP. The company wants to enforce end-to-end encryption without changing the application code. Which solution meets these requirements?

A.Replace the ALB with a Network Load Balancer, configure a TLS listener, and use target group health checks over HTTPS.
B.Configure the ALB to use a TLS listener and forward traffic to the target group using the TCP protocol on port 443.
C.Install a self-signed certificate on each EC2 instance, configure the ALB target group to use HTTPS, and upload the self-signed certificate to AWS Certificate Manager (ACM) for the ALB to trust.
D.Place AWS CloudFront in front of the ALB and configure CloudFront to use TLS 1.2, with the ALB still using HTTP.
AnswerA

An NLB TLS listener terminates the client session with a security policy that sets TLS 1.2 as the minimum; with a TLS target group it re-encrypts to the instances, and HTTPS health checks confirm the instances really serve TLS.

Why this answer

Option A is the intended answer. A Network Load Balancer TLS listener terminates the client session with an ACM certificate and a security policy whose minimum version is TLS 1.2, and with the target group protocol set to TLS the NLB opens a new TLS session to each instance, so no hop carries plaintext. HTTPS health checks fail when an instance stops serving TLS, which turns the requirement into something that is verified rather than assumed. (A TCP listener on 443 would instead pass the client's TLS session through untouched; that is also end to end, but the load balancer can then no longer enforce the 1.2 minimum, which moves to the instances.)

The practitioner's caveat, which none of the options spell out: every design here needs the instances to present TLS on the backend port, and today they listen on HTTP. That is handled at the instance layer without touching the code, typically a local reverse proxy that terminates TLS and forwards to the application's HTTP port on the loopback interface, baked into the launch template so the Auto Scaling group picks it up. The certificate can come from an internal CA (AWS Private CA) or be self-signed: neither NLB nor ALB validates the certificate a target presents, so a public certificate is not required for this hop.

Option B is wrong because ALB target groups only support HTTP and HTTPS; TCP is an NLB target group protocol. An ALB re-encrypts by forwarding to an HTTPS target group. Option C would actually encrypt the backend hop, since self-signed certificates are accepted on an HTTPS target group, but it fails on the ACM step: ACM supplies the certificate the load balancer presents to clients and plays no part in validating targets, so the upload is neither required nor effective. Option D is wrong because CloudFront only covers the client-to-edge and edge-to-ALB hops; the ALB-to-instance hop stays HTTP, which is exactly the gap.
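As an added example that is not part of the page, an offline audit that flags each load balancer hop that is not encrypted and each listener whose security policy still admits TLS below 1.2. The listeners and target groups are constructed in the shape of the Listeners list from elbv2 describe_listeners() and the TargetGroups list from describe_target_groups(), with hypothetical ARNs; the policy-name check is a heuristic based on how AWS names its predefined policies.

```python
"""Added example, not from the question bank: audit listener/target-group
protocol pairs for plaintext hops. Sample data is constructed; ARNs are
hypothetical; the SslPolicy check is a naming heuristic."""
import re
from typing import Dict, List

ENCRYPTED = {"HTTPS", "TLS"}  # protocol names used on both listener and target-group side

LISTENERS = [  # constructed sample
    {"ListenerArn": "l-alb-443", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-web-http"}]},
    {"ListenerArn": "l-alb-80", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig":
                         {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": "l-nlb-443", "Protocol": "TLS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01",
     "DefaultActions": [{"Type": "forward", "ForwardConfig":
                         {"TargetGroups": [{"TargetGroupArn": "tg-app-tls", "Weight": 1}]}}]},
    {"ListenerArn": "l-nlb-8443", "Protocol": "TLS", "Port": 8443,
     "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-legacy-tcp"}]},
]
TARGET_GROUPS = [  # constructed sample
    {"TargetGroupArn": "tg-web-http", "Protocol": "HTTP", "Port": 8080},
    {"TargetGroupArn": "tg-app-tls", "Protocol": "TLS", "Port": 443},
    {"TargetGroupArn": "tg-legacy-tcp", "Protocol": "TCP", "Port": 8080},
]


def min_tls_minor(ssl_policy: str) -> int:
    """Minimum TLS minor version implied by a predefined policy name.

    AWS encodes it as '-1-2-' (TLS 1.2) or '-1-3-' (TLS 1.3); older names with
    no version segment, such as ELBSecurityPolicy-2016-08, still accept TLS 1.0.
    Heuristic only: confirm with describe_ssl_policies() for unfamiliar names."""
    match = re.search(r"-1-(\d)-", ssl_policy or "")
    return int(match.group(1)) if match else 0


def _forward_targets(listener: dict) -> List[str]:
    arns: List[str] = []
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "forward":
            continue
        if action.get("TargetGroupArn"):
            arns.append(action["TargetGroupArn"])
        for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
            arns.append(tg["TargetGroupArn"])
    return list(dict.fromkeys(arns))  # keep order, drop duplicates


def _only_redirects_to_https(listener: dict) -> bool:
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(
        a.get("Type") == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions)


def audit(listeners, target_groups) -> List[Dict[str, str]]:
    """One finding per unencrypted hop or weak policy; an empty list means end to end TLS."""
    tgs = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings: List[Dict[str, str]] = []
    for lsn in listeners:
        arn, proto = lsn["ListenerArn"], lsn["Protocol"]
        if proto in ENCRYPTED and min_tls_minor(lsn.get("SslPolicy", "")) < 2:
            findings.append({"listener": arn, "issue": "weak-ssl-policy",
                             "detail": f"{lsn.get('SslPolicy')} permits TLS below 1.2"})
        elif proto == "HTTP" and not _only_redirects_to_https(lsn):
            findings.append({"listener": arn, "issue": "plaintext-frontend",
                             "detail": f"HTTP listener on port {lsn['Port']} serves traffic"})
        for tg_arn in _forward_targets(lsn):
            tg = tgs[tg_arn]
            if proto in ENCRYPTED and tg["Protocol"] not in ENCRYPTED:
                findings.append({"listener": arn, "issue": "plaintext-backend",
                                 "detail": f"TLS ends at the load balancer; {tg_arn} is "
                                           f"{tg['Protocol']} on port {tg['Port']}"})
            elif proto == "TCP":
                findings.append({"listener": arn, "issue": "passthrough-unverified",
                                 "detail": f"TCP listener passes bytes through to {tg_arn}; "
                                           f"encryption depends on the targets"})
    return findings


if __name__ == "__main__":
    for finding in audit(LISTENERS, TARGET_GROUPS):
        print(finding["listener"], finding["issue"], finding["detail"], sep=" | ")
```

Against real accounts, feed it the two API responses per load balancer. On the sample it produces three findings: the HTTPS-to-HTTP hop from the question, a legacy policy that still admits TLS 1.0, and the plaintext TCP backend behind that listener; the HTTP-to-HTTPS redirect listener is correctly left alone.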

63
Multi-Selectmedium

A company is implementing a new multi-account strategy using AWS Organizations. The central IT team wants to delegate management of certain AWS services to individual account administrators while maintaining centralized governance. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Create IAM roles in each account that can be assumed from the central account with limited permissions.
B.Create SCPs that allow all actions except those managed centrally.
C.Use AWS CloudFormation StackSets to deploy baseline resources across accounts.
D.Share the root user credentials of each account with the respective administrator.
E.Grant each account administrator full access to the management account.
AnswersA, C

Cross-account roles allow central team to perform actions in delegated accounts.

Why this answer

Option A is correct because IAM roles in each member account, with a trust policy naming the central account and a permission policy scoped to what the central team needs, let the central team act in delegated accounts without sharing credentials. Option C is correct because CloudFormation StackSets deploys baseline resources (those roles, logging, Config rules) to every account from one place, which is how central governance stays consistent. Option B is incorrect because an SCP is a guardrail: it can fence off the centrally managed services, but it cannot delegate management to anyone.

Option D is incorrect because root user credentials should never be shared; root access is reserved for the few tasks that require it and protected with MFA. Option E is incorrect because full access to the management account would let every account administrator change organization-wide policies, the opposite of centralized governance.

64
MCQmedium

A company is designing a multi-account AWS environment for different business units. They need to share a central Amazon RDS database with read replicas in each account for disaster recovery. What architecture minimizes cross-region data transfer costs while maintaining high availability?

A.Use a VPC endpoint to share the database across accounts without data transfer costs.
B.Create a cross-region read replica in the central account and grant access to other accounts.
C.Share a snapshot of the RDS instance with each account and restore it as a read replica in the same region.
D.Create an IAM role in each account to access the central RDS instance directly.
AnswerC

Snapshots can be shared across accounts and restored without cross-region data transfer costs.

Why this answer

Option C is correct because an RDS snapshot can be shared with specific accounts and restored in the same Region, which avoids cross-Region data transfer. Note that the restored instance is an independent copy at the snapshot's point in time, not a live read replica; RDS cannot create a read replica that lives in another account. For encrypted instances, the snapshot must be encrypted with a customer managed KMS key whose key policy grants the target accounts access; snapshots encrypted with the AWS managed RDS key cannot be shared. Option B is wrong because a cross-Region read replica pays for cross-Region replication traffic, which is what the question wants to minimize. Option D is wrong because an IAM role gives another account neither network access to the DB instance nor a replica of its own for DR.

Option A is wrong because VPC endpoints front AWS service APIs and PrivateLink services; they do not expose an RDS instance for cross-account sharing and do not remove replication transfer costs.

65
MCQhard

A company is migrating an on-premises .NET application to AWS. The application uses a SQL Server database with a large number of stored procedures and triggers. The company wants to reduce licensing costs by moving to an open-source database. Which AWS service should the solutions architect use to automate the database conversion?

A.AWS Database Migration Service (DMS)
B.AWS App2Container
C.AWS Schema Conversion Tool (SCT)
D.AWS Application Migration Service (CloudEndure)
AnswerC

Correct: SCT automates schema and code conversion to target databases.

Why this answer

AWS Schema Conversion Tool (SCT) converts the schema and the procedural code (stored procedures, triggers, functions) to a target engine such as PostgreSQL or MySQL, and produces an assessment report listing what it could not convert automatically, which is where the real effort lies for a T-SQL-heavy application. DMS moves the data and can keep it in sync until cutover; it is used together with SCT, not instead of it. App2Container containerizes applications.

AWS Application Migration Service (the successor to CloudEndure Migration) replicates whole servers for lift-and-shift and leaves the database engine unchanged.

66
Multi-Selectmedium

A company is designing a disaster recovery strategy for a production database running on Amazon RDS for MySQL. The RTO is 15 minutes and RPO is 1 hour. Which TWO solutions meet these requirements? (Choose two.)

Select 2 answers
A.Export the database to Amazon S3 using AWS DMS and import in another Region
B.Deploy Multi-AZ RDS instance and enable automatic failover
C.Use automated backups with point-in-time recovery in the same Region
D.Take manual snapshots every hour and restore in another Region
E.Create a cross-Region read replica and promote it during disaster
AnswersB, E

Multi-AZ provides synchronous replication, RPO ~seconds, RTO ~minutes.

Why this answer

Multi-AZ with automatic failover provides an RTO of minutes and an RPO of seconds through synchronous replication to a standby, meeting both targets within the Region. A cross-Region read replica promoted during a disaster gives an RPO of seconds to minutes (replication lag) and an RTO of minutes (promotion plus a DNS change), and also survives a Regional event. Option D (manual snapshots every hour) has an RPO of up to an hour, but restoring a snapshot in another Region takes longer than 15 minutes.

Option A (export with DMS and import elsewhere) has an RTO well beyond 15 minutes. Option C (automated backups with point-in-time recovery) restores to a new instance, which also takes longer than 15 minutes, and keeps the backups in the same Region only.

67
MCQhard

A company is designing a new web application that will be deployed on Amazon ECS with Fargate. The application must scale based on the number of requests per container. The company wants to use a service that can automatically adjust the number of tasks based on a custom metric. Which solution should the company use?

A.Configure an ECS Service Auto Scaling policy with a target tracking scaling policy based on a custom CloudWatch metric.
B.Configure Amazon DynamoDB auto scaling to adjust the read capacity based on the request count.
C.Use Application Auto Scaling to register the ECS service and create a step scaling policy.
D.Use the AWS Auto Scaling console to create a scaling plan that includes the ECS service.
AnswerA

ECS Service Auto Scaling supports target tracking for custom metrics.

Why this answer

Option A is correct because ECS Service Auto Scaling supports target tracking on a custom CloudWatch metric (for example requests per task published by the application), and target tracking computes the scaling adjustments itself. Option B is wrong because DynamoDB auto scaling adjusts table capacity, not ECS tasks. Option C is wrong because ECS Service Auto Scaling is Application Auto Scaling under the hood, but a step scaling policy needs hand-tuned thresholds and step sizes, so target tracking is the simpler way to follow a per-container request count.

Option D is wrong because an AWS Auto Scaling scaling plan is a wrapper around the same policies; the scaling logic still lives in the ECS service's scaling policy.

68
Multi-Selecthard

A company is using AWS CodePipeline to automate deployments of a web application. The pipeline includes a build stage using AWS CodeBuild and a deploy stage using AWS CodeDeploy to an Auto Scaling group. Recently, deployments have been failing during the deploy stage with an error indicating that the target instances are not in a healthy state. The CodeDeploy agent logs show that the agent is running but the application validation scripts are failing. Which THREE actions should the solutions architect take to troubleshoot and resolve the issue?

Select 3 answers
A.Test the validation script manually on a healthy instance to confirm it works as expected.
B.Increase the deployment timeout in the CodeDeploy deployment group to allow more time for validation.
C.Review the CodeDeploy agent logs on a failing instance to identify the specific error in the validation script.
D.Verify that the AppSpec file includes the correct lifecycle event hooks (e.g., ValidateService).
E.Configure an Auto Scaling lifecycle hook to perform health checks before the instance is placed in service.
AnswersA, C, D

Manual testing helps isolate whether the script itself is faulty.

Why this answer

Options A, C, and D are correct. Checking AppSpec hooks ensures the validation scripts are correctly defined. Reviewing CodeDeploy agent logs helps identify script failures.

Testing the validation script manually on a healthy instance verifies that the script itself works. Option B is wrong because more time does not fix a script that exits non-zero. Option E is wrong because an Auto Scaling lifecycle hook fires when an instance launches or terminates, not when a revision is deployed; the failing check is the ValidateService hook in CodeDeploy's own deployment lifecycle, so that is where the fix belongs.

69
Multi-Selecteasy

A company is migrating a batch processing workload to AWS. The workload runs daily and processes large files. Which TWO AWS services are most suitable for this workload? (Choose TWO.)

Select 2 answers
A.AWS Step Functions
B.Amazon ECS
C.Amazon SQS
D.AWS Batch
E.AWS Lambda
AnswersA, D

Step Functions can orchestrate batch workflows.

Why this answer

AWS Batch schedules and runs batch computing jobs. AWS Step Functions orchestrates workflows. Option E is wrong because Lambda's 15-minute limit is a poor fit for processing large files.

Option B is wrong because ECS runs containers but offers no batch job scheduling of its own (AWS Batch can use it as a compute layer). Option C is wrong because SQS is a message queue, not a compute or orchestration service.

70
MCQhard

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB). During a recent deployment, users experienced errors. The team wants to automatically roll back the deployment if the error rate exceeds 5% within 10 minutes after deployment. Which solution meets these requirements with minimal operational overhead?

A.Configure the Auto Scaling group to use ELB health checks and replace instances if the error rate increases.
B.Use CodeDeploy with manual approval gates and a script that checks error rates.
C.Use CodeDeploy with a CloudWatch alarm on the ALB error rate that triggers a deployment rollback.
D.Use a custom Lambda function that monitors ALB error rates and triggers a rollback via CodeDeploy API.
AnswerC

CodeDeploy natively supports CloudWatch alarm-based automatic rollback.

Why this answer

Option C is correct because a CodeDeploy deployment group can be configured to roll back automatically when an associated CloudWatch alarm enters the ALARM state during the deployment; an alarm on the ALB's error rate (a metric math expression dividing the 5XX counts by RequestCount over a 10-minute window, threshold 5%) gives the behaviour asked for with no code to maintain. Option B is wrong because a manual approval gate needs a person; it is not an automatic rollback. Option D is wrong because a custom Lambda function re-implements what CodeDeploy already provides and adds code to maintain.

Option A is wrong because ELB health checks only see whether an instance answers the health check path, not the application error rate, and replacing instances re-launches the same faulty revision.

71
MCQhard

A company uses AWS Organizations with hundreds of accounts. The central IT team wants to manage IP address ranges for VPCs across all accounts using a custom AWS Resource Access Manager (RAM) resource share. They have created a resource share containing the IP address CIDR blocks (as managed prefix lists) and shared it with the organization. However, some accounts cannot see the shared prefix lists. What is the MOST likely cause?

A.The organization's sharing feature for Amazon VPC is not enabled in the management account.
B.Managed prefix lists are not supported by AWS RAM.
C.The accounts need to accept the resource share invitation manually.
D.The resource share can only include one type of resource at a time.
AnswerA

RAM delivers shares to an organization only after sharing with AWS Organizations has been enabled once, from the management account.

Why this answer

Option A is correct because using the organization or an OU as a principal only works after sharing with AWS Organizations has been enabled in the management account (the "Enable sharing with AWS Organizations" setting in RAM, which creates RAM's service-linked role). Until then the share is not delivered to member accounts. Option B is incorrect because managed prefix lists are a supported RAM resource type. Option D is incorrect because a resource share can contain resources of several types.

Option C is incorrect because shares with principals inside the organization are accepted automatically once organization sharing is enabled; invitations are only needed for accounts outside the organization, or before that setting is turned on.

72
Matchingmedium

Match each AWS networking concept to its definition.


Concepts
Matches

Connect two VPCs using private IP addresses

Allow private instances to access the internet

Enable communication between VPC and the internet

Stateless firewall for controlling traffic at subnet level

Stateful firewall for controlling traffic at instance level

Why these pairings

Understanding these networking components is crucial for architecting on AWS.

73
MCQhard

A company is designing a new application that will use Amazon DynamoDB as its primary database. The application has two access patterns: one requires strongly consistent reads, and the other requires eventually consistent reads. The company wants to minimize costs while meeting the read consistency requirements. How should the company configure DynamoDB reads?

A.Use strongly consistent reads for all read requests to ensure data accuracy.
B.Use DynamoDB Accelerator (DAX) to cache reads and achieve strong consistency.
C.Use DynamoDB global tables with strongly consistent reads enabled.
D.Use strongly consistent reads for the pattern that requires it, and eventually consistent reads for the other pattern.
AnswerD

Optimizes cost by using the cheaper eventually consistent reads when acceptable.

Why this answer

Option D is correct because consistency is chosen per request (the ConsistentRead parameter on GetItem, Query and Scan), and an eventually consistent read costs half as much: one read capacity unit covers one strongly consistent read per second of an item up to 4 KB, or two eventually consistent reads. Use strongly consistent reads only for the pattern that needs them.

Option A is wrong because strongly consistent reads for every pattern double the read cost of the pattern that tolerates staleness. Option B is wrong because DAX serves eventually consistent reads from its cache; a strongly consistent read bypasses DAX and goes to the table. Option C is wrong because global tables add multi-Region replication the application did not ask for, and consistency is still selected per request.
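As an added example that is not part of the question bank, the read capacity arithmetic behind the cost argument, generalized to any mix of access patterns rather than the two in the question; the item sizes and request rates are constructed.

```python
"""Added example, not from the question bank: provisioned read capacity for a
mixed strongly/eventually consistent workload. Workload numbers are constructed."""
import math
from typing import Dict, List, Tuple

UNIT_BYTES = 4 * 1024  # one read capacity unit covers an item of up to 4 KB


def read_capacity_units(item_size_bytes: int, reads_per_second: float,
                        strongly_consistent: bool) -> int:
    """RCUs needed by one access pattern under provisioned capacity.

    One RCU is one strongly consistent read per second of an item up to 4 KB, or
    two eventually consistent reads per second of the same size; larger items
    cost one unit per started 4 KB. Transactional reads (not modelled here)
    cost twice the strongly consistent figure."""
    units_per_read = math.ceil(item_size_bytes / UNIT_BYTES)
    factor = 1.0 if strongly_consistent else 0.5
    return math.ceil(units_per_read * reads_per_second * factor)


def plan(patterns: List[dict]) -> Tuple[int, Dict[str, int]]:
    """Total RCUs and a per-pattern breakdown for a mixed workload."""
    breakdown = {p["name"]: read_capacity_units(p["item_bytes"], p["reads_per_s"], p["strong"])
                 for p in patterns}
    return sum(breakdown.values()), breakdown


def all_strongly_consistent(patterns: List[dict]) -> int:
    """What the same workload costs if every read is strongly consistent (option A)."""
    return plan([{**p, "strong": True} for p in patterns])[0]


WORKLOAD = [  # constructed numbers
    # A balance check must not be stale: strongly consistent.
    {"name": "account-balance", "item_bytes": 1500, "reads_per_s": 400, "strong": True},
    # Catalog browsing can lag by a second: eventually consistent is fine.
    {"name": "catalog-browse", "item_bytes": 6000, "reads_per_s": 1000, "strong": False},
]

if __name__ == "__main__":
    total, parts = plan(WORKLOAD)
    print(parts, "total RCUs:", total, "if all strong:", all_strongly_consistent(WORKLOAD))
```

On the sample workload the mixed plan needs 1,400 RCUs against 2,400 if everything is read strongly consistent; the saving comes entirely from the high-volume pattern whose 6 KB items already cost two units per read. In code the choice is the per-call ConsistentRead=True flag, and a read routed through DAX is always eventually consistent, so the strongly consistent pattern must go to the table directly.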

74
MCQhard

A company has a legacy application that runs on a single EC2 instance. The application writes logs to a local file. The company wants to centralize log management without modifying the application code. Which solution is MOST operationally efficient?

A.Use AWS CloudTrail to capture log file changes.
B.Modify the application to write logs to stdout and use the awslogs driver.
C.Install and configure the Amazon CloudWatch agent on the EC2 instance.
D.Set up an Amazon S3 bucket and use an AWS Lambda function to periodically copy log files.
AnswerC

CloudWatch agent can collect logs from local files without code changes.

Why this answer

The Amazon CloudWatch agent can be installed on the EC2 instance without modifying application code. It reads the local log file and sends the logs to Amazon CloudWatch Logs for centralized management, making it the most operationally efficient solution.

Exam trap

The trap here is that candidates may think modifying the application to use stdout with the awslogs driver is simpler, but that requires code changes, which the question explicitly prohibits.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail captures API activity and management events, not log file changes on an EC2 instance. Option B is wrong because it requires modifying the application code to write logs to stdout, which violates the requirement to not modify application code. Option D is wrong because setting up an S3 bucket and Lambda function to periodically copy log files introduces unnecessary complexity and latency compared to the real-time streaming provided by the CloudWatch agent.

75
MCQmedium

A company is migrating a legacy monolithic application to AWS. The application currently uses a shared filesystem for storing user-uploaded documents. The company wants to decouple storage and compute, ensure high durability, and minimize operational overhead. Which AWS service should the company use to replace the shared filesystem?

A.Amazon EBS
B.Amazon EFS
C.Amazon S3
D.Amazon FSx for Windows File Server
AnswerC

Amazon S3 provides scalable, durable object storage suitable for user-uploaded documents.

Why this answer

Amazon S3 is the correct choice because it provides a highly durable (99.999999999% durability), scalable, and fully managed object storage service that decouples storage from compute. Unlike a shared filesystem, S3 allows multiple compute instances (e.g., EC2, Lambda) to access the same documents via HTTP/HTTPS APIs without needing a mounted filesystem, minimizing operational overhead. It also supports features like versioning, lifecycle policies, and cross-region replication, making it ideal for user-uploaded documents in a migration scenario.

Exam trap

The trap here is that candidates often confuse shared filesystem requirements with network-attached storage (NAS) services like EFS or FSx, overlooking that object storage (S3) is the most durable, scalable, and operationally lightweight option for user-uploaded documents when compute and storage need to be decoupled.

How to eliminate wrong answers

Option A is wrong because Amazon EBS is block storage attached to a single EC2 instance (io1/io2 Multi-Attach shares a volume only within one AZ and needs a cluster-aware file system), so it neither decouples storage from compute nor serves many instances. Option B is wrong because Amazon EFS, although shared and also designed for eleven nines of durability, still has to be mounted by every instance, is priced per GB well above S3 for bulk document storage, and keeps compute coupled to a file system. Option D is wrong because Amazon FSx for Windows File Server is an SMB file server with licensing cost and operational overhead, aimed at Windows workloads that need a file share rather than at decoupled object storage for user uploads.
