AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 751–825

1746 questions total · 24 pages · All types, answers revealed

Page 11 of 24
751
Multi-Select · easy

A company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled and block public access. Which TWO actions should be taken to enforce these requirements centrally?

Select 2 answers
A. Use AWS Service Catalog to enforce S3 bucket encryption and public access settings.
B. Define a tag policy that requires encryption and public access tags on all S3 buckets.
C. Create an SCP to deny PutBucketAcl, PutBucketPolicy, and PutBucketPublicAccessBlock actions that do not meet the requirements.
D. Use IAM policies in the management account to restrict S3 permissions for all users.
E. Enable AWS Config and create rules to detect and automatically remediate non-compliant S3 buckets.
Answers: C, E

SCPs can centrally deny actions across all accounts.

Why this answer

Option C is correct because SCPs can deny actions that do not meet encryption or public access requirements. Option E is correct because AWS Config rules can be used to detect and remediate non-compliant buckets. Option D is wrong because IAM permissions are per-account and not centrally enforced.

Option B is wrong because tagging does not enforce security requirements. Option A is wrong because it does not enforce across all accounts; it only sets defaults for new buckets.

752
MCQ · easy

A company uses AWS Organizations and has a requirement that all Amazon S3 buckets must have versioning enabled. The company wants to automatically enable versioning on any bucket that is created without it. Which solution should be implemented?

A. Use AWS Config with a managed rule s3-bucket-versioning-enabled and configure auto-remediation using an AWS Systems Manager Automation document to enable versioning.
B. Use an SCP to deny s3:CreateBucket unless versioning is enabled.
C. Use AWS Config to detect buckets without versioning and send an SNS notification.
D. Use AWS CloudFormation StackSets to deploy a bucket with versioning enabled in each account.
Answer: A

Config rule detects and auto-remediates by enabling versioning.

Why this answer

Option A is correct because AWS Config can detect S3 buckets without versioning using the managed rule `s3-bucket-versioning-enabled`, and then automatically remediate the noncompliant resource by invoking an AWS Systems Manager Automation document that enables versioning on the bucket. This provides a fully automated, event-driven solution that meets the requirement without manual intervention or blocking bucket creation.

Exam trap

The trap here is that candidates often choose Option B (SCP) because they assume SCPs can enforce API-level conditions like versioning, but SCPs cannot evaluate request parameters that are not supported as condition keys in the IAM policy context.

How to eliminate wrong answers

Option B is wrong because SCPs cannot conditionally deny `s3:CreateBucket` based on whether versioning is enabled at creation time; the `s3:CreateBucket` API call does not support a condition key for versioning, so the SCP would either block all bucket creation or be ineffective. Option C is wrong because sending an SNS notification only alerts administrators but does not automatically enable versioning, failing the requirement to 'automatically enable versioning'. Option D is wrong because AWS CloudFormation StackSets can only deploy resources in accounts where they are explicitly applied; they cannot retroactively fix buckets created outside the StackSet or in accounts not included in the stack instance, leaving gaps in coverage.

753
Multi-Select · hard

A company is migrating a legacy application to AWS. The application uses a custom authentication mechanism that relies on LDAP. The company wants to minimize changes to the application. Which THREE services should the company consider for integrating LDAP authentication? (Choose THREE.)

Select 3 answers
A. AWS Directory Service Simple AD
B. AWS Directory Service AD Connector
C. AWS Directory Service for Microsoft Active Directory
D. Amazon Cognito user pools
E. AWS Identity and Access Management (IAM)
Answers: A, B, C

Simple AD is a low-cost LDAP directory.

Why this answer

A, B, and C are correct because AWS Managed Microsoft AD provides LDAP, Simple AD is a low-cost LDAP-compatible directory, and AD Connector relays LDAP requests to on-premises AD. D is wrong because Cognito is for external identity providers. E is wrong because IAM does not provide LDAP authentication.

754
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The operations team notices that stack updates frequently fail because of updates to resources that are not supported for updates. What is the BEST way to handle this?

A. Use AWS Config rules to prevent updates.
B. Delete the stack and create a new one for each update.
C. Use AWS Service Catalog to enforce version control.
D. Use a change set to review the proposed changes before executing the update.
Answer: D

Change sets allow you to see what changes will be made and if any resources will be replaced.

Why this answer

The best practice is to use a change set to preview changes and identify unsupported updates before executing the update.

755
MCQ · easy

A company has an Amazon S3 bucket that stores sensitive data. The company wants to ensure that all data in the bucket is encrypted at rest. Which action should the Solutions Architect take?

A. Enable default encryption on the S3 bucket using SSE-S3, SSE-KMS, or SSE-C.
B. Use AWS CloudHSM to manage encryption keys.
C. Configure a bucket policy that denies unencrypted uploads.
D. Require the use of pre-signed URLs for uploads.
Answer: A

Default encryption encrypts all objects stored.

Why this answer

Option A is correct because enabling default encryption on the bucket ensures all objects are encrypted. Option B is wrong because CloudHSM is not required. Option C is wrong because bucket policies do not encrypt data.

Option D is wrong because pre-signed URLs do not enforce encryption.

756
MCQ · easy

A company uses AWS Lambda functions to process events from an SQS queue. The Lambda function is configured with a reserved concurrency of 5. The SQS queue has a high volume of messages, and the Lambda function is experiencing throttling errors. What is the most cost-effective solution to reduce throttling?

A. Create multiple Lambda functions each processing a subset of the queue.
B. Decrease the reserved concurrency to force the function to process messages more efficiently.
C. Increase the reserved concurrency for the Lambda function.
D. Increase the batch size of the SQS event source mapping.
Answer: C

This allows more concurrent executions, reducing throttling.

Why this answer

Option C is correct because increasing reserved concurrency allows more concurrent invocations. Option A is wrong because adding more Lambda functions is not how concurrency works. Option D is wrong because increasing batch size may cause timeouts.

Option B is wrong because decreasing concurrency worsens the problem.

757
MCQ · hard

Refer to the exhibit. An EC2 instance in subnet-11111 (10.0.1.0/24) cannot access the internet. The route table for the subnet is shown. What is the MOST likely cause?

A. The route table does not have a default route (0.0.0.0/0).
B. The VPC does not have a local route.
C. The route table is not associated with the subnet.
D. The NAT gateway is not in a public subnet with an internet gateway.
Answer: D

A NAT gateway requires a public subnet and an internet gateway to function.

Why this answer

Option D is correct. The route table has a route to a NAT gateway in the same subnet, but the NAT gateway must be in a public subnet with an internet gateway. If the NAT gateway is in a private subnet, it cannot route to the internet.

Option A is wrong because there is a default route. Option B is wrong because the local route is present. Option C is wrong because the route table is associated with the subnet.

758
MCQ · easy

A company is using Amazon RDS for MySQL and needs to capture slow query logs for performance tuning. The logs must be stored for 30 days for analysis. What is the MOST cost-effective way to achieve this?

A. Enable slow query logging and use an RDS event subscription to send logs to an SQS queue for processing.
B. Enable slow query logging and store logs in an S3 bucket with lifecycle policy to delete after 30 days.
C. Enable slow query logging and store logs on the RDS instance's EBS volume, then take daily snapshots.
D. Enable slow query logging and stream logs to Amazon CloudWatch Logs with a retention policy of 30 days.
Answer: D

RDS can publish logs to CloudWatch Logs, where retention is configurable.

Why this answer

Option D is correct because CloudWatch Logs can stream RDS slow query logs and retain them for 30 days at low cost. Option B is wrong because storing in S3 directly is not a built-in RDS feature. Option C is wrong because RDS doesn't write logs to EBS volumes by default.

Option A is wrong because it requires additional infrastructure and cost.

759
Multi-Select · medium

A company is planning to migrate a legacy application to AWS. The application runs on a single server with a monolithic architecture and uses an Oracle database. The migration team wants to reduce licensing costs and improve scalability. Which TWO strategies should the team consider?

Select 2 answers
A. Replatform the application to use AWS Elastic Beanstalk and Amazon RDS for PostgreSQL.
B. Refactor the application into microservices and use Amazon DynamoDB for data storage.
C. Replatform the database to Amazon RDS for PostgreSQL and refactor the application to use it.
D. Rehost the application on Amazon EC2 and use Amazon RDS for Oracle with license-included.
E. Rehost the application on Amazon EC2 and use Amazon RDS for Oracle with BYOL.
Answers: A, C

Reduces operational overhead and licensing costs.

Why this answer

Option A is correct because replatforming the application to AWS Elastic Beanstalk reduces operational overhead by automating capacity provisioning, load balancing, and scaling, while migrating from Oracle to Amazon RDS for PostgreSQL eliminates Oracle licensing costs and provides a managed database service with built-in high availability and scalability. This approach directly addresses the company's goals of reducing licensing costs and improving scalability without requiring a full application rewrite.

Exam trap

The trap here is that candidates may confuse 'replatforming' (options A and C) with 'refactoring' (option B) or assume that rehosting with Oracle BYOL (option E) reduces costs, when in fact BYOL still requires existing licenses and does not eliminate licensing expenses.

760
MCQ · medium

A company is using AWS Organizations with multiple accounts. The central IT team wants to enforce that all EC2 instances are launched with specific tags (e.g., CostCenter and Environment). The solution should prevent any untagged instances from being created. Which approach should be taken?

A. Use AWS Service Catalog to provision EC2 instances only from pre-configured products that include required tags.
B. Use an AWS Config rule to detect untagged instances and trigger a Lambda function to terminate them.
C. Create an SCP that denies the ec2:RunInstances action if the required tags are not specified in the request.
D. Create an IAM policy for each account that requires tags on instance creation.
Answer: C

SCPs can enforce tagging requirements at the organization level.

Why this answer

Option C is correct because an SCP can deny the ec2:RunInstances action if the required tags are not present. Option B is wrong because AWS Config rules can detect non-compliance but cannot prevent the action. Option D is wrong because IAM policies in each account would require manual management.

Option A is wrong because tagging is not enforced at launch.

761
MCQ · medium

A company is deploying a containerized application on Amazon EKS. The application needs to access an Amazon RDS database. The security team requires that database credentials be rotated automatically and never stored in plaintext. Which solution should the architect use?

A. Use AWS Secrets Manager to store and rotate credentials, and grant the EKS pod access via an IAM role
B. Use IAM database authentication for RDS and assign an IAM role to the pod
C. Hardcode the credentials in the container image and rotate the image regularly
D. Store credentials in AWS Systems Manager Parameter Store and grant the EKS pod access via an IAM role
Answer: A

Secrets Manager rotates credentials automatically and integrates with IAM for access.

Why this answer

AWS Secrets Manager can rotate RDS credentials automatically and provide them to applications via IAM roles. Option D (Parameter Store) does not support automatic rotation. Option C (hardcoded credentials in the container image) exposes credentials in plaintext.

Option B (IAM database authentication) avoids passwords but does not rotate credentials; it uses tokens.

762
MCQ · easy

A company is designing a centralized logging solution for multiple AWS accounts. They need to aggregate VPC Flow Logs, CloudTrail logs, and DNS logs from all accounts into a single S3 bucket. Which AWS service should be used to centralize the log collection?

A. Amazon S3 cross-region replication
B. Amazon Kinesis Data Firehose
C. AWS CloudTrail
D. AWS Config
Answer: C

A CloudTrail organization trail can deliver logs from all accounts to a single S3 bucket.

Why this answer

AWS CloudTrail can be configured to deliver logs from multiple accounts to a single S3 bucket by setting up a trail in the management account and using CloudTrail's organization trail feature. This automatically aggregates VPC Flow Logs, CloudTrail logs, and DNS logs from all member accounts into the designated centralized S3 bucket without requiring additional infrastructure.

Exam trap

The trap here is that candidates often confuse CloudTrail's log aggregation capability with other services like Kinesis Data Firehose or S3 replication, but CloudTrail is the only service that natively supports centralized log collection from multiple accounts via organization trails.

How to eliminate wrong answers

Option A is wrong because S3 cross-region replication replicates objects between buckets in different regions but does not collect or aggregate logs from multiple AWS accounts; it only copies existing objects. Option B is wrong because Amazon Kinesis Data Firehose is a streaming data delivery service that can ingest and transform data, but it is not designed to natively aggregate logs from multiple accounts into a single S3 bucket without custom cross-account IAM roles and additional configuration. Option D is wrong because AWS Config records resource configuration changes and compliance, not log aggregation; it cannot centralize VPC Flow Logs, CloudTrail logs, or DNS logs into a single S3 bucket.

763
MCQ · medium

A large enterprise with multiple business units (BUs) uses AWS Organizations with a shared services account and BU-specific accounts. Each BU account has a VPC with multiple subnets. The shared services account hosts a central NAT gateway that provides outbound internet access to all BU private subnets via VPC peering. Recently, the network team noticed that traffic from one BU's private subnet is being blocked by the security group in the shared services account. They verified that the route tables are correctly configured. What is the most likely cause and solution?

A. The BU account's route table does not have a route to the NAT gateway's private IP. Add a route via the VPC peering connection.
B. The security group attached to the NAT gateway's ENI does not allow incoming traffic from the BU private subnet. Update the security group to allow inbound traffic from the BU subnet CIDR.
C. The VPC peering connection is not in the 'active' state. Recreate the VPC peering connection.
D. The NAT gateway's Elastic IP is not attached. Attach an Elastic IP to the NAT gateway.
Answer: B

The NAT gateway's security group must allow inbound traffic from the private subnets.

Why this answer

VPC peering does not support transitive routing. In this setup, traffic from BU private subnets goes to the NAT gateway in the shared services account via VPC peering. However, the NAT gateway's security group must allow inbound traffic from the BU private subnet CIDR.

If it does not, traffic will be blocked. The solution is to update the NAT gateway's security group. Option B is correct.

764
MCQ · easy

A company is using AWS Organizations with consolidated billing. They want to track costs by department, where each department has its own AWS account. Which service should they use to tag resources with department IDs and view cost breakdowns?

A. AWS Budgets with tag-based filters.
B. AWS Trusted Advisor cost optimization checks.
C. AWS Cost Explorer with tag-based filtering.
D. AWS Cost Explorer with cost allocation tags.
Answer: D

Cost allocation tags (user-defined) can be applied to resources and used in Cost Explorer to break down costs by department.

Why this answer

Cost allocation tags in AWS allow you to tag resources (e.g., EC2 instances, S3 buckets) with department IDs and then use AWS Cost Explorer to view cost breakdowns by those tags. This directly meets the requirement to track costs per department account within AWS Organizations with consolidated billing.

Exam trap

The trap here is confusing 'tag-based filtering' (which is not a native Cost Explorer feature) with 'cost allocation tags' (the correct mechanism), leading candidates to pick Option C instead of D.

How to eliminate wrong answers

Option A is wrong because AWS Budgets can use tag-based filters to create budget alerts, but it does not provide a historical cost breakdown view by tag; it only monitors against a threshold. Option B is wrong because AWS Trusted Advisor cost optimization checks provide recommendations to reduce costs (e.g., idle resources), but it cannot tag resources or break down costs by department tags. Option C is wrong because AWS Cost Explorer with tag-based filtering is not a feature; Cost Explorer supports filtering by tags only after they are activated as cost allocation tags, and the phrase 'tag-based filtering' is misleading: Cost Explorer uses cost allocation tags, not arbitrary tag-based filtering.

765
MCQ · hard

A CloudFormation stack output is as above. The company wants to use the SQS queue URL in another stack. Which intrinsic function should be used to reference the queue URL in the second stack?

A. Fn::ImportValue
B. Fn::GetAtt
C. Fn::Sub
D. Fn::Ref
Answer: A

ImportValue imports exported output values from other stacks.

Why this answer

Option A is correct because Fn::ImportValue is used to import exported stack outputs. Option B is wrong because Fn::GetAtt gets attributes from resources in the same template. Option D is wrong because Fn::Ref returns a resource's primary identifier.

Option C is wrong because Fn::Sub is for string substitution.

766
Multi-Select · medium

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances must use a specific AMI ID that is approved by the security team. Which two actions should the team take to achieve this? (Choose two.)

Select 2 answers
A. Create an SCP that denies ec2:RunInstances unless the AMI ID matches an approved list.
B. Use AWS Resource Access Manager to share the approved AMI with all accounts.
C. Use AWS Config rules to detect instances launched with non-approved AMIs and trigger remediation.
D. Use AWS CloudTrail to monitor instance launches and send alerts.
E. Attach an IAM policy to each account's IAM roles that allows only approved AMIs.
Answers: A, C

SCPs can deny actions based on conditions.

Why this answer

Options A and C are correct. An SCP can deny the ec2:RunInstances action if the AMI ID is not in an approved list, and AWS Config can detect noncompliant instances. Option B is wrong because AMI IDs are account-specific and shared via RAM.

Option E is wrong because IAM policies cannot enforce specific AMIs across accounts easily. Option D is wrong because CloudTrail does not prevent launches.

767
MCQ · medium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The database experiences occasional read replica lag of up to 5 seconds. The application requires read-after-write consistency. Which action should the company take to improve the solution?

A. Modify the application to always read from the primary instance.
B. Increase the number of read replicas to distribute the load.
C. Implement Amazon ElastiCache to cache read results.
D. Use Amazon RDS Proxy to route read queries to the read replica.
Answer: A

The primary instance provides strong consistency.

Why this answer

Option A is correct because reading from the primary instance ensures strong consistency. Option D is wrong because RDS Proxy does not eliminate read replica lag. Option B is wrong because adding more read replicas does not solve consistency.

Option C is wrong because ElastiCache is for caching, not consistency.

768
MCQ · hard

A company runs a global application on AWS spanning multiple regions. They need to enforce that IAM users in specific accounts can only launch EC2 instances in approved regions. The company uses AWS Organizations. What is the most effective way to enforce this?

A. Use AWS Config rules to detect EC2 instances in non-approved regions and trigger automatic termination.
B. Create IAM policies in each account that deny EC2 actions outside approved regions.
C. Use VPC endpoints to restrict API calls to approved regions.
D. Create a Service Control Policy (SCP) that denies EC2:RunInstances in non-approved regions.
Answer: D

SCPs are applied at the OU or account level and prevent actions.

Why this answer

Option D is correct because SCPs can deny EC2 actions in non-approved regions across all accounts. Option B is wrong because IAM policies in each account require manual management. Option A is wrong because AWS Config only detects non-compliance.

Option C is wrong because VPC endpoints do not restrict EC2 launches.

769
MCQ · medium

A company is building a serverless application using AWS Lambda. The application processes files uploaded to an S3 bucket. Each file can be up to 500 MB, and processing takes up to 10 minutes. The Lambda function must be triggered as soon as a file is uploaded. Which configuration should they use?

A. Use S3 event notification to send an SQS message, which triggers Lambda.
B. Configure S3 event notification to invoke the Lambda function directly.
C. Increase the Lambda function timeout to 15 minutes and memory to 3 GB.
D. Use AWS Step Functions to poll S3 and invoke Lambda.
Answer: B

S3 can directly invoke Lambda for each object creation event.

Why this answer

Option B is correct because S3 event notifications can trigger Lambda for each object creation. Option C is incorrect because, although Lambda supports a timeout of up to 15 minutes and 10 minutes fits within it, changing the timeout and memory does not trigger the function; an S3 event notification is still needed. Option A is incorrect because SQS is not necessary for a direct S3 trigger.

Option D is incorrect because Step Functions add complexity.

770
Multi-Select · medium

A company is implementing a multi-account strategy using AWS Organizations. They want to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which TWO steps are required to achieve this? (Choose two.)

Select 2 answers
A. Use S3 replication to copy logs from member account buckets to the central bucket.
B. Create an IAM role in each member account that allows CloudTrail to write to the central bucket.
C. Enable AWS Config in each member account to forward logs to the central bucket.
D. Create a CloudTrail trail in the management account with the 'Enable for all accounts in my organization' option.
E. Configure the S3 bucket policy to grant the CloudTrail service principal write access from all accounts.
Answers: D, E

This allows CloudTrail to deliver logs from all accounts to the management account's bucket.

771
MCQ · medium

A company is using AWS Organizations to manage multiple accounts. The security team requires that all newly created member accounts automatically have an AWS Config rule enabled that checks whether S3 buckets have default encryption enabled. Which solution should be used?

A. Use an SCP in the root to require encryption on S3 buckets.
B. Use AWS CloudFormation StackSets with automatic deployment to deploy the AWS Config rule across all accounts in the organization.
C. Create an AWS Config rule in the management account and delegate an admin account to apply it to all member accounts.
D. Configure AWS CloudTrail to automatically enable the AWS Config rule in new accounts.
Answer: B

StackSets with automatic deployment apply templates to new accounts as they join the organization.

Why this answer

Option B is correct because AWS CloudFormation StackSets can deploy the AWS Config rule across all accounts in the organization, and with automatic deployment enabled, it applies to new accounts as they are created. Option C is wrong because AWS Config rules are not automatically applied to new accounts unless set up via delegation. Option A is wrong because Service Control Policies (SCPs) control permissions but cannot directly enable AWS Config rules.

Option D is wrong because AWS CloudTrail is for logging API calls, not for deploying Config rules.

772
MCQ · easy

A small business wants to host a simple static website on AWS. The website consists of HTML, CSS, JavaScript, and images. The company expects low traffic and wants to minimize costs. The website must be highly available and load quickly for users globally. Which solution should a Solutions Architect recommend?

A. Store the website files in an S3 bucket configured for static website hosting, and use Amazon CloudFront as a CDN.
B. Host the website on Amazon Lightsail with a load balancer and two instances.
C. Host the website on a single EC2 instance running Apache web server, with an Elastic IP address.
D. Deploy the website on AWS Elastic Beanstalk with a single EC2 instance.
Answer: A

S3 static hosting is very low cost and highly available, and CloudFront provides global performance.

Why this answer

Option A is correct because S3 static website hosting with CloudFront provides low cost, high availability, and global low latency. Option C is wrong because EC2 instances are overkill and expensive for static content. Option B is wrong because Lightsail is more expensive than S3 for static sites.

Option D is wrong because Elastic Beanstalk is designed for dynamic web apps, not static sites.

773
MCQ · medium

A company has multiple AWS accounts and wants to centralize logging from all accounts to a single S3 bucket in a logging account. The logs must be encrypted with a KMS key managed by the logging account. What is the MOST secure way to allow cross-account S3 server access logs?

A. Set the bucket policy to allow the source accounts to write logs, and enable default encryption on the bucket with the KMS key.
B. Use a bucket policy in the logging account that grants the S3 log delivery service principal access to write objects, and configure the KMS key policy to allow the log delivery service to use the key.
C. Create an IAM role in the logging account and allow the source accounts to assume it, then configure the source accounts to use that role for logging.
D. Configure the logging account's KMS key with a policy that allows the S3 service to use it, and set the bucket policy to allow the source accounts to write logs.
Answer: B

The S3 logging service uses the log delivery group (log-delivery.log.amazonaws.com) and needs both bucket policy and KMS key policy permissions.

Why this answer

Option B is correct because the S3 bucket policy can grant cross-account permissions to the logging service principal, and the logging account's KMS key policy must allow the log delivery service to use the key. Option A is wrong because KMS key policies must explicitly allow the service to use the key. Option C is wrong because cross-account roles are not automatically used by S3 logging.

Option D is wrong because the bucket policy alone does not handle KMS encryption.

774
MCQ · medium

A company is designing a new solution to securely store and manage secrets for applications running on AWS. The secrets include database credentials, API keys, and OAuth tokens. The solution must automatically rotate secrets and integrate with AWS services like Amazon RDS. Which AWS service should be used?

A. Store secrets in AWS Systems Manager Parameter Store with a SecureString parameter type.
B. Use AWS CloudHSM to store secrets as keys.
C. Use AWS Key Management Service (KMS) to store secrets as encrypted data keys.
D. Use AWS Secrets Manager to store secrets and configure automatic rotation.
Answer: D

Secrets Manager is purpose-built for secrets with rotation and native RDS integration.

Why this answer

AWS Secrets Manager is purpose-built for securely storing, managing, and automatically rotating secrets such as database credentials, API keys, and OAuth tokens. It provides native integration with Amazon RDS, enabling automatic rotation of RDS credentials without custom code, which directly meets the requirements for automatic rotation and AWS service integration.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with AWS Secrets Manager (which is designed specifically for automatic secret rotation and deep AWS service integration), leading them to choose Parameter Store for its lower cost and familiarity.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with SecureString does not support automatic rotation of secrets; it requires custom AWS Lambda functions or external processes to rotate secrets. Option B is wrong because AWS CloudHSM is a hardware security module for generating and storing cryptographic keys, not for managing application secrets like database credentials or API keys, and it lacks native rotation and RDS integration. Option C is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing secrets; it can encrypt data keys but does not provide secret storage, rotation, or direct RDS integration.

775
Multi-Select · easy

A company uses AWS CloudFormation to deploy a multi-tier application. The deployment includes an Application Load Balancer, Auto Scaling group, and Amazon RDS database. The company wants to ensure that updates to the database do not cause downtime. Which TWO strategies should the company use? (Choose two.)

Select 2 answers
A. Enable Multi-AZ on the RDS instance to allow failover during updates.
B. Update the CloudFormation stack directly without creating a new database.
C. Use AWS CloudFormation with a blue/green deployment strategy for the database.
D. Use a read replica to serve traffic during the update.
E. Use a database snapshot to restore the database if the update fails.
Answers: C, E

Blue/green allows you to create a new database and switch traffic.

Why this answer

Option C is correct because a blue/green deployment minimizes downtime by creating a new database environment. Option E is correct because taking a snapshot before updates provides a rollback option. Option A is wrong because Multi-AZ is for high availability, not for zero-downtime updates.

Option D is wrong because a read replica is for read scaling, not for updates. Option B is wrong because modifying the stack directly may cause downtime.

776
MCQmedium

A company is designing a new application that will run on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application must maintain session state. The company expects steady traffic with occasional spikes. Which solution is MOST scalable and cost-effective?

A.Use sticky sessions (session affinity) on the ALB with a session cookie.
B.Use Amazon ElastiCache for Memcached to store session data.
C.Store session data in Amazon DynamoDB tables.
D.Use Amazon ElastiCache for Redis to store session data externally.
AnswerD

Redis provides a scalable, highly available session store.

Why this answer

ElastiCache for Redis is a centralized session store decoupled from the EC2 fleet, so instances can scale in and out, or be replaced, without losing sessions, and it offers replication and optional persistence. Option A (sticky sessions) ties each user to one instance, so load is uneven during spikes and sessions are lost when that instance is terminated. Option B (ElastiCache for Memcached) also works, but it has no replication or persistence, so a node failure drops every session on it.

Option C (DynamoDB) is durable and scales, but per-request pricing for frequent session reads and writes makes it costlier than an in-memory store for this access pattern.

777
Multi-Selecteasy

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that no S3 buckets in any account are publicly accessible. Which TWO services can the team use to achieve this?

Select 2 answers
A.AWS Resource Access Manager
B.AWS WAF
C.AWS IAM Identity Center (SSO)
D.AWS Config
E.AWS Organizations Service Control Policies (SCPs)
AnswersD, E

Can evaluate bucket policies and auto-remediate non-compliant buckets.

Why this answer

Options D and E are correct: an SCP applied at the root or OU level can deny the API calls that would make a bucket public (for example, disabling Block Public Access), and AWS Config rules such as s3-bucket-public-read-prohibited detect buckets that are already public and can trigger remediation. Option A is wrong because AWS RAM shares resources across accounts; it does not restrict S3 access. Option B is wrong because AWS WAF filters HTTP requests at CloudFront, ALB and API Gateway; it has nothing to do with bucket policies.

Option C is wrong because IAM Identity Center handles workforce identity federation and single sign-on, not resource policies.

778
MCQhard

A company is designing a data lake on Amazon S3. The data is ingested from multiple sources and must be encrypted at rest using customer-managed keys. The company also needs to audit all access to the data lake. Which combination of services should be used?

A.Enable S3 bucket encryption with SSE-S3. Enable S3 server access logs.
B.Configure S3 bucket encryption with SSE-KMS using a customer-managed CMK. Enable AWS CloudTrail with data events for S3 and KMS.
C.Enable S3 default encryption with SSE-S3. Enable Amazon CloudWatch Logs for S3 access logging.
D.Use client-side encryption with a customer-managed key. Enable Amazon CloudWatch Logs for S3 access logs.
AnswerB

Customer-managed key meets requirement; CloudTrail audits access.

Why this answer

SSE-KMS with a customer managed key gives the company control over the key policy, rotation and revocation. CloudTrail records the KMS Decrypt calls that S3 makes on the data lake's behalf as management events, which are logged by default; S3 data events (GetObject, PutObject) are not logged by default, must be enabled on the trail, and carry their own charge at data-lake volumes. Option A is wrong because SSE-S3 keys are owned and managed by AWS, and S3 server access logs record object requests but never KMS usage.

Option C is wrong on both counts: SSE-S3 again, and CloudWatch Logs is not an audit source for S3 access. Option D is wrong because client-side encryption pushes key handling into every ingestion source and, again, CloudWatch Logs does not audit S3 access.

779
MCQmedium

A company is migrating a multi-tier web application to AWS. The application uses sticky sessions (session affinity). The company wants to use an Application Load Balancer (ALB). How should the architect configure the ALB to support sticky sessions?

A.Configure the ALB listener to use a custom header for session affinity.
B.Enable stickiness on the target group and set a cookie expiration duration.
C.Use a Network Load Balancer (NLB) and enable proxy protocol.
D.Place an Amazon ElastiCache cluster in front of the ALB to store session data.
AnswerB

ALB supports sticky sessions via a cookie; configuration is on the target group.

Why this answer

Option B is correct: on an ALB, stickiness is a target group attribute. Enable it and choose either the load-balancer-generated cookie (AWSALB) with an expiration duration, or an application-based cookie that the application sets itself. Option A is wrong because ALB listener rules route on headers; they do not provide affinity. Option C is wrong because an NLB has no cookie-based stickiness (it offers source-IP affinity), and proxy protocol only forwards client addresses to the targets.

Option D is wrong because ElastiCache is a session store the application reads and writes behind the load balancer; nothing sits in front of the ALB. Storing sessions externally is the more scalable design, but it answers a different question from the one asked.

780
MCQhard

A company is migrating a legacy .NET application to AWS. The application currently uses Windows Authentication and a SQL Server database. The company wants to reduce licensing costs and use managed services where possible. The migration should minimize code changes. Which combination of services meets these requirements?

A.Amazon EC2 instances with SQL Server installed and AWS Directory Service for AD
B.AWS Lambda for the application logic and Amazon DynamoDB for the database
C.Amazon ECS with Windows containers, Amazon RDS for SQL Server, and AWS SSO
D.AWS Elastic Beanstalk for the .NET application, Amazon RDS for SQL Server, and AWS Managed Microsoft AD
AnswerD

Elastic Beanstalk supports .NET, RDS for SQL Server is managed, and Managed AD provides Windows Authentication.

Why this answer

AWS Managed Microsoft AD is a real Active Directory, so the application's Windows Authentication keeps working once the Elastic Beanstalk instances are joined to the domain. Amazon RDS for SQL Server removes database administration and offers license-included pricing, so the company no longer buys and manages its own SQL Server licenses. AWS Elastic Beanstalk runs .NET on Windows Server without changing the application.

This combination minimizes code changes. Option A keeps self-managed SQL Server on EC2, so the licensing and operations burden remains. Option B (Lambda and DynamoDB) would require a rewrite: neither Windows Authentication nor the T-SQL data layer carries over. Option C substitutes AWS SSO (now IAM Identity Center) for a directory; it handles workforce sign-in to AWS, not Windows Authentication for the application.

781
MCQmedium

A company is migrating a monolithic e-commerce application to a microservices architecture on AWS. The application consists of several services that need to communicate asynchronously. The company wants to decouple the services and ensure that messages are processed exactly once and in order. The current solution uses a single Amazon SQS queue with multiple consumers, but messages are sometimes processed out of order or duplicated. The company needs a solution that guarantees order and exactly-once processing without introducing significant latency. Which approach should be used?

A.Use a single Amazon SQS standard queue with a deduplication ID to ensure each message is processed only once.
B.Use an Amazon SQS FIFO queue with a message group ID to ensure messages are processed exactly once and in order.
C.Use Amazon Kinesis Data Streams with a single shard and implement idempotent processing in the consumer.
D.Use Amazon SNS with a FIFO topic and subscribe SQS FIFO queues to ensure ordered delivery.
AnswerB

FIFO queues guarantee first-in-first-out delivery and exactly-once processing.

Why this answer

Option B is correct: an SQS FIFO queue preserves send order within a message group and deduplicates sends that repeat a MessageDeduplicationId (or, with content-based deduplication, an identical body) inside a five-minute window. Note what "exactly-once processing" covers: duplicate sends are dropped at the queue, but a consumer that fails to delete a message before its visibility timeout expires will receive it again, so consumers should still be idempotent and delete promptly. Option A is wrong because standard queues offer neither ordering nor a deduplication ID; at-least-once delivery is the contract.

Option C is wrong because Kinesis orders records within a shard but delivers at least once, so deduplication moves into the consumer, and a single shard caps throughput. Option D is wrong for this scenario rather than in general: an SNS FIFO topic fanned out to SQS FIFO queues does preserve order and deduplication, but it adds a hop and a component the design does not need when one queue with several consumers is the goal.
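The following is an added illustration, not part of the original question bank and not SQS itself: a toy Python model of the two FIFO behaviours the explanation relies on, per-message-group ordering (one in-flight message per group) and deduplication of repeated sends inside the five-minute window. Message bodies, group IDs and timestamps are constructed.

```python
"""Toy model of SQS FIFO ordering and deduplication, written for this page.
It models the queue-side guarantees only; visibility timeouts are not modelled."""
import hashlib
from collections import defaultdict, deque

DEDUP_WINDOW_SECONDS = 5 * 60  # the SQS FIFO deduplication interval


class FifoQueue:
    def __init__(self, content_based_dedup=True):
        self.content_based_dedup = content_based_dedup
        self._groups = defaultdict(deque)   # MessageGroupId -> pending bodies, in send order
        self._seen = {}                      # MessageDeduplicationId -> time it was accepted
        self._inflight = set()               # groups with a received but not yet deleted message

    def send(self, body, group_id, now, dedup_id=None):
        """Enqueue unless the same dedup ID was accepted inside the window.
        Returns True if enqueued, False if deduplicated (the real API reports
        success either way; the duplicate is simply dropped)."""
        if dedup_id is None:
            if not self.content_based_dedup:
                raise ValueError("MessageDeduplicationId is required without content-based dedup")
            dedup_id = hashlib.sha256(body.encode()).hexdigest()  # content-based dedup hashes the body
        accepted_at = self._seen.get(dedup_id)
        if accepted_at is not None and now - accepted_at < DEDUP_WINDOW_SECONDS:
            return False
        self._seen[dedup_id] = now
        self._groups[group_id].append(body)
        return True

    def receive(self):
        """Return (group_id, body) for the oldest message of the first group with
        nothing in flight, or None. The group stays locked until that message is
        deleted, which is what keeps order even with several consumers."""
        for group_id, pending in self._groups.items():
            if pending and group_id not in self._inflight:
                self._inflight.add(group_id)
                return group_id, pending[0]
        return None

    def delete(self, group_id):
        """Consumer acknowledges the in-flight message of a group (DeleteMessage)."""
        self._groups[group_id].popleft()
        self._inflight.discard(group_id)


def demo_order_and_dedup():
    """Single consumer: a producer retry is dropped, and order-1's events come out
    in send order. Timestamps are constructed, one second apart."""
    q = FifoQueue()
    sends = [("order-1:created", "order-1"), ("order-1:paid", "order-1"),
             ("order-2:created", "order-2"), ("order-1:created", "order-1"),  # producer retry
             ("order-1:shipped", "order-1")]
    accepted = [q.send(body, group, now=1000 + i) for i, (body, group) in enumerate(sends)]
    processed = []
    while (msg := q.receive()) is not None:
        group_id, body = msg
        processed.append(body)
        q.delete(group_id)
    # The same body sent again after the window has passed is a new message.
    accepted_after_window = q.send("order-1:created", "order-1", now=1000 + DEDUP_WINDOW_SECONDS + 1)
    return {"accepted": accepted, "processed": processed,
            "accepted_after_window": accepted_after_window}


def demo_group_lock():
    """Two consumers: while A's first message is in flight, the next receive gets
    B's message rather than A's second one; the delete releases A's next message."""
    q = FifoQueue()
    q.send("a1", "A", now=0)
    q.send("a2", "A", now=1)
    q.send("b1", "B", now=2)
    steps = [q.receive(), q.receive(), q.receive()]  # ("A","a1"), ("B","b1"), None
    q.delete("A")
    steps.append(q.receive())                         # ("A","a2")
    return steps
```

The second demo is the part worth internalising for the exam: parallelism comes from having many message groups, and a group whose consumer is slow or crashed holds up only that group until the visibility timeout (not modelled here) returns the message.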

782
Multi-Selecteasy

A company wants to implement a data perimeter across all AWS accounts to prevent data exfiltration. Which TWO strategies should the company use? (Choose TWO.)

Select 2 answers
A.Disable public access to all S3 buckets and restrict cross-account access.
B.Use AWS Resource Access Manager to share resources only with trusted accounts.
C.Use SCPs to deny access to external AWS accounts unless explicitly allowed.
D.Use VPC endpoints for all AWS services and ensure they are private.
E.Use security groups to restrict outbound traffic to known IP addresses.
AnswersB, C

RAM allows fine-grained control over resource sharing within the organization.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) lets you share resources such as subnets, transit gateways and License Manager configurations only with specific AWS accounts or organizational units, which supports a data perimeter by preventing unintended cross-account sharing. Option C is correct because Service Control Policies (SCPs) applied at the organization root, OU or account level can deny requests whose target belongs to an account outside the organization (a condition on aws:ResourceOrgID), and resource policies can reject callers from outside it (aws:PrincipalOrgID); together they form an authorization boundary that prevents exfiltration to unauthorized accounts.

Exam trap

The trap here is that candidates often confuse network-level controls (like VPC endpoints or security groups) with identity and resource-based perimeter controls, leading them to choose options D or E, which only address network paths and not the authorization boundaries needed to prevent data exfiltration across accounts.

783
MCQeasy

A company wants to centralize logging from multiple AWS accounts into a single Amazon S3 bucket. The logging accounts are part of an AWS Organization. Which approach should be used to allow CloudTrail to deliver logs from all accounts to the central bucket?

A.Configure the central S3 bucket policy to allow CloudTrail from all accounts in the organization to write logs.
B.Use a VPC endpoint and route logs through a central VPC.
C.Attach an SCP to allow CloudTrail to write to the central bucket.
D.Create an IAM role in each member account and allow the central account to assume it.
AnswerA

A bucket policy that grants the CloudTrail service principal write access, scoped to the organization (for example with a condition on aws:SourceOrgID), covers every account in the organization.

Why this answer

Option A is correct because an organization trail delivers logs from every member account into a single bucket under the prefix AWSLogs/<organization-id>/<account-id>/, and the only authorization needed is a bucket policy that grants the CloudTrail service principal (cloudtrail.amazonaws.com) s3:GetBucketAcl on the bucket and s3:PutObject on that prefix. Scope the grant with a condition on aws:SourceArn (the trail's ARN) or aws:SourceOrgID so that a trail in an unrelated account cannot write into the bucket (the confused-deputy case). No per-account IAM roles or role assumptions are involved: CloudTrail calls S3 as a service principal, and the trail is managed once, in the management account or a delegated administrator account.

Exam trap

The trap here is that candidates often confuse SCPs with resource-based policies, thinking an SCP can grant cross-account write access to an S3 bucket, when in reality only the bucket policy (or a combination of bucket policy and IAM) can authorize CloudTrail's service principal from another account.

How to eliminate wrong answers

Option B is wrong because VPC endpoints provide private connectivity from a VPC to an AWS service; CloudTrail writes to S3 from the service side, so no VPC path is involved, and routing anything through a central VPC does nothing for cross-account authorization. Option C is wrong because SCPs only bound what principals in member accounts may do; they never grant permissions, and they do not apply to a service principal writing to a bucket, so the write permission has to come from the bucket policy. Option D is wrong because CloudTrail does not assume roles in member accounts to deliver logs; it relies on the bucket policy trusting its service principal, so a role-per-account design is unnecessary and would not be exercised.
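The following is an added illustration for this question and for question 777, not part of the original question bank and not AWS's evaluator: a toy Python model of the pieces of the policy-evaluation logic both questions turn on. An SCP can only take permissions away, a bucket policy is what grants a service principal from another account access, and a condition key such as aws:SourceOrgID gates that grant. The organization ID, account IDs and bucket name are made up, and only the StringEquals condition operator and the Service/AWS principal forms are modelled.

```python
"""Toy model of SCP, identity-policy and bucket-policy evaluation, written for this page."""
from fnmatch import fnmatchcase

ORG_ID = "o-exampleorg1"                              # constructed
LOG_BUCKET = "arn:aws:s3:::central-cloudtrail-logs"   # constructed


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, req):
    """Action, Resource and (StringEquals-only) Condition all cover the request."""
    if not any(fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(req["resource"], r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(req["context"].get(k) == v for k, v in wanted.items())


def _principal_matches(stmt, req):
    """Resource-policy Principal check; only the Service and AWS forms are modelled."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    return req["principal"] in _as_list(principal.get("Service", [])) + _as_list(principal.get("AWS", []))


def evaluate(req, scps=(), identity_policy=None, resource_policy=None):
    """Return 'ALLOW' or 'DENY:<reason>'. Order follows the documented logic:
    explicit deny wins; then the SCP boundary (IAM principals only; SCPs never
    grant); then a grant from the resource policy; then, for same-account
    callers only, a grant from the identity policy."""
    is_service_principal = req["principal"].endswith(".amazonaws.com")
    for doc in list(scps) + [p for p in (identity_policy, resource_policy) if p]:
        for stmt in doc["Statement"]:
            if stmt["Effect"] != "Deny" or not _matches(stmt, req):
                continue
            if doc is resource_policy and not _principal_matches(stmt, req):
                continue
            return "DENY:explicit"
    if scps and not is_service_principal:
        if not any(s["Effect"] == "Allow" and _matches(s, req) for doc in scps for s in doc["Statement"]):
            return "DENY:scp"
    if resource_policy and any(s["Effect"] == "Allow" and _matches(s, req) and _principal_matches(s, req)
                               for s in resource_policy["Statement"]):
        return "ALLOW"
    if (identity_policy and req["principal_account"] == req["resource_account"]
            and any(s["Effect"] == "Allow" and _matches(s, req) for s in identity_policy["Statement"])):
        return "ALLOW"
    return "DENY:implicit"


# Question 777: SCP that stops anyone in a member account from weakening Block Public Access.
DENY_PUBLIC_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},  # the default FullAWSAccess grant
        {"Effect": "Deny", "Resource": "*",
         "Action": ["s3:PutBucketPublicAccessBlock", "s3:DeleteBucketPublicAccessBlock",
                    "s3:PutAccountPublicAccessBlock"]},
    ],
}

# Question 783: central log bucket policy trusting CloudTrail for this organization only.
CENTRAL_LOG_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": LOG_BUCKET,
         "Condition": {"StringEquals": {"aws:SourceOrgID": ORG_ID}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": f"{LOG_BUCKET}/AWSLogs/{ORG_ID}/*",
         "Condition": {"StringEquals": {"aws:SourceOrgID": ORG_ID,
                                        "s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}


def scenario_disable_block_public_access():
    """Admin-level identity policy in a member account, SCP in force: explicit deny."""
    admin = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    req = {"principal": "arn:aws:iam::222222222222:user/dev", "principal_account": "222222222222",
           "resource_account": "222222222222", "action": "s3:PutBucketPublicAccessBlock",
           "resource": "arn:aws:s3:::team-bucket", "context": {}}
    return evaluate(req, scps=[DENY_PUBLIC_ACCESS_SCP], identity_policy=admin)


def scenario_cloudtrail_write(source_org_id):
    """CloudTrail delivering a member account's log object; allowed only for our org."""
    req = {"principal": "cloudtrail.amazonaws.com", "principal_account": "222222222222",
           "resource_account": "111111111111", "action": "s3:PutObject",
           "resource": f"{LOG_BUCKET}/AWSLogs/{ORG_ID}/222222222222/CloudTrail/us-east-1/x.json.gz",
           "context": {"aws:SourceOrgID": source_org_id, "s3:x-amz-acl": "bucket-owner-full-control"}}
    return evaluate(req, scps=[DENY_PUBLIC_ACCESS_SCP], resource_policy=CENTRAL_LOG_BUCKET_POLICY)


def scenario_scp_cannot_grant():
    """Cross-account role whose SCP and identity policy both allow s3:PutObject, with
    no bucket-policy grant for it: implicit deny, because SCPs never grant."""
    role_policy = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}
    req = {"principal": "arn:aws:iam::222222222222:role/app", "principal_account": "222222222222",
           "resource_account": "111111111111", "action": "s3:PutObject",
           "resource": f"{LOG_BUCKET}/AWSLogs/{ORG_ID}/222222222222/x.json.gz", "context": {}}
    return evaluate(req, scps=[DENY_PUBLIC_ACCESS_SCP], identity_policy=role_policy,
                    resource_policy=CENTRAL_LOG_BUCKET_POLICY)
```

The third scenario is the exam trap in code: with FullAWSAccess in the SCP and s3:PutObject in the role's own policy, the cross-account write still fails because nothing in the bucket policy names that role. The second scenario shows why the aws:SourceOrgID condition matters: the same CloudTrail service principal, acting for a trail in a different organization, is refused.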

784
MCQhard

A company is designing a multi-region active-active application using Amazon Route 53, Application Load Balancers, and Auto Scaling groups. They need to route users to the closest region with the lowest latency. Which routing policy should they use?

A.Latency routing
B.Weighted routing
C.Failover routing
D.Geolocation routing
AnswerA

Routes to the region with the lowest latency.

Why this answer

Option A is correct because latency-based routing answers each query with the record for the region that has shown the lowest measured latency from the resolver's network, and health checks remove a region whose endpoint is failing. Option D (geolocation) routes on the user's geographic location, which is not the same thing as lowest latency. Option B (weighted) splits traffic in fixed proportions regardless of latency.

Option C (failover) serves a primary record and switches to a secondary only when the primary is unhealthy; it is a disaster-recovery pattern, not active-active.

785
MCQmedium

A media company runs a video processing pipeline on AWS. Videos are uploaded to an S3 bucket, which triggers an AWS Lambda function that transcodes the video into multiple formats using FFmpeg. The transcoding job runs on the Lambda function with a 15-minute timeout. Recently, the company started receiving 4K videos that take more than 15 minutes to transcode. The Lambda function times out, and the video is not processed. The company wants to process these large videos without increasing the Lambda timeout and without rewriting the entire pipeline. What should the solutions architect do?

A.Replace the Lambda function with AWS Elemental MediaConvert job triggered by S3 events.
B.Increase the Lambda function memory to the maximum to improve performance and reduce processing time.
C.Use AWS Step Functions to call multiple Lambda functions in parallel to process chunks of the video.
D.Use a Lambda function with a larger ephemeral storage to handle the video file.
AnswerA

MediaConvert supports long-running jobs and is designed for video processing.

Why this answer

Option A is correct. AWS Elemental MediaConvert is a managed service designed for video transcoding. It can handle large files and long-running jobs.

The S3 event notification is pointed at a target that submits a MediaConvert job (directly or through a small Lambda function), with the outputs written back to S3. Option B is wrong because a Lambda function cannot run longer than 15 minutes regardless of memory; more memory brings more CPU and may speed FFmpeg up, but gives no guarantee for 4K inputs. Option D is wrong for the same reason: larger ephemeral storage changes how much file fits on disk, not how long the function may run.

Option C is wrong because Step Functions orchestrates Lambda invocations without extending any single invocation's limit, and splitting, transcoding and re-joining video chunks in parallel is exactly the pipeline rewrite the company wants to avoid.

786
MCQhard

A company is designing a data lake on AWS using Amazon S3. The data lake will store petabytes of data from various sources. The company needs to query the data using Amazon Athena and Amazon Redshift Spectrum. The data is highly compressed and stored in Parquet format. Which storage class should be used to minimize costs while maintaining immediate query performance?

A.S3 Standard
B.S3 Glacier Deep Archive
C.S3 One Zone-IA
D.S3 Intelligent-Tiering
AnswerD

Intelligent-Tiering optimizes cost automatically.

Why this answer

Option D is correct. S3 Intelligent-Tiering moves objects between the frequent and infrequent access tiers according to observed access, with no retrieval fee and no change in latency, so Athena and Redshift Spectrum read the data exactly as they would from S3 Standard. Two caveats: there is a small per-object monitoring charge, negligible for large Parquet files but noticeable for many tiny objects, and the optional archive tiers should stay off when immediate query performance is required. Option A is wrong because S3 Standard charges full price for data that is rarely read.

Option B is wrong because Glacier Deep Archive objects must be restored (hours to days) before Athena or Spectrum can read them. Option C is wrong because One Zone-IA keeps a single copy in one Availability Zone, an unacceptable durability trade-off for a petabyte data lake.

787
MCQeasy

A company uses AWS CloudFormation to deploy resources. The operations team notices that some stack updates fail due to resource conflicts. What is the BEST practice to minimize such failures?

A.Enable termination protection on the stack.
B.Use AWS CloudFormation change sets before updating the stack.
C.Use AWS CloudFormation nested stacks.
D.Use stack policies to protect critical resources.
AnswerB

Change sets allow you to review proposed changes and identify conflicts before execution.

Why this answer

Option B is correct because a change set shows which resources the update will add, modify or replace before anything runs, so conflicts and unintended replacements are caught during review rather than mid-update. Option A is wrong because termination protection only stops the stack from being deleted; it has no effect on update conflicts. Option C is wrong because nested stacks organize templates into reusable pieces; they neither preview nor prevent conflicting updates.

Option D is wrong because a stack policy blocks updates to protected resources, which makes an update that touches them fail rather than helping it succeed.

788
Multi-Selecteasy

Which TWO AWS services can be used to monitor and troubleshoot network connectivity issues between EC2 instances? (Choose two.)

Select 2 answers
A.Amazon Inspector.
B.AWS CloudTrail.
C.AWS Config.
D.VPC Reachability Analyzer.
E.VPC Flow Logs.
AnswersD, E

Tests network paths between resources.

Why this answer

Options D and E are correct. E: VPC Flow Logs record accepted and rejected IP traffic per network interface, so a REJECT entry shows that a security group or network ACL dropped the connection. D: Reachability Analyzer evaluates the configured path between two resources (route tables, security groups, network ACLs, gateways) and names the component that blocks it, without sending any packets.

B is incorrect because CloudTrail records API calls, not network traffic. C is incorrect because Config records resource configuration history, not connectivity. A is incorrect because Inspector performs vulnerability assessments, not connectivity testing.
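The following is an added illustration, not part of the original question bank: a small Python parser that pulls the rejected flows out of VPC Flow Logs to explain a failed connection between two instances. The log lines are constructed in the default (version 2) record format; the account ID, interface ID and addresses are made up.

```python
"""Finding rejected flows in VPC Flow Logs, written for this page."""
from collections import Counter

# Field order of the default flow log record format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: 10.0.1.10 reaches PostgreSQL on 10.0.2.20, but its SSH attempts
# are rejected, as is one from a third host; the last line is an idle-interval record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 49152 5432 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 49153 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.3.30 10.0.2.20 53111 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 49154 22 6 2 120 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts, skipping NODATA/SKIPDATA intervals,
    which carry no addresses, and any line that is not a default-format record."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["protocol"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
        records.append(rec)
    return records


def rejected_flows(records, src=None, dst=None):
    """Count REJECT records per (src, dst, dst port, protocol), optionally filtered to
    one pair of hosts. A REJECT means a security group or network ACL dropped the
    packet; saying which one is Reachability Analyzer's job, not the flow log's."""
    counts = Counter()
    for r in records:
        if r["action"] != "REJECT":
            continue
        if (src and r["srcaddr"] != src) or (dst and r["dstaddr"] != dst):
            continue
        counts[(r["srcaddr"], r["dstaddr"], r["dstport"], r["protocol"])] += 1
    return counts


def path_is_rejected(records, src, dst, dstport):
    """True if the log shows rejects and no accepts for src -> dst:dstport,
    i.e. the path is blocked rather than intermittently failing."""
    verdicts = {r["action"] for r in records
                if r["srcaddr"] == src and r["dstaddr"] == dst and r["dstport"] == dstport}
    return "REJECT" in verdicts and "ACCEPT" not in verdicts
```

Run against the constructed sample, the parser reports that 10.0.1.10 can reach 10.0.2.20 on 5432 but is consistently rejected on 22, which narrows the investigation to the target's security group or subnet NACL for that port. If you enable flow logs with a custom format, extend FIELDS to match the format string you chose.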

789
MCQmedium

A company with multiple AWS accounts wants to centrally manage network security policies. The security team needs to inspect all traffic between VPCs in different accounts and block malicious traffic. Which solution is MOST operationally efficient?

A.AWS PrivateLink to route traffic through a centralized security appliance in a single account.
B.VPC Peering connections between all VPCs and use security groups to control traffic.
C.AWS Network Firewall with AWS Firewall Manager and AWS Resource Access Manager to deploy across accounts.
D.AWS Transit Gateway with a centralized inspection VPC using a Gateway Load Balancer.
AnswerC

This provides centralized policy management and automatic deployment across accounts with minimal operational effort.

Why this answer

Option C is correct because AWS Network Firewall, combined with AWS Firewall Manager and AWS Resource Access Manager, provides a centralized, policy-based approach to deploy and manage network security rules across multiple accounts and VPCs. Firewall Manager allows you to define common security policies (e.g., domain filtering, intrusion prevention) and automatically apply them to new and existing VPCs, while RAM enables sharing the firewall subnet across accounts. This eliminates the need for manual per-account configuration, making it the most operationally efficient solution for centrally inspecting and blocking malicious traffic between VPCs in different accounts.

Exam trap

The trap here is that candidates often assume AWS Transit Gateway with a Gateway Load Balancer is the most operationally efficient because it provides centralized inspection, but they overlook the automated policy management and cross-account deployment capabilities of AWS Firewall Manager, which reduces operational overhead significantly for multi-account environments.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink is designed for private connectivity to services (e.g., VPC endpoints) and does not provide traffic inspection or routing capabilities; it cannot inspect or block traffic between VPCs. Option B is wrong because VPC Peering creates point-to-point connections without a central inspection point, requiring security groups to be managed per VPC, which is not scalable for cross-account traffic inspection and does not support centralized policy enforcement. Option D is wrong because while AWS Transit Gateway with a centralized inspection VPC using a Gateway Load Balancer can inspect traffic, it requires significant manual setup (e.g., route tables, GWLB endpoints) and does not offer the same level of automated policy deployment and management across accounts as Firewall Manager, making it less operationally efficient.

790
Multi-Selecteasy

A company is building a data lake on Amazon S3. The data comes from various sources and must be encrypted at rest. The security policy requires that the encryption keys be managed by the company and rotated annually. Which TWO solutions meet these requirements? (Choose two.)

Select 2 answers
A.Use server-side encryption with customer-provided keys (SSE-C)
B.Use server-side encryption with S3 managed keys (SSE-S3)
C.Use server-side encryption with AWS KMS managed keys (SSE-KMS) with a customer managed key
D.Enable default encryption on the S3 bucket with SSE-S3
E.Use client-side encryption with the Amazon S3 encryption client
AnswersA, C

Customer manages keys and rotates them.

Why this answer

SSE-C keeps the key entirely with the company: S3 uses it for one request and discards it, so rotation is the company's responsibility and means re-encrypting each object (a copy with the new key). SSE-KMS with a customer managed key keeps key policy, rotation and auditing in KMS; automatic rotation is yearly by default and configurable, and it applies only to key material that KMS generated, not to imported material. Option B (SSE-S3) uses keys that AWS owns and rotates.

Option E (client-side encryption) also yields ciphertext at rest with keys the company controls, but key distribution and rotation then live in every ingestion client; for a lake fed by many sources the two server-side options are the expected answer. Option D is SSE-S3 again, applied as the bucket default, so the key is still AWS-managed.

791
Multi-Selecthard

A company is migrating a large-scale application to AWS. The application uses a message queue for decoupling components. The current on-premises solution uses RabbitMQ. The company wants a managed service that supports message durability and at-least-once delivery. Which THREE AWS services meet these requirements? (Choose THREE.)

Select 3 answers
A.Amazon Simple Notification Service (SNS) topic.
B.Amazon MQ (managed RabbitMQ broker).
C.Amazon SQS FIFO queue.
D.Amazon Kinesis Data Streams.
E.Amazon Simple Queue Service (SQS) standard queue.
AnswersB, C, E

Managed RabbitMQ service, supports durability.

Why this answer

Options B, C and E are correct. SQS standard and FIFO queues both persist messages redundantly and deliver at least once (FIFO additionally deduplicates sends and preserves order). Amazon MQ runs a managed RabbitMQ broker, the closest match to the existing system, which may let the application's AMQP client code move unchanged.

Option A is wrong because SNS is pub/sub push delivery, not a queue that holds messages until a consumer takes them. Option D is wrong because Kinesis Data Streams is a streaming log for ordered record replay rather than a work queue.

792
Multi-Selecteasy

A company runs a web application on EC2 instances behind an ALB. They want to improve the security posture by implementing defense in depth. Which TWO measures should they implement? (Choose TWO.)

Select 2 answers
A.Store static assets in a public S3 bucket.
B.Place EC2 instances in public subnets for easier management.
C.Allow direct internet access to the EC2 instances.
D.Configure security groups to restrict traffic to only necessary ports.
E.Use AWS WAF to filter common web exploits.
AnswersD, E

Security groups act as a firewall for EC2 instances.

Why this answer

Defense in depth means several independent layers. AWS WAF (Option E) inspects HTTP requests at the ALB for common exploits such as injection attempts, and security groups (Option D) are a stateful firewall that admits only the ports the application needs, for example allowing the instances to accept traffic only from the ALB's security group.

Option B (public subnets) exposes the instances directly. Option C (direct internet access) bypasses the ALB and WAF entirely. Option A (public S3 bucket) is an exposure, not a protection.

793
Multi-Selectmedium

A company is migrating a batch processing workload to AWS. The workload reads input files from an on-premises NFS server, processes them, and writes output files. The company wants to use AWS managed services and minimize operational overhead. Which TWO AWS services should the company use to replace the on-premises NFS server? (Choose TWO.)

Select 2 answers
A.Amazon S3 with S3 File Gateway.
B.AWS DataSync to transfer files from on-premises to Amazon EFS.
C.AWS Storage Gateway File Gateway.
D.Amazon EBS with a shared snapshot.
E.Amazon EFS (Elastic File System).
AnswersB, E

DataSync automates data transfer to AWS.

Why this answer

Options B and E are correct because Amazon EFS is a managed NFS file system the batch workload can mount unchanged, and AWS DataSync moves the existing files from the on-premises NFS server into EFS. Option A is wrong because S3 is object storage; an NFS-based workload would need changes. Option C is wrong because File Gateway also presents NFS, but it keeps the data in S3 and is a hybrid caching layer rather than a replacement for the server.

Option D is wrong because EBS is block storage attached to one instance (Multi-Attach excepted), and a snapshot is not a shared file system.

794
MCQmedium

A company uses AWS Organizations and wants to allow certain accounts to use AWS Service Catalog for self-service provisioning. The IT team needs to control which products are available. Where should the product portfolio be shared?

A.Share the portfolio with the target accounts from the Service Catalog console
B.Use AWS CloudFormation StackSets to deploy products to each account
C.Use SCPs to allow specific accounts to use Service Catalog
D.Create IAM roles in the central account that developers can assume
AnswerA

Portfolio sharing enables cross-account access to products.

Why this answer

Option A is correct because AWS Service Catalog allows you to share a product portfolio directly with individual AWS accounts or organizational units (OUs) within AWS Organizations. By sharing the portfolio from the Service Catalog console, the IT team can control which products are available to specific accounts, enabling self-service provisioning while maintaining governance. This approach leverages Service Catalog's native portfolio sharing mechanism, which does not require additional infrastructure or cross-account IAM roles.

Exam trap

The trap here is that candidates often confuse AWS Service Catalog portfolio sharing with other cross-account mechanisms like CloudFormation StackSets or IAM roles, failing to recognize that Service Catalog's native portfolio sharing (to individual accounts or, with trusted access enabled, to organizational units) is the correct way to control product availability for self-service provisioning.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation StackSets are used to deploy infrastructure across multiple accounts and regions, but they do not provide a self-service catalog for end users to provision products on demand; they are an automation tool, not a governance mechanism for product availability. Option C is wrong because Service Control Policies (SCPs) are used to restrict permissions at the AWS Organizations level, but they cannot control which specific Service Catalog products are available to an account; SCPs only allow or deny actions on the Service Catalog API, not portfolio-level sharing. Option D is wrong because creating IAM roles in the central account for developers to assume does not directly control which Service Catalog products are available in target accounts; it only grants cross-account access, but the portfolio must still be shared with the target account for the products to appear in that account's Service Catalog.

795
MCQmedium

A company runs a batch processing job on Amazon EMR every night. The job processes data from an S3 bucket and writes results to another S3 bucket. The job currently takes 6 hours to complete. The company wants to reduce the runtime to under 2 hours to meet a new SLA. The data volume is expected to grow by 20% each month. The EMR cluster uses a single master node and 10 core nodes of type m5.xlarge. The job is CPU-bound. What should they do?

A.Change the core node instance type to m5.4xlarge.
B.Use spot instances for the core nodes to reduce costs.
C.Add task nodes with spot instances to the cluster.
D.Increase the number of core nodes in the EMR cluster.
AnswerD

Adding more nodes increases parallelism for CPU-bound tasks, reducing runtime.

Why this answer

Option D is correct. Adding core nodes spreads a CPU-bound, parallelizable job across more vCPUs and shrinks the runtime, and as data grows 20% a month the core node count can keep growing with it. Option B is wrong because Spot Instances reduce cost, not runtime, and a reclaimed core node loses its share of HDFS.

Option A (larger core instances) is vertical scaling, which also helps but tops out at the largest instance size and does not track monthly data growth as cleanly. Option C (task nodes on Spot) adds compute cheaply but with interruption risk, which threatens the SLA rather than securing it.

796
MCQhard

A company runs a critical e-commerce platform on AWS. The application is deployed across multiple Availability Zones in a single region (us-east-1). The architecture includes an Application Load Balancer (ALB), an EC2 Auto Scaling group, and an Amazon RDS for MySQL Multi-AZ database. The application experiences periodic spikes in traffic, and the Auto Scaling group scales out successfully. However, during a recent traffic spike, the database CPU utilization reached 90%, causing increased latency and some database connection timeouts. The company needs to improve the database performance to handle the spikes without over-provisioning. The solutions architect must design a solution that reduces the load on the primary database instance and improves read scalability. The application is read-heavy, with a read-to-write ratio of 80:20. Which solution should the architect implement?

A.Implement an Amazon ElastiCache Redis cluster to cache frequent database queries.
B.Increase the DB instance class to a larger size and enable Multi-AZ with synchronous replication.
C.Migrate the database to Amazon DynamoDB and use DynamoDB Accelerator (DAX) for read performance.
D.Create one or more Amazon RDS Read Replicas in the same region and configure the application to route read queries to the read replica endpoint.
AnswerD

Read replicas offload read traffic from the primary, improving performance for read-heavy workloads.

Why this answer

Option D is correct. Read replicas take read traffic off the primary, and with an 80:20 read-to-write ratio that removes most of the load that drove CPU to 90%. Two practical notes: RDS for MySQL replicas each have their own endpoint (the single reader endpoint is an Aurora feature), so the application or a proxy must spread reads across them, and replication is asynchronous, so reads that must see a just-committed write should stay on the primary.

Option B is wrong because scaling up has a ceiling and over-provisions for the quiet periods; the Multi-AZ standby is not readable. Option A is wrong for this question because a cache helps only the queries it can hold and needs invalidation logic in the application; it complements replicas rather than providing read scalability. Option C is wrong because DAX only fronts DynamoDB, and a database migration is far beyond the ask.

797
MCQhard

A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to use AWS Transit Gateway to connect VPCs across accounts. The network team has created a Transit Gateway in the network account and shared it using AWS Resource Access Manager (RAM) with the workload accounts. The workload accounts have created VPC attachments to the Transit Gateway. However, traffic is not flowing between the VPCs. The route tables in the workload VPCs have routes pointing to the Transit Gateway. What is the most likely cause?

A.The Transit Gateway is in a different AWS account, so route propagation is not automatic.
B.The Transit Gateway route tables do not have routes for the attached VPCs.
C.The security groups in the workload VPCs are blocking traffic.
D.VPC flow logs are not enabled.
AnswerB

Transit Gateway route tables need routes to forward traffic.

Why this answer

Option B is correct: a shared Transit Gateway and successful attachments are not enough. Every attachment must be associated with a Transit Gateway route table, and that table must hold a route to each destination VPC, either propagated from the attachment or added statically. A Transit Gateway created with default route table association and propagation disabled (common in multi-account designs) does neither automatically, so the tables stay empty until the network team associates and propagates. Option D is wrong because flow logs observe traffic; they do not forward it.

Option A is wrong because cross-account attachments to a RAM-shared Transit Gateway work normally; whether routes propagate depends on the route table settings, not on which account owns the gateway. Option C is wrong as the most likely cause: security groups can block traffic, but with no routes in the Transit Gateway no packet reaches an instance for a security group to evaluate.
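The following is an added illustration, not part of the original question bank and not an AWS API: a toy Python model of Transit Gateway routing that reproduces the failure in this question. The source attachment must be associated with a TGW route table, and that table needs a propagated or static route to the destination CIDR; until both are done, a lookup finds nothing. Attachment IDs, route table IDs and CIDRs are made up.

```python
"""Toy model of Transit Gateway route table association and propagation, written for this page."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.attachments = {}     # attachment id -> VPC CIDR
        self.route_tables = {}    # route table id -> {"routes": {network: attachment}, "associated": set()}

    def create_route_table(self, rt_id):
        self.route_tables[rt_id] = {"routes": {}, "associated": set()}

    def attach_vpc(self, attachment_id, cidr):
        """A workload account creates an attachment to the RAM-shared TGW."""
        self.attachments[attachment_id] = ipaddress.ip_network(cidr)

    def associate(self, rt_id, attachment_id):
        """Traffic *from* this attachment is looked up in rt_id (one table per attachment)."""
        for table in self.route_tables.values():
            table["associated"].discard(attachment_id)
        self.route_tables[rt_id]["associated"].add(attachment_id)

    def propagate(self, rt_id, attachment_id):
        """Route propagation: the attachment's CIDR appears in rt_id as a route back to it."""
        self.route_tables[rt_id]["routes"][self.attachments[attachment_id]] = attachment_id

    def add_static_route(self, rt_id, cidr, attachment_id):
        self.route_tables[rt_id]["routes"][ipaddress.ip_network(cidr)] = attachment_id

    def forward(self, src_attachment, dst_ip):
        """Return the attachment a packet from src_attachment to dst_ip is sent to, or a
        string explaining why it is dropped. Longest prefix match, as on the real TGW."""
        table = next((t for t in self.route_tables.values() if src_attachment in t["associated"]), None)
        if table is None:
            return "DROP:attachment not associated with any route table"
        addr = ipaddress.ip_address(dst_ip)
        candidates = [(net, att) for net, att in table["routes"].items() if addr in net]
        if not candidates:
            return "DROP:no route"
        return max(candidates, key=lambda c: c[0].prefixlen)[1]


def demo_missing_propagation():
    """TGW created with default association/propagation disabled, as in the question:
    attachments exist and the VPC route tables point at the TGW, but the TGW table
    is empty until the network team associates and propagates."""
    tgw = TransitGateway()
    tgw.create_route_table("tgw-rtb-shared")
    tgw.attach_vpc("tgw-attach-vpc-a", "10.1.0.0/16")   # workload account A
    tgw.attach_vpc("tgw-attach-vpc-b", "10.2.0.0/16")   # workload account B
    results = {"before_association": tgw.forward("tgw-attach-vpc-a", "10.2.0.5")}
    tgw.associate("tgw-rtb-shared", "tgw-attach-vpc-a")
    tgw.associate("tgw-rtb-shared", "tgw-attach-vpc-b")
    results["before_propagation"] = tgw.forward("tgw-attach-vpc-a", "10.2.0.5")
    tgw.propagate("tgw-rtb-shared", "tgw-attach-vpc-a")
    tgw.propagate("tgw-rtb-shared", "tgw-attach-vpc-b")
    results["after_propagation"] = tgw.forward("tgw-attach-vpc-a", "10.2.0.5")
    results["reverse_path"] = tgw.forward("tgw-attach-vpc-b", "10.1.0.9")
    return results
```

The two DROP results correspond to the two things to check first on the network account side when a shared Transit Gateway "has attachments but passes no traffic": the association of each attachment, then the routes in the associated table. Return traffic needs the reverse route as well, which is why both attachments are propagated before the reverse path resolves.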

798
Multi-Selectmedium

Which TWO of the following are best practices for migrating a large-scale relational database to Amazon Aurora using AWS DMS? (Choose two.)

Select 2 answers
A.Use multiple parallel DMS tasks to improve throughput
B.Disable foreign key constraints on the target database during migration to speed up the load
C.Use the largest DMS replication instance to maximize performance
D.Enable validation on the DMS task to ensure data consistency after migration
E.Migrate while the source database is fully active without any downtime
AnswersA, D

Parallel tasks increase performance.

Why this answer

Running several DMS tasks in parallel (split by table or by partition) improves throughput. Enabling validation compares source and target rows after the load and reports mismatches. Disabling foreign keys on the target during the load is sometimes done for speed, but the constraints must be re-enabled and checked afterwards; stated as a practice, it risks integrity gaps.

The largest replication instance is not automatically the right one; size it to the workload, since an oversized instance wastes money. A fully live source with no downtime at all is unrealistic; full load plus change data capture (CDC) keeps the cutover window short rather than zero.

799
MCQhard

A company runs a data processing pipeline on AWS using AWS Glue and Amazon Redshift. Recently, the pipeline has been failing due to insufficient memory in the Glue job. The team wants to improve the pipeline to handle larger datasets without manual intervention. Which solution is MOST cost-effective?

A.Enable job bookmarking and configure incremental processing to reduce data volume per run.
B.Use a larger node type for the Amazon Redshift cluster to offload processing.
C.Replace AWS Glue with Amazon EMR and use spot instances for cost savings.
D.Partition the input data in Amazon S3 into more files with smaller sizes.
E.Increase the number of DPUs (Data Processing Units) for the Glue job.
AnswerA

Reduces the amount of data processed each time, preventing memory exhaustion.

Why this answer

Option A is correct because job bookmarks make each run process only the data that arrived since the last successful run, which keeps per-run memory bounded as the dataset grows and costs nothing extra. Option E is wrong because adding DPUs raises cost in proportion and only postpones the failure as data grows. Option B is wrong because a bigger Redshift cluster does nothing about the Glue job's memory.

Option C is wrong because moving to EMR adds operational complexity and is unlikely to be cheaper. Option D is wrong because more, smaller input files do not by themselves reduce how much data a single run must hold; that is a partitioning refinement, not a fix.

800
Multi-Selecthard

A company is designing a disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The application data is stored on Amazon EBS volumes. The recovery point objective (RPO) is 15 minutes, and the recovery time objective (RTO) is 2 hours. Which TWO actions should the company take to meet these objectives? (Choose two.)

Select 2 answers
A.Use Amazon EBS Multi-Attach to attach volumes to instances in another region.
B.Use AWS Backup to create a backup plan with a daily backup.
C.Use AWS CloudFormation to recreate the EC2 instances from a template.
D.Configure Amazon EBS snapshots to be taken every 15 minutes.
E.Copy EBS snapshots to another AWS Region and automate restoring them into EBS volumes.
AnswersD, E

Meets the 15-minute RPO.

Why this answer

Options D and E are correct. Snapshots every 15 minutes bound data loss to the 15-minute RPO, and copying those snapshots to a second Region with an automated restore into EBS volumes (followed by instance launch) keeps recovery well inside the 2-hour RTO. Note that Amazon Data Lifecycle Manager and AWS Backup schedule EBS snapshots no more often than hourly, so a 15-minute cadence needs a custom scheduler (for example, an Amazon EventBridge Scheduler schedule that calls the EC2 CreateSnapshot API) or continuous block-level replication such as AWS Elastic Disaster Recovery.

Option A is wrong because EBS Multi-Attach works only within a single Availability Zone, never across Regions. Option B is wrong because a daily backup gives an RPO of up to 24 hours. Option C alone recreates compute from a template but restores no data, so by itself it cannot meet the RPO.

801
MCQeasy

A company wants to centralize management of AWS resources across multiple accounts using AWS Control Tower. What is a prerequisite for setting up Control Tower?

A.A pre-configured landing zone.
B.An AWS Organizations management account.
C.At least three organizational units (OUs).
D.Existing AWS Config rules in all accounts.
AnswerB

Control Tower is built on Organizations.

Why this answer

Option B is correct because AWS Control Tower is set up from the management account of an AWS Organizations organization (or from a standalone account that becomes one during setup). Option A is wrong because Control Tower creates the landing zone; you do not supply one. Option C is wrong because Control Tower creates its own foundational OUs (Security and, optionally, Sandbox) during setup.

Option D is wrong because Control Tower deploys the AWS Config resources it needs as part of the landing zone; pre-existing rules are not required.

802
MCQhard

A company uses Amazon RDS for PostgreSQL with Multi-AZ and automated backups set to 35 days. The database experiences a sudden spike in write IOPS, causing performance degradation. The team needs to investigate the cause without affecting production. What should they do?

A.Use the enhanced monitoring feature to collect OS-level metrics on the production instance.
B.Review Amazon CloudWatch metrics for the production DB instance to identify the cause.
C.Enable Performance Insights on the production instance to analyze queries.
D.Create a read replica from the latest automated snapshot and enable Performance Insights on the replica.
AnswerD

This provides a copy for analysis without impacting production.

Why this answer

Option D is correct because creating a separate copy from the latest automated snapshot and enabling Performance Insights on that copy gives a near-current database to analyze without adding load to production. Option A is wrong because Enhanced Monitoring reports only OS-level metrics and does not show which queries drive the write IOPS. Option C is wrong under the question's constraint because it adds analysis work on the production instance; in practice Performance Insights is designed for low overhead and is commonly left enabled in production.

Option B is wrong because CloudWatch metrics show the IOPS spike but not the query-level detail needed to find its cause.

803
MCQhard

A company is migrating a large-scale batch processing workload to AWS. The workload runs on a schedule and processes terabytes of data. The migration must be cost-effective. Which AWS service is best suited for this workload?

A.Amazon EMR
B.AWS Lambda
C.AWS Batch
D.Amazon EC2 with Auto Scaling
AnswerC

AWS Batch is a fully managed batch computing service that dynamically provisions compute resources.

Why this answer

Option C is correct because AWS Batch is built for scheduled batch computing and provisions the optimal quantity and type of compute (including Spot Instances) for the jobs in its queues. Option B is wrong because Lambda's 15-minute timeout and memory ceiling do not fit multi-terabyte batch runs. Option A is wrong because Amazon EMR is optimized for big data frameworks such as Spark and Hadoop, not general-purpose batch jobs.

Option D is wrong because EC2 with Auto Scaling leaves job scheduling, queuing, and instance management to the company.

804
MCQmedium

A company is using Amazon RDS for MySQL and notices that read replicas are falling behind the primary. The primary instance is experiencing high write traffic. What is the best solution to reduce replica lag?

A.Increase the instance class of the read replica.
B.Enable Multi-AZ on the primary instance.
C.Disable binary logging on the primary.
D.Move the read replica to the same AWS Region as the primary.
AnswerA

Larger instance class can apply changes faster.

Why this answer

Option A is correct because a larger replica instance class gives the replica the CPU and I/O it needs to apply the primary's write stream faster. Option B is incorrect because Multi-AZ is a synchronous standby used for failover and has no effect on read replica lag. Option D is incorrect because the question does not say the replica is in another Region; replica lag on a heavily written primary occurs within a Region as well, so relocating the replica is not the fix.

Option C is incorrect because disabling binary logging on the primary would stop replication altogether.

805
MCQeasy

A solutions architect runs the command shown in the exhibit. Which statement is true about the output?

A.There are two instances with the Environment=production tag.
B.The command displays the instance ID, instance type, and launch time of three running instances.
C.One of the instances is stopped.
D.The command lists all instances in the account regardless of tags.
AnswerB

The output shows three instances with those attributes.

Why this answer

The command `aws ec2 describe-instances --query 'Reservations[].Instances[?State.Name==`running`].[InstanceId,InstanceType,LaunchTime]' --output table` filters for running instances and projects only the InstanceId, InstanceType, and LaunchTime fields. The output shows three rows, each representing a running instance with those three attributes. Therefore, option B is correct because it accurately describes the displayed data.

Exam trap

The trap here is that candidates may assume the output includes all instances or tag information, but the JMESPath query explicitly filters for running instances and projects only the specified fields, so any inference about tags or stopped instances is unsupported by the output.

How to eliminate wrong answers

Option A is wrong because the command does not filter or display tags; it only queries instances with State.Name==`running` and projects InstanceId, InstanceType, and LaunchTime, so there is no way to determine the Environment tag from this output. Option C is wrong because the command explicitly filters for instances where State.Name equals `running`, so a stopped instance would not appear in the output. Option D is wrong because the command uses a JMESPath query to filter for running instances only, not all instances in the account regardless of tags.

806
Multi-Selectmedium

A company is using Amazon CloudFront to distribute content globally. They want to optimize cost and performance. Which TWO actions are recommended?

Select 2 answers
A.Enable Regional Edge Caches to reduce load on the origin.
B.Disable compression to reduce CPU usage on the origin.
C.Use a single origin server to simplify configuration.
D.Use multiple CloudFront distributions for the same content.
E.Select the appropriate Price Class to limit the number of edge locations used.
AnswersA, E

Regional Edge Caches improve performance and reduce origin load.

Why this answer

Regional edge caches sit between the edge locations and the origin and absorb requests for content that has been evicted from a nearby edge, reducing origin load and latency; they are part of every distribution by default, so the practical step is to keep content cacheable with sensible TTLs so they are effective. Selecting a Price Class limits which edge locations serve the distribution and reduces cost. Option B is wrong because compression reduces bytes transferred and should stay enabled; Option C leaves the origin as a single point of failure; Option D duplicates configuration and splits the cache across distributions.

807
MCQhard

A company is migrating a critical application from on-premises to AWS. The application uses a Microsoft SQL Server database with Always On Availability Groups for high availability. The company wants to use Amazon RDS for SQL Server to reduce management overhead. The database size is 500 GB. The migration must have minimal downtime and support transactional consistency. The company has a VPN connection to AWS. Which migration strategy should the company use?

A.Use AWS DMS with a full-load migration and ongoing replication from the on-premises SQL Server to RDS for SQL Server.
B.Take a full backup of the database, restore it to RDS, and then schedule a final backup and restore after cutting over.
C.Use the SQL Server Import/Export Wizard to copy data from on-premises to RDS over the VPN.
D.Use AWS SCT to convert the database schema and then use AWS DMS for data migration.
AnswerA

DMS supports full load and CDC for minimal downtime.

Why this answer

Option A is correct because AWS DMS performs a full load and then uses SQL Server's change data capture to replicate ongoing changes to RDS for SQL Server, so the cutover window is only the final synchronization. Option B is wrong because native backup and restore requires a write freeze from the final backup until the restore completes and provides no ongoing replication. Option C is wrong because the SQL Server Import/Export Wizard is a one-time copy with no ongoing synchronization.

Option D is wrong because this is a homogeneous SQL Server to SQL Server migration; AWS SCT converts schemas between different engines and is not needed here.

808
MCQmedium

A company is using Amazon CloudFront with an S3 origin. They notice that users are receiving outdated content. What configuration change should be made to ensure users always get the latest content?

A.Use signed URLs to serve content.
B.Create an invalidation for the objects.
C.Enable compression on the S3 bucket.
D.Reduce the TTL to 0 in the CloudFront distribution.
AnswerB

Invalidation removes cached objects, forcing fresh fetch.

Why this answer

Option B is correct because an invalidation removes the objects from CloudFront's edge caches, so the next request fetches the current version from the S3 origin. Option D is incorrect because a TTL of 0 forwards every request to the origin, increasing load and cost. Option A is incorrect because signed URLs control who may access content, not how long it is cached.

Option C is incorrect because compression does not affect freshness. For routine deployments, publishing new content under versioned object names avoids invalidations entirely.

809
MCQhard

A company is migrating a legacy on-premises application to AWS. The application consists of a web server, an application server, and a MySQL database. The company has already migrated the web and application servers to EC2 instances in a VPC. The database is still on-premises. The application currently connects to the database using a JDBC connection string with the on-premises IP address. The company wants to minimize changes to the application code. The network team has established an AWS Direct Connect connection between the on-premises data center and the VPC. The security team requires that traffic between the application and the database be encrypted in transit. The database is not publicly accessible. The migration plan includes moving the database to Amazon RDS for MySQL in the same VPC after the initial cutover. During the migration testing phase, the application team reports that the application can connect to the on-premises database but performance is slower than expected. CloudWatch metrics show high latency on the database connections. The application uses a connection pool with 100 connections. Which solution should the solutions architect recommend to improve performance while minimizing application code changes?

A.Increase the connection pool size to 200 and enable connection multiplexing
B.Deploy an Amazon RDS for MySQL read replica in the same Region and direct read traffic to it
C.Use AWS Database Migration Service to set up ongoing replication from on-premises to RDS
D.Enable Multi-AZ on the RDS instance
AnswerB

Offloads reads, reducing latency for read-heavy workloads.

Why this answer

Option B is correct because an RDS read replica in the same Region as the application servers serves reads locally instead of over the Direct Connect link, cutting latency for a read-heavy workload with minimal code change (only the read connection string changes). Option A is wrong because more connections over the same high-latency path add load without reducing per-query latency. Option D is wrong because Multi-AZ provides failover, not lower latency.

Option C is wrong because DMS replication is a migration tool; by itself it does not change where the application reads from.

810
MCQhard

A company is migrating a monolithic application to microservices on AWS. The application uses a shared MySQL database. The team wants to decouple the database per microservice. Which strategy should the team use to minimize downtime during migration?

A.Rehost the application on EC2 and use a single RDS MySQL instance for all microservices.
B.Use the strangler fig pattern to gradually migrate functionality to microservices, each with its own database.
C.Use AWS Database Migration Service (DMS) to replicate the shared database to multiple target databases in real time.
D.Rewrite the entire application as microservices in a single release, using a shared database initially.
AnswerB

The strangler fig pattern allows incremental migration with minimal downtime.

Why this answer

Option B is correct because the strangler fig pattern routes traffic for one capability at a time to a new microservice with its own database, while the monolith keeps serving everything else. Option A is wrong because rehosting leaves the shared database in place. Option C is wrong because DMS copies data into multiple targets but does not split schema ownership or remove the monolith's dependency on the shared database.

Option D is wrong because a single big-bang rewrite concentrates risk and downtime in one release and still starts with a shared database.

811
MCQmedium

A company has a centralized AWS account for managing Amazon Route 53 DNS. The company has 100 VPCs across multiple accounts, and each VPC needs to resolve private hosted zones in the central account. What is the most scalable solution to enable DNS resolution across accounts?

A.Use CloudFormation StackSets to deploy Route 53 private hosted zones in each account
B.Use Route 53 Resolver outbound endpoints in the central account and share Resolver rules with other accounts using AWS RAM
C.Create a VPC peering connection between each VPC and the central account's VPC
D.Use AWS PrivateLink to connect VPCs to a central DNS service
AnswerB

This allows conditional forwarding of DNS queries to the central hosted zones.

Why this answer

Option B is correct because Route 53 Resolver rules can be shared with other accounts through AWS Resource Access Manager (RAM) and associated with each VPC, so queries for the private zones are forwarded centrally instead of being configured 100 times. In the usual hub pattern the rule forwards to an inbound Resolver endpoint in the central VPC, which answers from the private hosted zones associated with that VPC. Option C is wrong because VPC peering does not by itself resolve another account's private hosted zones, and 100 peering connections do not scale. Option D is wrong because PrivateLink exposes services, not DNS resolution.

Option A is wrong because StackSets would deploy 100 separate copies of the zones rather than resolve the central ones.

812
MCQhard

A company is running a production web application on AWS using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application uses a MySQL database hosted on Amazon RDS with Multi-AZ enabled. Recently, during a traffic spike, some users experienced increased latency and occasional 503 errors. The operations team noticed that the database CPU utilization reached 100% and the number of database connections peaked at the maximum limit. The application team confirmed that the application uses connection pooling on the EC2 instances but the pool size is fixed. Which solution should the solutions architect recommend to prevent recurrence?

A.Add read replicas to offload read queries.
B.Increase the DB instance class to a larger size.
C.Implement Amazon RDS Proxy to manage database connections.
D.Increase the maximum number of EC2 instances in the Auto Scaling group.
AnswerC

RDS Proxy pools connections, reducing the load on the database and preventing connection exhaustion.

Why this answer

Option C is correct because the issue stems from database connections hitting the maximum limit, causing CPU saturation and 503 errors. Amazon RDS Proxy sits between the application and the database, efficiently managing and pooling connections from the EC2 instances, reducing the number of open connections to the RDS instance and preventing connection exhaustion. This allows the existing connection pooling on the EC2 side to scale without overwhelming the database, directly addressing the root cause.

Exam trap

The trap here is that candidates often confuse connection exhaustion with CPU or memory bottlenecks and choose vertical scaling (Option B) or read replicas (Option A), missing that the core issue is the fixed connection pool size and the database's max connections limit, which RDS Proxy directly addresses by pooling and reusing connections.

How to eliminate wrong answers

Option A is wrong because adding read replicas offloads read queries but does not reduce the number of database connections hitting the primary instance; the connection limit and CPU spike from connection overhead remain. Option B is wrong because increasing the DB instance class provides more CPU and memory but does not solve the connection limit issue; the application will still exhaust the max connections, and scaling vertically is a temporary fix that increases cost without addressing the architectural bottleneck. Option D is wrong because increasing the maximum number of EC2 instances in the Auto Scaling group would increase the number of application servers, each with a fixed connection pool, potentially worsening the connection exhaustion and CPU spike on the database.

813
Multi-Selecteasy

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer. The application must be highly available across multiple Availability Zones. Which TWO actions should the architect take? (Choose TWO.)

Select 2 answers
A.Launch all EC2 instances in a single Availability Zone.
B.Configure the ALB as internet-facing and attach it to multiple Availability Zones.
C.Launch EC2 instances in at least two Availability Zones.
D.Use a Network Load Balancer instead of an Application Load Balancer.
E.Assign Elastic IP addresses to each EC2 instance.
AnswersB, C

Internet-facing ALB with multiple AZs provides HA.

Why this answer

For high availability, the ALB must be attached to subnets in at least two Availability Zones (option B) and the EC2 instances must be spread across at least two AZs (option C), so the loss of one AZ still leaves healthy targets. Option A (single AZ) is not HA. Option D (NLB) is not needed; an ALB spans AZs just as well.

Option E (Elastic IPs) is unnecessary; the ALB's DNS name is the entry point, not the instances' addresses.

814
MCQhard

A media company is building a video transcoding pipeline using AWS Elemental MediaConvert. The source videos are uploaded to an S3 bucket, and the transcoded outputs are stored in another S3 bucket. The company wants to trigger the transcoding job as soon as a new video is uploaded. The pipeline must handle high volumes of uploads and ensure that no upload is missed. Which solution is MOST reliable and scalable?

A.Configure an S3 event notification to directly invoke an AWS Lambda function that starts the MediaConvert job.
B.Configure an S3 event notification to publish to an Amazon SNS topic, which triggers an AWS Lambda function that starts the MediaConvert job.
C.Use Amazon EventBridge to detect S3 PUT events and route them to a Lambda function.
D.Configure an S3 event notification to send events to an Amazon SQS queue, and have a Lambda function poll the queue and start MediaConvert jobs.
AnswerA

This is a simple, reliable, and scalable event-driven pattern.

Why this answer

S3 Event Notifications invoking Lambda directly is a serverless pattern with nothing to provision or scale; Lambda is invoked asynchronously, retries failed invocations, and can route unprocessed events to a dead-letter queue or on-failure destination so uploads are not silently lost. Option D (SQS) adds a queue and a polling stage that are not needed for this trigger. Option B (SNS to Lambda) adds an indirection layer.

Option C (EventBridge) requires EventBridge notifications to be enabled on the bucket and adds a rule and another hop before Lambda.

815
MCQmedium

A developer notices that CloudWatch Logs for a Lambda function show no logs after a recent deployment. The function is invoked successfully. What is the most likely cause?

A.The Lambda function is exceeding the CloudWatch Logs API rate limits.
B.The Lambda execution role does not have permissions to write to CloudWatch Logs.
C.The log group retention policy is set to 7 days, which expired old logs.
D.The log group was deleted and not recreated.
AnswerB

Without proper IAM permissions, Lambda cannot create log streams or write logs.

Why this answer

Option B is correct because the execution role needs logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents; without them the function still runs, but its log output is discarded. Option A is wrong because throttling by the CloudWatch Logs API produces delayed or partial logs and throttling errors, not a complete absence of logs. Option C is wrong because a retention policy only expires old events; it does not block new ones.

Option D is wrong because Lambda recreates a missing log group on the next invocation as long as the role allows logs:CreateLogGroup.
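The execution-role policy that grants exactly the three permissions named above, written out as an added example (it is not code from the page). The Region us-east-1, the account ID 123456789012, and the function name order-processor are placeholders chosen here; the AWS managed policy AWSLambdaBasicExecutionRole grants the same actions on all log groups:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaLoggingForOrderProcessor",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-processor:*"
    }
  ]
}
```

Scoping the Resource to the function's own log group (rather than "*") keeps the role from writing into, or creating, other log groups in the account; a quick check after attaching it is to invoke the function once and confirm a new log stream appears under /aws/lambda/order-processor.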

816
MCQeasy

A company uses AWS Organizations with a single OU for all accounts. The security team wants to prevent any account from leaving the organization without approval. What should they do?

A.Configure IAM policies on the root user of each account to deny leave actions.
B.Create an AWS Config rule to detect leave attempts.
C.Enable AWS CloudTrail to monitor leave events and send alerts.
D.Apply an SCP that denies the organizations:LeaveOrganization action.
AnswerD

SCP can deny the action across all accounts.

Why this answer

Option D is correct because an SCP with Effect Deny on organizations:LeaveOrganization applies to every principal in the affected member accounts, including each account's root user. Option A is wrong because IAM policies cannot be attached to the root user and are scoped to a single account. Option C is wrong because CloudTrail records the call after the fact; it does not block it.

Option B is wrong because AWS Config is a detective control and cannot prevent the action. Note that SCPs do not apply to the management account; removing an account from the management side (organizations:RemoveAccountFromOrganization) is governed by that account's own IAM policies.
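The SCP described above, written out as an added example rather than code from the page. The Sid is a name chosen here; the policy is attached to the organization root so every OU and member account inherits it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingTheOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

SCPs require the organization to have all features enabled (not consolidated-billing-only mode), and a Deny in an SCP wins regardless of what the member account's IAM policies allow, which is why this works against the root user too. Verification is cheap: from a member account, calling organizations:LeaveOrganization should now return an AccessDenied error attributed to the SCP, and that failed call will still be recorded by CloudTrail.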

817
MCQeasy

A startup is deploying a web application on Amazon EC2 instances behind an Application Load Balancer. The application stores session state in an Amazon DynamoDB table. To improve performance, the team wants to reduce latency for read-heavy workloads. Which design change would be MOST effective?

A.Add an Amazon ElastiCache Redis cluster in front of DynamoDB to cache session data.
B.Use an Auto Scaling group to add more EC2 instances during peak hours.
C.Enable DynamoDB Accelerator (DAX) for the session table.
D.Increase the size of the EC2 instances to handle more concurrent users.
AnswerC

DAX provides an in-memory cache for DynamoDB, reducing read latency without application changes.

Why this answer

Option C is correct because DynamoDB Accelerator (DAX) is an in-memory, write-through cache purpose-built for DynamoDB and is used through a DAX-aware SDK client, so reads are served from cache with microsecond latency and no cache-management code. Option A is wrong because ElastiCache would require the application to implement its own cache population, invalidation, and key design. Option D is wrong because larger instances scale the web tier, not DynamoDB read latency.

Option B is wrong because Auto Scaling adds capacity but does not reduce the latency of an individual read.

818
Multi-Selecthard

A company is migrating a critical application to AWS and needs to ensure high availability across AWS Regions. The application uses a relational database. Which THREE components are necessary for this multi-region architecture?

Select 3 answers
A.Amazon RDS Multi-AZ deployment
B.Application Load Balancer in each region
C.Amazon Route 53 with failover routing policy
D.Amazon RDS cross-Region read replica
E.VPC peering between regions
AnswersB, C, D

A regional load balancer in each Region, a cross-Region replica, and DNS failover together.

Why this answer

Options B, C, and D are correct. A cross-Region RDS read replica gives the second Region a near-current copy of the data that can be promoted to a standalone primary during a disaster. Route 53 with a failover routing policy and health checks sends users to the standby Region when the primary fails. An Application Load Balancer in each Region distributes traffic to that Region's instances. Option A is wrong because Multi-AZ protects against an Availability Zone failure within one Region, not a Regional outage.

Option E is wrong because VPC peering (even inter-Region peering) is not required for DNS failover or for cross-Region read replica traffic, which RDS carries without a customer-managed network path.

819
MCQmedium

A company migrated a monolithic application to a microservices architecture on Amazon ECS. They notice that the CPU utilization of the cluster is high, but individual services are underutilized. What is the best optimization?

A.Increase the number of tasks for each service.
B.Use AWS Fargate Spot for interruptible workloads.
C.Switch from Fargate to EC2 launch type.
D.Right-size the task definitions by adjusting CPU and memory reservations.
AnswerD

Proper sizing reduces over-provisioning and improves cluster utilization.

Why this answer

Option D is correct because right-sizing the CPU and memory reservations in each task definition removes reserved capacity the services never use, so the cluster's reserved utilization tracks actual consumption. Option C (switching to the EC2 launch type) changes who manages the hosts, not the over-reservation. Option A (more tasks) adds capacity the services are already not using.

Option B (Fargate Spot) lowers the price of interruptible tasks but does not fix the utilization mismatch.

820
MCQmedium

A company is migrating its on-premises VMware virtual machines to AWS. The company wants to use the same VM images and has a 10 Gbps direct connect link. Which service should be used to automate the migration of the VMs?

A.AWS Migration Hub
B.AWS DataSync
C.AWS VM Import/Export
D.AWS Server Migration Service
AnswerC

Directly imports VMware VMs as EC2 instances.

Why this answer

Option C is correct because VM Import/Export imports existing VMware images (OVA, VMDK, VHD) as Amazon Machine Images, meeting the requirement to reuse the same images. Option A is wrong because Migration Hub only tracks migration progress. Option D is wrong because AWS Server Migration Service has been discontinued; AWS Application Migration Service (MGN) replaced it, and MGN replicates running servers rather than importing image files.

Option B is wrong because DataSync moves files and objects, not VM images into EC2.

821
MCQmedium

A company is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application experiences sudden spikes in traffic. Which AWS service should be used to handle the traffic spikes without losing any requests?

A.Amazon SNS
B.AWS Step Functions
C.Amazon SQS
D.Amazon Kinesis Data Streams
AnswerC

SQS decouples the API from Lambda and buffers requests.

Why this answer

Amazon SQS can buffer requests during spikes, allowing Lambda to process them at its own pace without dropping any.

822
MCQhard

A multinational corporation is using AWS Organizations with hundreds of accounts. The finance team needs to track costs by cost center, which is stored as a tag on each resource. However, some resources are missing the tag. What is the most efficient way to ensure that all resources are tagged correctly going forward?

A.Use AWS Config rules to identify untagged resources and send alerts
B.Use tag policies in AWS Organizations to enforce tagging on new resources
C.Attach an SCP that denies all actions if the resource does not have the cost center tag
D.Create a Lambda function that runs daily to tag untagged resources
AnswerB

Tag policies proactively enforce tagging rules.

Why this answer

Option B is correct because tag policies in AWS Organizations let the finance team define the cost center tag once (the key's capitalization and the allowed values) and attach that definition to the root, OUs, or accounts; with enforcement turned on for supported resource types, AWS rejects tagging operations that use a non-compliant key or value, so new resources are tagged consistently across hundreds of accounts without custom scripts. Tag policies standardize tags; they do not by themselves require that every resource carry the tag, so in practice they are paired with an SCP that uses the aws:RequestTag condition key to require the tag at creation for services that support it.

Exam trap

The trap here is confusing AWS Config rules (a detective control that reports after the fact) with tag policies (a preventive, organization-wide control on tag keys and values). A second trap is option C: SCPs can condition on aws:RequestTag for many resource types, but a blanket deny of all actions on untagged resources would also block reads and management of every existing untagged resource and every API call that carries no tag in the request.

How to eliminate wrong answers

Option A is wrong because AWS Config rules only detect and alert on untagged resources after they are created; they do not prevent it. Option C is wrong because denying all actions whenever the cost center tag is absent is overly broad: it blocks legitimate actions on existing untagged resources and on services or API calls that carry no tag in the request, turning a tagging problem into an outage. Option D is wrong because a daily Lambda run is reactive, adds operational overhead, and cannot know which cost center an untagged resource belongs to.
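A tag policy for the cost center tag, as an added example rather than code from the page. The key CostCenter, the allowed values CC-1001 and CC-1002, and the enforced resource types are placeholders chosen here:

```json
{
  "tags": {
    "costcenter": {
      "tag_key": {
        "@@assign": "CostCenter"
      },
      "tag_value": {
        "@@assign": [
          "CC-1001",
          "CC-1002"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance",
          "ec2:volume"
        ]
      }
    }
  }
}
```

With enforced_for set, a tagging operation on an EC2 instance or volume that uses a different capitalization (costcenter) or a value outside the list is rejected; without enforced_for the policy only reports non-compliant tags. What this policy cannot do is refuse an ec2:RunInstances call that carries no CostCenter tag at all; that requires an SCP whose Deny statement uses a Null condition on aws:RequestTag/CostCenter for the instance and volume resource types.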

823
Multi-Selecthard

A company is migrating a legacy application to AWS. The application requires static IP addresses for whitelisting by third-party APIs. The company plans to use an Application Load Balancer with EC2 instances. Which two steps should the company take to ensure the ALB has a consistent set of IP addresses? (Choose TWO.)

Select 2 answers
A.Use a NAT Gateway with Elastic IPs for outbound traffic.
B.Place a Network Load Balancer with Elastic IP addresses in front of the ALB.
C.Use Amazon Route 53 with an A record pointing to the ALB.
D.Place the ALB behind an AWS Global Accelerator.
E.Associate an AWS WAF web ACL with the ALB.
AnswersD, E

Global Accelerator provides static IP addresses that front the ALB.

Why this answer

AWS Global Accelerator gives the application two static anycast IP addresses that the third parties can allow-list, while the ALB behind it keeps its changing addresses. Associating an AWS WAF web ACL with the ALB (option E) protects the exposed entry point; it does not itself contribute to IP stability. Option B (NLB with Elastic IPs in front of the ALB) also yields static addresses but is not required once Global Accelerator is used.

Option A (NAT Gateway) fixes the source IP of outbound traffic only, not the ALB's inbound addresses. Option C (Route 53 A record) aliases to the ALB's changing addresses and provides no static IP.

824
Multi-Selecthard

A company is deploying a containerized application on Amazon ECS with Fargate. The application needs to be accessible from the internet and must be secured with an AWS WAF. Which TWO steps should be taken to achieve this?

Select 2 answers
A.Associate the ALB with an AWS WAF web ACL.
B.Use an Application Load Balancer in front of the ECS service.
C.Use a Network Load Balancer in front of the ECS service.
D.Assign public IP addresses to the Fargate tasks.
E.Use Amazon CloudFront as a CDN.
AnswersA, B

WAF can be associated with ALB to filter malicious traffic.

Why this answer

Option A is correct because AWS WAF can be associated with an Application Load Balancer (ALB) to filter HTTP/HTTPS traffic at the application layer. This allows you to protect the containerized application from common web exploits like SQL injection or cross-site scripting. Option B is correct because an ALB is required to route internet traffic to the ECS Fargate service and to terminate TLS, which is necessary for WAF to inspect the request payload.

Exam trap

The trap here is that candidates often assume a Network Load Balancer can be used with WAF or that assigning public IPs to tasks is acceptable, but WAF requires the Layer 7 inspection that only an ALB, CloudFront, or another supported HTTP-aware service can provide, and public IPs on the tasks let clients bypass the load balancer and the web ACL entirely.

825
MCQmedium

A company is migrating its on-premises application to AWS and needs to maintain the same private IP addresses for the application servers. The on-premises network uses 10.0.0.0/16. Which AWS service allows the company to extend its on-premises network to AWS and preserve IP addresses?

A.AWS Transit Gateway
B.VPC Peering
C.AWS Site-to-Site VPN
D.AWS Direct Connect
AnswerC

Site-to-Site VPN extends on-premises network to VPC, preserving IP addresses.

Why this answer

Option C is correct because Site-to-Site VPN extends the on-premises 10.0.0.0/16 network into the VPC over an encrypted tunnel, so the servers keep their addresses. Option B is wrong because VPC peering connects VPCs, not an on-premises network. Option A is wrong because Transit Gateway is a hub for attaching VPCs and VPN or Direct Connect connections; a VPN (or Direct Connect) attachment is still the mechanism that carries the on-premises routes.

Option D is wrong because Direct Connect provides a dedicated physical link but does not inherently preserve IP addresses.
