AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 1201–1275

1746 questions total · 24 pages · All types, answers revealed

Page 17 of 24
1201
MCQ · hard

A company is experiencing increased latency in their web application running on EC2 instances behind an Application Load Balancer. The application uses an RDS MySQL database. The CloudWatch metrics show elevated CPU utilization on the database instance during peak hours. Which design change would be MOST effective to reduce database load without application code changes?

A. Add a second RDS read replica to distribute read traffic.
B. Upgrade the RDS instance to a larger instance type with more vCPUs.
C. Implement an ElastiCache for Redis cluster to cache frequently accessed data.
D. Enable RDS Proxy to manage database connections.
Answer: C

Caching reduces database read load without application modifications.

Why this answer

Option C is correct because ElastiCache for Redis provides an in-memory cache that reduces database read load without code changes. Option A is wrong because it would not reduce database load. Option D is wrong because RDS Proxy is for connection pooling, not caching.

Option B is wrong because increasing instance size is a vertical scaling approach that may not be as cost-effective as caching.

1202
MCQ · hard

A company is migrating a legacy CRM application from a colocation facility to AWS. The application uses a client-server architecture with a thick client installed on employee desktops. The company wants to reduce desktop administration and provide remote access. Which migration approach should the architect recommend?

A. Deploy the thick client on Amazon WorkSpaces and provide access to employees
B. Refactor the application into a web application using AWS App Runner
C. Rehost the application on Amazon EC2 and provide VPN access to employees
D. Retire the application and use a SaaS alternative
Answer: A

WorkSpaces provides a managed virtual desktop where the thick client can run, reducing desktop administration.

Why this answer

Using Amazon WorkSpaces allows the thick client to run in a virtual desktop, providing remote access and reducing desktop management. Rehosting the application on EC2 and using a VPN does not address the thick client issue. Refactoring to a web application would require significant development.

Retiring the application is not desired.

1203
MCQ · hard

A gaming company uses Amazon DynamoDB as the database for a leaderboard feature. The table has a partition key of 'game_id' and a sort key of 'score'. The table uses on-demand capacity mode. During a new game launch, write traffic to a few popular game_id partitions becomes very hot, causing throttling. The company wants to improve performance for these hot partitions without changing the application code. What should they do?

A. Add a global secondary index with a different partition key.
B. Enable DynamoDB Accelerator (DAX) for the table to cache frequently accessed data.
C. Switch to provisioned capacity and increase read/write capacity units for the table.
D. Implement an Amazon SQS queue to buffer write requests.
Answer: B

DAX reduces the number of reads to the table, alleviating hot partition contention.

Why this answer

Option B is correct. Using DynamoDB Accelerator (DAX) caches hot data and reduces read/write load on partitions. Option C: increasing read/write capacity units does not apply to on-demand mode.

Option A: adding a secondary index does not reduce throttling on the base table. Option D: using SQS for writes would add latency and change application behavior.

1204
MCQ · medium

A company is migrating a legacy application that uses SOAP web services to AWS. The application currently runs on a single on-premises server. The company wants to minimize changes and reduce operational overhead. Which approach should the company take?

A. Refactor the SOAP web services to RESTful APIs and deploy on Amazon API Gateway and AWS Lambda.
B. Containerize the application and deploy it on Amazon ECS using Fargate.
C. Rehost the application on Amazon EC2 using AWS Application Migration Service (MGN).
D. Use AWS Database Migration Service (DMS) to migrate the database and redeploy the application manually.
Answer: C

MGN automates lift-and-shift with minimal downtime.

Why this answer

Option C is correct because rehosting the application on Amazon EC2 using AWS Application Migration Service (MGN) minimizes changes by lifting and shifting the entire on-premises server, including the SOAP web services, to AWS with minimal modification. This approach reduces operational overhead by automating server replication and cutover, avoiding the need to refactor or containerize the application, which aligns with the requirement to minimize changes.

Exam trap

The trap here is that candidates may assume modernizing to serverless or containers is always better, but the question explicitly requires minimizing changes, making rehosting the correct choice despite its perceived lack of modernization.

How to eliminate wrong answers

Option A is wrong because refactoring SOAP web services to RESTful APIs and deploying on Amazon API Gateway and AWS Lambda introduces significant changes to the application architecture and code, contradicting the requirement to minimize changes. Option B is wrong because containerizing the application and deploying on Amazon ECS using Fargate requires modifying the application to run in containers, which adds operational complexity and changes the deployment model, increasing rather than reducing overhead. Option D is wrong because using AWS Database Migration Service (DMS) only addresses database migration, not the application itself, and manually redeploying the application does not minimize changes or reduce operational overhead compared to a fully automated rehosting solution.

1205
Multi-Select · hard

A company runs a critical application on EC2 instances in an Auto Scaling group. They want to ensure that during a patching cycle, the application remains available and no requests are dropped. Which TWO strategies should they implement? (Choose TWO.)

Select 2 answers
A. Increase the desired capacity of the Auto Scaling group before patching.
B. Stop all instances at the same time to apply patches consistently.
C. Perform a rolling update using a batch size of 50% with a pause time.
D. Use an Auto Scaling lifecycle hook to wait for a custom action before terminating instances.
E. Use Amazon Inspector to automatically patch instances.
Answers: C, D

Rolling update ensures that only a portion of instances are replaced at a time.

Why this answer

Options C and D are correct. D: using a lifecycle hook with a custom action can pause the instance before termination, allowing graceful draining. C: using a rolling update with a batch size ensures that only a portion of instances are patched at a time.

Option B is wrong because stopping instances all at once causes downtime. Option A is wrong because increasing desired capacity without draining connections may cause issues. Option E is wrong because Amazon Inspector identifies vulnerabilities but does not implement patching.

1206
Multi-Select · hard

A company is migrating a large on-premises data lake to Amazon S3. They need to transfer petabytes of data over the network securely and efficiently. Which TWO AWS services should they use?

Select 2 answers
A. AWS Direct Connect
B. Amazon Kinesis Data Firehose
C. AWS Snowball Edge
D. AWS DataSync
E. Amazon S3 Transfer Acceleration
Answers: D, E

For online data transfer with optimization.

Why this answer

Options D and E are correct. DataSync is for online data transfer, and S3 Transfer Acceleration speeds up transfers. Option C (Snowball Edge) is offline, not over the network.

Option A (Direct Connect) is a network service, not a transfer service. Option B (Kinesis Data Firehose) is for streaming data.

1207
Multi-Select · hard

A company is modernizing a legacy application by breaking it into microservices. The application currently uses a single relational database. The company wants to adopt a microservices architecture with separate databases per service. Which THREE patterns should the company consider? (Choose THREE.)

Select 3 answers
A. API Gateway
B. Shared Database
C. Database per Service
D. Event Sourcing
E. Command Query Responsibility Segregation (CQRS)
Answers: A, C, D

API Gateway provides a single entry point for microservices.

Why this answer

Option C (Database per Service) is correct. Option A (API Gateway) is correct for routing. Option D (Event Sourcing) is correct for maintaining data consistency.

Option B is wrong because a Shared Database is an anti-pattern. Option E is wrong because CQRS is for read/write separation and is not required.

1208
MCQ · hard

A company is migrating a large-scale Hadoop cluster to Amazon EMR. They want to optimize costs by using transient clusters and storing data in Amazon S3. Which feature should they enable on the EMR cluster to improve performance?

A. Auto Scaling
B. Kerberos authentication
C. EMRFS consistent view
D. EBS-optimized instances
Answer: C

EMRFS provides consistent view and performance tuning for S3.

Why this answer

Amazon EMRFS with consistent view and S3DistCp improves performance by using S3 as storage. Option D is wrong because EBS-optimized instances are for network performance. Option B is wrong because Kerberos is for security.

Option A is wrong because Auto Scaling is for compute, not storage performance.

1209
MCQ · medium

A company is designing a microservices architecture on AWS. Each service needs its own DynamoDB table, and services must be fully isolated. Which networking design ensures that services can only communicate through APIs and not directly to each other's databases?

