AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 676–750

1746 questions total · 24 pages · All types, answers revealed


Page 10 of 24

676 · Matching · medium

Match each AWS migration service to its function.


Concepts
Matches

Track migration progress across multiple tools

Automate migration of on-premises servers to AWS

Migrate databases to AWS with minimal downtime

Rehost applications from physical or virtual servers

Simplify, automate, and accelerate moving data to AWS

Why these pairings

AWS provides services to simplify and automate migration tasks.

677 · MCQ · hard

A company is migrating a legacy monolithic application to AWS. They plan to use Amazon ECS with Fargate for containerized microservices. The application requires sticky sessions and SSL termination. What should the company use to meet these requirements?

A. Network Load Balancer (NLB) with target group stickiness.
B. Application Load Balancer (ALB) with stickiness and SSL termination.
C. Classic Load Balancer (CLB) with SSL termination at the instance.
D. AWS Lambda with API Gateway.
Answer: B

ALB supports both session stickiness and SSL termination.

Why this answer

Option B is correct because ALB supports sticky sessions (session affinity) and SSL termination. Option A is wrong because NLB does not support sticky sessions natively. Option C is wrong because CLB is legacy and less recommended.

Option D is wrong because Lambda is not a load balancer.

678 · MCQ · hard

A company is migrating a critical application to AWS. The application must be highly available across two Availability Zones. The migration plan includes rehosting the application on EC2 instances in an Auto Scaling group behind an ALB. Which configuration ensures that the application remains available during an Availability Zone failure?

A. Use an Auto Scaling group with a minimum of 2 across two Availability Zones, with a distribution strategy of 'balanced best effort'
B. Use an Auto Scaling group with a minimum of 1 and maximum of 10 across two AZs
C. Launch instances in a single Availability Zone with multiple subnets
D. Launch instances in two Availability Zones but place all instances in the same subnet
Answer: A

Auto Scaling group with minimum 2 across two AZs ensures at least one instance per AZ.

Why this answer

Option A is correct because an Auto Scaling group with a minimum of 2 spread across two AZs keeps at least one instance in each AZ, so if one AZ fails, the other still has capacity. Option C is wrong because a single AZ does not provide AZ-level fault tolerance. Option B is wrong because a minimum of 1 does not guarantee an instance in each AZ; the group could scale down to a single instance.

Option D is wrong because placing all instances in one subnet is a single point of failure.

679 · MCQ · medium

A company uses AWS Organizations and wants to centrally manage AWS Config rules across all member accounts. They have enabled AWS Config in the management account and used AWS Config aggregator to view compliance status across accounts. However, they want to enforce a specific Config rule in all accounts automatically. Which solution should they use?

A. Use AWS Config conformance packs with AWS Organizations to deploy the rule across all accounts.
B. Use the AWS Config aggregator to manually enable the rule in each account.
C. Use AWS CloudFormation StackSets to deploy a Config rule template to each account.
D. Create an SCP that requires all accounts to enable AWS Config.
Answer: A

Conformance packs can be deployed organization-wide.

Why this answer

Option A is correct because AWS Config conformance packs can be deployed to all accounts in the organization through AWS Organizations, so the rule is applied automatically in every account. Option D is wrong because SCPs cannot enforce Config rules. Option C is wrong because CloudFormation StackSets can deploy rules but require manual management.

Option B is wrong because the Config aggregator only aggregates compliance data; it does not enforce rules.

680 · Multi-Select · medium

A company is migrating a multi-tier application to AWS and wants to modernize by using containers and serverless technologies. The application consists of a Node.js frontend, a Java backend, and a PostgreSQL database. The company wants to reduce operational overhead and improve scalability. Which TWO strategies should the company use? (Choose two.)

Select 2 answers
A. Refactor the Node.js frontend to run on AWS Lambda with Amazon API Gateway
B. Migrate the database to Amazon RDS for PostgreSQL
C. Migrate the database to Amazon DynamoDB
D. Deploy the Java backend on Amazon ECS with AWS Fargate
E. Deploy the Java backend on Amazon EC2 with Auto Scaling
Answers: B, D

RDS reduces operational overhead compared to managing PostgreSQL on EC2.

Why this answer

Option B is correct because Amazon RDS for PostgreSQL reduces operational overhead by managing backups, patching, and replication, while providing scalability through read replicas and storage auto-scaling. This aligns with the goal of modernizing the database layer without changing the database engine, avoiding the need to refactor the application to use a NoSQL database like DynamoDB.

Exam trap

The trap here is that candidates often assume that any use of containers or serverless must involve Lambda, but for stateful or long-running Java backends, ECS with Fargate is more appropriate than Lambda, and DynamoDB is not a drop-in replacement for PostgreSQL without significant application changes.

681 · MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. The team wants to automatically remediate any non-compliant buckets created in the future. Which solution is MOST effective and requires the least ongoing maintenance?

A. Use AWS Config rules with auto-remediation using SSM Automation.
B. Use an AWS Lambda function triggered by S3 bucket creation events to enable encryption.
C. Enable AWS CloudTrail and create a metric filter to alert on non-encrypted bucket creation.
D. Apply a service control policy (SCP) that denies s3:PutBucketEncryption actions unless encryption is set.
Answer: D

SCP proactively denies non-compliant actions, enforcing encryption at creation time.

Why this answer

Option D is correct because a service control policy (SCP) can deny the creation of S3 buckets without encryption, enforcing compliance across all accounts. Option B is wrong because it relies on Lambda execution after bucket creation, which may have a delay. Option A is wrong because AWS Config rules can detect but not automatically remediate without additional automation.

Option C is wrong because CloudTrail logs events but does not prevent non-compliant actions.

682 · MCQ · easy

A company is designing a new application that requires a fully managed NoSQL database with single-digit millisecond latency. The application needs to handle sudden spikes in read traffic without manual intervention. Which AWS service should the company choose?

A. Amazon RDS for MySQL
B. Amazon ElastiCache
C. Amazon Aurora
D. Amazon DynamoDB
Answer: D

DynamoDB is a fully managed NoSQL database with low latency and auto-scaling.

Why this answer

DynamoDB is a fully managed NoSQL database with single-digit millisecond latency and supports auto scaling to handle traffic spikes. Option A (RDS for MySQL) is relational, not NoSQL. Option B (ElastiCache) is a caching layer, not a primary database.

Option C (Aurora) is relational. Option D is correct.

683 · Multi-Select · easy

A company is designing a new application that requires a highly available and durable NoSQL database. Which TWO services should be considered? (Choose TWO.)

Select 2 answers
A. Amazon DocumentDB
B. Amazon DynamoDB
C. Amazon Neptune
D. Amazon RDS
E. Amazon Keyspaces (for Apache Cassandra)
Answers: B, E

DynamoDB provides high availability and durability.

Why this answer

Options B and E are correct. DynamoDB is fully managed NoSQL with multi-AZ replication and Global Tables. Keyspaces is managed Cassandra.

Option C is wrong because Neptune is a graph database. Option D is wrong because RDS is relational. Option A is wrong because DocumentDB is MongoDB-compatible but not as fully managed NoSQL as the others.

684 · MCQ · medium

A company uses AWS Organizations with a multi-account strategy. The security team wants to restrict the use of specific instance types across all accounts. What is the MOST effective way to enforce this policy?

A. Create an IAM policy in each account that denies launching non-approved instance types.
B. Use AWS Config rules to detect non-compliant instances and trigger an AWS Lambda function to terminate them.
C. Create a Service Control Policy (SCP) that denies ec2:RunInstances for all users and then attach it to the root OU.
D. Create a Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not allowed, and attach it to the root organizational unit.
Answer: D

SCPs apply to all accounts in the OU.

Why this answer

Option D is correct because SCPs can deny ec2:RunInstances actions with conditions on instance type across all accounts in the organization. Option A is wrong because IAM policies are account-specific and cannot be applied across accounts. Option B is wrong because Config rules only detect non-compliance; they do not enforce.

Option C is wrong because denying ec2:RunInstances for all users would block every instance launch, not only the non-approved instance types.

685 · MCQ · easy

A company is building a new data lake on AWS. The data is stored in Amazon S3 and will be queried using Amazon Athena. The company wants to minimize query costs. Which S3 storage class should the company use for the data?

A. S3 Intelligent-Tiering
B. S3 Standard
C. S3 Glacier Deep Archive
D. S3 One Zone-IA
Answer: A

S3 Intelligent-Tiering automatically moves data between tiers to optimize costs.

Why this answer

Option A is correct because S3 Intelligent-Tiering automatically optimizes costs for data with changing access patterns. Option B is wrong because S3 Standard is for frequent access, not cost-optimized. Option C is wrong because S3 Glacier Deep Archive is for archival, not querying.

Option D is wrong because S3 One Zone-IA is for infrequent access but lacks durability and may not be cost-effective for queries.

686 · MCQ · medium

A company has a multi-account AWS environment with a centralized logging account. The security team wants to ensure that all CloudTrail logs from all accounts are delivered to a single S3 bucket in the logging account. The logging account's S3 bucket policy allows CloudTrail to write logs from other accounts. The CloudTrail trail in each account is configured to deliver to the centralized bucket. However, logs from some accounts are not appearing. The security team has verified that the IAM permissions for CloudTrail are correct. What is the most likely reason for the missing logs?

A. CloudTrail cannot deliver logs to a bucket in a different AWS account
B. The S3 bucket policy does not include a condition for aws:SourceOrgID
C. The S3 bucket policy does not grant CloudTrail write access from the source accounts
D. The accounts need to enable VPC endpoints for S3 to communicate with the logging account
Answer: C

The bucket policy must allow the CloudTrail service principal from each source account to write logs.

Why this answer

Option C is correct because the most likely reason for missing logs is that the S3 bucket policy in the logging account does not explicitly grant CloudTrail write access from the source accounts. Even though the bucket policy allows CloudTrail to write logs, it must include a principal that identifies the source account's CloudTrail service (e.g., `aws:SourceAccount` or `aws:SourceArn`) to authorize cross-account writes. Without this, CloudTrail from other accounts cannot deliver logs to the centralized bucket, regardless of correct IAM permissions in the source accounts.

