AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 11261200

1746 questions total · 24 pages · All types, answers revealed

Page 16 of 24
1126
Multi-Select · hard

A company has multiple AWS accounts in an organization. The security team needs to centrally manage Amazon GuardDuty findings from all accounts. Which THREE steps should the team take to meet this requirement? (Choose THREE.)

Select 3 answers
A. Configure GuardDuty to send findings to Amazon CloudWatch Logs in a central logging account.
B. Create a new S3 bucket in each account to store GuardDuty findings.
C. Designate a delegated administrator account for GuardDuty in AWS Organizations.
D. Enable Amazon GuardDuty in each member account.
E. Use the delegated administrator account to view findings from all accounts in the GuardDuty console.
Answers: C, D, E

The delegated admin can manage GuardDuty across accounts.

Why this answer

Option C is correct because designating a delegated administrator account for GuardDuty in AWS Organizations centralizes management of findings across all member accounts. This allows the security team to view, manage, and respond to findings from a single account without needing to log into each individual account.

Exam trap

The trap here is that candidates might think sending findings to CloudWatch Logs or S3 is the correct way to centralize management, but AWS's native multi-account architecture for GuardDuty relies on the delegated administrator and member account model, not log aggregation.

1127
MCQ · hard

A gaming company is designing a new real-time multiplayer game backend on AWS. The game requires low-latency communication between players (< 50 ms) and the ability to handle up to 100,000 concurrent players. The backend must manage game state, player matchmaking, and chat. The company wants to use managed AWS services to reduce operational overhead. Which solution should a Solutions Architect recommend?

A. Use Amazon DynamoDB for game state, AWS Lambda for game logic, and API Gateway for client communication.
B. Use Amazon GameLift for session-based game server hosting, with its built-in matchmaking and fleet management.
C. Deploy game servers on EC2 instances behind a Network Load Balancer. Use ElastiCache for Redis for game state and SQS for chat messages.
D. Use Amazon ECS with Fargate to run game server containers, and use Application Auto Scaling to handle load.
Answer: B

GameLift is purpose-built for multiplayer games, handles scaling, matchmaking, and low-latency.

Why this answer

Option B is correct because GameLift is designed for multiplayer game hosting, including session management, matchmaking, and scaling. Option C is wrong because EC2 instances require manual management of game servers. Option D is wrong because ECS with Fargate may not meet low-latency requirements for gaming. Option A is wrong because DynamoDB is for storage, not for real-time game server logic.

1128
MCQ · hard

A company is designing a new real-time analytics platform that ingests millions of events per second from IoT devices. The events must be processed with low latency (under 100 ms) and stored for replay. The company wants to use managed services. Which combination of AWS services should the company use?

A. Amazon Kinesis Data Streams + AWS Lambda
B. Amazon S3 + AWS Lambda
C. Amazon Kinesis Data Firehose + Amazon Redshift
D. Amazon SQS + AWS Lambda
Answer: A

Kinesis Data Streams provides low-latency ingestion with replay capability; Lambda processes records in real time.

Why this answer

Amazon Kinesis Data Streams can ingest and buffer millions of events per second with sub-100 ms latency, and AWS Lambda can process each record in near real-time as it arrives in the stream. This combination meets the low-latency requirement and allows events to be replayed from the stream's retention window (up to 365 days with extended retention).

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose (which is near-real-time with batching) with Kinesis Data Streams (which is true real-time), or assume SQS can handle high-throughput streaming with replay, but SQS lacks ordered delivery and long-term retention for replay.

How to eliminate wrong answers

Option B is wrong because Amazon S3 is an object storage service with no built-in real-time streaming capability, making it unsuitable for sub-100 ms event processing. Option C is wrong because Amazon Kinesis Data Firehose delivers data in batches (typically 60 seconds or 1 MB) and Amazon Redshift is a data warehouse optimized for analytical queries, not real-time per-event processing under 100 ms. Option D is wrong because Amazon SQS is a message queue with at-least-once delivery and typical latencies in the tens to hundreds of milliseconds; it lacks the ordered replay and high-throughput streaming capabilities required for millions of events per second.

1129
Multi-Select · easy

A company uses AWS CloudFormation to manage infrastructure. The operations team wants to ensure that all future stack updates follow best practices for change management. Which THREE actions should the team implement?

Select 3 answers
A. Enable drift detection to identify resources that have changed outside of CloudFormation.
B. Use IAM policies to restrict who can update stacks and require approval.
C. Use nested stacks to reuse templates across multiple environments.
D. Apply a stack policy to protect critical resources from accidental updates.
E. Require change sets to be created and reviewed before executing stack updates.
Answers: B, D, E

IAM policies control who can perform stack updates.

Why this answer

Options B, D, and E are correct. Change sets (E) allow review, stack policies (D) protect resources, and IAM policies (B) enforce least privilege. Option C is wrong because nested stacks do not enforce change management. Option A is wrong because drift detection identifies differences but does not manage changes.

1130
Multi-Select · easy

A company is migrating a legacy batch processing system to AWS. The batch jobs run on a schedule and process files from an FTP server. The company wants a serverless solution. Which THREE AWS services should be combined to implement the solution?

Select 3 answers
A. Amazon EventBridge (CloudWatch Events)
B. Amazon EC2 with Auto Scaling
C. AWS Lambda
D. Amazon S3
E. Amazon Simple Workflow Service (SWF)
Answers: A, C, D

EventBridge can trigger Lambda on a schedule.

Why this answer

Options A, C, and D are correct. Option A (EventBridge) schedules events. Option C (Lambda) processes files. Option D (S3) stores files. Option B is wrong because EC2 is not serverless. Option E is wrong because SWF is a workflow service for long-running tasks.

1131
MCQ · medium

A company is migrating its data warehouse from on-premises to Amazon Redshift. The current on-premises data warehouse runs on a proprietary MPP system. The company wants to minimize downtime and ensure data consistency. The company has a large volume of historical data (30 TB) and daily incremental updates of 10 GB. Which migration approach should the company use?

A. Use AWS Snowball to transfer the historical data to Amazon S3, then use AWS DMS with ongoing CDC to replicate incremental changes until cutover
B. Use an ETL tool to extract data from the source and load directly into Amazon Redshift during a maintenance window
C. Perform a full export of the on-premises database to flat files, transfer them over the network, and load into Amazon Redshift
D. Use AWS DMS with full load only, then schedule a downtime window for the final sync
Answer: A

Correct. Snowball handles large historical data transfer efficiently, and DMS CDC keeps the target updated with minimal downtime.

Why this answer

Using AWS DMS with CDC for incremental data allows zero-downtime migration by keeping the target in sync. A bulk export/import approach requires downtime for the final load. Using Snowball for historical data and DMS for incremental updates is efficient for large datasets.

1132
MCQ · easy

A company is using AWS CloudFormation to manage infrastructure. The operations team wants to be notified when a stack operation fails. Which approach is the MOST efficient?

A. Create a scheduled CloudWatch Events rule that calls the DescribeStacks API and sends an alert if status is FAILED
B. Configure an SNS topic as a notification option in the CloudFormation stack
C. Use a Lambda function that is invoked by CloudFormation via custom resource
D. Use Amazon EventBridge to monitor CloudFormation API calls and trigger a Lambda function
Answer: B

CloudFormation sends real-time notifications on stack events.

Why this answer

Option B is correct because CloudFormation can directly publish to SNS topics on stack events, including failures. Option A is inefficient because it requires polling. Option C is not native. Option D is expensive and complex.

1133
MCQ · medium

A company is designing a serverless application using AWS Lambda functions. The application processes events from an Amazon SQS queue. The company wants to ensure that the Lambda function can scale to handle a sudden increase in messages without losing any messages. The Lambda function must process each message at least once. Which configuration should the company use?

A. Configure the SQS queue as a Lambda event source with a reserved concurrency of 1000 for the Lambda function.
B. Configure the SQS queue to invoke the Lambda function asynchronously and set the Lambda function timeout to 5 minutes.
C. Set the SQS queue visibility timeout to 30 seconds and the Lambda batch size to 100. Configure a dead-letter queue for failed messages.
D. Use an SQS FIFO queue with a Lambda function that has a reserved concurrency of 1.
Answer: A

Reserved concurrency ensures the function can scale, and SQS event source mapping provides at-least-once processing.

Why this answer

Option A is correct because configuring the SQS queue as a Lambda event source with a reserved concurrency of 1000 ensures that Lambda can scale up to 1000 concurrent executions to handle a sudden burst of messages. The SQS event source uses long polling and synchronously invokes Lambda, which processes messages in batches and automatically deletes them from the queue only upon successful completion, guaranteeing at-least-once processing. Reserved concurrency prevents throttling and ensures that the function has sufficient capacity to scale without losing messages.

Exam trap

The trap here is that candidates often assume increasing the batch size or using a dead-letter queue alone prevents message loss, but they overlook the critical need for reserved concurrency to guarantee scaling capacity during sudden spikes.

How to eliminate wrong answers

Option B is wrong because SQS cannot invoke Lambda asynchronously; Lambda must be configured as an event source mapping that synchronously pulls messages from the queue, and setting a 5-minute timeout does not address scaling or message loss. Option C is wrong because a 30-second visibility timeout is too short for Lambda processing, risking messages becoming visible again before processing completes, leading to duplicate processing; while a dead-letter queue captures failures, it does not prevent message loss during scaling. Option D is wrong because using a FIFO queue with a reserved concurrency of 1 severely limits throughput and prevents scaling to handle a sudden increase in messages, as FIFO queues process messages in order with limited concurrency.

1134
MCQ · easy

A company plans to migrate 50 on-premises virtual machines (VMs) to AWS. The migration must be completed within 2 weeks. The VMs run various operating systems and have a total data size of 10 TB. The company has a low-bandwidth internet connection (50 Mbps). Which migration approach minimizes the time to transfer the data?