A. Place all services in a single VPC with security groups to control traffic.
B. Use a transit VPC with VPN connections to each service's VPC.
C. Create a separate VPC for each service, with VPC peering only between the API gateway and each service VPC.
D. Use a single VPC with public and private subnets; place databases in private subnets and services in public subnets.
Answer: C

This ensures each service's database is isolated and only accessible via the API.

Why this answer

Placing services in separate VPCs with VPC peering only for API communication ensures network-level isolation. Option C is correct because it prevents direct database access by not allowing peering between all VPCs. Option A is wrong because a shared VPC with security groups could allow unintended traffic.

Option D is wrong because a single VPC with subnets still allows routing between services. Option B is wrong because a transit VPC with VPN connections does not provide the needed isolation.

1210
MCQ · medium

A company has a multi-account AWS environment. The security team needs to centrally manage and audit IAM roles that allow cross-account access. Which solution meets these requirements?

A. Use AWS Organizations service control policies to deny cross-account access.
B. Enable AWS IAM Access Analyzer in the management account and delegate admin to the security account.
C. Use AWS Trusted Advisor to check for unused cross-account roles.
D. Enable AWS CloudTrail across all accounts and use Athena to query for AssumeRole events.
Answer: B

Access Analyzer automatically discovers cross-account access and can be centrally managed.

Why this answer

AWS IAM Access Analyzer helps identify resources shared with external principals, including cross-account IAM roles. By enabling it in the management account and delegating administration to the security account, the security team gains a centralized view of all cross-account access findings across the organization without needing to enable it in each account individually. This meets the requirement for central management and auditing of cross-account IAM roles.

Exam trap

The trap here is that candidates confuse preventive controls (SCPs) with detective/audit controls, or they assume CloudTrail logging alone provides centralized auditing without considering the need for a purpose-built tool like IAM Access Analyzer to identify cross-account access configurations.

How to eliminate wrong answers

Option A is wrong because service control policies (SCPs) can deny or restrict permissions but do not provide auditing or centralized management of existing cross-account roles; they are preventive, not detective. Option C is wrong because AWS Trusted Advisor checks for unused IAM roles but does not specifically audit cross-account access or provide centralized management across multiple accounts. Option D is wrong because while CloudTrail logs AssumeRole events and Athena can query them, this approach requires aggregating logs from all accounts and does not offer a built-in, centralized auditing mechanism for cross-account roles like IAM Access Analyzer does.

1211
MCQ · easy

A company needs to store application logs for at least one year with the ability to query them occasionally. The logs are generated at a rate of 10 GB per day. Which storage solution is MOST cost-effective?

A. Store logs on Amazon EBS volumes attached to a single EC2 instance for querying.
B. Stream logs to Amazon S3 using Amazon Kinesis Data Firehose, then use S3 Lifecycle policies to transition to S3 Standard-IA after 30 days.
C. Store logs in Amazon S3 Glacier and use S3 Select to query directly.
D. Stream logs to Amazon CloudWatch Logs and set a retention policy of 365 days.
Answer: B

S3 Standard-IA offers lower cost for infrequent access with retrieval available.

Why this answer

Amazon S3 with S3 Intelligent-Tiering or S3 Standard-IA is cost-effective for infrequent access. Option D (CloudWatch Logs) is expensive for long-term storage. Option C (S3 Glacier) has retrieval delays.

Option A (EBS) is not suitable for logs.

1212
Multi-Select · hard

A company is using AWS CloudTrail to log API activity. The security team wants to ensure that log files are tamper-proof and can be used for forensic analysis. Which TWO actions should the company take?

Select 2 answers
A. Enable S3 Object Lock on the CloudTrail S3 bucket.
B. Enable CloudTrail log file validation.
C. Use server-side encryption with AWS KMS managed keys (SSE-KMS).
D. Enable S3 Transfer Acceleration on the CloudTrail S3 bucket.
E. Set an S3 Lifecycle policy to transition logs to Amazon S3 Glacier.
Answers: A, B

Prevents deletion and overwrites.

Why this answer

Option B is correct because enabling log file validation creates a digest file that can be used to verify integrity. Option A is correct because S3 Object Lock prevents objects from being deleted or overwritten. Option C is incorrect because SSE-KMS does not prevent tampering.

Option E is incorrect because an S3 Lifecycle policy does not prevent deletion. Option D is incorrect because S3 Transfer Acceleration does not provide security.

1213
MCQ · medium

Refer to the exhibit. An IAM policy is attached to an IAM group. When a user in the group tries to start a stopped EC2 instance with the tag 'Environment: production', the action fails. What is the MOST likely reason?

A. The policy is attached to a group, not directly to the user.
B. The user does not have MFA enabled.
C. The policy does not allow 'ec2:StartInstances' on all resources.
D. The 'ec2:StartInstances' action does not support resource-level conditions.
Answer: D

StartInstances only supports instance-level conditions, but the condition here is on the resource tag; for such actions the condition must be on the request, not the resource.

Why this answer

Option D is correct because the Condition block requires the resource tag to be 'Environment: production', but the action 'StartInstances' does not support resource-level authorization; it requires 'ec2:StartInstances' to be allowed without conditions, or the condition must be on the request. AWS evaluates conditions on the resource only for actions that support it. Option C is wrong because the policy allows all actions.

Option B is wrong because the policy does not enforce MFA. Option A is wrong because the policy is attached to a group, not a user, but that should still work.

1214
MCQ · easy

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The application needs to maintain a fixed number of instances and should automatically replace any unhealthy instance. Which scaling policy should be used?

A. Scheduled scaling policy
B. Simple scaling policy
C. Target tracking scaling policy
D. Manual scaling with health check replacement
Answer: D

Manual scaling sets the desired capacity and health checks replace unhealthy instances.

Why this answer

A manual scaling policy set to maintain a fixed number of instances combined with health checks ensures that unhealthy instances are replaced.

1215
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance does not have a public IP. What is the most secure way to provide internet access?

A. Create a VPC endpoint for the internet.
B. Launch a NAT instance in the private subnet.
C. Attach an Internet Gateway directly to the private subnet.
D. Add a NAT Gateway in the public subnet and update the private subnet's route table.
Answer: D

NAT Gateway provides outbound internet access securely.

Why this answer

Option D is correct because a NAT Gateway in a public subnet allows outbound internet traffic while preventing inbound connections. Option B is incorrect because a NAT instance is less managed and secure. Option A is incorrect because a VPC endpoint is for AWS services only.

Option C is incorrect because an Internet Gateway attached to the private subnet would allow inbound traffic.

1216
Multi-Select · medium

Which TWO design patterns help ensure data durability in Amazon S3?

Select 2 answers
A. Enable Cross-Region Replication (CRR).
B. Enable S3 Versioning.
C. Enable MFA Delete.
D. Use S3 Standard-IA storage class.
E. Configure lifecycle policies to transition to Glacier.
Answers: A, B

Replicates objects to another region for durability against regional failures.

Why this answer

Options A and B are correct. Versioning protects against accidental deletion or overwrite. Cross-Region Replication provides durability across regions.

Option D is incorrect because S3 Standard is already durable; a different storage class doesn't improve durability. Option C is incorrect because MFA Delete is a security feature for deletion protection. Option E is incorrect because lifecycle policies manage cost, not durability.

1217
MCQ · hard

A company uses AWS Organizations with a multi-account strategy. The central IT team needs to enforce that all Amazon S3 buckets across the organization are encrypted with AWS KMS using a specific customer managed key. The security policy must be applied without modifying individual bucket policies. Which approach meets these requirements?

A. Use the S3 default encryption feature to automatically encrypt new objects with the specified KMS key.
B. Create a service control policy (SCP) that denies s3:PutBucketPolicy and s3:PutObject actions unless the request includes the specified KMS key.
C. Use AWS Config rules to detect unencrypted buckets and trigger a Lambda function to remediate.
D. Create an S3 bucket policy in each account that denies PutObject if the object is not encrypted with the specified KMS key.
Answer: B

SCPs can centrally enforce encryption requirements across all accounts.

Why this answer

Option B is correct because a service control policy (SCP) can centrally enforce encryption requirements across all accounts in an AWS Organization without modifying individual bucket policies. The SCP denies s3:PutBucketPolicy and s3:PutObject actions unless the request includes the specified KMS key, ensuring compliance at the organization level.