Exam trap

The trap here is that candidates often assume IAM permissions in the source account are sufficient, but they overlook that cross-account S3 access requires explicit permission in the destination bucket's resource-based policy, not just the source's identity-based policy.

How to eliminate wrong answers

Option A is wrong because CloudTrail can deliver logs to an S3 bucket in a different AWS account when the bucket policy grants the necessary cross-account permissions; this is a supported feature. Option B is wrong because `aws:SourceOrgID` is an optional condition key used for additional security (e.g., to prevent confused deputy issues) but is not required for basic cross-account log delivery; its absence would not prevent logs from appearing. Option D is wrong because VPC endpoints for S3 are not required for CloudTrail log delivery across accounts; CloudTrail communicates with S3 over the public internet or via AWS PrivateLink, but the issue here is policy-based, not network connectivity.

687 · MCQ · hard

A company is modernizing a legacy application by refactoring it into microservices. The application uses a monolithic database. The company wants to adopt a microservices architecture with independent data stores. What pattern should the company use?

A. Data lake with Amazon S3
B. Centralized database with an API layer
C. Database per Service
D. Shared database with read replicas
Answer: C

Each microservice owns its own database, enabling decoupling and independence.

Why this answer

Option C is correct because the Database per Service pattern ensures each microservice owns its data and can choose the appropriate database technology. Option B is wrong because a centralized database behind an API layer still couples every service to a single database. Option D is wrong because a shared database with read replicas is the opposite of decoupling.

Option A is wrong because data lakes are for analytics, not transactional microservices.

688 · MCQ · hard

A company is designing a multi-region disaster recovery solution for a stateful web application on Amazon EC2 with an Amazon Aurora MySQL database. The RPO must be less than 1 second and RTO less than 5 minutes. The application uses a custom TCP port 8080. What is the MOST cost-effective architecture?

A. Use Amazon RDS Multi-AZ with synchronous replication. Use Elastic Load Balancing with cross-zone load balancing.
B. Use Amazon DynamoDB global tables. Use an Application Load Balancer in each region with Route 53 weighted routing.
C. Use Amazon RDS for MySQL with a cross-region read replica. Use Amazon Route 53 failover routing with a health check on port 8080.
D. Use Amazon Aurora Global Database. Use Amazon Route 53 failover routing with a health check on port 8080.
Answer: D

Aurora Global Database offers sub-second replication; Route 53 failover routing provides fast DNS failover.

Why this answer

Amazon Aurora Global Database provides replication with sub-second RPO. Route 53 failover routing with health checks on port 8080 enables a fast RTO. Option C (cross-region read replica) has a higher RPO.

Option A (RDS Multi-AZ) is single-region. Option B (Application Load Balancer) is not cross-region.

689 · MCQ · medium

A company is migrating a Windows-based .NET application to AWS. The application uses SQL Server for its database and stores documents on a Windows file share. The company wants to adopt a hybrid model initially, where the application runs on AWS but still connects to on-premises resources for legacy integration. The migration must use a phased approach: first move the compute to AWS, then the database, and finally the file storage. The company has high latency to the internet and wants to optimize data transfer. You have set up a Direct Connect connection. During the first phase, you migrate the web and application servers to Amazon EC2 Windows instances. You need to ensure that the EC2 instances can access the on-premises SQL Server and file share securely. Which combination of actions should be taken?

A. Place the EC2 instances in a private subnet. Create a VPN connection or use Direct Connect virtual interface to connect to on-premises. Configure security groups to allow traffic to on-premises SQL Server and file share.
B. Place the EC2 instances in a private subnet with a NAT gateway. Use VPC peering to on-premises.
C. Place the EC2 instances in a public subnet. Use an internet gateway and configure security groups to allow inbound traffic from on-premises IPs.
D. Use Amazon EC2-Classic and link the instances to on-premises via ClassicLink.
Answer: A

Provides secure, low-latency access via Direct Connect.

Why this answer

Option A is correct because placing EC2 instances in a private subnet with a VPN or Direct Connect VIF to on-premises allows secure access. Option C is wrong because a public subnet with an internet gateway is not secure. Option D is wrong because ClassicLink is outdated and not recommended.

Option B is wrong because a NAT gateway is for outbound internet access, not for on-premises connectivity, and VPC peering cannot connect to an on-premises network.

690 · Multi-Select · medium

A company is planning to migrate a three-tier web application to AWS. The application consists of a web server, an application server, and a MySQL database. The company wants to minimize operational overhead and improve scalability. Which THREE AWS services should the company use to modernize the architecture? (Choose THREE.)

Select 3 answers
A. AWS Lambda
B. Elastic Load Balancing (ELB)
C. Amazon EC2 instances
D. Amazon ECS with Fargate
E. Amazon RDS for MySQL
Answers: B, D, E

ELB distributes traffic to improve availability.

Why this answer

Option B (ELB), Option D (Amazon ECS with Fargate), and Option E (Amazon RDS for MySQL) are correct. ELB distributes traffic, RDS manages MySQL, and ECS runs containers with minimal overhead. Option C (Amazon EC2) adds operational overhead.

Option A (AWS Lambda) is not suitable for long-running application servers.

691 · MCQ · medium

A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?

A. Use AWS PrivateLink to connect each VPC to the security VPC via interface endpoints.
B. Set up AWS Direct Connect gateway and route all traffic through the security account.
C. Create VPC peering connections between each VPC and the security VPC, then configure route tables to route traffic through the firewall.
D. Use AWS Transit Gateway with a central appliance VPC, and configure route tables to send traffic to the firewall for inspection.
Answer: D

Centrally managed and scales well.

Why this answer

Option D is correct because AWS Transit Gateway (TGW) allows you to centralize network traffic through a security appliance VPC. By attaching all VPCs to a single TGW and configuring route tables to route inter-VPC traffic to the firewall appliance in the security VPC, you meet the inspection requirement without manual route table manipulation in each spoke VPC. This design minimizes complexity by using a hub-and-spoke topology with centralized routing control.

Exam trap

The trap here is that candidates often choose VPC peering (Option C) because it is familiar, but they overlook the requirement to avoid route table manipulation and the lack of transitive routing, which makes peering unsuitable for centralized inspection across multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink interface endpoints are used for private connectivity to specific services, not for routing all inter-VPC traffic through a firewall; they do not support traffic inspection between VPCs. Option B is wrong because AWS Direct Connect gateway is a managed service for connecting on-premises networks to multiple VPCs, not for routing traffic between VPCs in different accounts, and it does not inherently force traffic through a centralized firewall. Option C is wrong because VPC peering connections require explicit route table entries in every VPC to direct traffic through the firewall, which violates the requirement to minimize complexity and avoid route table manipulation; peering also does not support transitive routing, so you would need a full mesh of peering connections.

692 · MCQ · medium

Refer to the exhibit. A company has created a CloudTrail trail named 'my-trail' in the management account of AWS Organizations. The trail is configured to deliver logs to a central S3 bucket. The security team wants to capture all management events from all accounts in the organization. Based on the exhibit, what is the most likely issue?

A. The trail is not a multi-region trail
B. The trail does not include global service events
C. The trail has log file validation enabled, which prevents cross-account delivery
D. The trail is not an organization trail
Answer: D

Only organization trails automatically capture events from all accounts in the organization.

Why this answer

Option D is correct because the trail is not an organization trail (IsOrganizationTrail: false). Organization trails automatically apply to all accounts in the organization. Without that, each account must create its own trail.

Option B is wrong because global service events are enabled. Option A is wrong because multi-region is not required for management events if the trail is in the correct region; the organization trail setting is the key. Option C is wrong because log file validation does not affect coverage.

693 · Multi-Select · easy

A company is using an AWS Lambda function to process records from an Amazon Kinesis stream. The function stores results in an Amazon DynamoDB table. The team notices that the Lambda function sometimes fails due to throttling from DynamoDB. Which TWO actions should the team take to improve the continuous processing of records? (Choose TWO.)

Select 2 answers
A. Increase the number of shards in the Kinesis stream to reduce data per Lambda invocation.
B. Configure reserved concurrency for the Lambda function to limit its maximum concurrency.
C. Increase the concurrency limit for the Lambda function to allow more parallel executions.
D. Switch the DynamoDB table to on-demand capacity mode.
E. Enable DynamoDB auto scaling for the table to adjust read/write capacity automatically.
Answers: D, E

On-demand mode eliminates throttling by scaling automatically.

Why this answer

Option D is correct because switching the DynamoDB table to on-demand capacity mode eliminates the need to provision read/write capacity, allowing the table to automatically scale to handle any throttling caused by sudden spikes in Lambda writes. This directly addresses the throttling issue without requiring manual capacity management.

Exam trap

The trap here is that candidates often choose to increase Lambda concurrency or shards, thinking more parallelism will improve processing, but they fail to recognize that the bottleneck is DynamoDB capacity, and increasing Lambda concurrency only worsens the throttling.

694 · Multi-Select · hard

A company is using AWS Organizations with multiple accounts. The security team wants to enforce encryption at rest for all Amazon S3 buckets across the organization. The solution must be automated and should not prevent existing compliant buckets from being used. Which TWO services should be combined to achieve this?

Select 2 answers
A. AWS Lambda
B. AWS Config
C. AWS Trusted Advisor
D. Service control policy (SCP)
E. AWS CloudFormation StackSets
Answers: B, E

Config can evaluate bucket encryption compliance.

Why this answer

Options B and E are correct because AWS Config can detect non-compliant buckets, and AWS CloudFormation StackSets can deploy a bucket policy to enforce encryption. Option D is wrong because SCPs cannot enforce encryption settings on existing buckets. Option C is wrong because AWS Trusted Advisor only provides recommendations, not enforcement.

Option A is wrong because AWS Lambda alone cannot deploy policies across accounts without additional orchestration.