A. Set up an AWS Direct Connect connection to increase bandwidth
B. Create a VPN tunnel to AWS and use rsync to copy the data
C. Use AWS Application Migration Service to replicate the VMs continuously
D. Use AWS Snowball Edge to transfer the VM images physically
Answer: D

Correct: Snowball Edge can transfer 10 TB quickly via physical shipment.

Why this answer

AWS Snowball Edge is a physical device that can handle large data transfers over low-bandwidth connections. AWS Application Migration Service relies on network replication, which would be too slow. Direct Connect would require longer setup time. VPN is also network-based and slow.

1135
MCQ · easy

A development team deploys a web application on Amazon EC2 instances behind an Application Load Balancer. The application experiences intermittent 503 errors. A Solutions Architect notices that the errors coincide with high CPU utilization on the EC2 instances. What is the MOST effective way to improve the application's availability?

A. Increase the idle timeout setting on the Application Load Balancer.
B. Decrease the health check interval on the Application Load Balancer.
C. Configure an Auto Scaling group for the EC2 instances with a scaling policy based on average CPU utilization.
D. Use larger EC2 instance types to handle the load.
Answer: C

Auto Scaling dynamically adds/removes instances based on demand, maintaining availability and reducing 503 errors.

Why this answer

Option C is correct because adding an Auto Scaling group with a scaling policy based on CPU utilization dynamically adjusts capacity to handle load spikes, reducing 503 errors. Option D is wrong because larger instances may not be cost-effective and do not address dynamic scaling. Option A is wrong because increasing the ALB idle timeout does not affect CPU utilization. Option B is wrong because reducing the health check interval may cause premature instance replacement without fixing the root cause.

1136
MCQ · medium

An IAM policy is attached to a user. What is the result when the user tries to upload an object with SSE-KMS encryption?

A. The upload succeeds because the Deny statement has no Principal specified.
B. The upload is denied only if the object is larger than 5 GB.
C. The upload succeeds because the user has an Allow for s3:PutObject.
D. The upload is denied because the Deny statement applies to all uploads.
Answer: D

The Deny is unconditional.

Why this answer

Option D is correct because the Deny statement without a condition applies to all uploads, overriding the Allow. Option C is incorrect because the Allow only applies to SSE-S3. Option A is incorrect because the Deny statement applies to all principals. Option B is incorrect because the Deny statement is explicit and unconditional.

1137
Multi-Select · hard

A company is designing a multi-account AWS environment using AWS Organizations. The company has several business units that each require their own VPC in shared accounts managed centrally. The company wants to enable VPC sharing to allow business units to create resources in shared subnets while maintaining network isolation. Which combination of steps should the company take to achieve this? (Choose TWO.)

Select 2 answers
A. Create a resource share in AWS Resource Access Manager (RAM) for the shared VPC subnets.
B. Attach a transit gateway to the shared VPC and to each business unit's VPC.
C. Configure VPC endpoints in each business unit VPC to access the shared VPC.
D. Create VPC peering connections between the shared VPC and each business unit's VPC.
E. Use AWS PrivateLink to connect the business unit VPCs to the shared VPC.
Answers: A, B

AWS RAM allows sharing subnets with other accounts in the organization.

Why this answer

Option A is correct because AWS Resource Access Manager (RAM) allows you to share subnets from a centrally owned VPC with other AWS accounts within your AWS Organization. This enables business units to launch resources directly into the shared subnets while the VPC and its networking configuration remain managed centrally, ensuring network isolation through separate security groups and network ACLs.

Exam trap

The trap here is that candidates often confuse VPC sharing (which uses RAM to share subnets for resource creation) with network connectivity solutions like transit gateway, VPC peering, or PrivateLink, which are used for routing traffic between VPCs rather than enabling cross-account resource deployment in shared subnets.

1138
Multi-Select · medium

A company is designing a cross-account backup strategy using AWS Backup. The backup policy must be centrally managed from the management account. Which TWO steps are required to implement this?

Select 2 answers
A. Create IAM roles in each member account to allow AWS Backup to assume them.
B. Create a separate backup policy for each member account.
C. Create a backup vault in the management account and share it with member accounts.
D. Create a backup vault in each member account and aggregate them using AWS Config.
E. Enable AWS Backup as a trusted service within AWS Organizations.
Answers: C, E

Allows member accounts to use the central vault.

Why this answer

Options C and E are correct. Option B is wrong because the backup policy is applied to the organization, not per account. Option D is wrong because the backup vault must be in the management account. Option A is wrong because IAM roles are not created automatically for AWS Backup.

1139
MCQ · hard

A company has a bucket policy on an S3 bucket as shown in the exhibit. A cross-account role (CrossAccountRole) is used to access the bucket. The role has an IAM policy that allows s3:GetObject and s3:PutObject on the bucket. When users assume the role and try to upload objects without specifying encryption, the upload fails. What must the users do to successfully upload objects?

A. Remove the condition from the bucket policy.
B. Add an IAM policy that allows s3:PutObject to the role.
C. Include the x-amz-server-side-encryption header with value aws:kms in the upload request.
D. Grant the role permission to use the KMS key.
Answer: C

The condition requires that header.

Why this answer

The bucket policy condition requires that the PutObject request includes the header 'x-amz-server-side-encryption' with value 'aws:kms'. Users must specify SSE-KMS encryption in their upload request, so Option C is correct. Option A is wrong because the bucket policy already allows the upload once the condition is met. Option B is wrong because the role policy already allows s3:PutObject. Option D is wrong because KMS key permission is not the issue.

1140
Multi-Select · easy

A company is using AWS CloudFormation to deploy infrastructure. They want to ensure that updates to a stack do not cause downtime for a critical web application. Which THREE strategies should they consider? (Choose THREE.)

Select 3 answers
A. Use the DeletionPolicy attribute to retain resources.
B. Apply a stack policy to protect critical resources.
C. Use a rolling update strategy with an appropriate batch size.
D. Use Change Sets to preview stack updates.
E. Use nested stacks to isolate components.
Answers: B, C, D

Stack policies prevent accidental updates to protected resources.

Why this answer

Option D is correct because change sets allow you to review changes before applying them. Option B is correct because stack policies prevent updates to critical resources. Option C is correct because rolling updates with an appropriate batch size reduce impact. Option A is wrong because a deletion policy only protects against stack deletion, not updates. Option E is wrong because nested stacks don't inherently prevent downtime.

1141
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. A stack update fails with a resource update failure. The team wants to investigate the specific error without rolling back the stack. What is the BEST approach?

A. Rerun the stack update with the --disable-rollback flag and then describe the stack events.
B. Delete the stack and review the CloudFormation logs.
C. Create a change set to preview the updates.
D. Use the AWS CLI describe-stack-resources command to see the status of each resource.
Answer: A

Disabling rollback preserves the stack for investigation.

Why this answer

Option A is correct because disabling rollback on failure leaves the stack in a failed state for investigation. Option B is wrong because you cannot describe stack events of a deleted stack. Option C is wrong because creating a change set does not help with the current failure. Option D on its own is insufficient: the specific resource status reason can only be checked while the failed stack is preserved.

1142
MCQ · easy

A company is migrating an application that uses a commercial database to Amazon RDS. The database size is 500 GB. Which migration approach minimizes downtime?

A. Use native database tools to export and import data.
B. Use AWS Snowball Edge to transfer the database files.
C. Use AWS Database Migration Service (AWS DMS) with ongoing replication (change data capture).
D. Copy database files to Amazon S3 and restore to RDS.
Answer: C

DMS with CDC allows near-zero downtime.

Why this answer

Option C is correct because AWS DMS with CDC minimizes downtime. Option A is wrong because a manual dump requires downtime. Option D is wrong because S3 is not for live migration. Option B is wrong because Snowball is offline.

1143
MCQ · medium

A company is migrating a large-scale batch processing system from on-premises to AWS. The system processes hundreds of thousands of files daily, each file being a few MB in size. The files are received via SFTP and need to be processed within 4 hours. The company wants to use AWS services to build a fully managed, scalable, and cost-effective solution. The current on-premises system uses a single server with a scheduled task that processes files sequentially. The migration should improve throughput and reduce processing time. Which architecture should the company implement?

A. Use AWS Transfer Family for SFTP, store files in Amazon S3, and use AWS Batch with Fargate launch type to process files in parallel.
B. Use AWS Transfer Family for SFTP, store files in Amazon S3, and use AWS Lambda functions triggered by S3 events to process each file.
C. Use AWS Transfer Family for SFTP, store files in Amazon S3, and configure a single EC2 instance to poll S3 for new files and process them sequentially.
D. Use AWS Transfer Family for SFTP, store files in Amazon S3, configure an S3 event notification to publish messages to an Amazon SQS queue, and use an Auto Scaling group of EC2 instances to process messages from the queue.
Answer: D

SQS decouples and scales processing; Auto Scaling based on queue depth improves throughput.

Why this answer

Option D is correct because AWS Transfer Family provides managed SFTP, and an S3 event notification can publish messages to an SQS queue (directly, or via a Lambda function that submits jobs). The SQS queue acts as a buffer, and an Auto Scaling group of EC2 instances (or a Spot Fleet) processes the messages, scaling based on queue depth. This provides high throughput and cost optimization.

Option C is wrong because a single EC2 instance does not improve throughput over on-premises. Option A is wrong because AWS Batch with Fargate launch type is limited by concurrent job count and may not be cost-effective for long-running jobs. Option B is wrong because Lambda has a 15-minute timeout and is not suitable for processing files that may take longer.

1144
MCQ · easy

A company is migrating a virtualized workload to AWS. The current environment uses VMware vSphere. The company wants to migrate the virtual machines (VMs) to AWS with minimal changes. Which AWS service should the company use?

A. VMware Cloud on AWS
B. AWS Migration Hub
C. AWS Application Discovery Service
D. AWS VM Import/Export
Answer: D

VM Import/Export enables importing VMs from on-premises to AWS as EC2 instances.