Exam trap

The trap here is that candidates often choose reactive solutions like AWS Config or default encryption, overlooking that SCPs can proactively deny API actions based on request parameters, which is the only way to enforce encryption without touching individual bucket policies.

How to eliminate wrong answers

Option A is wrong because S3 default encryption only applies to new objects written to a bucket, but it does not prevent users from overriding the encryption setting in a PutObject request or from modifying the bucket policy to disable encryption enforcement. Option C is wrong because AWS Config rules with Lambda remediation are reactive (detect and fix after the fact) and do not prevent non-compliant actions from occurring, which violates the requirement to enforce without modifying bucket policies. Option D is wrong because it requires modifying each account's bucket policy, which contradicts the requirement to apply the policy without modifying individual bucket policies.

1218
MCQ · easy

A company is migrating a web application to AWS and wants to use a blue/green deployment strategy to minimize downtime. The application runs on EC2 instances behind an Application Load Balancer (ALB). Which approach should be used?

A. Stop the old instances, start the new instances, and update the ALB target group.
B. Use an AWS CloudFormation stack update to replace the Auto Scaling group and instances in place.
C. Create a new target group for the green environment, register the new instances, test, and then modify the ALB listener rule to forward traffic to the green target group.
D. Deploy the new instances behind a different ALB and update DNS to point to the new ALB.
Answer: C

Minimal downtime with smooth cutover.

Why this answer

Option C is correct because blue/green deployment can be done by creating a new target group for green, testing, and then updating the ALB listener rule to route to the green group. Option A is wrong because it would cause downtime. Option B is wrong because it would also cause downtime.

Option D is wrong because it's not a blue/green strategy.

1219
MCQ · hard

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent latency spikes. The operations team has enabled detailed CloudWatch metrics and logs, but cannot identify the root cause. What is the MOST effective way to troubleshoot the latency issue?

A. Enable detailed ALB metrics and create a CloudWatch dashboard.
B. Migrate the application to AWS Lambda to eliminate EC2 overhead.
C. Replace the ALB with a Network Load Balancer (NLB) for lower latency.
D. Use AWS X-Ray to trace requests from the ALB to the application and downstream services.
E. Add more EC2 instances behind the ALB to distribute the load.
Answer: D

X-Ray provides end-to-end tracing to pinpoint latency sources.

Why this answer

Option D is correct because leveraging AWS X-Ray to trace requests end-to-end helps identify which component is causing latency. Option E is wrong because adding more EC2 instances may not address the root cause and could increase costs. Option C is wrong because switching to a Network Load Balancer (NLB) does not provide visibility into application-level latency.

Option A is wrong because enabling detailed monitoring on the ALB only provides metrics, not traces. Option B is wrong because migrating to Lambda adds complexity and may not solve latency issues caused by other factors.

1220
Multi-Select · hard

A company is designing a new disaster recovery solution for a critical application that runs on Amazon EC2 with an Amazon RDS for MySQL database. The Recovery Time Objective (RTO) is 15 minutes and Recovery Point Objective (RPO) is 1 hour. Which TWO strategies meet these requirements? (Choose TWO.)

Select 2 answers
A. Use Amazon Aurora Global Database for the database tier.
B. Use a cross-region read replica for RDS and promote it during disaster.
C. Use EC2 AMI copy to another region and launch instances from the AMI.
D. Use RDS cross-region snapshots and restore in the DR region.
E. Configure RDS Multi-AZ in the primary region.
Answers: A, B

Aurora Global Database provides low RPO/RTO cross-region.

Why this answer

Aurora Global Database (option A) provides an RPO of seconds and an RTO of minutes. Multi-AZ (option E) provides HA but not cross-region DR. Option D (RDS cross-region snapshots) meets the RPO, but the RTO may be more than 15 minutes.

Option C (EC2 AMI copy) is slow. Option B (cross-region read replica) can be promoted quickly.

1221
MCQ · medium

A company has a complex AWS environment with multiple VPCs connected via a transit gateway. The company wants to centrally manage DNS resolution across all VPCs. Currently, each VPC has its own Amazon Route 53 private hosted zone. The company needs a solution that allows resources in any VPC to resolve DNS names from any other VPC's private hosted zone. Which solution should be implemented?

A. Create VPC peering connections between all VPCs and enable the 'Allow DNS resolution from peered VPC' option.
B. Use Route 53 Resolver outbound endpoints and forwarding rules to forward DNS queries to the appropriate private hosted zones.
C. Configure Route 53 Resolver inbound endpoints in each VPC and set up conditional forwarding.
D. Associate each private hosted zone with each VPC using Route 53.
Answer: B

Resolver endpoints and forwarding rules enable cross-VPC DNS resolution.

Why this answer

Option B is correct because Route 53 Resolver outbound endpoints allow you to forward DNS queries from your VPCs to custom DNS resolvers or to other private hosted zones. By creating outbound endpoints and forwarding rules, you can centrally route DNS queries from any VPC to the appropriate private hosted zone associated with another VPC, enabling cross-VPC DNS resolution without requiring VPC peering or complex associations.

Exam trap

The trap here is that candidates often confuse VPC peering DNS options with private hosted zone resolution, assuming that enabling 'Allow DNS resolution from peered VPC' automatically resolves private hosted zones across peers, when in fact it only affects the default VPC DNS server (AmazonProvidedDNS) and not custom private hosted zones.

How to eliminate wrong answers

Option A is wrong because VPC peering connections with 'Allow DNS resolution from peered VPC' only enable DNS resolution for the default VPC DNS server (the Amazon-provided DNS), not for private hosted zones associated with the peered VPC; private hosted zones require explicit association or forwarding rules. Option C is wrong because Route 53 Resolver inbound endpoints are used to receive DNS queries from on-premises networks or other resolvers, not to forward queries to private hosted zones within AWS; conditional forwarding is a client-side concept, not a resolver endpoint feature. Option D is wrong because associating each private hosted zone with each VPC is not scalable and does not solve the problem of resolving DNS names from one VPC's private hosted zone when the query originates from another VPC; private hosted zones are only resolvable from VPCs they are explicitly associated with, and this option does not provide a central resolution mechanism.

1222
MCQ · easy

A company has multiple AWS accounts for different departments. The finance team wants to centrally manage and optimize EC2 Reserved Instance purchases across all accounts. Which solution should the company implement?

A. Use AWS Organizations with consolidated billing and purchase Reserved Instances in the management account to share with all accounts.
B. Use AWS Budgets to monitor usage and then purchase Reserved Instances per account.
C. Purchase Reserved Instances in the EC2 Reserved Instance Marketplace for distribution to accounts.
D. Have each account purchase its own Reserved Instances based on its usage.
Answer: A

Reserved Instances are shared across all accounts in the consolidated billing family.

Why this answer

Option A is correct because AWS Organizations allows you to consolidate billing and share Reserved Instance discounts across all accounts. Option D is wrong because each account would need to purchase separately, losing optimization. Option C is wrong because the EC2 Reserved Instance Marketplace is for selling unused reservations.

Option B is wrong because AWS Budgets is for cost tracking, not purchasing.

1223
MCQ · hard

A company is migrating a legacy on-premises application to AWS. The application requires a fixed IP address for whitelisting by external partners. The solution must be highly available across multiple Availability Zones. Which design should they use?

A. Use an Application Load Balancer (ALB) with an Elastic IP address.
B. Use Amazon Route 53 with a weighted routing policy.
C. Use a Network Load Balancer (NLB) with an Elastic IP address.
D. Use a Classic Load Balancer (CLB) with an Elastic IP address.
Answer: C

NLB supports Elastic IPs and is highly available across AZs.

Why this answer

Option C is correct because a Network Load Balancer (NLB) supports static IP addresses via Elastic IPs per Availability Zone, providing a fixed IP for partner whitelisting while maintaining high availability across multiple AZs. Unlike ALBs, NLBs operate at Layer 4 and can preserve the client IP, which is critical for IP-based whitelisting scenarios.