695 · MCQ · medium

A company runs a critical application on Amazon RDS for PostgreSQL. The database performance has degraded over time. The Solutions Architect notices that read queries are slow and the DB instance's ReadIOPS metric is consistently high. Which action would improve read performance with minimal operational overhead?

A. Increase the allocated storage of the DB instance.
B. Enable Multi-AZ deployment for the DB instance.
C. Migrate the database to Amazon Aurora with PostgreSQL compatibility.
D. Create an RDS read replica and redirect read queries to it.
Answer: D

Read replicas offload read traffic from the primary, reducing IOPS and improving performance.

Why this answer

Option D is correct because adding a read replica distributes read traffic off the primary instance, reducing ReadIOPS and improving query performance. Option A is wrong because increasing storage size does not directly improve IOPS or read performance. Option B is wrong because Multi-AZ is for high availability, not read scaling.

Option C is wrong because switching to a different engine is unnecessary and would require application changes.

696 · MCQ · medium

A company is migrating a legacy on-premises application to AWS. The application uses a proprietary database that is not supported by Amazon RDS. The migration must minimize downtime and require minimal changes to the application. Which migration strategy should the company use?

A. Migrate the database to Amazon RDS with a compatible engine and modify connection strings.
B. Rehost the application on Amazon EC2 instances and migrate the database using AWS Database Migration Service (DMS) with ongoing replication.
C. Refactor the application to use Amazon Aurora and modify the code to use the Aurora query interface.
D. Replace the database with Amazon DynamoDB and rewrite the database access layer.
Answer: B

Rehosting on EC2 allows the same database engine, and DMS with replication minimizes downtime.

Why this answer

Option B is correct because rehosting (lift-and-shift) moves the application as-is to Amazon EC2, which can host any database engine, and minimizes changes and downtime using tools like AWS Server Migration Service. Option C is incorrect because refactoring would require significant application changes. Option D is incorrect because replacing the database with a new one would require application modifications.

Option A is incorrect because the database is not supported by RDS, so RDS cannot be used.

697 · MCQ · medium

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no IAM role in any member account can be assumed by a user from outside the organization. Which policy should be used?

A. Enable AWS CloudTrail to log role assumptions and send alerts when external assumptions occur.
B. Use AWS Config to detect roles with external trust relationships and automatically delete them.
C. Modify the trust policy of each IAM role to allow only principals from the organization.
D. Attach a service control policy (SCP) that denies sts:AssumeRole if the aws:PrincipalOrgID condition is not set.
Answer: D

SCPs with aws:PrincipalOrgID condition can restrict role assumption to principals within the organization.

Why this answer

Option D is correct because a service control policy (SCP) can centrally enforce that all IAM role trust policies in member accounts require the `aws:PrincipalOrgID` condition key. This condition ensures that only principals within the organization can assume roles, blocking any external user from assuming a role even if the role's trust policy is misconfigured. SCPs apply to all accounts in an OU or organization, providing a preventive control that cannot be overridden by account administrators.

Exam trap

The trap here is that candidates often choose Option C (modifying trust policies) because it seems direct, but they overlook that SCPs provide a centralized, scalable, and preventive control that enforces the policy across all accounts without requiring per-role changes.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a logging service that records events but does not prevent external role assumptions; it only provides visibility after the fact. Option B is wrong because AWS Config can detect roles with external trust relationships but cannot automatically delete them; it can trigger remediation actions via Systems Manager Automation, but deletion is not a native Config action and would require custom logic, and this approach is reactive rather than preventive. Option C is wrong because modifying the trust policy of each IAM role individually is impractical at scale across many accounts and roles, and it does not prevent a future role from being created with an overly permissive trust policy; it also lacks centralized enforcement.

698 · MCQ · easy

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and has a 100 Mbps internet connection. The migration must be completed within a week and have minimal downtime. Which AWS service should the company use to transfer the initial database dump to AWS?

A. Upload the database dump directly to an S3 bucket using multipart upload.
B. Use AWS Database Migration Service (DMS) with ongoing replication to migrate the data with minimal downtime.
C. Use AWS Snowball Edge to transfer the data offline.
D. Use S3 Transfer Acceleration to speed up the upload of the dump file.
Answer: B

DMS can perform a full load and then continuously replicate changes, allowing a cutover with minimal downtime.

Why this answer

Option B is correct because AWS DMS can perform a live migration with minimal downtime by replicating ongoing changes. Option A is wrong because direct upload via internet would take too long given bandwidth. Option C is wrong because Snowball is for offline data transfer, but would not meet the time constraint if shipping takes days.

Option D is wrong because S3 Transfer Acceleration speeds up uploads but is still limited by internet bandwidth.

699 · Multi-Select · easy

A company is planning to migrate a workload to AWS and needs to estimate the total cost of ownership (TCO) compared to on-premises. Which TWO AWS tools can be used to perform this analysis?

Select 2 answers
A. AWS Pricing Calculator
B. AWS Organizations
C. AWS Cost Explorer
D. AWS TCO Calculator
E. AWS Budgets
Answers: A, D

Estimates monthly costs for AWS services.

Why this answer

Options A and D are correct. AWS Pricing Calculator estimates the costs of AWS services. AWS TCO Calculator compares on-premises costs to AWS.

Option E is wrong because AWS Budgets tracks spending. Option C is wrong because AWS Cost Explorer analyzes existing AWS spending. Option B is wrong because AWS Organizations manages accounts.

700 · MCQ · medium

A global company uses AWS Organizations with multiple business units. Each business unit has its own OU and VPCs that need to communicate with a central shared services VPC. The network team wants to minimize latency and maximize throughput. Which design should they use?

A. Create a VPN connection from each business unit VPC to the shared services VPC.
B. Deploy an AWS Transit Gateway and attach all VPCs (business unit and shared services) to it.
C. Use AWS PrivateLink to connect services in the shared services VPC to the business unit VPCs.
D. Set up VPC peering between each business unit VPC and the shared services VPC.
Answer: B

Transit Gateway acts as a hub for transitive routing, simplifying network management and providing high bandwidth.

Why this answer

AWS Transit Gateway acts as a hub-and-spoke router, allowing all VPCs (business units and shared services) to connect through a single gateway. This minimizes latency by using the AWS global network backbone and maximizes throughput with up to 50 Gbps per VPC attachment, scaling horizontally across multiple attachments. It simplifies management compared to mesh peering and avoids the bandwidth limitations of VPN or PrivateLink for inter-VPC routing.

Exam trap

The trap here is that candidates often choose VPC peering (D) due to its simplicity and zero additional cost, overlooking the management overhead and lack of transitive routing when scaling across many VPCs, while Transit Gateway provides a centralized, high-performance solution that aligns with the requirements for minimizing latency and maximizing throughput.

How to eliminate wrong answers

Option A is wrong because VPN connections introduce encryption overhead, higher latency, and throughput limits (typically up to 1.25 Gbps per tunnel), making them unsuitable for minimizing latency and maximizing throughput. Option C is wrong because AWS PrivateLink is designed for exposing specific services (e.g., via NLB) rather than full IP-level routing between VPCs, and it adds per-connection costs and does not support transitive routing or high-throughput bulk data transfer. Option D is wrong because VPC peering requires a full mesh of connections (each business unit VPC must peer individually with the shared services VPC), does not support transitive routing, and can hit the default limit of 125 peering connections per VPC, creating management overhead and potential scaling issues.

701
Multi-Selecteasy

A company is designing a cost-effective architecture for a batch processing job that runs nightly. The job can tolerate interruptions and requires significant compute power for a few hours. The company wants to minimize costs. Which TWO strategies should the company use?

Select 2 answers
A.Use Spot Instances for compute.
B.Purchase Reserved Instances (RI) for a 1-year term.
C.Configure Auto Scaling to scale out during the job and scale in after.
D.Use On-Demand Instances to ensure availability.
E.Use Dedicated Hosts for compliance.
AnswersA, C

Spot Instances are cost-effective and suitable for fault-tolerant batch jobs.

Why this answer

Using Spot Instances reduces cost, and Auto Scaling adjusts capacity to the job. Option D (On-Demand) is more expensive. Option B (RI) requires a commitment.

Option E (Dedicated Hosts) is expensive.

702
Multi-Selectmedium

A company runs a production AWS environment with Amazon EC2 instances managed by Auto Scaling groups. The operations team notices that after a recent deployment, the application is returning higher error rates. Which TWO steps should the team take to enable a quick rollback and improve future deployments?

Select 2 answers
A.Configure Auto Scaling lifecycle hooks to automatically terminate new instances if health checks fail.
B.Implement canary deployments using AWS CodeDeploy to shift traffic gradually and monitor error rates.
C.Use AWS CloudFormation change sets to automatically roll back failed deployments.
D.Use AWS Elastic Beanstalk to perform a blue/green deployment, swapping the environment URL after testing.
E.Enable AWS CloudTrail to track deployment API calls and automatically revert if errors exceed a threshold.
AnswersB, D

Canary deployments allow early detection and rollback if errors increase.

Why this answer

Option D (use Elastic Beanstalk for blue/green deployment) allows rollback by swapping environments. Option B (implement canary deployments in CodeDeploy) reduces the blast radius and allows monitoring before full rollout. Option C (CloudFormation change sets) is for previewing changes, not rollback.

Option E (CloudTrail) is for auditing, not deployment control. Option A (lifecycle hooks) is for custom actions during instance launch/termination, not rollback.

703
MCQeasy

A company uses AWS Lambda functions to process files uploaded to an S3 bucket. The processing time varies, but some files fail with a timeout error. The function has the default timeout setting. What is the MOST cost-effective way to resolve this issue?

A.Increase the memory allocation for the Lambda function.
B.Use an SQS queue to buffer the S3 events.
C.Use AWS Step Functions to orchestrate the processing.
D.Increase the Lambda function timeout.
AnswerD

Increasing timeout allows the function to run longer without timing out.

Why this answer

Option D is correct because increasing the timeout allows longer-running invocations to complete without failing. Option A is wrong because increasing memory also increases cost and may not be needed. Option B is wrong because SQS is for decoupling, not for fixing timeouts.