Why this answer

Option D is correct because VM Import/Export allows you to import VMs from on-premises to EC2. Option C is wrong because AWS Application Discovery Service is for discovery, not migration. Option A is wrong because VMware Cloud on AWS is a different offering that runs VMware SDDC on AWS, not a direct migration of existing VMs. Option B is wrong because AWS Migration Hub tracks migrations but does not perform the migration.

1145
MCQ · medium

A company has multiple AWS accounts and wants to share a centrally managed Amazon VPC subnet for workloads that require low latency. The VPC is in the networking account. Which solution meets these requirements with the LEAST operational overhead?

A. Create a separate VPC in each account and connect them with VPC peering.
B. Use AWS Resource Access Manager (RAM) to share the subnet with the workload accounts.
C. Set up an AWS Transit Gateway and attach the VPCs from each account.
D. Create VPC peering connections between the networking account and each workload account.
Answer: B

RAM enables subnet sharing with minimal overhead.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) allows sharing subnets across accounts with minimal overhead. Option D is wrong because VPC peering does not share subnets. Option C is wrong because Transit Gateway attaches VPCs but does not share subnets. Option A is wrong because creating separate VPCs in each account defeats the purpose of a shared subnet.

1146
MCQ · easy

A company uses AWS Organizations with a single OU for all production accounts. The central security team wants to prevent any user from disabling Amazon GuardDuty in any production account. What is the MOST effective way to enforce this?

A. Use AWS Lambda to re-enable GuardDuty if it is disabled.
B. Create an AWS Config rule to detect disabled GuardDuty and send alerts.
C. Apply an SCP to the production OU that denies guardduty:Disable* and guardduty:Delete* actions.
D. Attach an IAM policy to each user that denies guardduty:Disable* actions.
Answer: C

SCPs prevent the actions across all accounts in the OU, regardless of user permissions.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts in an OU. By attaching an SCP that explicitly denies `guardduty:Disable*` and `guardduty:Delete*` actions to the production OU, the security team ensures that no principal (including the root user) in any production account can disable or delete GuardDuty, regardless of IAM policies or direct account-level actions.

Exam trap

The trap here is that candidates often choose a detective or reactive solution (like AWS Config or Lambda) because they overlook the requirement to *prevent* the action, or they mistakenly believe IAM policies attached to users are sufficient to block all principals, including the root user and cross-account roles.

How to eliminate wrong answers

Option A is wrong because using AWS Lambda to re-enable GuardDuty is a reactive, non-preventive approach; it does not block the disable action itself, and there is a window of vulnerability between the disable event and the Lambda execution. Option B is wrong because an AWS Config rule can only detect and alert on a non-compliant state (e.g., GuardDuty disabled), but it cannot prevent the disable action from occurring. Option D is wrong because IAM policies attached to individual users do not prevent the root user or other principals (such as roles or services) from disabling GuardDuty, and they are not enforceable across all accounts in the OU without manual, error-prone replication.

1147
Drag & Drop · medium

Drag and drop the steps to configure an Application Load Balancer with HTTPS listeners in the correct order.


Why this order

First get the certificate, then create the target group, then the ALB with HTTPS, register targets, and update DNS.

1148
MCQ · medium

A company is migrating a web application to AWS and wants to use Amazon ECS with Fargate. The application needs to store session state. Which AWS service should the company use for session state management?

A. Amazon ElastiCache for Redis
B. Amazon S3
C. Amazon DynamoDB
D. Amazon RDS
Answer: A

ElastiCache for Redis is ideal for session state management.

Why this answer

Option A is correct because Amazon ElastiCache for Redis is commonly used for session state management in containerized applications. Option C is wrong because Amazon DynamoDB can also be used, but ElastiCache is more commonly recommended for session state. Option B is wrong because Amazon S3 is not suitable for low-latency session state. Option D is wrong because Amazon RDS is for relational databases, not session state.

1149
MCQ · medium

A company is designing a new application that requires a relational database with high read capacity. The application is read-heavy and requires low latency. Which database configuration should be used?

A. Amazon RDS with read replicas
B. Amazon DynamoDB with DAX
C. Amazon RDS with Multi-AZ deployment
D. Amazon ElastiCache for Redis
Answer: A

Read replicas scale read capacity.

Why this answer

Amazon RDS with read replicas is the correct choice because the application is read-heavy and requires low latency. Read replicas offload read traffic from the primary database instance, scaling read capacity and reducing latency for read operations by distributing the load across multiple copies of the data.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployments with read replicas, assuming Multi-AZ also improves read performance, but Multi-AZ only provides failover redundancy and does not offload read traffic.

How to eliminate wrong answers

Option B is wrong because Amazon DynamoDB with DAX is a NoSQL key-value and document database, not a relational database, and the question explicitly requires a relational database. Option C is wrong because Amazon RDS with Multi-AZ deployment provides high availability and failover support, but does not increase read capacity or reduce read latency; it only maintains a standby replica for disaster recovery. Option D is wrong because Amazon ElastiCache for Redis is an in-memory data store, not a relational database, and while it can cache data to improve read performance, it does not serve as the primary relational database itself.

1150
MCQ · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). They have configured an Auto Scaling group with a dynamic scaling policy based on CPU utilization. During a traffic spike, the Auto Scaling group launches new instances, but users report slow response times. What should the company do to improve the scaling responsiveness?

A. Decrease the CPU utilization threshold for scale-out.
B. Increase the cooldown period for the Auto Scaling group.
C. Implement scheduled scaling actions to add capacity before known peak times.
D. Change the scaling policy to step scaling with a higher step adjustment.
Answer: C

Scheduled scaling proactively adds capacity based on expected traffic.

Why this answer

Option C is correct because scheduled scaling can pre-emptively add capacity based on known traffic patterns. Option B is wrong because increasing the cooldown would delay scaling. Option D is wrong because step scaling is more aggressive but not proactive. Option A is wrong because lowering the threshold would cause over-scaling and cost.

1151
MCQ · medium

A company is migrating a critical application to AWS. The application requires consistent performance and low latency. The company has selected an instance type that meets the performance requirements. However, during testing, the application experiences variable performance due to CPU stealing from other instances on the same physical host. What should the company do to mitigate this issue?

A. Use Amazon EC2 Dedicated Hosts for the instances
B. Launch instances in a cluster placement group
C. Use T2 or T3 instances with the unlimited credit option
D. Switch to a compute-optimized instance type such as C5
Answer: A

Dedicated Hosts provide physical isolation, eliminating CPU stealing.

Why this answer

Option A is correct: Dedicated Hosts provide dedicated physical servers, eliminating CPU stealing. Option B (placement group) helps with network performance, not CPU isolation. Option C (T2/T3 unlimited) is for burstable instances, not dedicated. Option D (C5 instance) does not prevent CPU stealing.

1152
MCQeasy

A company is using Amazon S3 to store sensitive customer data. The security team requires that all data be encrypted at rest. Currently, the S3 bucket uses server-side encryption with S3 managed keys (SSE-S3). The company wants to use a key stored in AWS KMS for additional control. What is the simplest way to achieve this?

A.Add a lifecycle policy to transition objects to SSE-KMS.
B.Use S3 Batch Operations to copy objects and re-encrypt with SSE-KMS.
C.Change the bucket's default encryption configuration to SSE-KMS.
D.Use a bucket policy to deny uploads without SSE-KMS.
AnswerC

Default encryption applies automatically to all new objects; existing objects remain with SSE-S3.

Why this answer

Option C is correct because changing the default encryption configuration to SSE-KMS automatically encrypts new objects with the specified KMS key without re-uploading existing objects. Option A is incorrect because a lifecycle policy does not change encryption. Option B is incorrect because copying and re-encrypting objects with S3 Batch Operations is more work than needed for new objects; it is only required if existing objects must be re-encrypted, since a default encryption change does not re-encrypt them.

Option D is incorrect because bucket policies do not control encryption keys; a deny rule only blocks uploads that lack SSE-KMS.

1153
MCQmedium

An S3 bucket is created using the above CloudFormation template. What happens to objects in the bucket after 30 days?

A.Objects are transitioned to Glacier
B.The lifecycle rule is not applied because no prefix is specified
C.Objects are archived to S3 Standard-IA
D.Objects are permanently deleted
AnswerD

ExpirationInDays causes deletion after 30 days.

Why this answer

Option D is correct because the lifecycle rule expires objects after 30 days, which deletes them permanently. Option A is wrong because the rule contains no transition. Option C is wrong because expiration deletes objects; it does not archive them to S3 Standard-IA.

Option B is wrong because the rule is enabled and, without a prefix, applies to every object in the bucket.

1154
MCQmedium

A company uses AWS Organizations with multiple OUs. The finance team needs visibility into costs across all accounts. They want to tag resources with a 'CostCenter' tag. What is the BEST way to enforce tag propagation?

A.Use AWS Service Catalog to enforce tagging on provisioned products.
B.Run a Lambda function that tags resources after creation based on the creator's cost center.
C.Use AWS Config rules to mark non-compliant resources and auto-remediate.
D.Apply an SCP that denies ec2:RunInstances unless the request includes the CostCenter tag.
AnswerD

SCP can enforce tag requirements at creation time.

Why this answer

Using an SCP to deny creation of untagged resources is effective because it blocks the request at creation time. Option C is wrong because AWS Config can detect non-compliant resources but cannot prevent their creation. Option A is wrong because Service Catalog only governs products provisioned through it and does not prevent untagged creation elsewhere.

Option B is wrong because tagging after creation is after the fact.

1155
MCQhard

A company is designing a new data lake on AWS. The data lake will store petabytes of data from various sources, including IoT devices, application logs, and streaming data. The data must be stored cost-effectively, and access patterns vary from frequently accessed recent data to rarely accessed historical data. The company also needs to run SQL queries on the data. Which solution should the architect recommend?