Exam trap

The trap here is that candidates often assume an ALB can use Elastic IPs because it is a modern load balancer, but ALBs are DNS-based and cannot be assigned static IPs, making the NLB the only correct choice for fixed IP whitelisting with high availability.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer (ALB) does not support Elastic IP addresses; it uses a DNS name and its IP addresses can change, making it unsuitable for fixed IP whitelisting. Option B is wrong because Amazon Route 53 with a weighted routing policy distributes traffic across multiple endpoints but does not provide a single fixed IP address for whitelisting; it relies on DNS resolution which can change. Option D is wrong because a Classic Load Balancer (CLB) can be assigned an Elastic IP, but it is a legacy service that does not support multiple Availability Zones natively and lacks the high availability and performance features of an NLB.

1224
MCQ · easy

A company is migrating its on-premises VMware VMs to AWS using AWS MGN. After the test cutover, the migrated EC2 instance fails the health check. The source VM runs Windows Server 2016 with a static IP. What is the most likely cause?

A. The security group does not allow inbound RDP.
B. The EBS volume type is not gp3.
C. The source VM's static IP configuration was not changed to DHCP.
D. The instance type is not compatible with Windows Server 2016.
Answer: C

Static IP causes network issues in AWS.

Why this answer

Option C is correct because a static IP conflicts with AWS DHCP. Option D is wrong because the instance type does not affect health checks. Option B is wrong because the volume type is not a factor.

Option A is wrong because security groups are not related to DHCP.

1225
MCQ · hard

A company is migrating a critical application to AWS and must ensure business continuity with a Recovery Time Objective (RTO) of 1 hour and a Recovery Point Objective (RPO) of 15 minutes. The application runs on a single on-premises server with a 500 GB disk. The current data changes at a rate of 10 MB per minute. Which solution will meet the RTO and RPO requirements with the least operational overhead?

A. Use AWS Application Migration Service (AWS MGN) to replicate the server continuously and automate cutover.
B. Use AWS Database Migration Service (AWS DMS) to replicate the database continuously.
C. Use AWS DataSync to replicate the server every 15 minutes to an EBS volume.
D. Take hourly snapshots of the server using AWS Backup and restore in a new EC2 instance.
Answer: A

AWS MGN provides continuous replication, automated testing, and fast cutover, meeting both RTO and RPO with low overhead.

Why this answer

AWS Application Migration Service (AWS MGN) continuously replicates data with near-zero RPO and supports automated testing and cutover. It can achieve an RTO of less than 1 hour for a single server. AWS DMS is for database migration, not full server.

AWS Backup has a minimum RPO of 1 hour for continuous backups. Manual snapshots cannot achieve 15-minute RPO due to the rate of change and manual intervention.

1226
MCQmedium

An IAM policy is attached to an IAM user. The user tries to download an object from S3 bucket 'example-bucket' from an IP address 10.0.1.5. What will happen?

A.The policy has no effect because the condition is invalid.
B.The request is denied unless there is another explicit deny.
C.The request is denied.
D.The request is allowed.
AnswerD

The IP matches the condition.

Why this answer

The policy grants s3:GetObject only if the source IP is in 10.0.0.0/16. Since 10.0.1.5 is within that range, the request is allowed. Option D is correct.

Option C (denied) would apply only if the IP were outside the range. Option B is incorrect; an explicit deny elsewhere would override this allow, but the question describes none. Option A (no effect) is incorrect because the condition is valid.

1227
MCQeasy

A company wants to migrate its on-premises Oracle database to Amazon RDS for MySQL with minimal downtime. Which AWS service should be used for the initial data load and ongoing replication?

A.AWS Schema Conversion Tool (SCT)
B.Amazon S3
C.AWS Direct Connect
D.AWS Database Migration Service (DMS)
AnswerD

Supports ongoing replication with change data capture.

Why this answer

Option D is correct because AWS DMS performs continuous replication with minimal downtime. Option A (SCT) is for schema conversion. Option B (S3) is for storage.

Option C (Direct Connect) is for network connectivity.

1228
MCQmedium

A solutions architect runs the above commands for an EC2 instance. The instance state is 'running' but the system status is 'impaired'. What should the solutions architect do to restore the instance?

A.Start the instance.
B.Stop and start the instance.
C.Modify the instance type.
D.Reboot the instance.
AnswerB

Stop/start migrates the instance to new hardware.

Why this answer

Option B is correct. AWS recommends stopping and starting the instance to move it to new underlying hardware when system status checks fail. Option A is wrong because the instance is already running.

Option D is wrong because a reboot may not resolve hardware issues. Option C is wrong because changing the instance type does not fix underlying hardware impairment.

1229
MCQmedium

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer. The application is experiencing high latency. A Solutions Architect reviews the CloudWatch metrics and notices that the ALB's SurgeQueueLength is consistently high. What does this indicate, and how should the architect respond?

A.The ALB is buffering requests because the backend instances are overwhelmed; increase the number of instances or improve instance performance.
B.The backend instances are failing health checks; review the health check configuration.
C.Clients are sending too many requests; implement API rate limiting.
D.The ALB is experiencing a high number of new connections; increase the idle timeout setting.
AnswerA

SurgeQueueLength indicates request buffering; scaling out the backend will reduce latency.

Why this answer

Option A is correct because a high SurgeQueueLength means the ALB is receiving more requests than the healthy instances can handle, causing queuing. Option D is wrong because the surge queue is for HTTP requests, not connections. Option C is wrong because it is not a client-side issue.

Option B is wrong because the queue is at the ALB level, not the instance level, so it does not indicate failing health checks.

1230
MCQeasy

A solutions architect is designing a disaster recovery plan for a critical application. The application runs on EC2 instances behind an Application Load Balancer (ALB) in us-east-1. The recovery time objective (RTO) is 15 minutes, and the recovery point objective (RPO) is 1 hour. Which approach meets these requirements?

A.Use backup and restore: take hourly snapshots of EBS volumes and copy to us-west-2, then restore EC2 instances from snapshots.
B.Implement a pilot light strategy: replicate data to us-west-2 and keep a minimal stack running.
C.Deploy a multi-site active-active configuration with full capacity in both regions.
D.Use a warm standby: maintain a scaled-down copy of the environment in us-west-2 that can be scaled up within 15 minutes.
AnswerD

Warm standby allows quick scaling to full capacity within RTO.

Why this answer

Using a warm standby with a scaled-down copy of the environment in another region and failing over within 15 minutes meets the RTO and RPO. Option D is correct. Option B is wrong because pilot light takes longer to scale.

Option A is wrong because backup and restore has a higher RTO. Option C is wrong because multi-site active-active is overkill and may exceed the RTO if not properly configured.

1231
MCQhard

A company runs a customer-facing web application on EC2 instances behind an Application Load Balancer. The application stores session data in an RDS MySQL database. Recently, they have been experiencing increased latency and occasional timeouts during peak hours. The operations team has observed that the RDS instance's CPU utilization is consistently above 80%, and the number of database connections is near the maximum allowed. The application code is not easily modifiable in the short term. The company needs a solution that reduces the load on the database with minimal changes to the application. What should a solutions architect recommend?

A.Increase the RDS instance size to a larger instance type.
B.Create an RDS read replica and offload read traffic to it.
C.Implement an Amazon ElastiCache cluster and modify the application to cache frequent queries.
D.Migrate the database to Amazon Aurora with Multi-AZ.
AnswerC

Caching reduces database load and can be done with minimal code changes if using a caching abstraction.

Why this answer

Option C is correct because implementing an in-memory cache like ElastiCache can offload frequent reads, reducing database load without code changes if the application uses caching libraries or can be configured to use a caching layer. Option B is wrong because read replicas would help with read scaling, but the issue is both CPU and connections; also, the application might not be read-heavy. Option D is wrong because switching to Aurora would require a migration and may not address the connection limit.

Option A is wrong because increasing the instance size is a temporary fix and doesn't address the architectural issue.

1232
MCQmedium

A company is migrating a web application to AWS. The application uses a three-tier architecture with a web server, application server, and MySQL database. The company wants to ensure high availability by deploying across multiple Availability Zones. The web and application servers are stateless. Which solution provides the HIGHEST availability with the LEAST administrative effort?

