AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 826900

1746 questions total · 24pages · All types, answers revealed


Page 12 of 24

826
MCQ · medium

A company is designing a new event-driven architecture on AWS for processing orders. When a new order is placed, it must be validated, inventory checked, payment processed, and notification sent. Each step is independent and may take variable time. The company wants to decouple the steps and ensure that failures do not block the entire workflow. Which solution should a Solutions Architect recommend?

A. Use Amazon SQS queues for each step, with Lambda functions polling each queue and forwarding to the next step.
B. Use Amazon SNS to publish order events, and subscribe separate Lambda functions for validation, inventory, payment, and notification.
C. Use AWS Step Functions to define a state machine that invokes Lambda functions for each step, with retry and error handling.
D. Create a single Lambda function that performs all steps sequentially.
Answer: C

Step Functions provides orchestration, error handling, and visibility into the workflow.

Why this answer

AWS Step Functions is the correct choice because it provides a fully managed state machine that can orchestrate multiple Lambda functions with built-in retry logic, error handling, and parallel execution. This decouples each step (validation, inventory, payment, notification) while ensuring that failures in one step do not block the entire workflow, as Step Functions can handle errors gracefully with configurable retries and fallback states.

Exam trap

The trap here is that candidates often confuse decoupling with simple fan-out (SNS) or queue-based processing (SQS), overlooking the need for orchestration with error handling and sequential/parallel coordination that Step Functions uniquely provides.

How to eliminate wrong answers

Option A is wrong because using separate SQS queues with Lambda functions polling each queue introduces unnecessary complexity and latency, and does not natively support orchestration of sequential or parallel steps with error handling; it also requires custom code to manage retries and ordering. Option B is wrong because Amazon SNS is a pub/sub messaging service that fans out events to all subscribers simultaneously, but it cannot enforce a sequential order of steps or handle failures in one step without affecting others, as all subscribers receive the event at once and there is no built-in retry or error handling for the workflow. Option D is wrong because a single Lambda function performing all steps sequentially creates a monolithic architecture that violates the decoupling requirement, and any failure in a step would block the entire process with no built-in retry or error isolation.

827
Multi-Select · hard

A company uses Amazon DynamoDB for a gaming application. The table has a partition key of user_id and a sort key of timestamp. During a new game launch, the table experiences throttling on a few partitions. The company wants to improve the partition distribution. Which THREE actions should the company take? (Choose three.)

Select 3 answers
A. Add a random suffix to the partition key to distribute writes more evenly.
B. Use DAX (DynamoDB Accelerator) to cache read-heavy workloads.
C. Increase the read capacity units for the table.
D. Implement write sharding by using a composite partition key.
E. Switch the table to on-demand capacity mode.
Answers: A, B, D

Random suffixes spread writes across partitions.

Why this answer

Option A is correct because adding a suffix to the partition key can spread writes across partitions. Option B is correct because using DynamoDB Accelerator (DAX) reduces read load, indirectly helping write capacity. Option D is correct because write sharding distributes writes across multiple partitions.

Option C is wrong because increasing read capacity does not help write throttling. Option E is wrong because changing to on-demand may help but does not improve partition distribution.

828
MCQ · hard

A global company uses a multi-account AWS Organizations structure with hundreds of accounts. The network team wants to centrally manage VPC flow logs for all accounts and send them to a centralized S3 bucket in the security account. Which solution is MOST scalable and operationally efficient?

A. Use AWS Config to detect VPCs without flow logs and trigger a Lambda function to enable them.
B. Use CloudFormation StackSets to deploy a stack that enables VPC flow logs in every account and region, sending logs to a centralized S3 bucket with appropriate bucket policies.
C. Write a script that uses the AWS API to enable VPC flow logs in each account and region, triggered by AWS Config rules.
D. Set up a VPN connection from each account to the security account and configure flow logs to use an S3 endpoint in the security account.
Answer: B

StackSets allow automated deployment across accounts and regions with minimal overhead.

Why this answer

CloudFormation StackSets allow you to deploy a single CloudFormation template across multiple accounts and regions in an AWS Organization, making it the most scalable and operationally efficient solution for centrally enabling VPC Flow Logs. By including the appropriate S3 bucket policy in the security account, you can ensure logs from all accounts are delivered to a centralized bucket without manual intervention.

Exam trap

The trap here is that candidates often overcomplicate the solution by considering VPNs or custom scripts, when the most scalable and operationally efficient approach is to use CloudFormation StackSets with a service-managed permission model to deploy a standardized stack across the entire organization.

How to eliminate wrong answers

Option A is wrong because AWS Config can detect non-compliant VPCs, but relying on a Lambda function to enable flow logs introduces a single point of failure and is less scalable than a declarative, infrastructure-as-code approach like StackSets. Option C is wrong because writing a custom script that uses the AWS API to enable flow logs in each account and region is error-prone, requires ongoing maintenance, and does not provide the same level of consistency and rollback capabilities as StackSets. Option D is wrong because setting up a VPN connection from each account to the security account is unnecessary and adds significant complexity and cost; VPC Flow Logs can be delivered directly to a centralized S3 bucket using a bucket policy that grants cross-account access, without requiring network connectivity.

829
MCQ · easy

A company uses AWS Organizations with a management account and multiple member accounts. The management account has a trail in AWS CloudTrail that logs all management events for all accounts. The security team wants to also log data events for S3 buckets across all accounts. They create a new trail in the management account with data events enabled for all S3 buckets in all accounts. However, data events from member accounts are not appearing in the CloudTrail logs. What is the most likely cause?

A. The S3 bucket in the management account does not have a bucket policy that allows CloudTrail to write logs from member accounts.
B. The trail is not configured to log data events for all S3 buckets; it only logs for specific buckets.
C. Data events for S3 buckets are not logged centrally by a trail created in the management account; each account must have its own trail for data events.
D. The S3 bucket is encrypted with a KMS key that CloudTrail does not have permission to use.
Answer: C

Data events are per-account unless using advanced event selectors with cross-account support (which is not default).

Why this answer

Option C is correct because a trail in the management account can log management events for all accounts, but to log data events for member accounts, the trail must be created in each member account; the 'Include global services' option of a management-account trail is not applicable here. Data events are per-account unless advanced event selectors with cross-account support are used, and standard trails require account-specific settings. Option A is wrong because CloudTrail does not require S3 bucket policies for logging.

Option B is wrong because there is no such limitation. Option D is wrong because encryption does not affect logging.

830
MCQ · hard

An IAM policy attached to a user allows s3:GetObject and s3:PutObject on my-bucket, but denies all actions on the confidential/ prefix. The user reports that they can still upload objects to the confidential/ folder. Why?

A. The Allow statement appears before the Deny statement in the policy.
B. The Deny statement is not explicit enough to override the Allow.
C. The Deny statement is in a separate policy that is not attached to the user.
D. The Deny statement's resource ARN does not match the confidential folder objects.
Answer: C

If the Deny policy is not attached, it has no effect.

Why this answer

IAM policy evaluation logic: an explicit Deny overrides any Allow. The Deny statement uses arn:aws:s3:::my-bucket/confidential/* as its resource, which matches any object under that prefix, while the Allow statement uses my-bucket/*, which also includes the confidential folder. Because the Deny is explicit and its resource pattern matches, it would block the upload if it were evaluated, and the order of statements within a policy has no effect on evaluation.

Since the user can still upload, the Deny statement is not being evaluated at all, which is what happens when it sits in a separate policy that is not attached to the user. Option C is correct: a Deny policy that is not attached has no effect. Option A is incorrect because statement order does not matter.

Option B is incorrect because an explicit Deny always overrides an Allow. Option D is incorrect because the resource ARN does match the confidential folder objects.

831
Multi-Select · hard

A company runs a web application on EC2 instances in an Auto Scaling group. The application writes logs to local instance storage. The operations team wants to centralize log analysis using Amazon CloudWatch Logs. The team needs a solution that is resilient to instance failures and does not lose logs. Which TWO options should the team implement? (Choose TWO.)

Select 2 answers
A. Use the CloudWatch agent with the Auto Scaling group lifecycle hooks
B. Mount an EFS volume to the instances for log storage
C. Install the CloudWatch Logs agent on each EC2 instance to stream logs to CloudWatch Logs
D. Configure the Auto Scaling group to send logs to Amazon S3 on instance termination
E. Use Amazon SQS to buffer log events before sending to CloudWatch Logs
Answers: B, C

Persistent storage ensures logs survive instance termination.

Why this answer

Option C ensures logs are sent to CloudWatch Logs in near real time. Option B ensures that if the instance fails, logs are not lost, because they are written to a persistent volume. Option D (S3) is not necessary when using CloudWatch Logs.

Option E (SQS) adds complexity. Option A (CloudWatch agent with Auto Scaling lifecycle hooks) is not a separate feature.

832
MCQ · hard

A financial services company uses AWS Organizations with a multi-account structure: a central security account, a shared services account, and multiple workload accounts. The security team needs to centrally manage and audit all changes to security groups across all accounts. They have implemented AWS Config with an aggregator in the security account. However, they notice that changes to security groups in workload accounts are not appearing in the aggregator. The workload accounts have AWS Config enabled and are recording security group changes. The security account has the necessary cross-account permissions. What is the most likely cause and solution?

A. The security account is not authorized in each workload account's Config settings. The security team must add the security account as an authorized aggregator in each workload account.
B. AWS CloudTrail is not enabled in workload accounts. The security team must enable CloudTrail.
C. Service Control Policies are blocking cross-account access. The security team must modify SCPs to allow Config aggregation.
D. AWS Config in workload accounts is not recording security group changes. The security team must enable recording for security groups.
Answer: A

Config aggregator requires explicit authorization from source accounts.

Why this answer

Option A is correct because an AWS Config aggregator requires aggregator authorization to be set up in each source account. Without this authorization, the aggregator cannot collect data. Option D is wrong because Config is already recording the changes.

Option B is wrong because CloudTrail is not needed for Config aggregation. Option C is wrong because SCPs do not block Config aggregation.

833
MCQ · hard

A media company is designing a video transcoding pipeline using AWS Lambda and Amazon S3. The pipeline must process videos uploaded to an S3 bucket, transcode them into multiple formats, and store the results in another S3 bucket. The processing time for each video can vary from a few seconds to several minutes. Which architecture will minimize cost and ensure all videos are processed, even if Lambda execution timeout is reached?

A. Configure S3 event notifications to invoke Lambda directly and use a dead-letter queue to capture failed events.
B. Use AWS Step Functions to orchestrate the transcoding workflow, with each step as a separate Lambda function.
C. Configure S3 event notifications to send messages to an Amazon SQS queue. Have Lambda poll the queue and process each message. Set the SQS visibility timeout to match the expected maximum processing time.
D. Use Amazon Kinesis Data Streams to ingest S3 events and have Lambda process records from the stream.
Answer: C

SQS decouples the trigger from processing, allowing Lambda to poll at its own pace; visibility timeout ensures messages are reprocessed if Lambda times out or fails.

Why this answer

Option C is correct because S3 event notifications to SQS, with Lambda polling the queue, decouple the process and allow Lambda to process messages at its own pace; if a timeout occurs, the message becomes visible again after the visibility timeout. Option A is wrong because direct Lambda invocation via S3 events can cause concurrent invocations to be throttled, and a DLQ alone does not handle timeouts. Option B is wrong because Step Functions adds cost and complexity.

Option D is wrong because Kinesis is overkill and streaming is not needed.

834
MCQ · easy

A company uses AWS Elastic Beanstalk to deploy a web application. The application experiences increased traffic, and the environment's Auto Scaling group is not scaling out quickly enough. What should a solutions architect do to improve the scaling response?

A. Decrease the CPU utilization threshold for scale-out alarms.
B. Increase the minimum number of instances in the Auto Scaling group.
C. Reduce the cooldown period for the Auto Scaling group.
D. Use a larger instance type to handle more traffic.
Answer: C

A shorter cooldown allows new instances to be launched sooner after a scaling activity.

Why this answer

Option C is correct because reducing the cooldown period allows the Auto Scaling group to respond faster to changes. Option B is wrong because increasing the minimum size does not speed up scaling. Option A is wrong because it only changes the alarm threshold.

Option D is wrong because the problem is not the instance type.

835
MCQ · medium

A company uses Amazon S3 to store backups. The backup process uploads objects with a prefix 'backups/' and sets the storage class to STANDARD_IA. The company wants to automatically move objects older than 30 days to GLACIER. What is the most efficient way to achieve this?

A. Use an AWS Lambda function triggered by S3 events to change the storage class.
B. Use S3 Batch Operations to copy objects to a new bucket with GLACIER storage class.
C. Create an S3 Lifecycle rule that transitions objects with prefix 'backups/' to GLACIER after 30 days.
D. Enable S3 Intelligent-Tiering on the bucket.
Answer: C

Lifecycle rules automate transitions based on age.

Why this answer

Option C is correct because an S3 Lifecycle rule can be configured to transition objects with the specified prefix to GLACIER after 30 days. Option B is incorrect because S3 Batch Operations are for one-time bulk operations. Option D is incorrect because S3 Intelligent-Tiering may not move objects to GLACIER automatically.

Option A is incorrect because Lambda would be less efficient.

836
MCQ · hard

A company is using an AWS Direct Connect connection to access its VPC. The company is experiencing intermittent connectivity issues. The Solutions Architect suspects a routing problem. Which AWS service can help diagnose the issue by providing real-time metrics and logs?

A. Amazon CloudWatch with Direct Connect metrics
B. VPC Flow Logs
C. AWS CloudTrail
D. AWS Trusted Advisor
Answer: A

CloudWatch provides metrics like connection state and BGP status.

Why this answer

Option A is correct because AWS Direct Connect publishes metrics and logs to CloudWatch, which can be combined with VPC Flow Logs. Option C is wrong because CloudTrail does not provide network metrics. Option B is wrong because VPC Flow Logs alone do not provide Direct Connect specific metrics.

Option D is wrong because AWS Trusted Advisor provides recommendations but not real-time diagnostics.

837
MCQ · hard

A company is designing a multi-account AWS environment using AWS Organizations. The security team requires that all Amazon S3 buckets across accounts must have server access logging enabled and must block public access. What is the MOST scalable and secure way to enforce these requirements?

A. Use AWS CloudFormation StackSets to deploy S3 buckets with logging and public access blocks
B. Apply service control policies (SCPs) at the organizational unit (OU) level to deny actions that disable logging or enable public access
C. Create IAM roles in each account with policies that require logging and block public access
D. Use AWS Config rules to detect non-compliant buckets and send notifications
Answer: B

SCPs centrally enforce restrictions across all accounts.

Why this answer

Option B is correct because SCPs can be applied at the OU level to deny actions that disable logging or allow public access, enforcing compliance across all accounts. Option C is incorrect because IAM roles in each account are not scalable for enforcement. Option A is incorrect because CloudFormation StackSets can deploy resources but cannot prevent non-compliant actions.

Option D is incorrect because Config rules only detect non-compliance, not enforce.

838
MCQ · easy

Refer to the exhibit. A CloudFormation stack creation failed. The architect needs to identify the reason for the failure. Which CLI command should be used to get detailed error messages?

A. aws cloudformation describe-stacks --stack-name my-stack
B. aws cloudformation describe-stack-events --stack-name my-stack
C. aws cloudformation get-template --stack-name my-stack
D. aws cloudformation list-stack-resources --stack-name my-stack
Answer: B

This command returns stack events including failure reasons.

Why this answer

Option B is correct because 'describe-stack-events' provides detailed events including error messages. Option A is wrong because 'describe-stacks' only shows the stack status. Option D is wrong because 'list-stack-resources' only lists the resources.

Option C is wrong because 'get-template' only shows the template.

839
MCQ · hard

A company uses Amazon ElastiCache for Redis to cache frequently accessed data. The cache cluster is a single node (cache.r5.large). Over time, the cache hit ratio has decreased, and the CPU utilization is consistently above 80%. What should a solutions architect do to improve performance?

A. Reduce the Time-to-Live (TTL) of cached objects.
B. Add a read replica to offload read traffic.
C. Scale up to a larger node type, such as cache.r5.xlarge.
D. Enable cluster mode and distribute the cache across multiple shards.
Answer: D

Cluster mode allows horizontal scaling and reduces CPU pressure.

Why this answer

Option D is correct because moving to a cluster mode enabled configuration distributes data across multiple shards, reducing CPU load and improving the hit ratio. Option C is wrong because simply moving to a larger node may help temporarily but doesn't address the architectural issue. Option B is wrong because read replicas are for read scaling, not for reducing CPU on the primary.

Option A is wrong because reducing the TTL may increase cache misses.

840
Multi-Select · medium

A company is implementing a hybrid network architecture with multiple VPCs in different AWS accounts. They need to ensure private connectivity between the VPCs and their on-premises data center. Which TWO services should they use together to meet this requirement?

Select 2 answers
A. AWS Direct Connect
B. Amazon Route 53 Resolver
C. VPC peering
D. AWS Transit Gateway
E. AWS Client VPN
Answers: A, D

Direct Connect provides private, dedicated connectivity to on-premises.

Why this answer

AWS Direct Connect provides a dedicated private network connection from an on-premises data center to AWS, bypassing the public internet for consistent latency and bandwidth. AWS Transit Gateway acts as a central hub to interconnect multiple VPCs across different AWS accounts and route traffic to the Direct Connect virtual interface, enabling a scalable hub-and-spoke architecture for hybrid connectivity.

Exam trap

The trap here is that candidates often choose VPC peering (Option C) thinking it can connect multiple VPCs to on-premises directly, but VPC peering lacks transitive routing and cannot terminate a Direct Connect connection, making Transit Gateway the required central aggregation point.

841
MCQ · medium

A company is designing a multi-tier web application on AWS. The web tier must automatically scale based on CPU utilization, and the application tier must process messages from an SQS queue. The application tier instances are frequently terminated and replaced due to scaling events. Where should the application logs be stored to ensure they are retained regardless of instance lifecycle?

A. Configure the CloudWatch Logs agent on each instance to stream logs to CloudWatch Logs.
B. Store logs on an EBS volume and take regular snapshots.
C. Write logs to the instance store volume of each EC2 instance.
D. Write logs to an Amazon S3 bucket mounted on each instance using NFS.
Answer: A

CloudWatch Logs persists logs independently of instance lifecycle and supports real-time streaming.

Why this answer

Option A is correct because the CloudWatch Logs agent can stream logs to CloudWatch Logs, which persists logs independently of the instance lifecycle. Option C is wrong because instance store data is ephemeral. Option D is wrong because S3 mounted via NFS is complex and not designed for real-time log streaming.

Option B is wrong because EBS snapshots are not for continuous log collection.

842
MCQ · medium

A company runs a critical application on an Amazon RDS for PostgreSQL DB instance. The database experiences periodic slowdowns. The team notices that the DB instance has a large number of connections in an idle state. What is the BEST way to address this issue?

A. Migrate the database to Amazon Aurora.
B. Configure AWS Lambda to manage database connections.
C. Use an RDS Proxy to pool database connections.
D. Increase the max_connections parameter in the DB parameter group.
Answer: C

RDS Proxy reduces the number of idle connections by pooling and reusing them.

Why this answer

Option C is correct because using an RDS Proxy reduces the number of idle connections by pooling and reusing them. Option A is wrong because switching to Aurora may not directly address idle connections. Option D is wrong because increasing max_connections might worsen the problem.

Option B is wrong because Lambda is not a database connection management tool.

843
MCQ · medium

Refer to the exhibit. A company uses AWS CloudFormation to deploy an EC2 instance. The template uses a condition to select the instance type based on the environment. The company deploys the stack with the parameter EnvType set to 'prod'. What will be the instance type of the created EC2 instance?

A. t3.large
B. The instance type will be determined at runtime.
C. The instance will not be created because the condition is false.
D. t2.micro
Answer: A

The condition IsProduction is true, so Fn::If returns t3.large.

Why this answer

The condition in the CloudFormation template evaluates to true when EnvType equals 'prod', so the EC2 instance is created with the instance type specified in the condition's true branch, which is t3.large. The template uses a condition like 'If(Equals(EnvType, 'prod'), t3.large, t2.micro)', and since the parameter is set to 'prod', the Fn::If intrinsic function returns 't3.large'.

Exam trap

The trap here is that candidates may confuse a false condition with skipping resource creation, but in this case the condition is used only to select a property value, not to conditionally create the resource itself.

How to eliminate wrong answers

Option B is wrong because the instance type is not determined at runtime; CloudFormation resolves the condition and intrinsic functions at stack creation time, not during instance boot. Option C is wrong because the condition is true (EnvType equals 'prod'), so the instance is created; a false condition would omit the resource entirely. Option D is wrong because t2.micro is the value for the false branch of the condition, which is used only when EnvType is not 'prod'.

844
MCQ · easy

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session data locally on the EC2 instances. The company wants to make the application stateless to improve availability and scalability. Which solution should the solutions architect recommend?

A. Use Amazon ElastiCache for Redis to store session data externally.
B. Configure session stickiness on the ALB to route requests from the same user to the same EC2 instance.
C. Mount an Amazon EFS file system on the EC2 instances and store session files there.
D. Store session data in Amazon S3 and update the application to read and write sessions to S3.
Answer: A

ElastiCache for Redis is a fast, in-memory store ideal for session management, making the application stateless.

Why this answer

Option A is correct because ElastiCache for Redis provides a centralized, fast, and durable session store, making the application stateless. Option D is wrong because storing sessions in S3 would introduce high latency, and S3 is not designed for high-frequency read/write. Option B is wrong because session stickiness (sticky sessions) on the ALB prevents true statelessness and can cause uneven load.

Option C is wrong because mounting an EFS volume for session files still ties sessions to a filesystem and adds complexity and latency compared to ElastiCache.

845
MCQ · easy

A company is designing a serverless application using AWS Lambda for business logic and Amazon API Gateway for REST APIs. The application needs to store and retrieve user session data. Which service should they use for session state?

A. Amazon ElastiCache for Redis
B. Amazon RDS for MySQL
C. Amazon DynamoDB
D. Amazon S3
Answer: A

Redis is a common choice for session state.

Why this answer

Amazon ElastiCache for Redis is the correct choice for storing user session state in a serverless application because it provides an in-memory data store with sub-millisecond latency, which is ideal for session management where fast reads and writes are critical. Redis supports key-value structures with TTL (time-to-live) expiration, allowing automatic cleanup of stale sessions, and integrates seamlessly with Lambda and API Gateway via the ElastiCache client SDK.

Exam trap

The trap here is that candidates often choose DynamoDB because it is a serverless, managed NoSQL database commonly used with Lambda, but they overlook the specific requirement for session state, which demands in-memory performance and TTL-based expiry that ElastiCache for Redis provides natively.

How to eliminate wrong answers

Option B (Amazon RDS for MySQL) is wrong because relational databases are designed for persistent, ACID-compliant transactional data, not for ephemeral session state; the overhead of connection management and higher latency makes it unsuitable for high-frequency session lookups. Option C (Amazon DynamoDB) is wrong because while DynamoDB is a NoSQL key-value store and can technically store session data, it is a disk-based database with higher latency than in-memory caches, and its cost per operation is typically higher for the read-heavy, short-lived session patterns that ElastiCache handles more efficiently. Option D (Amazon S3) is wrong because S3 is an object storage service designed for large, durable, infrequently accessed data, not for low-latency, high-throughput session state; its eventual consistency model and per-request overhead make it impractical for real-time session retrieval.

846
MCQ · hard

Refer to the exhibit. A CloudFormation template is used to create an S3 bucket. After deployment, the bucket is created but objects are not automatically deleted after 30 days as expected. What is the most likely cause?

A. The lifecycle rule only applies to noncurrent versions, not current objects.
B. The bucket name conflicts with an existing bucket.
C. Versioning is not enabled on the bucket.
D. The lifecycle rule requires a region-specific prefix.
Answer: A

NoncurrentVersionExpirationInDays only deletes old versions, not current objects.

Why this answer

Option A is correct because the lifecycle rule only expires noncurrent versions, not current objects. To delete current objects, an ExpirationInDays rule is needed. Option C (versioning not enabled) is wrong because versioning is enabled.

Option B (bucket name conflict) would cause a stack creation failure, not a lifecycle issue. Option D (region-specific prefix) is irrelevant.

847
Multi-Select · easy

A company has an AWS Lambda function that processes messages from an SQS queue. The function is experiencing timeouts. Which TWO changes could help resolve the timeout issue? (Choose 2)

Select 2 answers
A. Increase the batch size in the SQS event source mapping.
B. Enable SQS queue encryption.
C. Increase the Lambda function timeout.
D. Increase the Lambda function memory allocation.
E. Decrease the SQS visibility timeout.
Answers: C, D

Allows longer execution.

Why this answer

Options C and D are correct. Increasing the timeout gives the function more time, and increasing memory provides more CPU. Option A does not affect the timeout, Option E reduces the visibility timeout (the opposite of what is needed), and Option B is an SQS setting, not a Lambda one.

848
MCQ · easy

Refer to the exhibit. A company runs this CLI command and sees the output. Which account is the management account?

A. 333333333333
B. 222222222222
C. o-example1
D. 111111111111
Answer: D

The management account is the one that created the organization; it is typically the first account.

Why this answer

Option D is correct. The management account is the account that created the organization, and the exhibit identifies it without guessing: every account ARN returned by list-accounts has the form arn:aws:organizations::<management-account-id>:account/<org-id>/<account-id>, so the 12-digit ID in the ARN's account field is the management account (describe-organization returns the same value as MasterAccountId). Two things are not reliable indicators: list order, because accounts are not returned in join order, and JoinedMethod, because the management account appears in its own list-accounts output as INVITED.

Option C is wrong because o-example1 is the organization ID, not an account. Options A and B name other account IDs. To confirm the answer from the exhibit, read the management-account field of the ARNs: if it carried an ID other than 111111111111, that ID, not the first listed account, would be the management account.
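Reading the management account off the ARN field is mechanical, so here it is as an added example rather than anything from the exam page. The input is a constructed dictionary in the shape of `aws organizations list-accounts` output; the account IDs, organization ID and e-mail addresses are placeholders, and the management account is deliberately listed second to show that list order does not matter.

```python
import re

# Added example (not from the exam page): identify the AWS Organizations
# management account from the account ARNs in list-accounts output.
# ARN shape: arn:aws:organizations::<management-account-id>:account/<org-id>/<account-id>
ACCOUNT_ARN = re.compile(
    r"^arn:aws:organizations::(?P<management>\d{12}):account/"
    r"(?P<org>o-[a-z0-9]+)/(?P<account>\d{12})$"
)

# Constructed sample in the shape of `aws organizations list-accounts`;
# IDs and addresses are placeholders, not the exhibit's values.
SAMPLE_LIST_ACCOUNTS = {
    "Accounts": [
        {"Id": "333333333333",
         "Arn": "arn:aws:organizations::111111111111:account/o-exampleorg01/333333333333",
         "Email": "dev@example.com", "Name": "dev",
         "Status": "ACTIVE", "JoinedMethod": "CREATED"},
        {"Id": "111111111111",
         "Arn": "arn:aws:organizations::111111111111:account/o-exampleorg01/111111111111",
         "Email": "admin@example.com", "Name": "management",
         # The management account lists itself as INVITED; do not use this field.
         "Status": "ACTIVE", "JoinedMethod": "INVITED"},
    ]
}


def parse_account_arn(arn):
    """Split an Organizations account ARN into management, org and account IDs."""
    match = ACCOUNT_ARN.match(arn)
    if not match:
        raise ValueError(f"not an Organizations account ARN: {arn}")
    return match.groupdict()


def management_account_id(list_accounts_output):
    """The management account ID, cross-checked across every returned ARN."""
    seen = set()
    for account in list_accounts_output["Accounts"]:
        parsed = parse_account_arn(account["Arn"])
        if parsed["account"] != account["Id"]:
            raise ValueError(f"ARN {account['Arn']} does not belong to account {account['Id']}")
        seen.add(parsed["management"])
    if len(seen) != 1:
        raise ValueError(f"ARNs disagree on the management account: {sorted(seen)}")
    return seen.pop()


def classify_accounts(list_accounts_output):
    """Management account, member accounts, and whether the management
    account appears in its own listing."""
    mgmt = management_account_id(list_accounts_output)
    ids = [a["Id"] for a in list_accounts_output["Accounts"]]
    return {
        "management": mgmt,
        "members": sorted(i for i in ids if i != mgmt),
        "management_listed": mgmt in ids,
    }


if __name__ == "__main__":
    print(classify_accounts(SAMPLE_LIST_ACCOUNTS))
```

With real output, pipe `aws organizations list-accounts --output json` into `json.load` and pass the result to `classify_accounts`; the cross-check raises if any ARN names a different management account, which would indicate mixed-up output rather than a real organization.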

849
MCQhard

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. What is the MOST scalable and efficient way to enforce this policy?

A.Use an AWS Lambda function that runs periodically across all accounts to check and remediate buckets.
B.Use an SCP that denies s3:PutBucketEncryption actions unless the encryption is set to aws:kms.
C.Use AWS Config rules in each account to detect unencrypted buckets and trigger auto-remediation.
D.Use AWS CloudTrail to monitor PutBucketEncryption calls and alert the security team.
AnswerB

SCPs can prevent the creation of non-compliant buckets across all accounts in the organization.

Why this answer

Option B is correct because an SCP attached at the organization root applies to every member account and is preventive: a non-compliant configuration is rejected at the API call instead of being discovered later. In practice the condition key that carries the requested algorithm on uploads is s3:x-amz-server-side-encryption on s3:PutObject, and S3 now applies SSE-S3 default encryption to every bucket, so the policy has to distinguish aws:kms from AES256 rather than encrypted from unencrypted. Option A is wrong because a scheduled Lambda is a detective control with a window between the change and the remediation, and it needs a cross-account role and a scheduler in every account. Option C is wrong because Config rules are also detective (they flag and remediate after the bucket exists) and the option describes a per-account deployment.

Option D is wrong because CloudTrail records API calls; it enforces nothing.

850
MCQmedium

A company is designing a new application that will be deployed on Amazon ECS with Fargate launch type. The application needs to store configuration data, including database connection strings, that must be encrypted at rest. The company wants to follow best practices for managing secrets. Which solution should the company use?

A.Store the secrets in AWS Secrets Manager and reference them in the ECS task definition.
B.Store the configuration data in an S3 bucket with server-side encryption (SSE-S3) and download it at container startup.
C.Store the secrets in AWS Systems Manager Parameter Store (SecureString) and reference them in the ECS task definition.
D.Store the configuration data in environment variables in the ECS task definition.
AnswerA

Secrets Manager provides encryption, rotation, and ECS integration.

Why this answer

AWS Secrets Manager is the recommended service for storing sensitive configuration data like database connection strings because it provides built-in encryption at rest using AWS KMS, automatic secret rotation, and fine-grained access control. ECS task definitions can reference Secrets Manager secrets directly using the 'secrets' parameter, which injects the secret value into the container at runtime without exposing it in plaintext. This approach follows AWS best practices for managing secrets by avoiding hard-coded values and leveraging a dedicated secrets management service.

Exam trap

The trap here is that candidates often choose Systems Manager Parameter Store (Option C) because it is cheaper and also supports SecureString, but they overlook that AWS Secrets Manager is the specifically recommended service for secrets that require rotation and tighter integration with ECS, especially for database credentials.

How to eliminate wrong answers

Option B is wrong because storing configuration data in an S3 bucket with SSE-S3 requires the container to download the file at startup, which introduces complexity, potential exposure of the bucket or object, and lacks native integration with ECS task definitions for secure injection. Option C is wrong because while Systems Manager Parameter Store (SecureString) can store secrets, it does not support automatic secret rotation natively (unlike Secrets Manager), and AWS best practices recommend Secrets Manager for database credentials and other secrets that require rotation. Option D is wrong because storing secrets in environment variables in the ECS task definition exposes them in plaintext in the task definition and container metadata, violating security best practices for secret management.
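The difference between options A, C and D is visible in the task definition itself, and it can be checked in CI. The following is an added example, not code from the exam page or from AWS: it lints container definitions in the shape accepted by RegisterTaskDefinition, flags credential-looking values passed as plaintext `environment` entries, verifies that every `secrets` entry points at a Secrets Manager or SSM Parameter Store ARN, and rewrites one plaintext entry into a Secrets Manager reference. Secret ARNs, image names and variable names are placeholders.

```python
import copy
import re

# Added example (not from the exam page): lint an ECS task definition for
# secrets passed as plaintext environment variables, and fix one such entry.
# ARNs, images and names below are placeholders constructed for the example.

LOOKS_SENSITIVE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|CONNECTION_STRING|DSN)", re.I)
# Secrets Manager ARN, optionally followed by :json-key:version-stage:version-id
SECRETS_MANAGER_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+(:[^:]*){0,3}$")
SSM_PARAMETER_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/.+$")

SAMPLE_TASK_DEFINITION = {
    "family": "orders-api",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ordersTaskExecutionRole",
    "containerDefinitions": [
        {"name": "api",
         "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-api:1.4",
         "environment": [
             {"name": "LOG_LEVEL", "value": "info"},
             # Weak setting: the credential is stored in the task definition.
             {"name": "DB_CONNECTION_STRING",
              "value": "postgresql://app:hunter2@db.internal:5432/orders"}],
         "secrets": [
             {"name": "API_TOKEN",
              "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders/api-token-AbCdEf"}]},
        {"name": "worker",
         "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-worker:1.4",
         # A bare name is only valid for an SSM parameter in the task's Region;
         # Secrets Manager references must be full ARNs.
         "secrets": [{"name": "DB_PASSWORD", "valueFrom": "prod/orders/db-password"}]},
    ],
}


def audit_container(container):
    """Findings for one container definition, as readable strings."""
    findings = []
    for var in container.get("environment", []):
        if LOOKS_SENSITIVE.search(var["name"]):
            findings.append(f"{container['name']}: {var['name']} is a plaintext environment variable")
    for secret in container.get("secrets", []):
        ref = secret["valueFrom"]
        if not (SECRETS_MANAGER_ARN.match(ref) or SSM_PARAMETER_ARN.match(ref)):
            findings.append(f"{container['name']}: {secret['name']} references {ref!r}, "
                            "not a Secrets Manager or SSM parameter ARN")
    return findings


def audit_task_definition(task_definition):
    return [f for c in task_definition["containerDefinitions"] for f in audit_container(c)]


def move_to_secrets(container, env_name, value_from):
    """Copy of `container` where `env_name` is injected from `value_from` at
    run time instead of being stored in the task definition."""
    fixed = copy.deepcopy(container)
    fixed["environment"] = [v for v in fixed.get("environment", []) if v["name"] != env_name]
    fixed.setdefault("secrets", []).append({"name": env_name, "valueFrom": value_from})
    return fixed


if __name__ == "__main__":
    for finding in audit_task_definition(SAMPLE_TASK_DEFINITION):
        print(finding)
```

Two points the lint does not cover: the task execution role must be allowed secretsmanager:GetSecretValue (and kms:Decrypt if the secret uses a customer managed key) for the referenced ARNs, and a value injected through `secrets` still becomes an environment variable inside the running container, so it is readable by anyone with ECS Exec access to the task; what the `secrets` parameter removes is the copy in the task definition and in DescribeTaskDefinition output.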

851
MCQhard

A company is modernizing a legacy Java application to run on AWS. The application currently uses a monolithic architecture with a shared MySQL database. The company wants to adopt a microservices architecture using containers and wants to decouple the database. The solutions architect proposes using Amazon ECS with Fargate for compute and Amazon RDS for MySQL for the database. However, during the transition, the performance team notices that the database CPU utilization is consistently above 80% during peak hours. The application logs show many slow queries. The team suspects that the database is the bottleneck. The company wants to improve performance without rewriting the application. Which action should the solutions architect take first?

A.Enable Amazon RDS Performance Insights to identify the most resource-intensive queries.
B.Add an RDS read replica and direct read traffic to it.
C.Scale up the RDS instance to a larger instance type.
D.Migrate the database to Amazon DynamoDB to eliminate relational bottlenecks.
AnswerA

First step: diagnose the problem.

Why this answer

Before making architectural changes, analyze the slow queries to find the root cause; Performance Insights shows database load broken down by SQL statement, wait event and host, which tells you whether the problem is a missing index, a lock, or genuine capacity. Option D is wrong because moving to DynamoDB means rewriting the data access layer, which the company ruled out.

Option B is wrong because a read replica helps only if the load is read traffic; write-heavy or badly indexed queries are not relieved, and the application would need changes to route reads. Option C is wrong because scaling vertically may mask the problem at extra cost; understanding the issue comes first, and the fix may be a single index.

852
MCQmedium

A company is migrating its on-premises PostgreSQL database to Amazon Aurora PostgreSQL. The database is 2 TB in size and has a 24-hour maintenance window on weekends. The company needs to minimize downtime and ensure data consistency. Which strategy should the solutions architect recommend?

A.Create an Aurora read replica from the on-premises database using a VPN connection.
B.Use AWS DMS with ongoing replication from the on-premises database to Aurora, then perform a cutover during the maintenance window.
C.Use AWS Schema Conversion Tool (AWS SCT) to convert the schema and then use AWS Database Migration Service (AWS DMS) with full load only.
D.Perform a full pg_dump of the on-premises database and restore it to Aurora using pg_restore.
AnswerB

Ongoing replication keeps data in sync with minimal downtime during cutover, leveraging the maintenance window.

Why this answer

AWS DMS with ongoing replication (change data capture, CDC) allows the on-premises PostgreSQL database to be continuously synchronized with the target Aurora PostgreSQL cluster, minimizing downtime. When the cutover is performed during the 24-hour maintenance window, data consistency is ensured because all changes up to that point have been replicated. This approach avoids the need for a lengthy full database dump and restore, which would cause extended downtime.

Exam trap

The trap here is that candidates often assume a full dump and restore (pg_dump/pg_restore) is the simplest approach, but they overlook the massive downtime it requires for a 2 TB database, whereas DMS with CDC is designed specifically to minimize downtime for large-scale migrations.

How to eliminate wrong answers

Option A is wrong because an Aurora read replica can be created only from an RDS or Aurora source inside AWS, not from an on-premises database; a VPN connection alone does not enable this replication. Option C is wrong because AWS SCT is for converting between engines (not needed between PostgreSQL and PostgreSQL), and a full-load-only DMS task captures no changes made during and after the load, so writes would have to be frozen for the whole load to keep the copy consistent. Option D is wrong because pg_dump and pg_restore of 2 TB take many hours, during which the source must stop accepting writes to stay consistent with the copy, so the downtime is far larger than with CDC.

853
MCQhard

A company has a legacy application that runs on a single EC2 instance. The application stores data on an attached EBS volume. The company wants to improve availability and reduce the recovery time objective (RTO) in case of instance failure. What should the company do?

A.Create an Auto Scaling group with a minimum of 2 instances across multiple Availability Zones and use a load balancer.
B.Take frequent EBS snapshots and automate the creation of a new instance from the latest snapshot.
C.Configure the EBS volume as a Multi-Attach volume and attach it to a standby instance.
D.Convert the instance to an AMI and launch a new instance from that AMI in a different Availability Zone.
AnswerA

This provides high availability and fast recovery by automatically replacing failed instances.

Why this answer

Option A is correct because an Auto Scaling group spanning multiple Availability Zones behind a load balancer replaces a failed instance automatically, which gives the lowest RTO for an instance failure. Because an EBS volume is tied to one Availability Zone, this design only works once the stateful data is moved off the instance (to EFS, a database, or replicated storage); with two instances sharing nothing, the data on the failed instance's volume is not available to its replacement. Option B is wrong because recovery from a snapshot is slower and loses everything written since the last snapshot. Option C is wrong because Multi-Attach is limited to io1/io2 volumes within a single Availability Zone, requires a cluster-aware file system, and provides no automatic failover.

Option D is wrong because a manual AMI relaunch is a one-off recovery step, not an availability improvement, and it does not carry the EBS data across.

854
MCQmedium

A company is migrating a legacy application to AWS. The application has hardcoded IP addresses and uses non-HTTP protocols. The solutions architect needs to minimize changes to the application code. Which migration pattern should be used?

A.Use AWS Global Accelerator to assign static IP addresses.
B.Containerize the application and use service discovery.
C.Rehost the application on EC2 instances with the same IP addresses using Elastic IPs.
D.Refactor the application to use DNS names instead of IP addresses.
AnswerC

Minimal changes; EIPs preserve IPs.

Why this answer

Rehosting (lift-and-shift) on EC2 lets the instances keep the addresses the application expects: the VPC can be created with the same CIDR as the on-premises network and each instance launched with the specific private IP the application hard-codes, and where the hard-coded addresses are public, Elastic IPs provide stable public addresses. Because the protocols are not HTTP, an Application Load Balancer is not an option, so preserving addresses rather than adding indirection is what keeps code changes minimal. Option D is wrong because refactoring to DNS names requires code changes. Option B is wrong because containerization and service discovery also require the application to resolve peers dynamically.

Option A is wrong because Global Accelerator assigns new static anycast addresses at its edge; the hard-coded addresses would still have to change, and it is a traffic management service rather than a way to preserve existing IPs.

855
MCQmedium

A company is migrating a legacy monolithic application to AWS. The application currently uses a shared file system for storing user uploads. The solution architect needs to design a highly available and scalable storage solution that supports concurrent read/write operations from multiple EC2 instances. Which AWS service should be used?

A.Amazon FSx for Windows File Server
B.Amazon S3 with S3 File Gateway
C.Amazon EFS
D.Amazon EBS with Multi-Attach enabled
AnswerC

EFS provides a scalable, shared file system accessible from multiple EC2 instances.

Why this answer

Amazon EFS is a fully managed, elastic NFS file system that supports concurrent access from multiple EC2 instances across Availability Zones, making it the fit for shared upload storage. Option B is wrong because S3 is object storage; S3 File Gateway presents it as a file share through a gateway appliance intended for on-premises access and adds a component to manage. Option D is wrong because EBS Multi-Attach is limited to io1/io2 volumes within a single Availability Zone and needs a cluster-aware file system to be safe for concurrent writes.

Option A is wrong because FSx for Windows File Server provides SMB shares designed for Windows and Active Directory environments; nothing in the scenario calls for SMB, and EFS is the simpler fit for Linux-based EC2 instances.

856
MCQhard

A company is building a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. They need to ensure that the application can handle sudden spikes in traffic without throttling. Which design should they implement?

A.Use Lambda provisioned concurrency and an API Gateway usage plan.
B.Enable DynamoDB auto scaling and configure Lambda function reserved concurrency.
C.Configure Lambda function reserved concurrency and an API Gateway cache.
D.Use DynamoDB Accelerator (DAX) and Lambda function reserved concurrency.
AnswerB

Auto scaling handles throughput spikes; reserved concurrency prevents throttling of the function.

Why this answer

Option B is correct because DynamoDB auto scaling raises provisioned read and write capacity as consumed capacity grows, so the table does not throttle during the spike, and reserved concurrency guarantees the function its own share of the account's concurrency pool so other functions cannot starve it (note that reserved concurrency is also a cap, so it must be set high enough for the expected peak). Option A is wrong because provisioned concurrency reduces cold-start latency and a usage plan throttles clients by API key; neither addresses table throughput. Option C is wrong because an API Gateway cache helps only repeated reads of identical responses and does nothing for writes or for the table.

Option D is wrong because DAX is a read cache; it does not raise the table's write throughput.

857
MCQhard

A company is migrating a legacy API to Amazon API Gateway and Lambda. The API currently uses long-polling to retrieve messages from a queue. The migration must maintain the same client behavior. Which AWS service should replace the long-polling mechanism?

A.Use Amazon SQS with long polling enabled.
B.Use Amazon Kinesis Data Streams with enhanced fan-out.
C.Use Amazon MQ (ActiveMQ) with STOMP protocol.
D.Use API Gateway WebSocket APIs to maintain persistent connections.
AnswerD

WebSocket APIs allow persistent connections, replacing long-polling.

Why this answer

Option D is correct because API Gateway WebSocket APIs hold a persistent, bidirectional connection and push messages to the client as they arrive, which replaces the long-poll with the same client-visible behavior of waiting for a message. Option B is wrong because Kinesis enhanced fan-out is a consumer-side streaming feature, not a client-facing API. Option A is wrong because SQS long polling is still polling, and the API still has to be fronted by something.

Option C is wrong because Amazon MQ is a message broker; exposing STOMP directly to the legacy clients would change their protocol.

858
MCQmedium

A company is designing a new microservices architecture using AWS Lambda. Each microservice has its own database. The company wants to securely store database credentials and rotate them automatically. Which AWS service should be used?

A.AWS Key Management Service (KMS)
B.AWS Systems Manager Parameter Store
C.AWS Identity and Access Management (IAM)
D.AWS Secrets Manager
AnswerD

Secrets Manager supports automatic rotation.

Why this answer

Option D is correct. AWS Secrets Manager stores secrets encrypted with KMS and supports automatic rotation through a Lambda rotation function, with managed rotation for RDS, Redshift and DocumentDB credentials. Option B is wrong because Parameter Store SecureString parameters are encrypted but have no built-in rotation.

Option C is wrong because IAM manages identities and permissions, not secret storage. Option A is wrong because KMS manages encryption keys; it does not store application secrets.

859
MCQmedium

A company is designing a data lake on Amazon S3. The data will be ingested from various sources, including streaming data from IoT devices. The data must be processed in near real-time to derive insights. The company wants to use serverless technologies to minimize operational overhead. Which combination of services should the company use?

A.AWS Lambda, Amazon DynamoDB Streams, and Amazon S3.
B.Amazon Kinesis Data Streams, Amazon Kinesis Data Analytics, and Amazon Kinesis Data Firehose.
C.Amazon SQS, AWS Lambda, and Amazon S3.
D.Amazon Kinesis Data Firehose, AWS Glue, and Amazon S3.
AnswerB

Kinesis Data Streams ingests streaming data, Kinesis Data Analytics processes it in real-time, and Firehose loads it into S3.

Why this answer

Option B is correct because Kinesis Data Streams ingests the device stream, Kinesis Data Analytics (now called Amazon Managed Service for Apache Flink) runs the near-real-time processing, and Kinesis Data Firehose delivers the results to S3, all without servers to manage. Option C is wrong because SQS is a queue, not a stream; it has no ordering or replay semantics for analytics. Option A is wrong because DynamoDB Streams only carry changes to a DynamoDB table, so the IoT data would have to be written to a table first.

Option D is wrong because Glue jobs are batch ETL; Glue streaming jobs exist but this option pairs Firehose with Glue and S3 with no stream processing in front of the data lake.

860
MCQhard

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and DNS logs from all accounts in AWS Organizations. The logs are stored in Amazon S3. The security team needs to query these logs for specific IP addresses and time ranges. Which solution is MOST cost-effective and scalable?

A.Use Amazon Athena to query the logs directly in S3.
B.Use Amazon S3 Select to retrieve only the relevant log entries based on the IP address and time range.
C.Stream the logs to Amazon OpenSearch Service for real-time querying.
D.Use AWS Glue to catalog the logs and query with Amazon Redshift Spectrum.
AnswerB

S3 Select filters server-side and only returns matching data, minimizing data transfer and cost.

Why this answer

Amazon S3 Select retrieves only a subset of an object using a SQL expression, so it moves and bills less data than reading whole log files when you want the rows for one IP address and time range, and it needs no infrastructure. Two practical caveats: S3 Select works on one object per request, so searching many log files still needs something to fan the requests out and merge the results, and AWS stopped offering S3 Select to new customers in July 2024. For this workload in production, Athena over a partitioned table (partitioned by account and date so each query scans only the relevant prefixes) is the usual choice.

Exam trap

The trap here is that candidates often assume Athena is the default choice for querying S3 logs, overlooking that S3 Select is more cost-effective for simple, selective row retrieval from individual objects without the need for a full SQL engine or schema-on-read overhead.

How to eliminate wrong answers

Option A is wrong because Amazon Athena would require scanning the entire dataset (or using partitions) and incurs costs based on the amount of data scanned per query, which is less cost-effective than S3 Select for simple filtering on individual objects. Option C is wrong because streaming logs to Amazon OpenSearch Service involves ongoing ingestion costs, cluster management overhead, and is not as cost-effective for infrequent, ad-hoc queries on historical log data. Option D is wrong because AWS Glue and Redshift Spectrum introduce additional complexity and cost for cataloging and querying, and are overkill for simple IP and time-range filtering on log files that can be handled directly with S3 Select.

861
MCQhard

A company is designing a multi-region active-active application that uses Amazon DynamoDB global tables. The application must be able to handle write conflicts that may occur when the same item is updated in two different regions at the same time. The company needs to ensure that the application uses the most recently written data. What should the architect recommend?

A.Use the default last writer wins conflict resolution
B.Use optimistic locking with a version number
C.Use DynamoDB Streams to capture changes and reconcile conflicts
D.Use conditional writes to prevent overwrites
AnswerA

DynamoDB global tables use LWW based on a timestamp attribute to ensure the most recently written data is kept.

Why this answer

Option A is correct because global tables resolve concurrent writes to the same item with last writer wins, using a per-item timestamp that DynamoDB maintains, so every Region converges on the most recent write. Option D is wrong because a conditional write rejects one of the two updates rather than keeping the later one, and conditions are evaluated in the local Region only. Option C is wrong because DynamoDB Streams records changes; reconciling them is application code that runs after the conflict has already been resolved.

Option B is wrong because optimistic locking needs application logic and cannot stop two Regions from each succeeding locally with the same version number.

862
MCQmedium

A company uses AWS Organizations with multiple accounts. They want to centralize VPC flow logs for all VPCs across accounts. The logs should be stored in a central S3 bucket in the management account. What is the MOST efficient way to achieve this?

A.Use a bucket policy on the central S3 bucket to allow cross-account delivery from all accounts.
B.Enable VPC flow logs at the organization level using CloudTrail.
C.Create a flow log in each account and configure it to deliver to a central S3 bucket.
D.Use CloudWatch Logs in each account and stream to a central log group.
AnswerA

Bucket policy allows any account to deliver logs to that bucket.

Why this answer

Option A is correct because flow logs are written to S3 by the delivery.logs.amazonaws.com service principal, so the central bucket needs a bucket policy that grants that principal s3:PutObject (and s3:GetBucketAcl) for each source account, normally scoped with the aws:SourceAccount condition; each VPC's flow log then just names the central bucket ARN as its destination. Option C describes the per-VPC flow log creation that is needed in any case, but without the bucket policy the cross-account delivery fails, so it is not sufficient on its own. Option B is wrong because CloudTrail records API calls; it does not produce VPC flow logs.

Option D is wrong because cross-account CloudWatch Logs streaming needs a destination and subscription filter per account and the requirement is storage in S3.

863
MCQhard

A company is migrating a critical application to AWS and needs to ensure it meets a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 5 minutes. The application runs on EC2 with an EBS volume. Which configuration should the company use?

A.Multi-AZ deployment with synchronous replication between two instances.
B.Single EC2 instance with EBS snapshots every 5 minutes.
C.Two EC2 instances in an Auto Scaling group with a warm standby.
D.EC2 instance with Elastic Disaster Recovery service.
AnswerA

Synchronous replication achieves low RPO; Multi-AZ provides failover.

Why this answer

Option A is correct because synchronous replication between two instances in different Availability Zones means the standby has every committed write (RPO near zero, well under 5 minutes) and failover to it takes minutes, within the 15-minute RTO. Option B is wrong because a single instance has no failover, and snapshotting a volume every 5 minutes is not practical at that rate. Option C is wrong because an Auto Scaling group replaces the instance but does not carry its EBS data across, so a warm standby without data replication misses the RPO.

Option D is a real alternative: AWS Elastic Disaster Recovery replicates EBS volumes continuously and recovers in minutes, usually into another Region, so it also meets these targets; the question is framed as in-Region availability, which is why A is the expected answer.

864
MCQhard

A company is using a multi-account strategy with AWS Organizations. The security team discovers that an SCP intended to block access to non-compliant AWS regions is not working. The SCP is attached to the root OU. When a user in a member account attempts to launch an EC2 instance in a blocked region, the request succeeds. What is the most likely cause?

A.The IAM policy of the user overrides the SCP.
B.The SCP is not attached to the member account's OU.
C.The SCP is missing an explicit allow statement for the regions.
D.The user belongs to the management account, and SCPs do not apply to the management account.
AnswerD

SCPs do not affect the management account.

Why this answer

SCPs do not apply to the management account of an AWS Organizations hierarchy. Since the user belongs to the management account, the SCP attached to the root OU has no effect on their actions, allowing the EC2 launch in a blocked region to succeed.

Exam trap

The trap here is that candidates assume SCPs apply to all accounts in the organization, forgetting the explicit exemption for the management account, which is a common oversight in multi-account security scenarios.

How to eliminate wrong answers

Option A is wrong because IAM policies cannot override SCPs; SCPs bound the permissions available in a member account, and an action denied by an SCP cannot be allowed by any IAM policy. Option B is wrong because a policy attached to the organization root applies to every OU and member account under it, so the member account's OU is already covered. Option C is wrong because the default FullAWSAccess SCP already allows every action; a deny-list SCP therefore only needs explicit Deny statements for the blocked regions (typically a Deny with a StringNotEquals condition on aws:RequestedRegion, exempting global services), not an Allow for the others.

865
MCQhard

A company runs a high-traffic web application on EC2 instances in an Auto Scaling group. The application uses a Redis cluster for caching. Recently, they have noticed that the cache hit ratio has dropped significantly, causing increased load on the database. The operations team observed that the Redis cluster's CPU utilization is high and memory usage is near capacity. They need to improve the cache performance with minimal changes to the application code. What should a solutions architect recommend?

A.Migrate from ElastiCache to Amazon MemoryDB for Redis.
B.Upgrade the Redis cluster to a larger node type with more CPU and memory.
C.Increase the TTL values for cached objects in the application.
D.Enable encryption in transit for the Redis cluster.
AnswerB

More resources directly improve performance and cache hit ratio.

Why this answer

Option B is correct because a larger node type adds CPU and memory, which relieves the memory pressure that is evicting keys (and so lowering the hit ratio) and the CPU saturation, with no application change. Before resizing, confirm the diagnosis with the Evictions and DatabaseMemoryUsagePercentage metrics; in cluster mode, adding shards is the scale-out alternative. Option C is wrong because longer TTLs keep entries longer but the cache is already full, so evictions continue, and it requires touching application code. Option A is wrong because moving to MemoryDB changes the engine's durability model and endpoint, which is more than a minimal change, and it does not by itself add capacity.

Option D is wrong because encryption in transit adds CPU work and addresses confidentiality, not capacity.

866
MCQhard

Refer to the exhibit. An architect is troubleshooting an EC2 instance that is not responding to health checks from an Application Load Balancer. The instance is in the 'running' state. Which of the following is the most likely cause?

A.The security group is blocking the health check traffic.
B.The instance is in a stopped state.
C.The instance is impaired due to an AWS issue.
D.The instance has exhausted its CPU credits.
AnswerA

A misconfigured security group can block health checks even if the instance is running.

Why this answer

Option A is correct because an instance can be running, with its OS and application up, while the ALB health check is dropped by a security group that does not allow the health-check port from the load balancer's security group; the instance passes its EC2 status checks and still fails the target group health check. Option B is wrong because the question states the instance is running. Option D is wrong because exhausted CPU credits slow a burstable instance down but do not usually make health checks fail outright, and they are a performance symptom rather than a configuration cause.

Option C is wrong because an impaired instance fails its EC2 status checks, which is a different state from running with healthy status.

867
MCQmedium

A company is running a stateful web application on EC2 instances in an Auto Scaling group. Users report that their sessions are lost when instances are terminated during scale-in. What should a solutions architect do to preserve session state?

A.Use lifecycle hooks to save session data to Amazon S3 before instance termination.
B.Enable sticky sessions (session affinity) on the Application Load Balancer.
C.Store session state in Amazon ElastiCache.
D.Increase the Auto Scaling group's cooldown period to prevent rapid scaling.
AnswerC

ElastiCache provides a durable, shared session store independent of EC2 instances.

Why this answer

Option C is correct because ElastiCache provides a centralized, low-latency session store that outlives any individual instance, so a scale-in event removes compute but not sessions. Option B is wrong because sticky sessions only pin a user to one instance; when that instance is terminated the session on it is still lost, and stickiness causes uneven load. Option D is wrong because a longer cooldown delays scaling but does not change what happens to sessions when an instance is eventually terminated.

Option A is wrong because a lifecycle hook can run code before termination, but exporting in-memory sessions during shutdown is fragile and does not help the users whose next request lands on a different instance.

868
MCQhard

A company runs a data processing application on EC2 instances that read from an Amazon SQS queue. The application processes each message in about 2 seconds. The company expects a sudden spike in messages and wants to minimize processing latency. Which configuration will handle the spike most cost-effectively?

A.Replace the EC2 instances with AWS Lambda functions that are triggered by SQS events.
B.Increase the EC2 instance size to handle more messages per instance.
C.Increase the Auto Scaling group's desired capacity to a higher fixed value during the expected spike.
D.Use Auto Scaling with a step scaling policy based on the SQS queue depth.
AnswerA

Lambda scales automatically with the number of messages and is cost-effective for variable loads.

Why this answer

Option A is correct because an SQS event source mapping scales Lambda concurrency with queue depth within seconds and bills only for invocations, which suits a two-second unit of work and a bursty arrival rate. Option C is wrong because a fixed higher desired capacity pays for idle instances before and after the spike. Option D is wrong because step scaling on queue depth works but reacts on CloudWatch metric periods plus instance launch time, so latency rises during the ramp-up.

Option B is wrong because larger instances raise cost continuously and do not scale with the spike.

869
MCQhard

A company uses cross-account S3 access. The above IAM policy is attached to an IAM user in Account A. The user tries to upload an object to a bucket in Account B, but the upload fails. What is the MOST likely reason?

A.The upload request does not include the 'x-amz-acl' header with value 'bucket-owner-full-control'.
B.The resource ARN in the policy is incorrect; it should include the bucket name only.
C.The bucket policy in Account B denies the upload.
D.The IAM user does not have permission to call s3:PutObject.
AnswerA

The condition requires that header to be set.

Why this answer

Option A is correct. The policy's Condition requires the x-amz-acl header to equal bucket-owner-full-control, so a PutObject request without that header does not match the Allow statement and is implicitly denied. Option D is wrong because the policy does allow s3:PutObject.

Option B is wrong because object-level actions need an object ARN (bucket-name/*), which is what the policy uses; a bucket-only ARN would break it. Option C is wrong because the bucket policy is not shown and the visible condition already explains the failure. In practice both sides must allow the upload: the bucket in Account B also needs a bucket policy granting the Account A principal s3:PutObject, and if that bucket uses the bucket-owner-enforced object ownership setting, ACLs are disabled and the canned-ACL condition becomes unnecessary (a request carrying any other ACL would then be rejected).
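The three policy behaviors that questions 849, 864 and 869 turn on can be reproduced with a deliberately small model of IAM evaluation. The following is an added example, not code from the exam page: it supports Allow and Deny statements with StringEquals and StringNotEquals conditions, skips SCPs for the management account, and applies the rule that an explicit Deny anywhere wins. The SCP is written as an object-level rule on s3:PutObject with the s3:x-amz-server-side-encryption key (an assumption about the exact SCP wording; question 849 names s3:PutBucketEncryption), and the IAM policy, bucket name and header values for question 869 are likewise assumed. NotAction, NotResource, principals and resource-based policies are not modelled.

```python
import fnmatch

# Added example (not from the exam page): a minimal model of IAM policy
# evaluation covering questions 849, 864 and 869. Policy wording, bucket
# and header values are assumptions made for the example.


def _listify(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))


def _condition_holds(condition, context):
    """StringEquals / StringNotEquals only. A key missing from the request
    context makes StringEquals false and StringNotEquals true, which is how
    IAM treats a request that did not send the corresponding header."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = [str(v) for v in _listify(expected)]
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _effects(policy, action, resource, context):
    """Effects of the statements in `policy` that apply to this request."""
    for stmt in _listify(policy["Statement"]):
        if (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            yield stmt["Effect"]


def evaluate(action, resource, context, identity_policies, scps=(), management_account=False):
    """Return "Allow" or "Deny". An explicit Deny anywhere wins; otherwise the
    request needs an Allow from the identity policies and, in a member
    account, an Allow from the SCPs. SCPs never apply to the management account."""
    applicable_scps = () if management_account else tuple(scps)
    identity = {e for p in identity_policies for e in _effects(p, action, resource, context)}
    scp = {e for p in applicable_scps for e in _effects(p, action, resource, context)}
    if "Deny" in identity or "Deny" in scp:
        return "Deny"
    if "Allow" not in identity:
        return "Deny"  # implicit deny
    if applicable_scps and "Allow" not in scp:
        return "Deny"  # nothing in the SCPs grants it
    return "Allow"


# Default SCP attached to every root, OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Question 849 as an object-level rule: uploads must request SSE-KMS explicitly.
SCP_REQUIRE_SSE_KMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

# Question 869: the Account A user may upload only if the object is handed
# to the bucket owner.
IAM_CROSS_ACCOUNT_PUT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::account-b-bucket/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

OBJECT = "arn:aws:s3:::account-b-bucket/reports/2024-05.csv"


def decide(headers, management_account=False):
    """Evaluate a PutObject whose request headers supply the context keys."""
    return evaluate("s3:PutObject", OBJECT, headers, [IAM_CROSS_ACCOUNT_PUT],
                    [FULL_AWS_ACCESS, SCP_REQUIRE_SSE_KMS], management_account)


if __name__ == "__main__":
    print(decide({"s3:x-amz-server-side-encryption": "aws:kms",
                  "s3:x-amz-acl": "bucket-owner-full-control"}))
```

The case worth noticing is the request that sends no encryption header at all: the context key is absent, StringNotEquals evaluates to true, and the SCP denies the upload even though S3 would have applied the bucket's default encryption. An SCP of this shape therefore forces every client to send the header explicitly, which is a common source of breakage when it is rolled out.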

870
MCQhard

A company is designing a disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The application uses an Amazon RDS for MySQL database. The company wants to achieve a recovery point objective (RPO) of 5 seconds and a recovery time objective (RTO) of 15 minutes. Which solution should the company use?

A.Configure an RDS Multi-AZ DB cluster with a standby instance in another Region.
B.Use EC2 Auto Scaling to launch new instances in another Region and use an Application Load Balancer.
C.Take automated snapshots of the RDS instance every 5 seconds and copy them to another Region.
D.Deploy RDS Read Replicas in another Region and promote them during a disaster.
AnswerA

Multi-AZ DB cluster with synchronous replication provides low RPO and automatic failover within minutes.

Why this answer

Option A is the expected answer because synchronous replication to a standby keeps the RPO near zero and automatic failover completes within minutes. Note, though, that RDS Multi-AZ (instance and DB cluster deployments alike) replicates synchronously between Availability Zones within one Region; there is no cross-Region Multi-AZ standby, so a true cross-Region design with seconds of RPO would use Amazon Aurora Global Database, which is not among the options. Option D is wrong because cross-Region read replicas replicate asynchronously, so the RPO is the replication lag, typically more than 5 seconds. Option C is wrong because snapshots cannot be taken every 5 seconds, and restoring and copying them takes longer than 15 minutes.

Option B is wrong because EC2 Auto Scaling and a load balancer recover the application tier only; they do nothing for the database.

871
MCQhard

A company uses AWS Organizations with 50 accounts. The central IT team wants to deploy a CloudFormation stack set to create a VPC with a CIDR of 10.0.0.0/16 in each account, but the VPC CIDR must not overlap with existing VPCs in each account. What is the most scalable and automated approach?

A.Use AWS Service Catalog to create a product that deploys the VPC, and share the portfolio with each account.
B.Create a StackSet that references an Amazon S3 bucket containing a JSON file with account-specific parameters, including unique CIDR blocks for each account.
C.Write a custom AWS Lambda function that iterates through each account and deploys the CloudFormation template with a different CIDR.
D.Create a StackSet with a single parameter for the CIDR block and deploy it to all accounts.
AnswerB

This allows each account to have a unique CIDR without manual intervention.

Why this answer

Option B is correct because StackSets deploy one template with parameter overrides per stack instance (per account and Region), so the CIDR can differ in every account while the deployment stays a single StackSet operation; the override values can be kept in a file and passed to create-stack-instances with --parameter-overrides, which is what the S3-hosted parameter file in the option amounts to. Option D is wrong because one CIDR parameter for all accounts creates the overlap the question is trying to avoid. Option A is wrong because Service Catalog provisions products on demand per account and has no mechanism for assigning non-overlapping CIDRs across fifty accounts.

Option C is wrong because a hand-written Lambda that loops over accounts reimplements StackSets without its drift detection, retries and per-account status tracking.

872
MCQeasy

A company wants to store application logs in Amazon S3 with a lifecycle policy that moves objects to S3 Glacier Instant Retrieval after 30 days and deletes them after 1 year. The logs are accessed frequently in the first 30 days but rarely after. Which storage class should the company use for the first 30 days?

A.S3 Standard
B.S3 Standard-IA
C.S3 One Zone-IA
D.S3 Glacier Flexible Retrieval
AnswerB

S3 Standard-IA offers lower cost for infrequently accessed data with millisecond retrieval, suitable for logs that are accessed rarely after the initial period.

Why this answer

Option B is correct because S3 Standard-IA is cost-effective for data accessed infrequently but with rapid access when needed, and it transitions to Glacier Instant Retrieval. Option A is too expensive if logs are not frequently accessed. Option C is for infrequent access with longer retrieval times.

Option D is for archival.

873
Multi-Selectmedium

A company wants to implement a data perimeter to ensure that only authorized accounts can access their S3 buckets. Which TWO steps should they take?

Select 2 answers
A.Use SCPs to deny access from external accounts.
B.Use VPC endpoints with bucket policies.
C.Use S3 bucket policy with aws:SourceAccount condition.
D.Enable CloudTrail to log access.
E.Use AWS Network Firewall.
AnswersA, C

Prevents access from accounts outside organization.

Why this answer

Option C is correct because a bucket policy with the aws:SourceAccount condition ensures that only specific accounts can access the bucket. Option A is correct because SCPs can deny access from outside the organization. Option D is wrong because it only logs access with CloudTrail.

Option B is wrong because it is for VPC endpoints. Option E is wrong because it is for a network perimeter, not account-level access.

874
MCQmedium

A company has multiple AWS accounts and wants to use AWS CloudFormation StackSets to deploy a common set of resources across all accounts. The StackSet should be managed from the management account. What permissions are required?

A.Create IAM users in target accounts with AdministratorAccess.
B.Create an IAM role in each target account with a trust policy allowing the management account to assume it.
C.Use a CloudFormation service role in the management account.
D.Apply an SCP to allow CloudFormation actions across accounts.
AnswerB

StackSets assume this role to deploy resources.

Why this answer

Option B is correct because StackSets require an IAM role in each target account that the management account can assume. Option A is wrong because StackSets use roles, not user credentials. Option C is wrong because a CloudFormation service role in the management account is for stack operations, not cross-account deployment.

Option D is wrong because SCPs cannot grant permissions.

875
MCQhard

A company uses AWS Config to evaluate resource compliance across multiple accounts. The security team wants to automatically remediate non-compliant resources using AWS Systems Manager Automation documents. Which solution is MOST scalable and secure?

A.Create a Lambda function in each account that periodically checks Config rules and triggers remediation
B.Set up Amazon CloudWatch Events rules in each account to detect Config compliance changes and invoke remediation Lambda functions
C.Enable AWS Config rules with automatic remediation using SSM Automation documents in each account, and use an AWS Config aggregator to monitor compliance across all accounts
D.Use AWS Organizations service control policies to automatically remediate non-compliant resources
AnswerC

This leverages Config's built-in remediation and provides centralized monitoring.

Why this answer

Option C is correct because it leverages AWS Config's native automatic remediation feature, which directly associates SSM Automation documents with Config rules to remediate non-compliant resources as soon as they are detected. This approach is scalable as it operates within each account without requiring custom Lambda functions or external triggers, and it is secure because remediation actions are defined and controlled by the SSM Automation documents, which can be centrally managed. The use of an AWS Config aggregator provides a single-pane-of-glass view across all accounts for monitoring compliance, meeting the security team's requirements efficiently.

Exam trap

The trap here is that candidates often confuse AWS Config's automatic remediation with custom event-driven approaches (like Lambda or CloudWatch Events) or mistakenly think SCPs can remediate resources, when in fact SCPs only prevent non-compliant actions from being taken, not fix existing non-compliant resources.

How to eliminate wrong answers

Option A is wrong because periodically checking Config rules with a Lambda function introduces latency and inefficiency, as it relies on polling rather than event-driven detection, and it requires managing Lambda functions in every account, which is less scalable and secure than using native Config remediation. Option B is wrong because while CloudWatch Events (now Amazon EventBridge) can detect compliance changes, invoking a Lambda function for remediation adds unnecessary complexity and custom code, whereas AWS Config's built-in automatic remediation is more direct and secure, eliminating the need for additional event processing. Option D is wrong because AWS Organizations service control policies (SCPs) are used to restrict permissions and enforce guardrails, not to automatically remediate non-compliant resources; SCPs cannot trigger remediation actions on existing resources.

876
Multi-Selecthard

A company is migrating a legacy application that uses hard-coded IP addresses for database connections. The company wants to refactor the application to use a more resilient architecture in AWS. Which THREE steps should the company take to modernize the database connectivity? (Choose THREE.)

Select 3 answers
A.Enable Multi-AZ deployment for the RDS instance to automatically failover.
B.Use Amazon RDS read replicas to offload read traffic and improve resilience.
C.Assign an Elastic IP address to the RDS instance for consistent connectivity.
D.Migrate the database to Amazon RDS and use the RDS endpoint (DNS name) in the connection string.
E.Modify the application to read the database endpoint from an environment variable or configuration file.
AnswersB, D, E

Read replicas provide scalability and resilience for read-heavy workloads.

Why this answer

Options B, D, and E are correct because using the RDS endpoint (DNS name) allows failover, modifying the application to read the endpoint from configuration removes hard-coded IPs, and using a read replica offloads read traffic. Option C is wrong because an Elastic IP is not recommended for RDS. Option A is wrong because Multi-AZ is for high availability, not for removing hard-coded IPs.

877
MCQeasy

A company is using AWS Application Migration Service (MGN) to migrate hundreds of on-premises servers to AWS. After the migration, some servers fail a health check. What is the most efficient way to remediate the failed servers?

A.Launch test instances from MGN, diagnose the issues, then update the source servers and perform a final cutover.
B.Rerun the MGN replication and perform a new cutover.
C.Restore the servers from the latest AMI and re-run the health check.
D.Use AWS CloudEndure Migration to re-migrate the servers.
AnswerA

Test instances enable safe troubleshooting before final cutover.

Why this answer

Option A is correct because MGN's test and cutover instances allow iterative testing and remediation. Option C is wrong because rehydrating from a backup is time-consuming. Option B is wrong because it restarts the process from scratch.

Option D is wrong because CloudEndure is a different service (now part of MGN).

878
MCQhard

A company is building a high-performance computing (HPC) cluster on AWS for genomics research. The compute nodes require low-latency inter-node communication. Which networking solution should be used?

A.Elastic Fabric Adapter (EFA)
B.Enhanced Networking (ENA)
C.VPC Peering
D.AWS Direct Connect
AnswerA

EFA provides low-latency, high-throughput inter-node communication for HPC.

Why this answer

Elastic Fabric Adapter (EFA) is a network interface that enables HPC and machine learning applications to achieve low-latency inter-node communication by bypassing the operating system kernel (OS-bypass) through the Libfabric library. This is essential for tightly coupled HPC workloads like genomics research, where MPI (Message Passing Interface) jobs require microsecond-level latency and high throughput between compute nodes.

Exam trap

The trap here is that candidates confuse Enhanced Networking (ENA) with Elastic Fabric Adapter (EFA), assuming both provide similar low-latency benefits, but only EFA offers OS-bypass for HPC inter-node communication, while ENA still relies on kernel processing.

How to eliminate wrong answers

Option B (Enhanced Networking with ENA) is wrong because while it provides higher bandwidth and lower jitter than standard networking, it still operates through the kernel network stack and does not support OS-bypass, so it cannot achieve the ultra-low latency required for tightly coupled HPC inter-node communication. Option C (VPC Peering) is wrong because it is a logical connection between VPCs used for routing traffic, not a physical network adapter or interface; it does not reduce latency or provide OS-bypass for compute nodes within the same cluster. Option D (AWS Direct Connect) is wrong because it establishes a dedicated network connection from on-premises to AWS, not between compute nodes within a VPC; it is irrelevant to inter-node communication latency inside an HPC cluster.

879
Multi-Selectmedium

A company is designing a disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The application uses an Amazon RDS for MySQL database. The recovery time objective (RTO) is 1 hour and the recovery point objective (RPO) is 15 minutes. Which combination of steps should the company take to meet these requirements? (Choose THREE.)

Select 3 answers
A.Use Amazon Route 53 health checks to monitor the primary application and configure DNS failover to the secondary Region.
B.Configure a Multi-AZ deployment for the RDS database in the primary Region.
C.Deploy the application on Amazon Aurora Global Database.
D.Create an Amazon Machine Image (AMI) of the EC2 instances and copy it to the secondary Region. Use an Auto Scaling group to launch instances from the AMI.
E.Create a cross-Region read replica of the RDS MySQL database in the secondary Region.
AnswersA, D, E

Route 53 health checks and failover route traffic to the secondary Region when the primary fails.

Why this answer

Option A is correct because Route 53 health checks can monitor the primary application's endpoint, and DNS failover to a secondary Region enables automatic traffic redirection within minutes, aligning with the 1-hour RTO. This approach provides a simple, stateless failover mechanism without requiring complex routing changes.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployments (which provide high availability within a Region) with cross-Region disaster recovery, failing to recognize that Multi-AZ does not protect against a full Region outage.

880
MCQmedium

A company is designing a new application that will run on EC2 instances behind an Application Load Balancer. The application must handle sudden spikes in traffic without manual intervention. Which scaling strategy should be used?

A.Manual scaling by operations team
B.Simple scaling with a cooldown period
C.Scheduled scaling based on historical data
D.Target tracking scaling policy
AnswerD

Target tracking dynamically adjusts capacity to maintain a metric target.

Why this answer

Option D is correct because a target tracking scaling policy automatically adjusts capacity based on a CloudWatch metric. Option C is wrong because scheduled scaling is for predictable patterns. Option B is wrong because simple scaling is less responsive.

Option A is wrong because manual scaling is not automated.

881
MCQeasy

A company has a centralized logging solution using Amazon S3 and AWS CloudTrail. They want to ensure that logs are immutable and cannot be deleted or modified by any user, including the root user. Which S3 feature should be enabled?

A.S3 Object Lock in compliance mode.
B.S3 Versioning with a lifecycle policy.
C.S3 bucket policy denying s3:DeleteObject.
D.S3 MFA Delete.
AnswerA

Compliance mode prevents any user from deleting objects.

Why this answer

Option A is correct because S3 Object Lock in compliance mode prevents any user from overwriting or deleting objects for the specified retention period. Option D is wrong because MFA Delete does not prevent root user deletion. Option C is wrong because bucket policies can be changed.

Option B is wrong because versioning alone does not prevent deletion.

882
MCQmedium

Refer to the exhibit. A company is deploying a CloudFormation stack for a web application. The stack creation fails with the error 'The parameter DBPassword is not defined'. What is the most likely cause?

A.The DBPassword parameter is misspelled in the template
B.The DBPassword parameter is defined but used in a condition
C.The DBPassword parameter is not defined in the Parameters section
D.The DBPassword parameter is defined but the value is too short
AnswerC

Correct: The template lacks a Parameters section with DBPassword.

Why this answer

The template uses !Ref DBPassword, but DBPassword is not defined in the Parameters section of the template. CloudFormation requires parameters to be declared before they can be referenced. The other options are not indicated by the error message.

883
MCQeasy

A company is designing a multi-account strategy for its development, testing, and production environments. The security team requires that all accounts share a centralized logging solution. Which approach meets this requirement with the LEAST administrative overhead?

A.Configure each account to write logs to its own S3 bucket and use AWS Glue to copy them to a central bucket.
B.Use AWS CloudTrail to deliver logs to a central S3 bucket in the logging account.
C.Use Amazon CloudWatch Logs in each account and view logs from a central account via cross-account access.
D.Use Amazon Kinesis Data Firehose in each account to stream logs to a central Amazon OpenSearch Service.
AnswerB

CloudTrail can deliver to a single bucket across accounts via trail with organization-level settings.

Why this answer

Option B is correct because it centralizes logs with minimal overhead. Option A is wrong because separate buckets require more management. Option C is wrong because CloudWatch Logs in each account lacks centralization.

Option D is wrong because Kinesis Firehose adds unnecessary complexity.

884
Multi-Selectmedium

A company is using AWS Organizations and wants to delegate administration of Amazon GuardDuty to a member account. Which of the following are required? (Choose TWO.)

Select 2 answers
A.The delegated administrator must be the management account.
B.Register the member account as a delegated administrator for GuardDuty.
C.Enable GuardDuty in the management account.
D.Create an SCP that allows GuardDuty actions in the member account.
E.Enable GuardDuty in all member accounts.
AnswersB, C

Delegation is done via the management account.

Why this answer

Options B and C are correct: the member account must be registered as the delegated administrator, and the service must be enabled in the management account. Option D is wrong because GuardDuty does not require an SCP.

Option A is wrong because the delegated administrator account is a member account, not the management account.

885
MCQeasy

A company is designing a new application that will process streaming data from IoT devices. The data must be ingested in real-time and stored in Amazon S3 for long-term analytics. Which AWS service should be used to ingest the streaming data?

A.Amazon Simple Notification Service (SNS)
B.Amazon Simple Queue Service (SQS)
C.AWS Database Migration Service (DMS)
D.Amazon Kinesis Data Streams
AnswerD

Kinesis Data Streams is designed for real-time data streaming ingestion.

Why this answer

Option D is correct because Amazon Kinesis Data Streams is designed for real-time data ingestion. Option B is wrong because SQS is for message queues, not streaming ingestion. Option A is wrong because SNS is for pub/sub messaging.

Option C is wrong because DMS is for database migration.

886
MCQhard

A company is designing a new system that will ingest and process real-time streaming data from thousands of IoT devices. Each device sends data every second. The data must be processed with low latency (under 1 second) and then stored in Amazon S3 for long-term analytics. The company also needs to be able to reprocess data in case of processing errors. Which solution should the architect recommend?

A.Use Amazon Kinesis Data Streams to ingest data, AWS Lambda to process, and store in S3
B.Use Amazon Kinesis Data Firehose to ingest data, transform with Lambda, and store in S3
C.Use AWS Database Migration Service (DMS) to ingest data into Amazon S3
D.Use Amazon SQS to buffer data, and an EC2 Auto Scaling group to process and store in S3
AnswerA

Kinesis Data Streams provides sub-second ingestion, Lambda can process in real-time, and data retention allows reprocessing.

Why this answer

Option A is correct because Kinesis Data Streams ingests data with low latency, Lambda processes it, and S3 stores it. Kinesis Data Analytics can also be used for real-time analytics. The stream's data retention allows reprocessing.

Option B is wrong because Kinesis Data Firehose is near-real-time, not sub-second. Option D is wrong because SQS is not designed for streaming data and does not support reprocessing with the same ease. Option C is wrong because DMS is for database migration, not streaming ingestion.

887
MCQeasy

A company wants to provide temporary, limited-privilege credentials to its application running on an EC2 instance so that the application can access an S3 bucket. What is the BEST practice for achieving this?

A.Use an S3 bucket policy to allow access from the EC2 instance's public IP
B.Create an IAM user and store the credentials in the EC2 instance user data
C.Store AWS access keys in the application code
D.Create an IAM role with the necessary permissions and attach it to the EC2 instance
AnswerD

An IAM role provides temporary credentials that are automatically rotated, which is secure and best practice.

Why this answer

Using an IAM role attached to the EC2 instance provides temporary credentials via the instance metadata service. Option C (access keys in code) is insecure. Option B (IAM user credentials in user data) is not temporary and is less secure.

Option A (S3 bucket policy) does not provide credentials to the instance.

888
MCQmedium

A company is implementing a multi-account strategy using AWS Organizations. They need to centralize logging of all API calls across accounts. Which solution meets this requirement with the least operational overhead?

A.Enable CloudWatch Logs in each account and stream to a central log group.
B.Create a CloudTrail trail in each account and aggregate logs to a central S3 bucket.
C.Create an organization trail in the management account with CloudTrail.
D.Enable S3 server access logs on all accounts and send to a central bucket.
AnswerC

Organization trail automatically logs all accounts, minimizing overhead.

Why this answer

Option C is correct because an organization trail created in the management account logs all accounts in the organization. Option B is wrong because it requires creating trails in each account manually. Option A is wrong because CloudWatch Logs does not capture API calls.

Option D is wrong because S3 server access logs record S3 operations only.

889
Multi-Selectmedium

A company is designing a new application that will store sensitive customer data in Amazon S3. The data must be encrypted at rest. The company wants to use an encryption solution that provides an audit trail of when keys are used and by whom. The company also wants to rotate the encryption keys automatically every year. Which two options meet these requirements? (Choose TWO.)

Select 2 answers
A.Use server-side encryption with S3 managed keys (SSE-S3)
B.Use client-side encryption with an AWS KMS managed key
C.Use server-side encryption with customer-provided keys (SSE-C)
D.Use client-side encryption with a master key stored in AWS Secrets Manager
E.Use server-side encryption with AWS KMS managed keys (SSE-KMS)
AnswersB, E

Client-side encryption with KMS also provides audit trail and key rotation.

Why this answer

Options B and E are correct. SSE-KMS uses AWS KMS, which provides an audit trail via CloudTrail and automatic key rotation. Client-side encryption with a KMS key also provides an audit trail and rotation.

Option A (SSE-S3) does not provide an audit trail. Option C (SSE-C) does not provide key rotation. Option D (client-side encryption with a master key in Secrets Manager) does not provide rotation or an audit trail.

890
MCQeasy

A company uses AWS Organizations with multiple accounts. The central IT team wants to restrict the use of specific EC2 instance types across all accounts to control costs. Which approach should the team use?

A.Use AWS Budgets to send alerts when costs exceed a threshold.
B.Configure Amazon CloudWatch Events to detect launches and terminate instances.
C.Attach an IAM policy to each account's root user to deny the ec2:RunInstances action for certain instance types.
D.Create a service control policy (SCP) that denies the ec2:RunInstances action for prohibited instance types and apply it to the organization.
AnswerD

SCPs apply to all accounts in the organization.

Why this answer

Option D is correct because SCPs can deny the launch of specific EC2 instance types across the organization. Option C is wrong because IAM policies are per-account and not inherited. Option A is wrong because billing alerts do not prevent launches.

Option B is wrong because CloudWatch Events can only trigger notifications, not deny actions.

891
MCQeasy

A company is migrating an on-premises application to AWS. The application requires dedicated hardware for licensing compliance. Which AWS service should the company use to meet this requirement?

A.Amazon EC2 Dedicated Hosts
B.AWS Elastic Beanstalk
C.Amazon EC2 Reserved Instances
D.Amazon Virtual Private Cloud (VPC)
AnswerA

Dedicated Hosts provide physical servers dedicated for your use, meeting licensing needs.

Why this answer

Option A is correct because Dedicated Hosts provide physical servers dedicated for your use, which helps meet licensing requirements. Option D is wrong because a VPC is a virtual network. Option B is wrong because Elastic Beanstalk is a PaaS service.

Option C is wrong because Reserved Instances provide a discount but do not provide dedicated hardware.

892
Multi-Selecteasy

A company is planning to migrate its on-premises Oracle database to Amazon RDS for Oracle. Which actions should the company take to minimize downtime during the migration? (Choose TWO.)

Select 2 answers
A.Take a full backup of the on-premises database and restore it to RDS during a maintenance window.
B.Use AWS Direct Connect to establish a dedicated network connection for faster data transfer.
C.Increase the allocated storage on the target RDS instance to improve write performance.
D.Use AWS Schema Conversion Tool (SCT) to convert the schema and optimize for RDS.
E.Use AWS Database Migration Service (DMS) with ongoing replication to keep the target in sync.
AnswersD, E

SCT helps convert schema and identify potential issues, reducing downtime.

Why this answer

Option E (use AWS DMS with ongoing replication) and Option D (use AWS SCT for schema conversion) are correct. Option A (take a full backup and restore) causes downtime. Option B (use Direct Connect for faster transfer) is helpful but not specifically for minimizing downtime.

Option C (increase the allocated storage) is not directly related.

893
MCQhard

A company runs a critical e-commerce platform on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to an Auto Scaling group of EC2 instances running a web server. The web servers store session data locally on the instance's ephemeral storage. The Auto Scaling group is configured with a min of 2, max of 10, and desired of 2. Recently, during a flash sale, traffic surged and the Auto Scaling group scaled out to 10 instances. However, many users reported that their shopping carts were lost and they were logged out during the event. The Cognito user pool was used for authentication, and the application uses cookies to maintain session state. The ALB's stickiness is enabled. The team observed that the ALB's RequestCountPerTarget metric was well below the instance's capacity, but the error rate increased. The CloudWatch logs show that the web server returned 503 errors for a subset of requests. After the flash sale ended, the Auto Scaling group scaled back to 2 instances, and the issue disappeared. The team wants to prevent this from happening in future events. Which solution should the Solutions Architect recommend?

A.Increase the minimum size of the Auto Scaling group to 10 to handle the surge without scaling down.
B.Disable stickiness on the ALB so that any instance can handle any request.
C.Modify the application to store session data in an Amazon ElastiCache for Redis cluster instead of local ephemeral storage.
D.Increase the health check interval on the ALB to prevent instances from being marked unhealthy too quickly.
AnswerC

This decouples sessions from instances, making them persistent across scaling events and instance replacements.

Why this answer

Option C is correct. The root cause is that session data stored on ephemeral storage is lost when instances are terminated or replaced. Even with ALB stickiness, if an instance is scaled in (terminated) or replaced, the session data is gone.

Using ElastiCache for session storage decouples sessions from instances, ensuring persistence across scaling events. Option A is wrong because increasing the min size does not solve the data loss; sessions are still lost on instance termination. Option B is wrong because disabling stickiness would make it worse, as requests would go to different instances, potentially losing sessions even without scaling.

Option D is wrong because increasing the health check interval does not solve the data loss; it only delays detection of unhealthy instances.

894
MCQeasy

A company is migrating a legacy application that uses an Oracle database to AWS. The application is critical and requires high availability with automatic failover. The company wants to use Amazon RDS for Oracle. The database size is 200 GB. The company needs a solution that provides automatic failover to a standby instance in a different Availability Zone with minimal downtime. Which RDS deployment option should the company use?

A.Multi-Region deployment with Read Replicas
B.Single-AZ deployment with Oracle Data Guard
C.Single-AZ deployment with automatic backups
D.Multi-AZ deployment
AnswerD

Multi-AZ provides automatic failover with a standby in a different AZ.

Why this answer

Option D is correct because a Multi-AZ deployment for RDS provides automatic failover to a standby instance in a different AZ. Option A is wrong because Read Replicas are for read scaling, not automatic failover. Option C is wrong because Single-AZ does not provide failover.

Option B is wrong because Oracle Data Guard requires manual configuration and is not managed by RDS automatically.

895
MCQeasy

A startup is deploying a multi-account AWS environment using AWS Organizations. They have a central logging account where all VPC Flow Logs and CloudTrail logs are stored in an S3 bucket. The security team requires that all accounts in the organization, including future accounts, automatically send logs to this central bucket. They also want to prevent any account from disabling logging. Which solution meets these requirements?

A.Set up VPC Flow Logs at the VPC level and CloudTrail at the account level, then use Lambda to copy logs to the central bucket.
B.Use AWS Config rules to detect when logs are not being sent and automatically re-enable logging.
C.Create an organization trail in CloudTrail and store logs in the central bucket. Attach an SCP to the root that denies s3:PutBucketPolicy for the central bucket.
D.Create individual trails per account and use S3 cross-region replication to copy logs to the central bucket.
AnswerC

Organization trail automatically applies to all accounts; SCP prevents disabling logging by blocking bucket policy changes.

Why this answer

AWS Organizations allows you to create service control policies (SCPs) that can deny actions across accounts. Using an SCP to deny the s3:PutBucketPolicy action on the central bucket ensures that no account can change the bucket policy to block log delivery. Additionally, enabling CloudTrail for all regions and all accounts with an organization trail ensures automatic log delivery.

Option C is correct.

896
Multi-Selectmedium

A company is designing a new web application that will be deployed on Amazon ECS with Fargate. They need to store session state for the application. Which TWO services can they use for this purpose?

Select 2 answers
A.Amazon EFS
B.Amazon RDS
C.Amazon S3
D.Amazon ElastiCache for Redis
E.Amazon DynamoDB
AnswersD, E

Redis is commonly used for session state.

Why this answer

Option D (ElastiCache for Redis) is commonly used for session state. Option E (DynamoDB) is also used for session state with low latency. Option B (RDS) is relational and not ideal.

Option C (S3) is an object store with higher latency. Option A (EFS) is file storage.

897
MCQeasy

A DevOps team wants to automatically enforce tagging standards on all AWS resources created in an account. If a resource is created without the required tags, the team wants to prevent the creation or remediate it. Which AWS service should the team use?

A.AWS Config
B.AWS Organizations
C.AWS Identity and Access Management (IAM)
D.AWS Resource Groups & Tag Editor
AnswerA

Can evaluate resource compliance and trigger remediation actions.

Why this answer

Option A is correct because AWS Config with managed rules (e.g., required-tags) can detect non-compliant resources and trigger auto-remediation. Option B is wrong because AWS Organizations is a governance tool but does not auto-remediate. Option C is wrong because IAM manages permissions, not tagging.

Option D is wrong because Tag Editor visualizes resources but does not enforce policies.

898
MCQmedium

A company is designing a new web application that requires a scalable, low-latency key-value store for session state. The application runs on EC2 instances in an Auto Scaling group. Which solution is the MOST cost-effective and scalable?

A.Store session state on the local instance store of each EC2 instance.
B.Use Amazon ElastiCache for Redis.
C.Store session state in Amazon DynamoDB.
D.Store session state in Amazon RDS for MySQL.
AnswerB

ElastiCache Redis is optimized for low-latency key-value storage and is cost-effective.

Why this answer

ElastiCache for Redis (option B) is a managed, scalable, low-latency key-value store ideal for session state. Option C (DynamoDB) works but is more expensive for simple session data. Option D (RDS) is relational and not low-latency for key-value access.

Option A (local instance store) is not durable.

899
MCQhard

A company is designing a new cloud-native application that uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The application handles user authentication using Amazon Cognito User Pools. During a stress test, the team notices that some requests are failing with HTTP 503 (Service Unavailable) errors. The CloudWatch logs show that Lambda functions are being throttled, and the DynamoDB table is experiencing high write throttling. The team needs to resolve these issues while maintaining low latency. Which solution is the MOST effective?

A. Set Lambda reserved concurrency to a value that covers peak load and enable DynamoDB auto scaling with a target utilization of 70%.
B. Use Amazon SQS to buffer requests to Lambda and configure a DynamoDB Accelerator (DAX) cluster for caching.
C. Increase the DynamoDB write capacity units to the maximum expected peak and configure Lambda provisioned concurrency.
D. Replace AWS Lambda with Amazon ECS on Fargate and use an Application Auto Scaling target tracking policy.
Answer: A

Reserved concurrency guarantees Lambda capacity; DynamoDB auto scaling adjusts capacity automatically.

Why this answer

Option A is correct because setting Lambda reserved concurrency ensures that the function always has capacity available to handle peak load without being throttled by the account-level concurrency limit, while DynamoDB auto scaling with a target utilization of 70% dynamically adjusts write capacity to match traffic patterns, preventing write throttling. This combination directly addresses both throttling issues without introducing additional latency from buffering or caching layers.

Exam trap

The trap here is that candidates often assume buffering with SQS or caching with DAX will solve throttling, but these add latency or only address reads, not writes, while the correct solution directly manages concurrency and write capacity scaling.

How to eliminate wrong answers

Option B is wrong because using Amazon SQS to buffer requests to Lambda introduces additional latency and does not resolve the root cause of Lambda throttling or DynamoDB write throttling; DAX caches reads, not writes, so it does not help with write throttling. Option C is wrong because increasing DynamoDB write capacity units to the maximum expected peak is cost-inefficient and does not adapt to variable traffic, while Lambda provisioned concurrency is a valid approach but the option lacks the complementary DynamoDB scaling strategy needed for write throttling. Option D is wrong because replacing Lambda with Amazon ECS on Fargate adds operational complexity and does not directly address the throttling issues; Application Auto Scaling for ECS does not solve DynamoDB write throttling, and the migration is unnecessary for a serverless application.

900
MCQ · hard

A company is migrating a monolithic application to a serverless architecture using AWS Lambda. The application reads and writes to an Amazon RDS for PostgreSQL database. The database connection pool is exhausted during peak traffic. Which design change should a solutions architect recommend to avoid connection exhaustion?

A. Use Amazon SQS to buffer write requests to the database.
B. Use DynamoDB Accelerator (DAX) as a caching layer.
C. Use Amazon RDS Proxy to pool and share database connections.
D. Increase the max_connections parameter in the RDS parameter group.
Answer: C

RDS Proxy manages connection pooling, reducing connection exhaustion from Lambda.

Why this answer

Amazon RDS Proxy sits between the Lambda function and the RDS database, managing a pool of database connections and reusing them across multiple invocations. This prevents the Lambda function from exhausting the database connection pool during traffic spikes, as each Lambda instance does not need to open its own connection. RDS Proxy also handles connection multiplexing and reduces the overhead of establishing new connections.

Exam trap

The trap here is that candidates often think increasing max_connections or using a queue (SQS) is sufficient, but they overlook that Lambda's concurrent execution model requires connection pooling at the database layer, which RDS Proxy uniquely provides.

How to eliminate wrong answers

Option A is wrong because Amazon SQS buffers write requests but does not address the root cause of connection exhaustion; it only decouples the write path, leaving read operations and other direct database interactions still vulnerable to connection pool exhaustion. Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache for DynamoDB, not for Amazon RDS for PostgreSQL, and it cannot pool or manage database connections. Option D is wrong because increasing the max_connections parameter only raises the limit, but does not prevent Lambda from opening too many connections; it can lead to resource contention and still exhaust database resources under high concurrency.