Option C is wrong because Step Functions add complexity and cost; it is simpler to adjust the timeout.

704
MCQmedium

A security engineer created the above bucket policy on the central-logging-bucket in account 111111111111. They want account 222222222222 to deliver CloudTrail logs to this bucket. What is missing?

A.The prefix AWSLogs/111111111111 is incorrect; it should use the source account ID 222222222222.
B.The role CrossAccountRole does not exist in account 222222222222.
C.The bucket policy must grant s3:PutObject to the CloudTrail service principal, not to a role.
D.The bucket must be in the same account as CloudTrail.
AnswerC

CloudTrail uses its own service principal to write logs.

Why this answer

The bucket policy grants PutObject to a specific role, but for cross-account delivery CloudTrail requires a bucket policy that grants PutObject to the CloudTrail service principal. Option B is wrong because the role exists. Option D is wrong because the bucket already exists.

Option A is wrong because the prefix is correct for CloudTrail.

705
MCQhard

Refer to the exhibit. A CloudFormation template is used to create an S3 bucket with versioning enabled and a DeletionPolicy of Retain. The stack is deleted. What happens to the bucket and its objects?

A.The bucket and all its objects are deleted
B.The bucket and its objects are retained
C.The bucket is deleted only if it is empty
D.The bucket is deleted, but versioning information is retained
AnswerB

DeletionPolicy Retain preserves the resource.

Why this answer

Option B is correct. With DeletionPolicy set to Retain, the bucket is preserved along with all its objects when the stack is deleted. Option A is wrong because the bucket is not deleted.

Option D is wrong because the versioning status remains as set. Option C is wrong because buckets with versioning enabled can be deleted via the console with the force delete option, but CloudFormation respects the DeletionPolicy.

706
MCQeasy

A company is using AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required?

A.Enable IAM Identity Center in the management account and then register the member account as a delegated administrator.
B.Create a service control policy that allows the member account to manage IAM Identity Center.
C.Use AWS CloudFormation StackSets to deploy IAM Identity Center configurations to the member account.
D.Set up AWS Config rules to enforce IAM Identity Center settings in the member account.
AnswerA

This is the standard process to delegate administration.

Why this answer

To delegate administration of IAM Identity Center to a member account, you must first enable IAM Identity Center in the management account. Then, you can register the member account as a delegated administrator using the IAM Identity Center console or the RegisterDelegatedAdministrator API. This allows the member account to manage IAM Identity Center settings, users, and groups without requiring management account credentials.

Exam trap

The trap here is that candidates often confuse service control policies (SCPs) with delegation mechanisms, assuming an SCP can grant administrative rights, when in fact SCPs only deny or allow existing permissions and cannot delegate IAM Identity Center administration.

How to eliminate wrong answers

Option B is wrong because service control policies (SCPs) can only deny or allow actions at the account level, but they cannot delegate administrative permissions for IAM Identity Center; delegation requires explicit registration via the management account. Option C is wrong because AWS CloudFormation StackSets can deploy resources across accounts but cannot register a delegated administrator for IAM Identity Center, which is a management-plane operation. Option D is wrong because AWS Config rules can only evaluate and enforce compliance of resource configurations, not grant administrative delegation or manage IAM Identity Center settings.

707
Multi-Selecthard

A company is designing a new multi-tier web application on AWS. The application consists of a public-facing Application Load Balancer, a fleet of EC2 instances in private subnets, and an RDS database in a private subnet. The security team requires that all traffic between the ALB and EC2 instances be encrypted, and that the EC2 instances have no direct internet access. Which TWO actions should the company take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Configure the ALB to use HTTPS listeners and the target group to use HTTPS.
B.Place the EC2 instances in private subnets and use a NAT gateway for outbound internet access.
C.Attach an Internet Gateway to the VPC and route traffic through it.
D.Enable VPC Flow Logs on the private subnets.
E.Configure network ACLs to deny all inbound traffic from the internet.
AnswersA, B

This encrypts traffic between the client and ALB, and between ALB and EC2 instances if the target group uses HTTPS.

Why this answer

The correct answers are A and B. Option A is correct because using HTTPS listeners on the ALB encrypts traffic between the client and ALB, and by using HTTPS as the protocol for the target group, the traffic between ALB and EC2 instances is also encrypted. Option B is correct because placing EC2 instances in private subnets ensures they have no direct internet access, and using a NAT gateway for outbound access allows them to reach the internet for updates if needed, but not inbound.

Option E is wrong because network ACLs are stateless and need rules for both inbound and outbound traffic, but they do not encrypt traffic. Option D is wrong because VPC Flow Logs are for monitoring, not for encryption or internet access control. Option C is wrong because an Internet Gateway provides direct internet access, which is not allowed.

708
MCQeasy

A company is using Amazon CloudFront to deliver static content from an S3 bucket. The company wants to ensure that users can only access content through CloudFront and not directly from the S3 bucket. What should the company do?

A.Use CloudFront Origin Access Control (OAC) and update the bucket policy to only allow access from the CloudFront distribution.
B.Set S3 Object Ownership to BucketOwnerPreferred.
C.Configure the S3 bucket policy to allow public read access.
D.Generate CloudFront key pairs and require signed URLs for all content.
AnswerA

Restricts direct access.

Why this answer

Option A is correct because Origin Access Control (OAC) restricts S3 bucket access to the CloudFront distribution only. Option C is wrong because it does not restrict direct access. Option B is wrong because Object Ownership is not a security feature.

Option D is wrong because CloudFront key pairs are for signed URLs, not bucket access.

709
MCQeasy

A company is migrating a web application to AWS and wants to use a containerized architecture. The application consists of multiple microservices that communicate via REST APIs. The company needs a solution that minimizes operational overhead for managing containers and orchestrating microservices. Which AWS service should the company use?

A.Amazon EKS with managed node groups.
B.AWS Lambda functions for each microservice.
C.Amazon EC2 with Docker installed on each instance.
D.Amazon ECS with AWS Fargate launch type.
AnswerD

Fargate is serverless and reduces overhead.

Why this answer

Option D is correct because Amazon ECS with Fargate is a serverless container orchestration option that reduces operational overhead. Option C is wrong because EC2 requires manual management. Option A is wrong because EKS still requires management of the node groups and cluster configuration.

Option B is wrong because Lambda is for functions, not containers.

710
MCQeasy

A startup needs a serverless compute service to run code in response to S3 events. The code should execute within milliseconds and require no server management. Which AWS service should be used?

A.Amazon ECS
B.AWS Lambda
C.Amazon EC2
D.AWS Fargate
AnswerB

Lambda is event-driven and serverless.

Why this answer

Option B is correct because AWS Lambda is serverless and can be triggered by S3 events. Option A is wrong because ECS manages containers and is not serverless on its own. Option D is wrong because Fargate is serverless but still container-based.

Option C is wrong because EC2 provides virtual servers.

711
MCQmedium

A company is using AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have a specific AWS Config rule enabled and that any drift is automatically remediated. Which approach should be used?

A.Use EC2 Auto Scaling to apply the Config rule to all accounts.
B.Use AWS Control Tower lifecycle events and customizations to deploy the Config rule and set up automatic remediation.
C.Use AWS CloudTrail to monitor for accounts without the Config rule and trigger a Lambda function to add it.
D.Use AWS Config to create a conformance pack that applies the rule, and use an SCP to require it.
AnswerB

Control Tower provides governance and drift detection.

Why this answer

Option B is correct because Control Tower uses lifecycle events and customizations (such as AWS Config rules) to detect and remediate drift. Option A is wrong because EC2 Auto Scaling is unrelated. Option D is wrong because AWS Config cannot enforce rules across all accounts without additional configuration such as Control Tower.

Option C is wrong because CloudTrail does not enforce rules.

712
MCQhard

A company is migrating a legacy monolithic application to AWS. The application uses a proprietary binary protocol over TCP. The company wants to modernize the architecture using microservices while minimizing changes to the client. Which approach should the company use?

A.Use a Network Load Balancer with TCP listener and route traffic based on destination port to different target groups.
B.Use AWS Global Accelerator with a TCP listener and endpoint groups for microservices.
C.Use an Application Load Balancer with path-based routing to direct traffic to separate microservices.
D.Use Amazon API Gateway with a custom authorizer to route requests to AWS Lambda functions.
AnswerA

NLB can handle TCP traffic and route based on port to different services.

Why this answer

A Network Load Balancer with a TCP listener and port-based target groups allows routing at the protocol level without modifying clients. Option C (ALB) requires HTTP. Option D (API Gateway) requires REST.

Option B (AWS Global Accelerator) uses anycast IPs but still needs TCP routing behind it.

713
Multi-Selectmedium

A company uses AWS Organizations and wants to establish a central logging solution. They need to collect CloudTrail logs from all accounts and store them in a central S3 bucket in the management account. Which THREE steps are required to achieve this?

Select 3 answers
A.Create an AWS Config rule to monitor CloudTrail configuration.
B.Apply a service control policy (SCP) to enforce CloudTrail logging.
C.Create a new CloudTrail trail in the management account with organization trail enabled.
D.Configure the trail to deliver logs to a central S3 bucket in the management account.
E.Enable CloudTrail in each member account individually.
AnswersC, D, E

An organization trail automatically applies to all accounts.

Why this answer

Option C is correct because enabling organization trail in the management account allows CloudTrail to automatically create a trail that logs events for all accounts in the AWS Organization, eliminating the need to manually enable CloudTrail in each member account. This is the only way to centrally collect CloudTrail logs from all accounts without individual account configuration.

Exam trap

The trap here is that candidates often think they must enable CloudTrail in each member account individually (Option E) or use SCPs to enforce logging (Option B), but the organization trail feature in the management account handles both the creation and central delivery automatically.

714
MCQhard

A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The Lambda function processes messages from an SQS queue and writes to DynamoDB. The company expects unpredictable traffic spikes and must ensure that messages are not lost. Which configuration should the company use to meet these requirements?