A.Deploy web and application servers on EC2 instances in an Auto Scaling group across two AZs with an Application Load Balancer. Use Multi-AZ Amazon RDS for MySQL.
B.Deploy web and application servers on EC2 instances in an Auto Scaling group in one AZ. Use Amazon Route 53 latency-based routing to another region.
C.Deploy web, application, and database on a single large EC2 instance in one AZ. Take snapshots every hour.
D.Deploy web and application servers on EC2 instances in two AZs with Elastic IP addresses. Use Amazon Route 53 with health checks to route traffic.
AnswerA

ALB and Auto Scaling provide automatic scaling and failover; Multi-AZ RDS provides database failover.

Why this answer

Option A is correct: Multi-AZ RDS provides automatic failover, and the ALB distributes traffic to web/app servers across AZs. Option D (EC2 + Elastic IPs) requires manual failover. Option C (single AZ) is not highly available.

Option B (Route 53 latency-based routing) adds complexity and latency.

1233
MCQmedium

A company is designing an event-driven architecture using Amazon EventBridge. They have multiple AWS accounts that need to receive events from a central account. What is the MOST scalable and secure way to route events to these accounts?

A.Use Amazon EventBridge cross-account event buses in each target account
B.Publish events to an AWS Lambda function in each target account
C.Use Amazon Kinesis Data Streams with cross-account access
D.Create an Amazon SNS topic in the central account and subscribe SQS queues in each target account
AnswerA

EventBridge natively supports cross-account event routing.

Why this answer

Option A is correct because EventBridge cross-account event buses allow events to be sent directly to event buses in other accounts securely and scalably. Option D is incorrect because SNS topics have limited cross-account capabilities. Option C is incorrect because Kinesis Data Streams is not designed for event routing.

Option B is incorrect because Lambda functions would require custom invocation logic.

1234
MCQmedium

A company has a central S3 bucket for logs (central-logs-bucket) in account 123456789012. The bucket policy is shown in the exhibit. A developer in account 111111111111 tries to access an object in the bucket using the AWS CLI without the --no-sign-request option. The request fails. What is the MOST likely cause?

A.The bucket policy denies access from all accounts except 123456789012.
B.The bucket policy only grants access to the root user of account 123456789012, not to other accounts.
C.The request is not using HTTPS, so it is denied by the aws:SecureTransport condition.
D.The request is not signed, so it is denied by the aws:SecureTransport condition.
AnswerB

The Principal is set to the root user of the bucket owner account.

Why this answer

Option B is correct. The bucket policy grants access only to the root user of account 123456789012 (the bucket owner account), not to other accounts. The developer's account (111111111111) is not authorized.

Option C is wrong because secure transport is required, but the request likely uses HTTPS. Option D is wrong because signed requests are used. Option A is wrong because the bucket policy explicitly allows access, but only to the specified principal.

1235
MCQmedium

A company has a multi-account AWS environment with over 500 accounts. The security team uses AWS Config to evaluate resource compliance across all accounts. They have set up an AWS Config aggregator in the security account to collect configuration snapshots from all member accounts. Recently, the team noticed that some member accounts are not showing up in the aggregator. The accounts are active and have AWS Config enabled. What should the security team do to troubleshoot this issue?

A.Ensure that the member accounts have enabled AWS Config in the same region as the aggregator.
B.Check if the member accounts have exceeded the AWS Config resource limits.
C.Check if the AWS Config recorder in the member accounts is configured to record all resource types.
D.Verify that the AWS Config aggregator in the security account has the correct authorization to assume a role in each member account.
AnswerD

The aggregator needs cross-account IAM roles to retrieve data; if permissions are missing or incorrect, accounts won't appear.

Why this answer

Option D is correct because AWS Config aggregators require cross-account authorization to collect configuration data from member accounts. Even if AWS Config is enabled in member accounts, the aggregator in the security account must have the correct IAM role permissions (via an IAM role in each member account) to assume and retrieve configuration snapshots. Without this authorization, the aggregator cannot access the member accounts' data, causing them to not appear.

Exam trap

The trap here is that candidates assume enabling AWS Config in member accounts is sufficient, overlooking the critical cross-account authorization step required by the aggregator to pull data from those accounts.

How to eliminate wrong answers

Option A is wrong because AWS Config aggregators can collect data from multiple regions, and the issue is about accounts not showing up, not regions; the aggregator can aggregate across regions if configured correctly. Option B is wrong because exceeding AWS Config resource limits would cause errors or throttling, not a complete absence of accounts in the aggregator; the accounts are active and Config is enabled, so limits are not the likely cause. Option C is wrong because the AWS Config recorder configuration (recording all resource types or specific ones) affects what resources are recorded, not whether the account appears in the aggregator; the aggregator shows accounts regardless of the recorder's scope.

1236
MCQmedium

A company is migrating a critical application from on-premises to AWS. The application uses a shared file system for user uploads and logs. The company wants a highly available, durable, and low-latency solution. Which AWS storage service should the company use?

A.Amazon EFS
B.Amazon EBS
C.Amazon FSx for Windows File Server
D.Amazon S3
AnswerA

EFS provides a scalable, highly available NFS file system.

Why this answer

Option A is correct because Amazon EFS provides a shared NFS file system with high availability and durability. Option D is wrong because S3 is object storage, not a file system. Option C is wrong because FSx for Windows File Server is for Windows workloads.

Option B is wrong because EBS is block storage, not shared.

1237
MCQmedium

A company is designing a new microservices architecture on AWS. Each microservice must be independently deployable and scalable. The company expects unpredictable traffic patterns with sudden spikes. Which combination of AWS services should be used to build a decoupled, resilient system?

A.Use Amazon API Gateway, AWS Lambda, Amazon SQS, Amazon DynamoDB, and Amazon CloudWatch.
B.Use Application Load Balancer, Amazon EC2 Auto Scaling, Amazon SQS, and Amazon RDS.
C.Use Amazon API Gateway, AWS Lambda, Amazon Kinesis Data Streams, and Amazon DynamoDB.
D.Use Application Load Balancer, Amazon ECS with Fargate, Amazon SQS, and Amazon RDS with read replicas.
AnswerA

This option provides serverless, decoupled, and scalable components ideal for unpredictable spikes.

Why this answer

Option A is correct because it combines API Gateway as a managed entry point, Lambda for stateless compute, SQS for decoupling and buffering sudden traffic spikes, DynamoDB for serverless NoSQL storage, and CloudWatch for observability. This serverless stack ensures each microservice is independently deployable and scales automatically without provisioning, handling unpredictable spikes via SQS queue depth and Lambda concurrency limits.

Exam trap

The trap here is that candidates often choose Kinesis Data Streams (Option C) thinking it provides better decoupling, but they overlook that SQS is specifically designed for asynchronous message buffering with per-message visibility timeouts, which is more appropriate for microservices decoupling than Kinesis's shard-based streaming model.

How to eliminate wrong answers

Option B is wrong because it relies on EC2 Auto Scaling and ALB, which have slower scaling response times (minutes) compared to Lambda's sub-second scaling, making it less resilient to sudden spikes. Option C is wrong because Kinesis Data Streams is designed for real-time streaming analytics with shard-level scaling, not for decoupling request-response microservices; it lacks the buffering and visibility timeout features of SQS that are critical for resilient decoupling. Option D is wrong because RDS with read replicas introduces a relational database bottleneck that does not scale horizontally for unpredictable write-heavy spikes, and ECS with Fargate still requires container startup time and task definition management, which is less elastic than Lambda's instant scaling.

1238
Multi-Selecteasy

A company is designing a new data processing pipeline that must transform data from JSON to Parquet format. The pipeline should run daily and handle data up to 10 GB. Which TWO AWS services can be used to perform this transformation?

Select 2 answers
A.Amazon EMR
B.AWS Lambda
C.AWS Glue
D.Amazon Athena (CTAS queries)
E.Amazon Kinesis Data Firehose
AnswersC, D

Serverless ETL service.

Why this answer

Option C (AWS Glue) is correct for ETL jobs. Option D (Amazon Athena) is correct for converting data with CTAS queries. Option E (Kinesis Data Firehose) is for streaming, not daily batch.

Option B (Lambda) has a 15-minute timeout and 10 GB limit. Option A (EMR) is possible but overkill.