A.Store data in S3 with lifecycle policies to transition between storage classes, and use Amazon Athena for queries
B.Store data in S3 with lifecycle policies to transition to Glacier, and use S3 Select for queries
C.Store data in Amazon EMR on EC2 and query with Hive
D.Store data in Amazon Redshift and query with Redshift Spectrum
AnswerA

S3 provides cost-effective storage with lifecycle management, and Athena can query data directly.

Why this answer

Option A is correct because S3 with lifecycle policies can move data to lower-cost storage classes as it ages, and Athena can query data in place without loading. Option D is wrong because Redshift is designed for structured data warehouse workloads, not a data lake. Option B is wrong because data in Glacier does not support direct querying; it must be restored first.

Option C is wrong because EMR requires managing clusters and is not cost-effective for occasional queries.

1156
MCQeasy

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The database experiences a failover event. After the failover, the application team notices that the new primary DB instance has higher latency than expected. What is the most likely cause?

A.The read replica in a different region is now serving traffic.
B.The Multi-AZ configuration was disabled during the failover.
C.A pending modification to the DB instance was applied during failover.
D.The DB parameter group was changed to a less efficient configuration.
AnswerC

Pending modifications are applied during failover, which can cause latency.

Why this answer

Option C is correct because the new primary may have a pending modification (e.g., scaling) applied during failover, causing a brief performance impact. Option B is incorrect because failover is automatic and does not disable Multi-AZ. Option D is incorrect because parameter group changes require a reboot, not a failover.

Option A is incorrect because Multi-AZ does not provide read replicas.

1157
Multi-Selecteasy

Which TWO AWS services can be used to decouple components in a new microservices architecture? (Choose two.)

Select 2 answers
A.Amazon Simple Notification Service (SNS)
B.AWS Direct Connect
C.Amazon Route 53
D.Amazon Simple Queue Service (SQS)
E.Amazon ElastiCache
AnswersA, D

SNS is a pub/sub service for decoupling.

Why this answer

Amazon SQS (message queue) and Amazon SNS (pub/sub) are both decoupling services that allow asynchronous communication between services.

1158
Multi-Selectmedium

A company is using AWS CloudFormation to deploy a web application. The stack creation fails with the error: 'The following resource(s) failed to create: [MyEC2Instance].' The EC2 instance creation failed because of an insufficient IAM permissions error. Which TWO actions should the company take to resolve this issue? (Choose two.)

Select 2 answers
A.Modify the CloudFormation template to use a different instance type.
B.Create a new IAM service role for CloudFormation and assign it to the stack.
C.Update the IAM role associated with the CloudFormation stack to include ec2:RunInstances permission.
D.Grant the user additional IAM permissions to create EC2 instances.
E.Execute a stack update with the corrected IAM role.
AnswersC, E

The CloudFormation service needs permission to create the EC2 instance.

Why this answer

Option C is correct because the IAM role used by CloudFormation needs permission to create EC2 instances. Option E is correct because updating the stack with the corrected IAM role allows the resource creation to proceed. Option A is wrong because the template doesn't need to be changed.

Option B is wrong because a new service role is not needed; the existing role needs the missing permission. Option D is wrong because the user does not need more permissions.

1159
MCQhard

A company runs a containerized microservices application on Amazon ECS using Fargate. The application includes a service that processes messages from an Amazon SQS queue. The service is CPU-bound and takes longer to process messages as the queue depth increases. The team wants to automatically scale the number of tasks based on the queue depth. Which solution is MOST effective?

A.Use an AWS Lambda function to poll the SQS queue and invoke a new task for each message.
B.Configure ECS Service Auto Scaling with a target tracking scaling policy based on the SQS queue's ApproximateNumberOfMessagesVisible metric.
C.Increase the CPU allocation for the task definition to process messages faster.
D.Use a CloudWatch alarm based on CPU utilization to trigger an Auto Scaling action.
AnswerB

This directly scales tasks based on queue depth, providing proactive scaling.

Why this answer

Option B is correct because ECS Service Auto Scaling can use a target tracking scaling policy with the SQS ApproximateNumberOfMessagesVisible metric to scale the number of tasks. Option D is wrong because CloudWatch alarms on CPU utilization react slowly to a growing queue. Option A is wrong because Lambda is not suitable for long-running CPU-bound tasks.

Option C is wrong because adjusting CPU allocation does not address scaling; it is a vertical scaling approach.

1160
MCQhard

Refer to the exhibit. A trust policy is attached to an IAM role named AuditRole in account 111111111111. The IAM role Admin in account 222222222222 attempts to assume AuditRole. The session is launched with source identity 'admin'. Will the assumption succeed?

A.No, because the source identity does not match.
B.Yes, because the role in account 222222222222 is allowed by the principal.
C.No, because cross-account role assumption is not allowed.
D.Yes, because the source identity condition is optional.
AnswerA

The condition requires source identity 'central-admin', but it is 'admin'.

Why this answer

The assumption fails because the trust policy on AuditRole includes a `sts:SourceIdentity` condition that requires the source identity to match a specific value (e.g., 'auditor'), but the session is launched with source identity 'admin'. Since the condition is not satisfied, AWS STS denies the AssumeRole API call, even though the principal (the Admin role in account 222222222222) is allowed by the `Principal` element. The `sts:SourceIdentity` condition key is evaluated at request time and must match exactly for the policy to grant access.

Exam trap

The trap here is that candidates assume a trust policy only needs a matching principal and action to succeed, overlooking that condition keys like `sts:SourceIdentity` can independently deny the request even when the principal is valid.

How to eliminate wrong answers

Option B is wrong because while the principal is allowed, the trust policy also includes an `sts:SourceIdentity` condition that must be satisfied; the condition fails due to mismatched source identity, so the assumption is denied. Option C is wrong because cross-account role assumption is explicitly allowed when the trust policy grants access to a principal from another account, which is the case here. Option D is wrong because the `sts:SourceIdentity` condition is not optional—it is a required condition in the policy statement, and if it is present, it must be satisfied for the request to succeed.

1161
MCQmedium

An IAM policy is attached to an IAM role that is assumed by an EC2 instance. The EC2 instance has an IP address of 10.0.1.15. The instance is unable to download objects from the S3 bucket 'example-bucket'. What is the MOST likely cause?

A.The S3 bucket policy denies access to the IAM role.
B.The IAM role is not attached to the EC2 instance profile.
C.The policy lacks permissions for s3:ListBucket.
D.The EC2 instance is using a public IP address to access S3, which does not match the 'aws:SourceIp' condition.
AnswerD

The condition requires the source IP to be in the private range, but S3 access from EC2 uses public IPs unless using a VPC endpoint.

Why this answer

The condition restricts access to IP addresses in the 10.0.0.0/8 range. However, EC2 instances use public IPs when accessing S3, or private IPs via a VPC endpoint. If the instance uses a public IP, the condition fails.

Option A (bucket policy) is not shown in the exhibit. Option B (instance profile) is not an issue. Option C (s3:ListBucket) is not required to download objects.

1162
Multi-Selectmedium

A company is migrating a legacy application to AWS. The application requires a relational database. The company wants to minimize operational overhead. Which TWO options should the company consider? (Choose two.)

Select 2 answers
A.AWS Database Migration Service
B.Amazon Aurora
C.Amazon S3
D.Amazon RDS
E.Amazon EC2 with self-managed database
AnswersB, D

Aurora and RDS are managed relational databases; Aurora offers MySQL/PostgreSQL compatibility.

Why this answer

Options B and D are correct because both are fully managed relational database services. Option E (EC2) requires self-management. Option A (DMS) is a migration tool.

Option C (S3) is object storage, not a relational database.

1163
Multi-Selectmedium

A company is implementing AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts in the organization follow the principle of least privilege for IAM roles. Which TWO actions should the team take?

Select 2 answers
A.Apply service control policies (SCPs) to deny the creation of IAM roles with overly broad permissions, such as 'Action: *' and 'Resource: *'.
B.Use AWS CloudTrail to monitor IAM role creation and alert when roles with broad permissions are created.
C.Enable IAM Access Analyzer to review and identify IAM roles that grant permissions to external principals or have unused permissions.
D.Use AWS IAM Roles Anywhere to manage temporary credentials for workloads outside AWS.
E.Enable AWS Resource Access Manager to share resources only with trusted accounts.
AnswersA, C

SCPs enforce preventive controls at the organization level.

Why this answer

Option A is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts within an organizational unit (OU). By applying an SCP that denies the creation of IAM roles with 'Action: *' and 'Resource: *', the security team enforces the principle of least privilege at the organization level, preventing any account from creating overly permissive roles regardless of the account's own IAM policies.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail alerts) with preventive controls (like SCPs), assuming monitoring alone is sufficient to enforce least privilege, but the question explicitly asks for actions that 'ensure' compliance, which requires proactive denial, not just detection.

1164
MCQhard

A company is migrating a 2 TB Oracle database to Amazon Aurora PostgreSQL. The database has frequent write operations and the migration must have minimal downtime. The team uses AWS DMS for ongoing replication. After the initial full load, the target Aurora instance becomes unresponsive during ongoing replication. What is the MOST likely cause?

A.The DMS task is configured to replicate DDL changes, which are not supported for Oracle to Aurora PostgreSQL.
B.The number of logical replication slots on the Aurora PostgreSQL instance exceeds the maximum supported.
C.The DMS task is using full LOB mode, which is not supported with ongoing replication.
D.The target Aurora instance's storage is full and cannot accept new writes.
AnswerB

Aurora PostgreSQL supports a limited number of replication slots; exceeding it causes failures.

Why this answer

The most likely cause is that the number of logical replication slots on the Aurora PostgreSQL instance exceeds the maximum supported. AWS DMS uses logical replication slots to capture ongoing changes from the source Oracle database and apply them to the target Aurora PostgreSQL. Each DMS task creates at least one replication slot on the target.