A.Use an SQS queue as a Lambda event source with reserved concurrency on the Lambda function
B.Enable DynamoDB Accelerator (DAX) for the Lambda function
C.Provisioned Concurrency on the Lambda function
D.Increase the SQS queue visibility timeout and retention period
AnswerA

Reserved concurrency prevents throttling, and SQS acts as a buffer.

Why this answer

Option A is correct because using an SQS queue as a Lambda event source with reserved concurrency ensures that messages are not lost during traffic spikes. SQS acts as a durable buffer, and reserved concurrency prevents the Lambda function from being throttled, which would otherwise cause messages to remain in the queue or be sent to a dead-letter queue. This combination guarantees that every message is processed without loss, even under unpredictable load.

Exam trap

The trap here is that candidates confuse Provisioned Concurrency (which reduces cold starts) with reserved concurrency (which guarantees processing capacity), and overlook that SQS alone cannot prevent message loss if Lambda is throttled.

How to eliminate wrong answers

Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read performance, but it does not prevent message loss or handle Lambda throttling. Option C is wrong because Provisioned Concurrency keeps a set number of Lambda instances warm to reduce cold starts, but it does not protect against throttling during extreme spikes; reserved concurrency is needed to guarantee capacity. Option D is wrong because increasing the SQS queue visibility timeout and retention period only delays message reprocessing and extends storage time, but does not address the root cause of message loss due to Lambda throttling.

715
MCQhard

A company is migrating a large-scale, stateful application to AWS. The application maintains session state in memory on the current on-premises servers. The company needs a solution that preserves session state during migration and minimizes latency for users worldwide. Which strategy should the company use?

A.Use AWS Global Accelerator to gradually shift traffic, and use Amazon ElastiCache for Redis to centralize session state
B.Use Amazon Route 53 weighted routing to shift traffic to new EC2 instances, and store session state in Amazon S3
C.Use AWS CloudFront to cache static content, and use Amazon DynamoDB for session state
D.Use AWS Global Accelerator to shift traffic, and deploy AWS WAF to protect the application
AnswerA

Global Accelerator provides anycast IP and traffic shifting; ElastiCache provides low-latency state sharing.

Why this answer

Option A is correct because AWS Global Accelerator allows you to gradually shift traffic from on-premises to AWS using endpoint weights, minimizing disruption during migration. Amazon ElastiCache for Redis provides a centralized, in-memory session store that preserves session state across the migration, ensuring low-latency access for users worldwide by leveraging Global Accelerator's anycast IP and AWS edge locations.

Exam trap

The trap here is that candidates often confuse Route 53 weighted routing with Global Accelerator's traffic-shifting capabilities, overlooking that Global Accelerator provides both performance optimization and gradual traffic migration, while Route 53 alone lacks the anycast edge network and fine-grained endpoint weight management needed for low-latency stateful migration.

How to eliminate wrong answers

Option B is wrong because Amazon S3 is not designed for low-latency session state storage; its eventual consistency and higher latency make it unsuitable for real-time session management, and Route 53 weighted routing lacks the traffic-shifting granularity and performance optimization of Global Accelerator. Option C is wrong because CloudFront caching static content does not address session state preservation; DynamoDB can store session state but introduces higher latency compared to in-memory solutions like ElastiCache for Redis, and CloudFront does not provide traffic shifting for migration. Option D is wrong because AWS WAF is a web application firewall that protects against web exploits, not a mechanism for preserving session state or shifting traffic; Global Accelerator alone without a centralized session store does not solve the stateful migration requirement.

716
MCQeasy

A company needs to provide temporary, limited-privilege credentials to mobile app users to access AWS resources. Which AWS service should the architect recommend?

A.Create IAM users for each mobile user and distribute access keys.
B.Use AWS Security Token Service (STS) directly from the mobile app.
C.Create an IAM role and have the mobile app assume it directly.
D.Use Amazon Cognito with an identity pool to issue temporary credentials.
AnswerD

Cognito Identity Pools are designed for this purpose.

Why this answer

Amazon Cognito identity pools (option D) provide temporary credentials for authenticated users. Option A (IAM users) is not intended for mobile users. Option B (STS) is for federated users, not direct use from a mobile app.

Option C (IAM roles) cannot be assumed directly by mobile apps.

717
MCQeasy

A company is designing a new application that will store sensitive user data in an Amazon RDS for PostgreSQL database. The data must be encrypted at rest and in transit. The company also requires automated backups with a retention period of 35 days. What is the MOST secure and cost-effective configuration?

A.Enable RDS encryption at rest using AWS KMS, and use client-side encryption for data in transit.
B.Use an AWS KMS key to encrypt the RDS instance, and configure the DB instance to use SSL/TLS for connections.
C.Store the data in Amazon S3 with server-side encryption, and use an RDS database for metadata only.
D.Enable encryption at rest for the RDS instance, and enforce SSL/TLS connections by setting the rds.force_ssl parameter to 1.
AnswerD

RDS encryption at rest is enabled with a single checkbox; SSL/TLS is enforced via parameter group. Automated backups are enabled by default with 35-day retention.

Why this answer

Option D is correct because enabling encryption at rest (via RDS encryption) and in transit (SSL/TLS enforced with rds.force_ssl) meets both requirements; automated backups are included and can be retained for up to 35 days. Option A is wrong because client-side encryption adds unnecessary complexity. Option B is wrong because AWS KMS is part of RDS encryption, not an additional service.

Option C is wrong because RDS encryption at rest is sufficient; there is no need for separate S3 encryption.

718
Multi-Selecthard

A company has a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application experiences occasional timeouts during peak hours. After reviewing AWS X-Ray traces, the team finds that DynamoDB queries are slow. Which THREE actions should the team take to improve performance and continuously optimize the solution?

Select 3 answers
A.Optimize DynamoDB queries by using global secondary indexes and reducing the number of separate queries.
B.Configure DynamoDB auto scaling to adjust read and write capacity based on demand.
C.Use Amazon ElastiCache for Redis to cache DynamoDB query results.
D.Implement Lambda function warmers to keep containers initialized and reduce cold starts.
E.Enable Amazon DynamoDB Accelerator (DAX) for read-heavy workloads.
AnswersA, B, E

GSIs and efficient query patterns reduce latency and consumed capacity.

Why this answer

Option E (DAX) reduces read latency. Option B (read and write capacity auto scaling) adapts to demand. Option A (GSIs and fewer separate queries) reduces latency and consumed capacity.

Option C (ElastiCache) is for external caching, not DynamoDB. Option D (warm containers) is for Lambda optimization but not directly addressing DynamoDB performance.

719
MCQhard

A multinational corporation is migrating to AWS and needs to manage permissions across multiple accounts using AWS IAM Identity Center (successor to AWS SSO). The company has a central identity source in Microsoft Active Directory. They need to grant different levels of access to users based on their job function. Which combination of AWS services will provide the most scalable and maintainable solution?

A.Create a permission set in IAM Identity Center for each job function and assign to appropriate groups.
B.Use AWS Organizations to attach SCPs that grant permissions based on user tags.
C.Use attribute-based access control (ABAC) with IAM Identity Center and session tags from Active Directory.
D.Use IAM roles directly in each account and manage trust policies centrally.
AnswerC

ABAC with session tags allows permissions to be based on user attributes, simplifying management.

Why this answer

Option C is correct because it uses attribute-based access control (ABAC) with IAM Identity Center, which allows permissions to be dynamically granted based on user attributes (e.g., job function) passed as session tags from Active Directory. This approach scales seamlessly as users and accounts grow, since policies reference tags rather than individual users or groups, and it centralizes identity management without requiring per-account role updates.

Exam trap

The trap here is that candidates often choose Option A (permission sets per job function) because it seems straightforward, but they overlook the scalability and maintenance benefits of ABAC, which AWS explicitly recommends for large, dynamic environments with a central identity source.

How to eliminate wrong answers

Option A is wrong because creating a permission set per job function and assigning to groups still requires manual updates when job functions change or new accounts are added, leading to maintenance overhead and reduced scalability. Option B is wrong because AWS Organizations SCPs cannot grant permissions based on user tags; SCPs only provide coarse-grained guardrails (allow/deny) at the account level and cannot evaluate user-specific attributes like tags from Active Directory. Option D is wrong because managing IAM roles directly in each account with centralized trust policies becomes unmanageable as the number of accounts grows, requiring cross-account trust updates and increasing the risk of misconfiguration.

720
MCQhard

A company has a multi-account AWS environment with a shared services account that hosts Active Directory for authentication. Developers need to launch EC2 instances in development accounts and join them to the domain. What is the most secure way to allow this?

A.Establish VPC peering between the shared services VPC and each developer VPC
B.Create a shared secret for the domain and store it in AWS Secrets Manager in each developer account
C.Use AWS Systems Manager to automate domain join with a custom document
D.Use AWS Managed Microsoft AD in the shared services account and set up a trust relationship with each developer account
AnswerD

Trust relationships allow domain join across accounts securely.

Why this answer

Option D is correct because AWS Managed Microsoft AD in the shared services account can establish a one-way or two-way forest trust with a separate AWS Managed Microsoft AD directory in each developer account. This allows EC2 instances in the developer VPCs to authenticate against the shared Active Directory without exposing the directory directly across accounts, maintaining security boundaries while enabling seamless domain join.

Exam trap

The trap here is that candidates often assume VPC peering (Option A) is sufficient for cross-account domain join, but they overlook the need for a trust relationship between Active Directory domains and the complexities of DNS resolution across accounts.

How to eliminate wrong answers

Option A is wrong because VPC peering alone does not enable domain join; it only provides network connectivity between VPCs. The developer EC2 instances would still need to resolve and reach the Active Directory domain controller, and without proper DNS resolution and security group rules, domain join would fail. Option B is wrong because storing a shared secret (e.g., domain admin password) in Secrets Manager in each developer account violates the principle of least privilege and creates a security risk; it also does not automate the domain join process or handle the necessary DNS and network configuration.