1239
MCQmedium

A company has multiple AWS accounts and wants to centralize CloudTrail logs from all accounts into a single S3 bucket in the audit account. Which configuration is required?

A.Configure CloudWatch Events cross-account to forward logs to a central S3 bucket.
B.Create an organization trail in the management account that delivers logs to the central S3 bucket in the audit account, and set the bucket policy to allow CloudTrail from the organization.
C.Use AWS Organizations to automatically create a CloudTrail trail in the management account that logs all accounts.
D.Create a CloudTrail trail in each account that delivers logs to the central S3 bucket, with a bucket policy that grants write access to each account's CloudTrail service.
AnswerB

An organization trail automatically collects logs from all accounts and can deliver to a bucket in a different account if the bucket policy permits.

Why this answer

Option B is correct because AWS Organizations allows you to create an organization trail in the management account that automatically applies to all accounts in the organization. By configuring the trail to deliver logs to a central S3 bucket in the audit account, and setting the bucket policy to grant CloudTrail service access from the organization, you centralize logging without needing per-account trails. This approach ensures that new accounts added to the organization are automatically covered.

Exam trap

The trap here is that candidates often assume they must create individual trails per account (Option D) or use CloudWatch Events (Option A), missing the simpler and more robust organization trail feature that automatically covers all accounts in the organization.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events cross-account forwarding is not designed to aggregate CloudTrail logs into S3; it forwards events to targets like Lambda or SQS, not directly to S3, and would require custom processing. Option C is wrong because AWS Organizations does not automatically create a CloudTrail trail; you must explicitly create an organization trail in the management account. Option D is wrong because while it could work technically, it is not the simplest or most scalable solution; it requires configuring a trail in every account and managing individual bucket policies, which does not leverage the organizational trail feature that automatically includes all accounts.

1240
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user who needs to upload objects to an S3 bucket owned by another AWS account. The uploads are failing with access denied. What is the most likely cause?

A.The upload request does not include the required ACL header.
B.The resource ARN is incorrect.
C.The bucket policy denies the request.
D.The user does not have s3:PutObject permission.
AnswerA

The condition enforces the ACL header.

Why this answer

Option A is correct. The policy requires the x-amz-acl header to be set to 'bucket-owner-full-control', but the user's upload request likely does not include that header. Options B and D are wrong because the policy explicitly allows PutObject on the resource.

Option C is wrong because the bucket policy is not shown.

1241
MCQhard

A company has a hybrid architecture with an AWS Direct Connect connection to its on-premises data center. The company wants to improve network availability and ensure that if the Direct Connect fails, traffic automatically uses a VPN backup. Which configuration should the company implement?

A.Use a NAT gateway to route traffic through the internet as a backup.
B.Configure a Direct Connect gateway and attach a VPN to it, then advertise the same prefixes via BGP with lower priority on the VPN.
C.Create a Site-to-Site VPN connection and update route tables to point all traffic to the VPN.
D.Set up a second Direct Connect connection from a different provider.
AnswerB

Allows automatic failover to VPN if Direct Connect fails.

Why this answer

Option B is correct. AWS VPN CloudHub provides a hub-and-spoke model for multiple VPN connections, but for failover the standard pattern is Direct Connect as the primary path with a VPN backup: the same prefixes are advertised over both paths via BGP, with the VPN given lower priority so it is used only when Direct Connect fails. A Direct Connect gateway with a VPN attachment implements this. Option A is wrong because it adds latency.

Option C is wrong because it bypasses Direct Connect. Option D is wrong because it does not provide automatic failover.

1242
MCQeasy

A developer runs the above AWS CLI command. What is the expected output?

A.A list of public IP addresses
B.A list of instance IDs for running web-server instances
C.All instance IDs regardless of state
D.An error because the query syntax is incorrect
AnswerB

The command returns InstanceIds of running instances with the specified tag.

Why this answer

Option B is correct because the command filters for instances with the tag Name=web-server and state running, then outputs the InstanceIds as text. Option A is wrong because the query selects InstanceId, not public IP addresses. Option C is wrong because the state filter restricts the output to running instances.

Option D is wrong because the query syntax is correct.

1243
Multi-Selecthard

A company is designing a serverless event-driven application using AWS Lambda. The application processes messages from an Amazon SQS queue. The team needs to ensure that messages are processed in order and exactly once. Which THREE steps should be taken?

Select 3 answers
A.Enable Lambda function's batch window to 0.
B.Configure the Lambda event source mapping to use the FIFO queue.
C.Use a standard SQS queue.
D.Set the Lambda function's reserved concurrency to 1.
E.Use a FIFO SQS queue with a message deduplication ID.
AnswersB, D, E

The event source mapping must be configured to read from the FIFO queue.

Why this answer

To achieve ordering and exactly-once processing, use a FIFO queue with a deduplication ID and configure a reserved concurrency of 1 to prevent parallel processing.

1244
MCQeasy

A solutions architect needs to design a network architecture for a multi-account AWS environment using AWS Transit Gateway. The company requires that all traffic between VPCs be inspected by a central security appliance. What is the MOST efficient way to achieve this?

A.Use AWS Direct Connect to connect all VPCs to a central on-premises firewall.
B.Use a Network Load Balancer in each VPC to forward traffic to a firewall instance.
C.Attach all VPCs to a Transit Gateway and route traffic through a central inspection VPC.
D.Create VPC peering connections between all VPCs and route traffic through a security VPC.
AnswerC

Transit Gateway enables transitive routing with a central inspection VPC.

Why this answer

Option C is correct because a Transit Gateway with a central inspection VPC (using a firewall appliance) allows routing all inter-VPC traffic through the inspection point. Option D is wrong because VPC peering does not provide a central inspection point. Option A is wrong because Direct Connect is for on-premises connectivity.

Option B is wrong because a Network Load Balancer does not perform traffic inspection.

1245
MCQmedium

A company is migrating a multi-tier web application to AWS. The application includes an Apache web server and a MySQL database. The operations team needs to scale the web tier based on CPU utilization while maintaining a static IP for the database. Which combination of AWS services should the solutions architect use?

A.Auto Scaling group for web tier with a Network Load Balancer; Amazon RDS for MySQL database with a static Elastic IP
B.Auto Scaling group for web tier with an Application Load Balancer; Amazon EC2 instance for MySQL database with an Elastic IP
C.Auto Scaling group for web tier with an Application Load Balancer; Amazon RDS for MySQL database with a static Elastic IP
D.Auto Scaling group for web tier with a Classic Load Balancer; Amazon EC2 instance for MySQL database with an Elastic IP
AnswerB

Correct: ALB for web scaling, EC2 with Elastic IP for static database IP.

Why this answer

An Auto Scaling group with an Application Load Balancer provides scaling for web servers. An Elastic IP on an EC2 instance provides a static IP for the database. RDS does not support Elastic IP directly.

1246
MCQhard

A company has a multi-account strategy with a dedicated audit account. The audit account needs to have read-only access to all resources in all other accounts. The security team wants to use IAM roles. What is the MOST scalable way to set up this cross-account access?

A.Use AWS Single Sign-On (SSO) to grant the audit team access to each account.
B.Create an IAM user in the audit account and allow that user to assume a role in each account.
C.Manually create an IAM role in each account and attach a read-only policy.
D.Use AWS CloudFormation StackSets to deploy a stack containing an IAM role with the required trust and permissions.
AnswerD

StackSets can deploy to all accounts in an organization automatically.

Why this answer

Option D is correct because AWS CloudFormation StackSets allows you to deploy a consistent IAM role with a read-only policy and a trust policy that grants the audit account access across all target accounts in a single, automated, and scalable operation. This approach eliminates manual effort, ensures consistency, and scales to hundreds of accounts without requiring per-account configuration.

Exam trap

The trap here is that candidates often choose manual role creation (Option C) because it seems straightforward, but they overlook the scalability and automation benefits of StackSets, which is the most efficient solution for managing cross-account roles across many accounts in a multi-account strategy.