If the number of slots exceeds the Aurora PostgreSQL limit (typically 1 for Aurora Serverless v1 or a configurable limit for provisioned instances), the target instance can become unresponsive due to resource contention or slot management overhead.

Exam trap

The trap here is that candidates may incorrectly attribute the unresponsiveness to storage exhaustion (Option D) or unsupported LOB modes (Option C), overlooking the specific resource limitation of logical replication slots that is unique to Aurora PostgreSQL's managed replication architecture.

How to eliminate wrong answers

Option A is wrong because DMS does support replicating DDL changes from Oracle to Aurora PostgreSQL for many common DDL operations, and unsupported DDL would cause task failure or errors, not make the target instance unresponsive. Option C is wrong because full LOB mode is fully supported with ongoing replication in DMS; it may impact performance but does not cause the target to become unresponsive. Option D is wrong because while a full storage volume can cause write failures, it would typically result in errors or a read-only state, not an unresponsive instance, and the scenario describes unresponsiveness specifically during ongoing replication.

1165
MCQmedium

A company is building a new microservices-based application on AWS using Amazon ECS with Fargate. The application has a frontend service, an order service, and a payment service. Services communicate synchronously via REST APIs. The company expects variable traffic and wants to ensure that failures in one service do not cascade to others. Which solution should a Solutions Architect recommend?

A.Use Amazon API Gateway in front of each service to throttle requests and protect against traffic spikes.
B.Implement retry logic with exponential backoff, circuit breakers, and timeouts in each service's client code.
C.Convert all inter-service communication to asynchronous messaging using Amazon SQS or SNS.
D.Deploy multiple instances of each service across multiple Availability Zones and use an Application Load Balancer.
AnswerB

Circuit breakers and retries isolate failures and prevent cascading, a standard resilience pattern.

Why this answer

Option B is correct because implementing circuit breakers, retries, and timeouts is a standard pattern to prevent cascading failures. Option A is wrong because synchronous communication is already in place; adding an API Gateway does not prevent cascading failures. Option D is wrong because adding more instances does not protect against a failure of a dependent service.

Option C is wrong because converting to asynchronous messaging is a larger architectural change and may not be suitable for all interactions.

1166
MCQmedium

A company wants to migrate a legacy monolithic application to AWS with minimal changes. The application currently runs on a single on-premises server with a Microsoft SQL Server database. The company wants to use AWS managed services to reduce operational overhead. Which combination of services should the company use to meet these requirements?

A.AWS Application Migration Service (MGN) to Amazon EC2, and AWS DMS to Amazon DynamoDB
B.AWS Application Migration Service (MGN) to Amazon EC2, and AWS DMS to Amazon RDS for SQL Server
C.AWS Server Migration Service (SMS) to Amazon EC2, and AWS DMS to Amazon RDS for SQL Server
D.AWS CloudFormation to provision EC2 instances, and AWS DMS to Amazon RDS for SQL Server
AnswerB

MGN minimizes changes for server migration, DMS migrates the database to managed RDS.

Why this answer

Option B is correct because AWS Application Migration Service (MGN) enables lift-and-shift migration of the on-premises server to Amazon EC2 with minimal changes, while AWS DMS can migrate the Microsoft SQL Server database to Amazon RDS for SQL Server, a fully managed service that reduces operational overhead. This combination meets the requirement of minimal application changes and leverages AWS managed services for the database.

Exam trap

The trap here is that candidates might choose Option A thinking DynamoDB is a managed database service, but they overlook the requirement for minimal changes, which is broken by switching from a relational to a NoSQL database, or they might pick Option C not realizing SMS is deprecated and lacks the continuous replication capabilities of MGN.

How to eliminate wrong answers

Option A is wrong because AWS DMS cannot migrate a SQL Server database to Amazon DynamoDB (a NoSQL database) without significant application changes to adapt to a different data model and query language, violating the 'minimal changes' requirement. Option C is wrong because AWS Server Migration Service (SMS) is deprecated and replaced by AWS Application Migration Service (MGN); using SMS would not be a current best practice and may lack support. Option D is wrong because AWS CloudFormation is an infrastructure-as-code provisioning tool, not a migration service; it does not directly migrate the application or database, and using it alone would not reduce operational overhead for the migration itself.

1167
MCQeasy

A company is designing a network architecture for a multi-account AWS environment. They need to establish a central inspection VPC through which all traffic between VPCs in different accounts must pass. Which AWS service should be used to route traffic between VPCs through the inspection VPC?

A.AWS Direct Connect gateway
B.VPC peering with full mesh connectivity
C.Elastic Load Balancer
D.AWS Transit Gateway
AnswerD

Transit Gateway supports transitive routing and central inspection VPC architectures.

Why this answer

AWS Transit Gateway (D) is the correct service because it acts as a central hub that can route traffic between multiple VPCs across different accounts, and it supports route tables that can force all inter-VPC traffic through a dedicated inspection VPC (e.g., using a blackhole route or a network appliance). This enables transitive routing without requiring full mesh peering, and it integrates with AWS Resource Access Manager (RAM) for cross-account sharing.

Exam trap

The trap here is that candidates often confuse VPC peering with transitive routing, assuming that a full mesh of peering connections can achieve the same centralized inspection as Transit Gateway, but VPC peering explicitly does not support transitive routing (per AWS documentation), making it impossible to force all traffic through a single inspection VPC without additional, unsupported workarounds.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect gateway is used to connect on-premises networks to AWS via Direct Connect, not for routing traffic between VPCs in different accounts. Option B is wrong because VPC peering with full mesh connectivity does not support transitive routing—each peering connection is a one-to-one relationship, so traffic cannot be forced through a central inspection VPC without complex, non-scalable configurations. Option C is wrong because Elastic Load Balancer is a traffic distribution service for applications, not a routing service for inter-VPC traffic; it cannot route packets between VPCs or enforce inspection paths.

1168
MCQeasy

A company is designing a new microservices architecture on AWS. Each microservice must store its own data and communicate with other services via RESTful APIs. The company wants to minimize operational overhead. Which data store should the company use for each microservice?

A.Amazon ElastiCache for Redis
B.Amazon Redshift
C.Amazon RDS for PostgreSQL
D.Amazon DynamoDB
AnswerD

DynamoDB is fully managed, serverless, and scales automatically, ideal for microservices.

Why this answer

Amazon DynamoDB is a fully managed NoSQL key-value and document database that provides single-digit millisecond latency at any scale, making it ideal for microservices that need to store their own data and communicate via RESTful APIs. It requires no operational overhead for scaling, patching, or replication, and its pay-per-request billing aligns with the unpredictable traffic patterns common in microservices architectures.

Exam trap

The trap here is that candidates often choose Amazon RDS for PostgreSQL because they assume relational databases are required for structured data, but the question emphasizes minimizing operational overhead, and DynamoDB's serverless, fully managed nature eliminates the need for schema management, scaling, and patching that RDS still requires.

How to eliminate wrong answers

Option A is wrong because Amazon ElastiCache for Redis is an in-memory cache, not a durable primary data store; it is designed for caching, session management, and real-time analytics, not for persistent storage of microservice data. Option B is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for complex analytical queries on large datasets, not for transactional or operational data storage required by individual microservices. Option C is wrong because Amazon RDS for PostgreSQL, while a fully managed relational database, introduces operational overhead for schema management, connection pooling, and scaling that contradicts the goal of minimizing operational overhead for microservices, and its relational model is less flexible for the independent data persistence patterns of microservices.

1169
Multi-Selecteasy

A company is migrating a web application to AWS and wants to use a content delivery network (CDN) to improve performance. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon CloudFront
B.Amazon Route 53
C.Amazon S3
D.AWS WAF
E.Application Load Balancer
AnswersA, E

CloudFront is a CDN service.

Why this answer

Option A (Amazon CloudFront) is a CDN. Option E (ALB) is a load balancer that works with CloudFront as an origin. Option B is wrong because Amazon Route 53 is DNS, not a CDN.

Option C is wrong because Amazon S3 can be an origin but is not a CDN. Option D is wrong because AWS WAF is a firewall.

1170
MCQmedium

A solutions architect is trying to export an EC2 instance as a VM using AWS VM Import/Export. The CLI command fails with the error shown in the exhibit. What is the most likely cause?

A.The specified S3 bucket is in a different region.
B.The instance is not an EBS-backed instance.
C.The IAM role used does not have permission to export instances.
D.The instance is based on an instance store-backed AMI.
AnswerB

VM Import/Export requires EBS-backed instances; instance store-backed instances lack a persistent root volume.

Why this answer

Option B is correct because the error explicitly states the instance does not have an attached root volume, which is what an EBS-backed instance provides. Option A is wrong because the error mentions the root volume, not the S3 bucket or its Region. Option C is wrong because the error does not mention permissions.

Option D is wrong because the error does not mention the image format.

1171
MCQhard

A company is designing a new data lake on AWS. The data lake will store structured and unstructured data from various sources. The company needs a solution that can automatically catalog the data and make it searchable. Data will be stored in Amazon S3. Which AWS service should be used to catalog and enable search across the data lake?

A.Amazon Athena
B.Amazon EMR
C.Amazon Redshift Spectrum
D.AWS Glue Data Catalog
AnswerD

Glue Data Catalog automatically crawls data sources and stores metadata.

Why this answer

Option D is correct because the AWS Glue Data Catalog automatically discovers and catalogs metadata from S3 via crawlers. Option A: Athena is a query engine, not a catalog. Option B: EMR is for big data processing.

Option C: Redshift Spectrum queries data in S3 but does not catalog it.

1172
MCQhard

A company is migrating to AWS and wants to set up a multi-account structure using AWS Organizations. The security team requires that all accounts be part of an organization and that any attempt to leave the organization be blocked. Additionally, the company wants to prevent the use of the root user in member accounts for daily operations. What should they do?