Option C is wrong because AWS Systems Manager can automate domain join using a custom document, but it still requires the EC2 instances to have network access to the Active Directory domain controller and proper DNS resolution; it does not solve the cross-account authentication and trust challenge.

721
MCQmedium

A company is building a new data analytics platform on AWS. The platform ingests streaming data from multiple sources, processes it in real time, and stores the results in Amazon S3 for later analysis. The data volume is expected to be up to 50 GB per day. The company needs to choose a service for real-time stream processing. Which AWS service is most appropriate for this use case?

A.Amazon Kinesis Data Firehose
B.Amazon Kinesis Data Streams
C.Amazon Kinesis Data Analytics
D.Amazon EMR
AnswerC

Kinesis Data Analytics processes streaming data in real time.

Why this answer

Option C is correct because Amazon Kinesis Data Analytics enables real-time stream processing using SQL or Apache Flink. Option B: Kinesis Data Streams is for data ingestion, not processing. Option A: Kinesis Data Firehose is for loading data into stores, not for real-time processing.

Option D: Amazon EMR is for batch processing, not real-time.

722
MCQmedium

A company has a central IT team that manages AWS Organizations. The development team needs to create and manage their own AWS accounts for new projects. What is the BEST way to automate account creation while maintaining governance?

A.Create an AWS Service Catalog product that uses AWS Organizations APIs to create a new account, applies a baseline CloudFormation template, and moves the account to the correct OU.
B.Use AWS CloudFormation StackSets to create accounts in bulk.
C.Use the AWS Organizations console to manually create accounts and assign them to the appropriate OU.
D.Give the development team the credentials to the management account and let them create accounts directly.
AnswerA

Service Catalog provides a self-service portal for end users with governance controls.

Why this answer

Option A is correct because it uses AWS Service Catalog to provide a self-service portal for the development team, while the central IT team retains governance by embedding AWS Organizations API calls to create accounts, apply a baseline CloudFormation template for security and compliance, and automatically move the account to the correct Organizational Unit (OU). This approach enforces guardrails without granting direct management account access.

Exam trap

The trap here is that candidates often confuse CloudFormation StackSets with account creation, but StackSets only operate on existing accounts, not create new ones.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation StackSets deploy resources across existing accounts and regions; they cannot create new AWS accounts. Option C is wrong because manual creation via the AWS Organizations console is not automated and does not scale for new projects, violating the requirement for automation. Option D is wrong because giving development team credentials to the management account violates the principle of least privilege and central governance, exposing the organization to security risks and accidental changes.

723
MCQhard

A media company uses S3 for storing video files and CloudFront for distribution. They implemented a Lambda@Edge function to add copyright headers. After deployment, some users report that older videos still lack the headers. What is the most likely reason?

A.The Lambda@Edge function is not triggered for viewer request events.
B.The CloudFront behavior for older videos does not include the Lambda function association.
C.The S3 bucket policy denies access to the Lambda function.
D.The videos are cached in CloudFront and the function runs only on cache misses.
AnswerB

If the distribution has multiple behaviors (e.g., based on path pattern), the function may only be associated with the behavior for newer videos.

Why this answer

Lambda@Edge functions are associated with CloudFront cache behaviors. If the function is only associated with specific behaviors (e.g., only for certain file extensions or path patterns), older videos served under other behaviors will not get the headers. Option B is correct.

Options A and C are less likely because the function is invoked on every request, and S3 permissions do not affect Lambda@Edge execution. Option D is incorrect because the issue is about missing headers, not caching of old content.

724
MCQmedium

A company is building a new microservices architecture on AWS using Amazon ECS with Fargate. The services need to communicate with each other using RESTful APIs. The company wants to implement an API gateway to handle authentication, rate limiting, and request routing. Which AWS service should be used as the API gateway?

A.Network Load Balancer
B.Application Load Balancer
C.Amazon API Gateway
D.Amazon CloudFront
AnswerC

API Gateway provides full API management including auth, throttling, and routing.

Why this answer

Option C is correct because Amazon API Gateway provides authentication, rate limiting, and request routing for RESTful APIs. Option B: ALB is a load balancer, not an API gateway. Option D: CloudFront is a CDN.

Option A: NLB is for TCP/UDP traffic.

725
MCQhard

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The directory will be used for authentication across multiple VPCs in different accounts. The company needs to ensure that resources in all VPCs can resolve DNS names from the directory. What is the MOST scalable and secure solution?

A.Create a VPN connection between each VPC and the on-premises AD, then use DNS forwarders.
B.Use Amazon Route 53 private hosted zones and associate them with all VPCs.
C.Deploy the directory in each VPC and use AWS Managed Microsoft AD multi-region replication.
D.Deploy the directory in a shared services VPC in the management account. Use AWS Transit Gateway to connect all VPCs and configure the directory's DNS as a forwarder via Amazon Route 53 Resolver.
AnswerD

Transit Gateway provides scalable connectivity, and Route 53 Resolver can forward DNS to the directory.

Why this answer

Option D is correct because using AWS Transit Gateway with a shared services VPC allows centralized DNS resolution via VPC peering or DNS forwarding. A design built only on Route 53 Resolver endpoints is also workable, but it is more complex and costly; Direct Connect is not needed.

Option A (VPN) is less scalable.

726
Multi-Selecthard

A company is migrating a legacy application to AWS. The application runs on Windows Server and uses a shared file system for storage. The company wants to modernize the application by using a managed file storage service that is POSIX-compliant and can be accessed by multiple EC2 instances concurrently. Which TWO AWS services meet these requirements? (Choose TWO.)

Select 2 answers
A.Amazon EBS
B.Amazon FSx for Lustre
C.Amazon S3
D.Amazon S3 Glacier
E.Amazon EFS
AnswersB, E

FSx for Lustre is POSIX-compliant and supports concurrent access.

Why this answer

Option E (Amazon EFS) and Option B (Amazon FSx for Lustre) are both POSIX-compliant file systems that can be accessed concurrently by multiple EC2 instances. Option C (Amazon S3) is object storage, not POSIX-compliant. Option A (Amazon EBS) is block storage that can be attached to one instance at a time (Multi-Attach exists, but it is limited).

Option D (Amazon S3 Glacier) is archival storage.

727
MCQhard

A company is designing a multi-region active-active application using Amazon Route 53 latency-based routing. The application runs on Amazon EC2 instances behind Application Load Balancers (ALBs) in two AWS Regions. The company needs to ensure that if one region becomes unavailable, traffic is automatically routed to the healthy region with minimal disruption. Which configuration meets these requirements?

A.Use Route 53 failover routing instead of latency-based routing.
B.Configure Route 53 latency-based routing without health checks.
C.Use Route 53 weighted routing with weights set to 50 for each region.
D.Configure Route 53 latency-based routing with health checks attached to each ALB endpoint.
AnswerD

Health checks allow Route 53 to automatically route traffic away from unhealthy endpoints.

Why this answer

Option D is correct because Route 53 health checks can monitor ALB endpoints. When a health check fails, Route 53 removes the unhealthy endpoint from latency-based routing, directing traffic to the healthy region. Option B is wrong because latency-based routing alone does not fail over.

Option A is wrong because failover routing requires a primary/secondary setup, not active-active. Option C is wrong because weighted routing does not automatically fail over based on health.

728
MCQmedium

A company is migrating its application stack from on-premises to AWS using a rehost strategy. The stack includes a web server, an application server, and a MySQL database. The company wants to automate the migration using AWS Application Migration Service (MGN). After configuring MGN, the web server test instance fails to start because the boot volume is missing the boot sector. What is the most likely cause?

A.The EBS volume size is smaller than the source volume.
B.The source volume was not shut down cleanly before replication.
C.The source web server uses an unsupported instance type.
D.The source OS is not supported by MGN.
AnswerB

An unclean (dirty) shutdown can corrupt the boot sector.

Why this answer

Option B is correct because MGN requires consistent volumes. Option C is wrong because the instance type does not affect the boot sector. Option A is wrong because volume size is not an issue.

Option D is wrong because the source OS is supported.

729
MCQeasy

A company is deploying a web application on AWS that requires a relational database. The application is read-heavy and expects sudden spikes in traffic. The database must be highly available and perform well under load. Which database configuration meets these requirements?

A.Use Amazon ElastiCache for Memcached as the primary database.
B.Deploy Amazon RDS in a Multi-AZ configuration without read replicas.
C.Deploy Amazon RDS in a single Availability Zone with a large instance size.
D.Deploy Amazon RDS in a Multi-AZ configuration and use read replicas to offload read traffic.
AnswerD

Multi-AZ provides failover, and read replicas improve read performance.

Why this answer

Amazon RDS Multi-AZ provides high availability, and read replicas offload read traffic. Option C (Single-AZ) is not highly available. Option B (Multi-AZ without replicas) does not help with read performance.

Option A (Memcached) is not a relational database.

730
Multi-Selecthard

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

Select 2 answers
A.Attach an S3 bucket policy that denies access unless the aws:SourceVpce condition matches the approved VPC endpoint IDs.
B.Enable S3 Block Public Access at the account level.
C.Configure AWS Network Firewall in the central security account to inspect traffic to the S3 endpoints and allow only encrypted traffic.
D.Use AWS Certificate Manager to issue certificates for S3 bucket access.
E.Attach an S3 bucket policy that denies access unless the aws:SourceVpc condition matches the approved VPC IDs.
AnswersA, C

Correct: Restricts access to specific endpoints.

Why this answer

Option A is correct because the `aws:SourceVpce` condition key in an S3 bucket policy allows you to restrict access to traffic originating from specific VPC endpoints (interface or gateway endpoints). This ensures that only requests coming through approved VPC endpoints can access the data lake, directly enforcing the mandate that access must originate from approved VPCs.

Exam trap

The trap here is that candidates often confuse `aws:SourceVpc` with `aws:SourceVpce`, not realizing that `aws:SourceVpc` does not work when traffic goes through a VPC endpoint, and they may overlook the need for a separate encryption-in-transit control like Network Firewall because S3 supports HTTPS by default but does not enforce it without a bucket policy or inspection.