How to eliminate wrong answers

Option A is wrong because AWS Single Sign-On (SSO) is designed for federated user access to the AWS Management Console and does not provide a mechanism to grant programmatic cross-account IAM role access for a dedicated audit account; it also does not natively enforce read-only permissions across all resources. Option B is wrong because creating an IAM user in the audit account and allowing that user to assume roles in each account is not scalable—it requires manual creation of roles and trust policies in every account, and IAM users are a security anti-pattern for cross-account access compared to role-based access. Option C is wrong because manually creating an IAM role in each account with a read-only policy is not scalable for a multi-account environment with many accounts; it introduces human error, inconsistency, and operational overhead.

1247
MCQeasy

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer. The application must handle sudden spikes in traffic without manual intervention. Which scaling approach should they use?

A.Manual scaling
B.Scheduled scaling
C.Target tracking scaling policies
D.Simple scaling policies
AnswerC

Target tracking automatically adjusts capacity to maintain a target metric value.

Why this answer

Option C is correct because target tracking scaling policies automatically adjust capacity based on a target metric. Option D is wrong because simple scaling requires manual intervention for cooldown. Option B is wrong because scheduled scaling is for predictable traffic.

Option A is wrong because manual scaling is not automatic.

1248
Multi-Selectmedium

A company is designing a new microservices architecture that requires service discovery and API management. Which THREE services can be used together to achieve this? (Choose THREE.)

Select 3 answers
A.Amazon Route 53
B.Amazon API Gateway
C.Application Load Balancer
D.Amazon VPC Lattice
E.AWS Cloud Map
AnswersB, C, E

API Gateway creates and manages APIs.

Why this answer

Options B, C, and E are correct. AWS Cloud Map provides service discovery, API Gateway manages APIs, and the ALB can route traffic. Option A is wrong because Route 53 is DNS, not service discovery.

Option D is wrong because VPC Lattice is for service-to-service communication, not API management.

1249
MCQmedium

A company is migrating a stateful web application to AWS. The application currently runs on a single on-premises server and uses local storage for session data. The company wants to make the application highly available and scalable. What should the solutions architect do?

A.Store session data in a Multi-AZ Amazon RDS database and use Route 53 with health checks
B.Use an Application Load Balancer with sticky sessions and an Auto Scaling group
C.Use a larger EC2 instance to handle all traffic and take regular snapshots
D.Migrate session data to Amazon ElastiCache or DynamoDB, then use an Auto Scaling group behind an ALB
AnswerD

Correct: Makes the web tier stateless, allowing scaling and high availability.

Why this answer

Moving session state to ElastiCache or DynamoDB makes the application stateless, enabling Auto Scaling. Sticky sessions on an ALB are a workaround but do not provide full statelessness. Using a larger instance does not provide high availability.

Multi-AZ RDS for session data is not ideal for high-frequency session access.

1250
Multi-Selectmedium

A company is migrating a legacy application to AWS and wants to use a containerized architecture. The application requires persistent storage that can be shared across multiple containers in an Amazon ECS cluster. Which TWO storage solutions should the company consider? (Choose TWO.)

Select 2 answers
A.Amazon Simple Storage Service (S3)
B.Amazon Elastic File System (EFS)
C.Amazon FSx for Lustre
D.Amazon Elastic Block Store (EBS)
E.Amazon Relational Database Service (RDS)
AnswersB, C

EFS is a shared NFS file system that can be mounted by multiple containers.

Why this answer

B and C are correct because EFS provides a shared file system for containers, and FSx for Lustre provides high-performance shared storage. D is wrong because EBS volumes are attached to a single EC2 instance. A is wrong because S3 is object storage, not a file system.

E is wrong because RDS is a database, not shared storage.

1251
MCQhard

Refer to the exhibit. A solutions architect is troubleshooting why EC2 instances launched in subnet-11111111 cannot access the internet. The subnet is in a VPC with an internet gateway attached. The route table for the subnet has a default route (0.0.0.0/0) pointing to the internet gateway. What is the MOST likely cause?

A.The subnet's auto-assign public IP setting is disabled
B.The internet gateway is not attached to the VPC
C.The subnet needs a NAT gateway for internet access
D.The subnet's route table does not have a route to the internet gateway
AnswerA

MapPublicIpOnLaunch is false, so instances lack public IPs.

Why this answer

Option A is correct because MapPublicIpOnLaunch is false, so instances launched in the subnet are not assigned public IP addresses automatically. Without a public IP, they cannot communicate with the internet via the internet gateway. Option D is wrong because the route to the internet gateway exists.

Option B is wrong because the internet gateway is attached. Option C is wrong because a NAT gateway is not required if the instances have public IPs.

1252
MCQeasy

A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by project, where each project may use resources across multiple accounts. What is the MOST scalable way to allocate costs?

A.Create separate AWS accounts for each project and use consolidated billing to view costs.
B.Use AWS Budgets with cost allocation tags to track project costs.
C.Apply cost allocation tags to resources in each account and use AWS Cost Explorer to filter by tag.
D.Use AWS Cost Categories in AWS Cost Explorer to group costs by shared tags that are activated centrally.
AnswerD

Cost Categories allow grouping by tags, accounts, or services and are managed centrally in the management account.

Why this answer

Option D is correct because Cost Categories group costs by cost allocation tags that are designed for this purpose and are activated centrally in AWS Organizations. Option C is wrong because tags applied individually in each account are not automatically propagated. Option B is wrong because budgets in linked accounts do not track tags across accounts.

Option A is wrong because it forces one account per project, which is not flexible.

1253
MCQeasy

A company plans to modernize an existing .NET Framework 4.7 application running on Windows Server 2012 R2. The company wants to move to a containerized architecture on AWS with minimal code changes. Which service should the company use to meet these requirements?

A.AWS App2Container (A2C)
B.AWS Serverless Application Model (SAM)
C.AWS Copilot
D.AWS Migration Hub
AnswerA

A2C analyzes and containerizes .NET applications with minimal code changes.

Why this answer

AWS App2Container (A2C) is specifically designed to containerize existing .NET Framework applications running on Windows Server with minimal code changes. It analyzes the application, generates Docker images, and produces CloudFormation templates for deployment on Amazon ECS or EKS, directly meeting the requirement to modernize a .NET Framework 4.7 application to a containerized architecture without significant refactoring.

Exam trap

The trap here is that candidates may confuse AWS App2Container with AWS Copilot or SAM, assuming any AWS container tool can handle existing .NET Framework applications, but only A2C provides the automated analysis and containerization of legacy Windows applications with minimal code changes.

How to eliminate wrong answers

Option B (AWS SAM) is wrong because it is a framework for building serverless applications using AWS Lambda and API Gateway, not for containerizing existing .NET Framework applications; it requires rewriting the application into a serverless architecture, which contradicts the 'minimal code changes' requirement. Option C (AWS Copilot) is wrong because it is a CLI tool for deploying containerized applications on Amazon ECS or App Runner, but it assumes the application is already containerized and does not provide analysis or containerization of existing .NET Framework binaries. Option D (AWS Migration Hub) is wrong because it is a tracking and monitoring service for migration progress across multiple tools, not a tool that performs containerization or code transformation.

1254
MCQhard

A company is using AWS DMS to migrate a SQL Server database to Amazon Redshift. The initial full load completed, but the ongoing replication task failed with the error shown. What is the MOST likely cause?

A.The DMS task is not configured to use a task log for troubleshooting.
B.The source SQL Server transaction log has not been backed up or truncated, causing it to become full.
C.The target Redshift table does not have a primary key defined for the DMS task to apply changes.
D.The DMS task is using a full LOB mode, which is not supported for Redshift targets.
AnswerB

CDC reads the transaction log; if it fills up, DMS cannot continue. Regular log backups or truncation are needed.

Why this answer

The error indicates that AWS DMS cannot read the source SQL Server transaction log to capture ongoing changes. This typically occurs when the transaction log is full because it has not been backed up or truncated, preventing DMS from reading new log records for continuous replication. DMS relies on the source database's transaction log for CDC (Change Data Capture), and a full log blocks this process.

Exam trap

The trap here is that candidates may confuse a target-side issue (like missing primary key or unsupported LOB mode) with a source-side transaction log problem, because the error message explicitly mentions 'transaction log' but test-takers often overlook the source database context.