A.Apply an SCP to the root OU that denies the organizations:LeaveOrganization action and denies the root user's ability to perform actions.
B.Create an IAM policy that denies the organizations:LeaveOrganization action and attach it to all IAM users.
C.Use AWS Config rules to detect when an account leaves the organization and automatically rejoin it.
D.Use AWS CloudTrail to monitor and alert on root user activity and organizations:LeaveOrganization.
AnswerA

SCPs apply to the root user and all IAM entities in member accounts, so they can block leaving the organization and restrict root.

Why this answer

Option A is correct because SCPs can deny leaving the organization and restrict root user actions in member accounts. Option B is wrong because IAM policies cannot restrict the root user. Option D is wrong because CloudTrail does not prevent actions.

Option C is wrong because AWS Config cannot block actions.

1173
MCQeasy

A company is designing a new application to store and retrieve user profile pictures. The images will be accessed frequently and must be served with low latency. Which storage solution should they use?

A.Amazon EBS
B.Amazon S3
C.Amazon EFS
D.Amazon RDS
AnswerB

S3 is object storage optimized for high availability and low latency.

Why this answer

Amazon S3 is ideal for storing and serving static content like images with low latency. Option B (Amazon EBS) is block storage for EC2, Option C (Amazon EFS) is file storage, and Option D (Amazon RDS) is a relational database.

1174
MCQeasy

A company is designing a web application that must handle sudden spikes in traffic. The application runs in a VPC and uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances. The solution must be cost-effective for variable traffic patterns. Which scaling strategy should be used?

A.Simple scaling with step adjustments
B.Target tracking scaling policy based on average CPU utilization
C.Scheduled scaling
D.Manual scaling
AnswerB

Target tracking automatically adjusts capacity to maintain a target metric, which is cost-effective for variable traffic.

Why this answer

Option B is correct because a target tracking scaling policy with a predefined metric like CPU utilization is the simplest and most cost-effective way to handle variable traffic. Option D (manual scaling) is not dynamic. Option C (scheduled scaling) works for predictable patterns, not sudden spikes.

Option A (simple scaling) is less responsive than target tracking.

1175
Multi-Selecthard

A company is designing a multi-account strategy using AWS Organizations. They need to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO approaches should they combine to enforce this requirement?

Select 2 answers
A.Use AWS Config rules to detect users without MFA and send alerts.
B.Enable AWS CloudTrail to log console access without MFA.
C.Create a service control policy (SCP) that denies console access unless aws:MultiFactorAuthPresent is true.
D.Use AWS Single Sign-On (SSO) with MFA enabled for all users.
E.Create an IAM policy in each account that denies console access unless aws:MultiFactorAuthPresent is true.
AnswersC, E

SCPs can centrally enforce MFA across all accounts.

Why this answer

Option C is correct because a service control policy (SCP) can be applied at the organizational unit (OU) or account level to deny all console access unless the `aws:MultiFactorAuthPresent` condition key is `true`. This enforces MFA usage across all member accounts centrally, without requiring per-account IAM policy changes. SCPs are the recommended mechanism for guardrails in AWS Organizations because they cannot be overridden by account administrators.

Exam trap

The trap here is that candidates often confuse detective controls (AWS Config) with preventive controls (SCPs) or assume that a per-account IAM policy (Option E) alone is sufficient, but the question requires a multi-account strategy where SCPs provide centralized enforcement that cannot be bypassed by account administrators.

1176
MCQmedium

A solutions architect deployed an AWS Lambda function using a deployment package. The function logs the error shown in the exhibit. What is the most likely cause?

A.The deployment package does not include the 'express' npm dependency.
B.The Lambda function has exceeded the maximum memory limit.
C.The Lambda function handler is incorrectly configured.
D.The Lambda execution role does not have permissions to access the module.
AnswerA

The error 'Cannot find module' means the module is missing from the package.

Why this answer

Option A is correct. The error indicates that the 'express' module is not found, which means it was not included in the deployment package. Option C is wrong because the function ran, so the handler is correct.

Option D is wrong because the Lambda execution role does not affect module availability. Option B is wrong because the error is a missing module, not a memory issue.

1177
MCQhard

A company is migrating a large Oracle database to Amazon Aurora PostgreSQL using AWS DMS. The database is 5 TB and has frequent write operations. The migration must have minimal downtime. Which configuration should be used?

A.Use AWS DMS with full load and ongoing replication using CDC
B.Use AWS DataSync for the database files
C.Use AWS SCT to convert schema and then copy data manually
D.Use AWS DMS with full load only
AnswerA

Ongoing replication with CDC keeps the target in sync until cutover, minimizing downtime.

Why this answer

AWS DMS ongoing replication with Change Data Capture (CDC) allows continuous syncing after the full load, minimizing downtime. Option D (full load only) causes downtime during migration. Option C (AWS SCT only) is for schema conversion, not data migration.

Option B (AWS DataSync) is for file-based data, not databases.

1178
MCQhard

A company is designing a data lake on AWS using Amazon S3 as the storage layer. The data lake will ingest data from multiple sources, including streaming data from Amazon Kinesis Data Streams and batch data from on-premises systems via AWS Snowball. The company needs to catalog the data and make it available for querying with Amazon Athena and Amazon Redshift Spectrum. Which combination of services should the company use to meet these requirements?

A.Use AWS Glue to create a data catalog and run ETL jobs for both streaming and batch data.
B.Use AWS Lake Formation to set up the data lake and use its built-in catalog.
C.Use Amazon Athena to create tables and partitions directly from S3.
D.Use Amazon Kinesis Data Firehose to deliver streaming data to S3 and catalog with Athena.
AnswerA

Glue provides a data catalog and ETL capabilities.

Why this answer

AWS Glue provides a managed data catalog that integrates with Athena and Redshift Spectrum. Glue ETL can handle both streaming and batch data. Option A is correct.

Option C is wrong because Athena does not catalog data. Option B is wrong because Lake Formation builds on Glue. Option D is wrong because Kinesis Data Firehose is for streaming only.

1179
MCQmedium

A company uses AWS Lambda to process incoming messages from an SQS queue. The Lambda function is triggered by SQS and processes messages in batches of 10. Recently, the number of messages has increased significantly, and some messages are being processed multiple times. What should a solutions architect do to ensure exactly-once processing?

A.Use a DynamoDB table to store unique message IDs and check for duplicates before processing.
B.Set the Lambda function's reserved concurrency to a higher value to prevent throttling.
C.Increase the visibility timeout of the SQS queue to 30 minutes.
D.Change the SQS queue to a FIFO queue and enable content-based deduplication.
AnswerB

Reserved concurrency ensures the function can scale, preventing visibility timeouts and reprocessing.

Why this answer

Option B is correct because enabling the Lambda function's reserved concurrency ensures that the function can scale to handle the increased load without throttling, reducing the chance of reprocessing due to visibility timeouts. Option C is wrong because increasing the SQS visibility timeout alone may not prevent reprocessing if the function is throttled. Option D is wrong because enabling SQS FIFO queues provides exactly-once processing, but Lambda does not support FIFO triggers.

Option A is wrong because using a DynamoDB table for idempotency keys is a valid approach for exactly-once processing, but it adds complexity and latency; the simpler solution is to manage concurrency.

1180
MCQeasy

A company uses AWS CloudFormation to manage infrastructure. They want to update a stack that fails due to a resource limit exceeded error. Which approach minimizes downtime while fixing the issue?

A.Manually modify the resource to reduce its capacity and then continue the update.
B.Create a change set that replaces the resource causing the limit error with a smaller instance type.
C.Roll back the stack update and ignore the error.
D.Delete the stack and recreate it with the corrected template.
AnswerB

A change set allows you to review and execute the update with minimal downtime.

Why this answer

Option B is correct because updating the stack with a change set that replaces the resource causing the limit error is the safest way to handle it. Option D is wrong because deleting and recreating causes downtime. Option A is wrong because manual modifications lead to drift.

Option C is wrong because rolling back doesn't fix the underlying issue.

1181
MCQeasy

A company wants to modernize a batch processing application that runs on EC2 instances using a cron job. The job processes files from an S3 bucket and takes about 2 hours. They want to reduce operational overhead. Which service should they use?

A.AWS Batch
B.Amazon ECS with Fargate
C.AWS Lambda
D.AWS Step Functions
AnswerA

AWS Batch is purpose-built for batch processing and manages compute resources.

Why this answer

AWS Batch is designed for batch computing and can automatically provision EC2 instances, run the job, and terminate them, reducing overhead. Option C (Lambda) has a 15-minute timeout. Option D (Step Functions) orchestrates but does not run the compute.

Option B (ECS with Fargate) is possible but requires more configuration than AWS Batch for batch jobs.

1182
MCQeasy

An organization wants to migrate 50 TB of data from an on-premises NAS to Amazon S3 over a slow internet connection. The migration must be completed within two weeks. Which approach is most appropriate?

A.Use AWS DataSync over the internet
B.Use AWS Snowball Edge
C.Use Amazon S3 Transfer Acceleration
D.Set up AWS Direct Connect
AnswerB

Snowball Edge is a physical device that can handle large data volumes offline, bypassing slow internet.

Why this answer

Option B (AWS Snowball Edge) is correct because it can handle large data volumes without relying on the slow network. Option A (AWS DataSync) may be too slow. Option C (S3 Transfer Acceleration) still uses the internet.

Option D (AWS Direct Connect) may take time to set up.

1183
MCQmedium

A developer ran the AWS CLI command shown in the exhibit. The instance has an attached EBS volume with 'DeleteOnTermination' set to false. The instance will be started again soon. What will happen to the EBS volume when the instance is stopped?

A.The EBS volume is detached but the data is preserved.
B.The EBS volume is deleted.
C.The EBS volume is deleted because the instance is stopped.
D.The EBS volume remains attached to the instance and the data persists.
AnswerD

Stopping an instance does not affect attached EBS volumes; data is preserved.