731
MCQhard

A company is designing a new multi-region disaster recovery solution for a critical database. The database runs on Amazon RDS for MySQL in us-east-1. The recovery point objective (RPO) is 1 second, and the recovery time objective (RTO) is 1 minute. Which strategy meets these requirements?

A.Single-AZ RDS instance with cross-Region snapshot copy
B.Multi-AZ RDS instance in us-east-1
C.Multi-AZ RDS instance with a cross-Region read replica in us-west-2
D.Amazon Aurora Global Database
AnswerC

Synchronous replication within region, asynchronous to replica, fast failover.

Why this answer

Option C is correct because Multi-AZ with a cross-Region read replica provides low RPO (via synchronous replication within the region and asynchronous to the replica) and fast failover (RTO ~1 minute). Option A (single-AZ with cross-Region snapshot) has higher RPO/RTO. Option B (Multi-AZ only) does not cover another region.

Option D (Aurora Global Database) is for Aurora, not RDS MySQL.

732
MCQmedium

A company needs to design a disaster recovery (DR) solution for a critical database running on Amazon RDS for MySQL. The RTO is 15 minutes and RPO is 5 minutes. The primary region is us-east-1. Which solution meets these requirements?

A.Enable Multi-AZ deployment with a DB cluster.
B.Use automated backups with 5-minute retention.
C.Take manual snapshots every 5 minutes and copy to another region.
D.Create a cross-region read replica in us-west-2.
AnswerA

Synchronous replication and automatic failover meet RTO/RPO.

Why this answer

Option A is correct because a Multi-AZ DB cluster deployment for Amazon RDS for MySQL provides automatic failover to a standby instance in a different Availability Zone within the same region, achieving an RTO of typically 1–2 minutes and an RPO of effectively zero (synchronous replication). This meets the 15-minute RTO and 5-minute RPO requirements without any manual intervention or cross-region latency.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which provides high availability within a region) with cross-region replication (which is asynchronous and cannot meet tight RTO/RPO), or they assume automated backups or snapshots can achieve sub-15-minute RTO, ignoring the restore time overhead.

How to eliminate wrong answers

Option B is wrong because automated backups with 5-minute retention only provide point-in-time recovery within the retention period, but the RTO for restoring from a backup is significantly longer than 15 minutes (often 30+ minutes for a large database), and the RPO is limited to the backup interval, not the 5-minute requirement. Option C is wrong because manual snapshots taken every 5 minutes cannot be copied to another region quickly enough to meet the 15-minute RTO; snapshot copy times are unpredictable and often exceed 15 minutes, and the RPO would be compromised by the copy delay. Option D is wrong because a cross-region read replica in us-west-2 is asynchronous, meaning replication lag can exceed 5 minutes, and promoting a read replica to a primary instance typically takes several minutes, failing the 15-minute RTO; additionally, cross-region failover introduces latency and potential data loss beyond the 5-minute RPO.

733
MCQhard

A company uses a cross-account IAM role 'LogDelivery' in account 111122223333 to write logs to an S3 bucket 'my-company-logs' in a logging account. The bucket policy is shown above. Logs are not being delivered. What is the MOST likely issue?

A.The bucket policy lacks s3:GetObject permission.
B.The bucket policy restricts access to a specific account only.
C.The IAM role is not trusted by the bucket policy.
D.The bucket policy has an explicit deny that overrides the allow.
AnswerB

The resource pattern includes account 111122223333, so logs from other accounts would be denied.

Why this answer

Option B is correct because the bucket policy only allows the LogDelivery role from account 111122223333, but the logs may be coming from a different account (e.g., the source account of the logs). Option D is wrong because the policy does not deny; it allows. Option C is wrong because the policy is correct for the given role.

Option A is wrong because the policy allows PutObject, not GetObject.

734
MCQhard

A company has a legacy application that runs on an EC2 instance with a large attached EBS volume. The application writes log files to the volume, and the volume is frequently full, causing application errors. The Solutions Architect needs to implement a solution to automatically manage disk space without application changes. Which solution meets these requirements?

A.Configure an S3 Lifecycle policy to transition log files to Amazon S3 Glacier after 30 days.
B.Increase the EBS volume size and enable auto-scaling.
C.Use a script with Amazon Data Lifecycle Manager to snapshot the volume and delete old snapshots.
D.Install the CloudWatch Logs agent and stream logs to CloudWatch Logs, then delete local logs.
AnswerC

Data Lifecycle Manager automates snapshots, but the script can move old logs and free space.

Why this answer

Option C is correct because using a lifecycle process to move old logs to S3 Glacier and delete them from the volume automates space management. Option A is wrong because S3 Lifecycle policies apply to S3 objects, not EBS volumes. Option D is wrong because the CloudWatch Logs agent requires application changes to send logs.

Option B is wrong because increasing the volume size does not automatically manage space.

735
MCQmedium

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS MySQL instance. The stack template defines the DBInstanceClass as db.t3.medium. After deployment, the database performance is insufficient for the workload. The company wants to change the instance class to db.r5.large without recreating the database. What should they do?

A.Create a new stack with the new instance class and migrate the data.
B.Use AWS Database Migration Service to perform a blue/green deployment.
C.Delete the stack and create a new one with the new instance class.
D.Update the CloudFormation stack with the new instance class and apply the change.
AnswerD

CloudFormation will modify the DB instance in-place with minimal downtime.

Why this answer

Option D is correct because RDS supports modifying the DB instance class without recreating the database; the update causes a brief downtime but preserves data. Option C is wrong because deleting the stack would destroy the database. Option A is wrong because creating a new stack would create a new database, not modify the existing one.

Option B is wrong because RDS does not support blue/green deployments for instance class changes as a standard feature.

736
MCQmedium

A company deploys the above CloudFormation template. After deployment, an EC2 instance launched in mySubnet can access the internet. However, the instance cannot receive inbound traffic from the internet. What is the MOST likely reason?

A.The subnet does not have auto-assign public IP enabled.
B.No security group or network ACL allows inbound traffic.
C.The VPC does not have an internet gateway attached.
D.The route table does not have a route to the internet gateway.
AnswerB

Inbound traffic is blocked by default.

Why this answer

Option B is correct because the template does not configure a security group or network ACL to allow inbound traffic. The route table and internet gateway are correctly set up for outbound traffic. Option A is wrong because the subnet has MapPublicIpOnLaunch: true.

Option D is wrong because the route exists. Option C is wrong because the VPC does have an internet gateway attached.

737
MCQeasy

Refer to the exhibit. A company configured an Amazon Route 53 alias record for a domain name pointing to an Application Load Balancer (ALB). Users report that occasionally they are directed to an unhealthy ALB node. Which change should the company make to improve availability?

A.Change the record type to CNAME.
B.Configure the ALB health check to mark unhealthy nodes.
C.Use weighted routing policy.
D.Use multi-value answer routing.
AnswerB

Proper health checks ensure unhealthy nodes are not used.

Why this answer

Option B is correct because the alias record's EvaluateTargetHealth setting only causes Route 53 to return IP addresses of healthy ALB nodes when the ALB's own health check is configured correctly. The exhibit shows EvaluateTargetHealth: true, so that setting is already in place; since users are still reaching unhealthy nodes, the ALB health check itself is most likely misconfigured, and the fix is to configure it properly.

Option A is wrong because changing to a CNAME record does not provide health checking. Option C is wrong because weighted routing is for distributing traffic, not for health.

Option D is wrong because multi-value answer routing can return multiple values, but it does not improve health checking beyond what alias records already provide. Among the options, B is the most relevant.

738
MCQeasy

A company has a centralized IT team that manages AWS accounts for multiple departments. They need to grant the team permissions to create and manage IAM roles in all accounts, but without giving them full administrator access. What should they use?

A.Use AWS Single Sign-On with permission sets.
B.Create an IAM user in each account with AdministratorAccess.
C.Use AWS Organizations with a delegated administrator for IAM.
D.Use cross-account roles with a policy that allows iam:CreateRole.
AnswerC

Delegated administrator can manage IAM across accounts.

Why this answer

Option C is correct because AWS Organizations allows you to create service-linked roles and delegate administration. Option B is wrong because it gives full admin access. Option D is wrong because it does not scale across accounts.

Option A is wrong because it is not for role creation.

739
MCQeasy

A startup wants to deploy a web application on AWS with a serverless architecture. The application includes static content (HTML, CSS, JS) and a REST API backend using Lambda and DynamoDB. The company wants low latency and high availability globally. Which combination of services should they use?

A.Amazon CloudFront for static content, Application Load Balancer for API, and Lambda for compute.
B.AWS Lambda@Edge for both static content and API.
C.Amazon CloudFront for static content, Amazon API Gateway for the REST API, and AWS Lambda for compute.
D.Amazon S3 for static content with Transfer Acceleration, and AWS Lambda for API.
AnswerC

CloudFront provides CDN, API Gateway manages APIs, Lambda runs code serverlessly.

Why this answer

Option C is correct because CloudFront serves static content with low latency, API Gateway provides a REST API endpoint, and Lambda integrates with DynamoDB. Option D is wrong because S3 Transfer Acceleration is for uploads, not global content delivery. Option A is wrong because ALB is not serverless.

Option B is wrong because Lambda@Edge runs at edge locations but is not needed for the API backend.

740
MCQmedium

A company runs a production web application on EC2 instances in an Auto Scaling group behind an ALB. The application logs are stored on an EBS volume attached to each instance. The operations team notices that the logs are not being sent to a central location. What is the MOST efficient way to centralize log collection with minimal code changes?

A.Modify the application to use the AWS SDK to send logs to CloudWatch Logs via PutLogEvents API.
B.Use Amazon Kinesis Agent to send logs to Kinesis Data Firehose and then to S3.
C.Set up an S3 bucket with a lifecycle policy to transition logs to Glacier.
D.Install the CloudWatch Logs agent on each EC2 instance and configure it to stream the log files to CloudWatch Logs.
AnswerD

Minimal code changes, efficient centralized logging.