Why this answer

Option D is correct because stopping an EC2 instance does not affect the attached EBS volumes; they remain attached and their data persists. The 'DeleteOnTermination' attribute only controls behavior when the instance is terminated, not stopped. Since the instance will be started again soon, the volume stays attached with its data intact.

Exam trap

The trap here is that candidates confuse the 'stop' and 'terminate' actions, incorrectly assuming that 'DeleteOnTermination' applies to both, when in fact it only applies to termination.

How to eliminate wrong answers

Option A is wrong because stopping an instance does not detach the EBS volume; the volume remains attached and available when the instance is started again. Option B is wrong because the EBS volume is not deleted when the instance is stopped; deletion only occurs on instance termination if 'DeleteOnTermination' is set to true, which it is not. Option C is wrong because the volume is not deleted due to the instance being stopped; the 'DeleteOnTermination' attribute is irrelevant during a stop operation.

1184
MCQmedium

A company is migrating an on-premises monolithic application to AWS. The application uses a legacy database that cannot be easily refactored. The company wants to minimize changes to the application code while gaining scalability and high availability. Which migration strategy should the architect recommend?

A.Rehost the application on Amazon EC2 and use Amazon RDS for the database.
B.Replatform the application to use AWS Elastic Beanstalk and Amazon DynamoDB.
C.Refactor the application to use a microservices architecture with Amazon Aurora.
D.Retire the application and replace it with a SaaS solution.
AnswerA

Rehosting moves the application as-is to EC2 and RDS, minimizing code changes while providing scalability and HA.

Why this answer

Rehosting (lift-and-shift) involves moving the application and database to AWS infrastructure (EC2 and RDS) with minimal changes. This preserves the legacy database and allows the company to achieve scalability and HA using AWS features like Multi-AZ and Auto Scaling. Replatforming would require modifying the database engine; refactoring involves significant changes; and retiring removes the application.

1185
Multi-Selectmedium

A company is designing a multi-account strategy using AWS Organizations. They want to enforce that no one can disable AWS CloudTrail in any account. Which TWO methods can achieve this?

Select 2 answers
A.Use AWS Trusted Advisor to alert when CloudTrail is disabled.
B.Attach a Service Control Policy (SCP) that denies disabling or deleting CloudTrail.
C.Use AWS Shield Advanced to protect CloudTrail.
D.Use AWS Config rules with auto-remediation to re-enable CloudTrail if disabled.
E.Use IAM permissions boundaries to restrict user permissions.
AnswersB, D

SCPs can prevent disabling actions at the organizational level.

Why this answer

Option B is correct because SCPs can deny the CloudTrail:StopLogging and CloudTrail:DeleteTrail actions. Option D is correct because AWS Config rules can detect and remediate disabled trails. Option E is wrong because IAM permissions boundaries do not prevent root user actions.

Option A is wrong because Trusted Advisor does not enforce. Option C is wrong because AWS Shield is for DDoS protection.

1186
MCQmedium

A company has a multi-account AWS organization. The security team wants to centrally manage and enforce that all S3 buckets are encrypted with a specific KMS key. Which approach should the architect recommend?

A.Use a service control policy (SCP) to deny s3:PutBucketEncryption if the encryption is not the specified KMS key
B.Use AWS Trusted Advisor to check bucket encryption
C.Create an IAM policy that denies s3:PutObject unless the request includes the specific KMS key, and attach it to all users
D.Use AWS Config rules to detect non-compliant buckets and send alerts
AnswerA

SCPs enforce across all accounts in the organization.

Why this answer

Using SCPs in AWS Organizations allows the security team to deny creation of buckets that do not use the required KMS key. Option C (IAM policies) must be attached to each user or role, not centralized. Option D (Config rules) only detects non-compliance and does not enforce.

Option B (Trusted Advisor) provides recommendations only.

1187
MCQhard

A healthcare company is designing a new system on AWS to store and analyze patient health records. The system must comply with HIPAA regulations. Data includes structured lab results and unstructured clinical notes. The company needs to run complex SQL queries on the structured data and perform natural language processing (NLP) on the unstructured data. The solution should be cost-effective and minimize administrative overhead. Which solution should a Solutions Architect recommend?

A.Store structured data in Amazon RDS for PostgreSQL, store unstructured data in S3, and use AWS Glue to run NLP jobs.
B.Store all data in S3, use Amazon Athena for SQL queries and Amazon Textract for NLP.
C.Store structured data in DynamoDB, store unstructured data in S3, use Amazon SageMaker to build custom NLP models.
D.Store structured data in Amazon Redshift, store unstructured data in S3, and use Amazon Comprehend Medical for NLP.
AnswerD

Redshift is for analytics; Comprehend Medical is HIPAA-eligible and designed for medical NLP.

Why this answer

Option D is correct because Redshift is built for SQL analytics on structured data, and Comprehend Medical is a HIPAA-eligible NLP service for medical text. Option A is wrong because RDS is not designed for complex analytics at scale. Option B is wrong because Athena is serverless but slower for frequent queries, and Textract is for document extraction, not NLP.

Option C is wrong because DynamoDB is for NoSQL, not complex SQL queries, and SageMaker is overkill for NLP if Comprehend Medical suffices.

1188
MCQmedium

A company is designing a new application on AWS that processes real-time IoT sensor data from thousands of devices. The data must be ingested, processed, and stored for analysis. The company wants to use a serverless architecture to reduce operational overhead. The processing includes filtering, aggregation, and transformation. Which solution should a Solutions Architect recommend?

A.Use Amazon Kinesis Data Streams to ingest data, use Kinesis Data Firehose to deliver data to S3, and use Athena for queries.
B.Use Amazon Kinesis Data Streams to ingest data, trigger a Lambda function for processing, and store results in DynamoDB.
C.Use Amazon SQS to ingest sensor data, trigger a Lambda function for processing, and store results in DynamoDB.
D.Use AWS IoT Core to ingest data, use IoT rules to route data to Kinesis Data Analytics for real-time processing, and store results in S3.
AnswerD

IoT Core is designed for IoT; Kinesis Data Analytics provides real-time SQL processing; S3 is cost-effective storage.

Why this answer

Option D is correct because IoT Core is purpose-built for IoT device ingestion, its rules engine can process and route data, Kinesis Data Analytics provides real-time SQL processing, and S3 stores the results. Option C is wrong because SQS is not a streaming ingestion service. Option B is wrong because Lambda functions triggered by SQS may have concurrency limits and are not ideal for high-throughput streaming.

Option A is wrong because Kinesis Data Firehose delivers data in batches, not real-time processing.

1189
MCQhard

A company is using AWS Migration Hub to track a server migration. The migration task has failed with the error shown in the exhibit. Which action should the solutions architect take to resolve the issue?

A.Change the migration port from 443 to 80.
B.Retry the migration using AWS CloudEndure instead of AWS MGN.
C.Increase the timeout value for the migration task.
D.Ensure the source server's SSL certificate is signed by a trusted Certificate Authority (CA).
AnswerD

The error explicitly states the certificate is not trusted; replacing it with a valid certificate resolves the issue.

Why this answer

The error indicates that the SSL certificate of the source server is not trusted by the AWS Migration Hub or the migration tool (e.g., AWS MGN, CloudEndure). The solution is to ensure the source server has a valid SSL certificate from a trusted CA, or configure the migration tool to ignore certificate validation if appropriate. Increasing timeout or retrying will not fix the certificate issue.

Changing the port is not relevant. Using a different tool may bypass the error but does not address the root cause.

1190
Multi-Selecthard

A company is using AWS Organizations with a centralized networking account that hosts a transit gateway. The company wants to ensure that all traffic between VPCs in different accounts flows through the transit gateway. Which THREE steps are required to implement this architecture?

Select 3 answers
A.Attach the VPCs in member accounts to the transit gateway.
B.Update the route tables of the VPCs to point to the transit gateway for inter-VPC traffic.
C.Create VPC endpoints for the transit gateway in each VPC.
D.Create VPC peering connections between each VPC and the networking VPC.
E.Share the transit gateway with the member accounts using AWS Resource Access Manager.
AnswersA, B, E

VPCs must be attached to the transit gateway to route traffic through it.

Why this answer

Option A is correct because attaching the VPCs in member accounts to the transit gateway is a fundamental step to establish connectivity. The transit gateway acts as a central hub, and each VPC must be explicitly attached to it to route traffic through the gateway. Without attachment, the transit gateway cannot forward traffic to or from those VPCs.

Exam trap

The trap here is that candidates often confuse VPC endpoints (used for AWS service access) with transit gateway attachments, or mistakenly think VPC peering is required when the transit gateway already provides the necessary connectivity.

1191
MCQmedium

A company is designing a new solution to process streaming data from IoT devices. The data must be ingested, processed in real-time, and stored in a data warehouse for analytics. The company expects millions of events per second. Which combination of AWS services should be used?

A.Amazon Kinesis Data Firehose for ingestion and delivery to Amazon S3, then use AWS Glue for ETL into Amazon Redshift.
B.Amazon DynamoDB Streams for ingestion, AWS Lambda for processing, and Amazon Redshift for storage.
C.Amazon SQS for ingestion, AWS Lambda for processing, and Amazon DynamoDB for storage.
D.Amazon Kinesis Data Streams for ingestion, Amazon Kinesis Data Analytics for real-time processing, and Amazon S3 as a staging area before loading into Amazon Redshift.
AnswerD

Kinesis Data Streams handles high throughput, Data Analytics processes in real-time, and S3 integrates with Redshift.

Why this answer

Amazon Kinesis Data Streams can ingest millions of events per second with durable, ordered shards, while Kinesis Data Analytics provides real-time SQL or Apache Flink processing on the stream. Amazon S3 acts as a staging layer before loading into Amazon Redshift via COPY or Redshift Spectrum, enabling scalable analytics without throttling the ingestion pipeline.