Why this answer

Option D is correct because the CloudWatch Logs agent can be installed on EC2 instances to stream logs to CloudWatch Logs without modifying application code. Option A is wrong because modifying the application to send logs via the API requires code changes. Option C is wrong because S3 lifecycle policies do not collect logs.

Option B is wrong because the Amazon Kinesis Agent is more complex and not typically used for EC2 log collection.

741
MCQmedium

A company runs a monolithic application on a single EC2 instance. The application is critical and must be highly available. The company wants to migrate to a containerized architecture on Amazon ECS with minimal downtime. Which approach should the company take?

A.Launch a new ECS cluster with the containerized application and use Route 53 weighted routing to shift traffic.
B.Deploy the monolith as a single task in ECS and update the task definition with new container versions.
C.Use AWS CodeStar to automatically deploy the application to ECS with blue/green deployments.
D.Use an Application Load Balancer with blue/green deployment using AWS CodeDeploy and ECS.
AnswerD

CodeDeploy with ECS supports blue/green deployments for minimal downtime.

Why this answer

Option D is correct because a blue/green deployment with ECS minimizes downtime by switching traffic gradually. Option B is wrong because migrating all at once risks downtime. Option A is wrong because launching a separate ECS cluster adds complexity.

Option C is wrong because CodeStar is not a deployment strategy.

742
MCQhard

A company is migrating a 3-tier web application from on-premises to AWS. The application consists of a Linux Apache HTTP server, a Java application server (Tomcat), and a MySQL database. The company wants to use AWS managed services to reduce operational overhead. The migration plan includes using AWS Elastic Beanstalk for the web and application tiers, and Amazon RDS for MySQL for the database. During a test migration, the team notices that the application is experiencing intermittent connection timeouts when the web tier attempts to connect to the application tier. The web and application tiers are deployed in separate Elastic Beanstalk environments, both in the same VPC, same region, and same Availability Zone. The security groups allow traffic from the web tier to the application tier on port 8080. What is the MOST likely cause of the connection timeouts?

A.The application tier is configured with an internal Application Load Balancer, but the web tier is unable to resolve the DNS name of the load balancer.
B.The web tier and application tier are in different Availability Zones, causing increased latency and timeouts.
C.The web tier is trying to connect directly to the application tier instances, but the application tier's security group does not allow inbound traffic from the web tier's security group.
D.The Elastic Beanstalk environment's health check URL is misconfigured, causing the instances to be marked as unhealthy and removed from the load balancer.
AnswerC

The web tier should connect to the application tier's load balancer, but the security group of the load balancer must allow traffic from the web tier.

Why this answer

Option C is correct because Elastic Beanstalk environments are deployed in separate Auto Scaling groups, and the security group that allows traffic from the web tier should reference the web tier's security group, not its instance IDs or IP addresses. However, the most common issue is that the application tier's Elastic Beanstalk environment uses a load balancer, and the web tier should connect to the load balancer, not directly to the instances. The load balancer's security group must allow traffic from the web tier.

Option B is wrong because both environments are in the same AZ; cross-AZ traffic is not the issue. Option D is not the primary cause; health checks are separate. Option A is wrong because the application tier uses Elastic Beanstalk's integrated load balancer, not a standalone ALB.

743
MCQeasy

A company is migrating its on-premises file server to Amazon FSx for Windows File Server. The company has 2 TB of data and a 100 Mbps internet connection. The migration must be completed within 5 days. What should the company do?

A.Order a new AWS Direct Connect connection.
B.Use AWS Snowcone to physically ship the data.
C.Use AWS DataSync over the internet to transfer data.
D.Use AWS Snowball Edge to transfer data.
AnswerB

Fast and cost-effective for 2 TB.

Why this answer

Option B is correct because Snowcone is ideal for small data sets. Option C is wrong because 100 Mbps is too slow. Option D is wrong because Snowball Edge is oversized.

Option A is wrong because Direct Connect takes too long to provision.

744
MCQmedium

A company is designing a new microservices architecture on AWS. Each microservice is deployed as a containerized application and must be able to scale independently. The company wants to minimize operational overhead for managing the containers and the underlying infrastructure. Which solution should the architect recommend?

A.Amazon EKS with managed node groups
B.Amazon ECS with Fargate launch type
C.Amazon ECS with EC2 launch type and Auto Scaling groups
D.Amazon Lightsail containers
AnswerB

Fargate is serverless, no infrastructure management.

Why this answer

Option B is correct because AWS Fargate is a serverless compute engine for containers that eliminates the need to manage underlying instances. Option C is wrong because ECS with EC2 requires managing EC2 instances. Option A is wrong because EKS with managed node groups still requires managing node groups.

Option D is wrong because Lightsail is for simple applications, not microservices.

745
MCQmedium

A company is designing a multi-region disaster recovery solution for a stateless web application running on Amazon ECS Fargate. The application uses an Application Load Balancer and stores session data in Amazon ElastiCache for Redis. The company needs to achieve an RPO of 15 minutes and an RTO of 30 minutes. What is the MOST cost-effective design that meets these requirements?

A.Deploy a second ECS cluster and ALB in the secondary region with no tasks. Use cross-Region replication for ElastiCache. Use Route 53 to fail over after scaling up tasks.
B.Deploy a second ECS cluster and ALB in the secondary region with a scaled-down number of tasks. Use ElastiCache Global Datastore for Redis to replicate session data. Use Route 53 health checks to fail over.
C.Use a multi-region ECS service with Service Connect and Route 53 latency-based routing. Keep equal capacity in both regions.
D.Use pilot light by replicating ECS task definitions and copying AMIs to the secondary region. Use ElastiCache snapshot and restore. Fail over with Route 53.
AnswerB

Correct: Warm standby with Global Datastore meets RPO and RTO.

Why this answer

Option B is correct because it meets the RPO and RTO with a warm standby approach that keeps a scaled-down copy running in the secondary region. Option A is too slow for the RTO. Option C is too expensive.

Option D (pilot light) is too slow for the RTO.

746
MCQhard

A company is migrating a legacy monolithic application to AWS. They want to refactor the application into microservices and use container orchestration. Which AWS service should they use to manage the containers?

A.AWS Lambda
B.Amazon ECS
C.Amazon EKS
D.AWS Fargate
AnswerC

EKS is a managed Kubernetes service.

Why this answer

Option C is correct because Amazon EKS is a managed Kubernetes service for container orchestration. Option B is wrong because ECS is also a container orchestration service, but it uses AWS's own orchestrator, not Kubernetes. Option D is wrong because Fargate is a compute engine for containers, not an orchestration service.

Option A is wrong because Lambda is serverless, not for containers.

747
MCQmedium

A multinational company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled. The company wants to enforce this policy centrally without modifying each bucket individually. Which solution is MOST effective?

A.Apply a service control policy (SCP) to the root organizational unit that denies s3:PutBucketEncryption unless encryption is set.
B.Create an IAM role that all users must assume to create buckets, and attach a policy requiring encryption.
C.Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to enable encryption.
D.Enable default encryption on each S3 bucket using a custom AWS Config rule.
AnswerA

SCPs centrally enforce policies on all accounts in the organization.

Why this answer

Option A is correct because using an SCP at the root OU can deny the creation of S3 buckets without encryption across all accounts. Option D is wrong because S3 default encryption is per-bucket and not centrally enforced. Option B is wrong because IAM roles cannot enforce encryption across accounts.

Option C is wrong because CloudTrail only logs; it does not enforce.

748
MCQeasy

A company uses AWS Config to record resource changes. The security team wants to be notified when an S3 bucket policy changes to allow public access. What is the most efficient way to achieve this?

A.Create an AWS Config rule that triggers a custom Lambda function to check bucket policies and publish to SNS.
B.Configure S3 event notifications on the bucket to send events to SNS.
C.Set up an AWS Config rule to directly publish to an SNS topic when noncompliant.
D.Enable AWS CloudTrail and create a metric filter for PutBucketPolicy events.
AnswerA

Config rules evaluate resource compliance and can invoke Lambda for remediation or notification.

Why this answer

Option A is correct because AWS Config rules can trigger custom Lambda functions to evaluate resources and send notifications. Option D is wrong because CloudTrail logs API calls but does not directly evaluate resource compliance. Option B is wrong because S3 events do not trigger on policy changes by default.

Option C is wrong because Config rules do not directly publish to SNS.

749
Multi-Selecthard

Which THREE factors should be considered when designing a VPC for a new application that must be compliant with the Payment Card Industry Data Security Standard (PCI DSS)? (Choose three.)

Select 3 answers
A.Encrypt traffic between VPCs using VPN or AWS PrivateLink.
B.Use VPC endpoints to keep traffic within the AWS network.
C.Implement network segmentation using subnets and security groups.
D.Use a single Availability Zone to reduce complexity.
E.Enable VPC Flow Logs to capture network traffic metadata.
AnswersA, C, E

Encryption of cardholder data in transit is required.

Why this answer

PCI DSS requires network segmentation, encryption in transit, and logging of network traffic. VPC endpoints allow private connectivity, but are not a PCI requirement per se.

750
MCQhard

A company has a multi-account AWS environment with a centralized security account. The security team wants to ensure that any IAM role created in any account with a trust policy allowing access from another AWS account must be approved by the security team. Which approach should be used?

A.Use service control policies (SCPs) to deny role creation unless the trust policy meets conditions
B.Use IAM policies to restrict who can create roles
C.Use AWS Lambda to automatically delete non-compliant roles
D.Use AWS Config rules to detect and alert on risky trust policies
AnswerA

SCPs can deny IAM role creation if the trust policy includes a principal that is not part of the organization, effectively requiring approval.

Why this answer

Option A is correct because SCPs can deny creation of roles with trust policies that include a specific condition (like a principal that is not within the organization) unless approved. Option B is wrong because IAM policies cannot prevent role creation. Option D is wrong because AWS Config can detect but not deny.

Option C is wrong because Lambda can revoke but not prevent.