Exam trap

Cisco often tests the distinction between Kinesis Data Streams (real-time, sub-second) and Kinesis Data Firehose (near-real-time, minutes of latency), leading candidates to choose Firehose for real-time requirements.

How to eliminate wrong answers

Option A is wrong because Kinesis Data Firehose is a near-real-time delivery service with a minimum buffer interval of 60 seconds, which cannot meet the sub-second real-time processing requirement for millions of events per second. Option B is wrong because DynamoDB Streams are designed for change data capture from a DynamoDB table, not for direct ingestion of high-throughput streaming data from IoT devices, and DynamoDB Streams have a limited retention period (24 hours) and throughput constraints. Option C is wrong because Amazon SQS is a message queue with at-least-once delivery and no native ordering guarantees (unless using FIFO, which limits throughput to 300 TPS), making it unsuitable for high-velocity, ordered streaming data; DynamoDB is not a data warehouse optimized for complex analytics queries.

1192
MCQmedium

A company has a serverless application using AWS Lambda and Amazon API Gateway. The application experiences cold starts that cause latency spikes. Which solution would reduce the impact of cold starts?

A.Configure Provisioned Concurrency for the Lambda function.
B.Increase the Lambda function memory allocation.
C.Decrease the Lambda function timeout.
D.Use a VPC and enable Lambda to access resources in the VPC.
AnswerA

Ensures a set number of environments are initialized and ready.

Why this answer

Option A is correct because Provisioned Concurrency keeps a number of execution environments warm. Option B is wrong because increasing memory reduces cold start duration but does not eliminate it. Option D is wrong because it increases cost and complexity.

Option C is wrong because it reduces performance.

1193
Multi-Selecthard

A company is deploying a containerized application on Amazon EKS. The application requires persistent storage that can be shared across multiple pods in different Availability Zones. Which TWO storage solutions meet this requirement? (Choose TWO.)

Select 2 answers
A.Amazon EBS with io2 volumes
B.Amazon S3
C.Amazon EC2 Instance Store
D.Amazon FSx for Lustre
E.Amazon EFS
AnswersD, E

FSx for Lustre is a high-performance file system that can be shared across multiple clients in different AZs.

Why this answer

Amazon EFS provides a fully managed, scalable, and elastic NFS file system that can be mounted concurrently by multiple Amazon EKS pods across different Availability Zones, making it suitable for shared persistent storage. Amazon FSx for Lustre is a high-performance file system optimized for workloads like machine learning and HPC, and it supports concurrent access from multiple clients across AZs, meeting the requirement for shared storage.

Exam trap

The trap here is that candidates often assume EBS volumes can be shared across pods because they are persistent, but EBS is a block device with a single-attach limitation, making it unsuitable for multi-pod shared access across AZs.

1194
MCQhard

A company is migrating a legacy e-commerce application to AWS. The application includes a web tier, an application tier, and a MySQL database. The company wants to improve scalability and reduce operational overhead. The architect plans to use Amazon RDS for MySQL and refactor the application to use Auto Scaling for the web and application tiers. However, the application currently stores session state locally on the web servers. What should the architect do to address session state management in the new architecture?

A.Store session state in Amazon S3
B.Store session state in Amazon RDS for MySQL
C.Configure an Application Load Balancer with sticky sessions
D.Use Amazon ElastiCache for Redis to store session state
AnswerD

ElastiCache provides a fast, scalable, and centralized session store.

Why this answer

Using ElastiCache for Redis provides a centralized, scalable session store that works with Auto Scaling. Using sticky sessions (ELB session stickiness) is a workaround but less scalable and not recommended for Auto Scaling. Storing sessions in RDS would add database load.

Storing in S3 is not suitable for low-latency session access.

1195
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon RDS MySQL Multi-AZ DB instance. During a recent load test, the application became unresponsive for several minutes. The monitoring shows that the RDS instance CPU utilization spiked to 100% during the test. The application reads and writes to the same database. Which design change would provide the BEST improvement in database scalability and reduce CPU contention?

A.Create RDS read replicas for the DB instance and route read queries from the application to the replicas.
B.Configure an in-memory cache like Amazon ElastiCache to cache frequent queries.
C.Increase the instance size of the RDS DB instance to a larger instance type.
D.Enable Multi-AZ for the RDS instance to distribute the load across two instances.
AnswerA

Read replicas offload read traffic, reducing CPU on the primary.

Why this answer

The correct answer is A because creating RDS read replicas offloads read queries from the primary DB instance, reducing CPU contention from read-heavy workloads. Since the application reads and writes to the same database, directing read traffic to replicas decreases the primary instance's CPU utilization, directly addressing the 100% CPU spike observed during the load test. This improves database scalability by distributing read operations horizontally without altering write capacity.

Exam trap

The trap here is that candidates often confuse Multi-AZ with read replicas, thinking Multi-AZ distributes read traffic, when in fact Multi-AZ only provides a standby replica for failover and does not serve read requests.

How to eliminate wrong answers

Option B is wrong because while an in-memory cache like ElastiCache reduces read load on the database, it does not address CPU contention from write operations or provide the same level of scalability as read replicas for read-heavy workloads; it is a complementary solution, not the best improvement for database scalability in this scenario. Option C is wrong because scaling vertically (increasing instance size) provides only a temporary fix and does not improve scalability; it increases cost without addressing the root cause of read contention, and the CPU spike could recur under higher load. Option D is wrong because enabling Multi-AZ provides high availability and failover support, not load distribution; the standby instance in a Multi-AZ deployment is not active for reads or writes, so it does not reduce CPU contention on the primary instance.

1196
MCQeasy

A company has a management account in AWS Organizations. It wants to delegate administration of AWS IAM Identity Center to a member account for user management. What is the correct way to achieve this?

A.Use AWS Resource Access Manager to share the IAM Identity Center instance with the member account.
B.Use the IAM Identity Center console to add the member account as a delegated administrator.
C.Use a service control policy to allow the member account to manage IAM Identity Center.
D.Create an IAM role in the management account and allow the member account to assume it.
AnswerB

This is the native mechanism for delegation.

Why this answer

Option B is correct because IAM Identity Center can register member accounts as delegated administrators. Option D is wrong because IAM roles cannot manage IAM Identity Center. Option C is wrong because SCPs are not for delegation.

Option A is wrong because RAM does not share IAM Identity Center.

1197
MCQmedium

A company is migrating a legacy application that uses a network file system (NFS) for shared storage. The application runs on Windows servers. Which AWS storage service should be used for the migration?

A.Amazon FSx for Windows File Server
B.Amazon EFS
C.Amazon EBS
D.Amazon S3
AnswerA

Provides native SMB file storage for Windows applications.

Why this answer

Option A is correct because Amazon FSx for Windows File Server provides native SMB support for Windows. Option B is wrong because EFS is POSIX-based and not fully compatible with Windows. Option D is wrong because S3 is object storage, not a file system.

Option C is wrong because EBS volumes cannot easily be shared across multiple instances.

1198
Multi-Selectmedium

A company is migrating a legacy application to AWS. The application uses a proprietary database that is not supported by Amazon RDS. The company wants to minimize changes and use a managed service. Which TWO options should the company consider? (Choose TWO.)

Select 2 answers
A.Use Amazon RDS with a custom engine.
B.Migrate the database to Amazon S3 and use S3 Select for queries.
C.Run the database on Amazon EC2 with Amazon EBS volumes.
D.Convert the database to Amazon DynamoDB.
E.Use an AWS Marketplace third-party solution that provides a managed service for the database.
AnswersC, E

EC2 allows you to install any database, providing flexibility with managed infrastructure.

Why this answer

Options C and E are correct. Option C: run the database on EC2 with EBS, which is a common approach for unsupported databases. Option E: use a partner solution from AWS Marketplace that supports the database.

Option A is wrong because RDS does not support the database. Option B is wrong because S3 is not a database. Option D is wrong because DynamoDB is NoSQL and would require significant changes.

1199
MCQmedium

A company is designing a new application that will process messages from an SQS queue. The messages must be processed in real-time with minimal latency, and the processing time per message varies from 100 ms to 5 seconds. The company wants to minimize cost and operational overhead. Which solution should the architect recommend?

A.Use Amazon Kinesis Data Streams and an AWS Lambda function
B.Use an SQS queue and an EC2 Auto Scaling group to poll and process messages
C.Use an SQS queue as an event source for an AWS Lambda function
D.Use SQS to send messages to Amazon SNS, which triggers a Lambda function
AnswerC

Lambda scales automatically with the SQS queue and charges per execution, minimizing cost and overhead.

Why this answer

Option C is correct because SQS combined with Lambda provides a serverless solution that scales automatically, processes messages in near real-time, and charges only for compute time used. Option B is wrong because EC2 instances require provisioning and management, leading to higher operational overhead. Option A is wrong because Kinesis is designed for streaming data, not simple message processing.

Option D is wrong because SNS is for pub/sub messaging, not for processing messages.

1200
Multi-Selecthard

A company is designing a new application on AWS that requires a highly available and durable NoSQL database. The database must be able to scale horizontally for both reads and writes. Which TWO AWS services meet these requirements? (Choose two.)

Select 2 answers
A.Amazon Neptune
B.Amazon DynamoDB
C.Amazon RDS for MySQL with Multi-AZ
D.Amazon DocumentDB (with MongoDB compatibility)
E.Amazon ElastiCache for Memcached
AnswersB, D

DynamoDB is a fully managed NoSQL database with horizontal scaling and high durability.

Why this answer

Options B and D are correct. Amazon DynamoDB is a fully managed NoSQL database that scales horizontally and provides high availability and durability. Amazon DocumentDB is a MongoDB-compatible document database that also scales horizontally.

Option C is wrong because RDS is relational. Option A is wrong because Neptune is a graph database. Option E is wrong because ElastiCache is a cache.