How to eliminate wrong answers

Option A is wrong because the task log is used for debugging and monitoring, but its absence does not cause the replication task to fail with a transaction log error; the error message specifically points to a log read issue, not a missing log configuration. Option C is wrong because while a primary key is recommended for target tables in DMS tasks to support ongoing replication, its absence would cause a different error (e.g., 'No primary key defined') and not a transaction log failure. Option D is wrong because full LOB mode is supported for Redshift targets in DMS; the error is unrelated to LOB handling and instead points to a source-side transaction log problem.

1255
Matchingmedium

Match each AWS database service to its characteristic.



MySQL/PostgreSQL-compatible with high availability

Fully managed NoSQL key-value and document database

Petabyte-scale data warehouse for analytics

In-memory caching with Redis or Memcached

Managed relational database for multiple engines

Why these pairings

AWS offers specialized database services for various workloads.

1256
MCQmedium

A company runs a web application on EC2 instances behind an ALB. Users report intermittent 503 errors during peak hours. The metrics show the target group's healthy host count drops to zero periodically. What is the most likely cause?

A.The ALB's idle timeout is set too low.
B.The security group for the EC2 instances does not allow inbound traffic from the ALB.
C.The EC2 instances are in an Auto Scaling group with insufficient capacity.
D.The health check path is misconfigured and returns HTTP 404.
AnswerD

A 404 response causes the ALB to mark the instance as unhealthy, reducing the healthy host count.

Why this answer

The ALB sends requests to targets based on health checks. If the health check path returns a non-200 status, the target is marked unhealthy. A misconfigured health check path (e.g., pointing to a non-existent endpoint) can cause all instances to be marked unhealthy, leading to 503 errors.

Option D is correct because it directly affects health check status. Options A, B, and C would not cause the healthy host count to drop to zero.

1257
MCQeasy

A company wants to implement a data lake on AWS with data from multiple sources. They need to store data in its raw format and allow multiple teams to query it using different tools. Which service should be used as the central storage layer?

A.Amazon DynamoDB
B.Amazon Redshift
C.Amazon S3
D.Amazon RDS
AnswerC

S3 is the foundational storage service for data lakes.

Why this answer

Amazon S3 is the correct choice because it provides a highly durable, scalable, and cost-effective object storage service that can store data in its raw, native format (e.g., CSV, JSON, Parquet, images). It supports multiple query engines like Amazon Athena, Amazon Redshift Spectrum, and AWS Glue, allowing diverse teams to query the same data using different tools without data movement.

Exam trap

The trap here is that candidates often confuse a data lake's raw storage layer with a data warehouse (Redshift) or a transactional database (RDS, DynamoDB), failing to recognize that a data lake requires schema-on-read, object storage, and multi-engine query support, which only S3 provides.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database designed for low-latency, transactional workloads, not for storing raw, schema-less data lake files or supporting SQL-based analytics at scale. Option B is wrong because Amazon Redshift is a petabyte-scale data warehouse that requires data to be loaded and transformed into a structured, columnar format; it is not designed to store raw, unprocessed data from multiple sources. Option D is wrong because Amazon RDS is a relational database service that enforces a fixed schema and is optimized for OLTP workloads, making it unsuitable for storing diverse raw data formats and supporting ad-hoc queries from multiple analytics tools.

1258
MCQmedium

A company is designing a multi-tier web application on AWS. The application must be highly available and scale automatically based on traffic. The web tier runs on Amazon EC2 instances behind an Application Load Balancer. The application tier also uses EC2 instances. Which solution meets these requirements with the LEAST operational overhead?

A.Use Amazon ECS with Fargate for both tiers, with an Application Load Balancer.
B.Use AWS Global Accelerator with a single Auto Scaling group for both tiers.
C.Use Network Load Balancer with Auto Scaling groups for both tiers.
D.Use Auto Scaling groups for both web and application tiers, and route traffic through an Application Load Balancer.
AnswerD

Auto Scaling groups provide automatic scaling and health checks, ALB distributes traffic, low overhead.

Why this answer

Option D is correct because using Auto Scaling groups for both tiers and an ALB provides automatic scaling and high availability with minimal operational overhead. Option B is incorrect because AWS Global Accelerator does not provide automatic scaling of instances. Option A is incorrect because Amazon ECS adds container orchestration overhead.

Option C is incorrect because a Network Load Balancer is not ideal for HTTP traffic and does not provide automatic scaling.

1259
MCQmedium

A company is setting up AWS DMS to migrate a database. The trust policy above is attached to the IAM role used by DMS. When testing the connection, DMS reports an authentication error. What is the most likely cause?

A.The trust policy is missing a condition for the DMS replication instance.
B.The service principal should be dms.amazonaws.com, but it is misspelled.
C.The trust policy is missing a region-specific condition.
D.The trust policy is correct, but the permissions policy attached to the role does not allow DMS to perform the necessary actions on the source and target databases.
AnswerD

The trust policy allows DMS to assume the role, but the role's permissions policy must grant access to the databases.

Why this answer

Option D is correct. The trust policy in the exhibit is valid: it names the dms.amazonaws.com service principal, allows the sts:AssumeRole action, and its condition restricts the principal to the source account. DMS can therefore assume the role, so the error is not caused by the trust policy; it comes from the permissions policy attached to the role, which does not grant the actions DMS needs on the source and target databases.

Option A is wrong because no condition for the DMS replication instance is required in a trust policy. Option B is wrong because the exhibit shows the service principal spelled correctly as dms.amazonaws.com. Option C is wrong because a region-specific condition is not required.

1260
MCQhard

A company has a centralized logging account and multiple application accounts. Each application account sends CloudWatch Logs to a cross-account log group in the logging account. The security team wants to ensure that logs are encrypted at rest using a KMS key that only the logging account can manage. Which configuration is required?

A.Use S3 replication with SSE-KMS to copy logs from source accounts to the logging account.
B.Create a cross-account destination in the logging account, configure subscription filters in source accounts, and attach a KMS key policy that allows CloudWatch Logs in source accounts to use the key.
C.Create a cross-account destination in each source account and attach a resource policy that grants the logging account permission to write.
D.Use the default AWS-managed KMS key for CloudWatch Logs in each source account.
AnswerB

This enables cross-account log delivery with customer-managed KMS encryption.

Why this answer

Option B is correct because each source account must have a subscription filter that sends logs to the cross-account destination, and the destination's access policy must allow the source accounts to write. Additionally, the KMS key policy must grant the CloudWatch Logs service principal in the source accounts permission to use the key. Option D is wrong because using the default CloudWatch Logs encryption key does not provide customer-managed encryption.

Option C is wrong because the destination belongs in the logging account, not in the source accounts. Option A is wrong because S3 is not used.

1261
Drag & Dropmedium

Drag and drop the steps to troubleshoot an EC2 instance that is unreachable via SSH in the correct order.



Why this order

Start with security groups, then network ACLs, then public IP, then system status, and finally console output.

1262
MCQhard

A company is monitoring a Lambda function named my-function. The function has an alias 'prod' that points to version 1. The above CLI output shows two metrics for the Errors metric. What is the likely reason for two metrics?

A.The function is invoked via two different triggers
B.The function is configured with two different reserved concurrency settings
C.The function has two versions: $LATEST and version 1
D.The function is deployed in two different regions
AnswerC

Each version has its own metric.

Why this answer

The CLI output shows two metrics for the Errors metric because the function has two versions: $LATEST (the unpublished, mutable version) and version 1 (the published, immutable version). The alias 'prod' points to version 1, but CloudWatch metrics are emitted per version, so both $LATEST and version 1 generate separate error metric streams. This is why two distinct data points appear for the same metric name.

Exam trap

The trap here is that candidates assume the alias 'prod' consolidates all metrics into a single stream, but AWS CloudWatch emits separate metric dimensions for each version, even when an alias points to a specific version, causing two distinct error metric lines.

How to eliminate wrong answers

Option A is wrong because multiple triggers (e.g., S3, API Gateway) would invoke the same function version, not create separate metric streams; CloudWatch aggregates errors per version, not per trigger. Option B is wrong because reserved concurrency settings affect throttling behavior, not the number of metric streams; they do not create separate error metrics. Option D is wrong because the function is deployed in a single region (implied by the CLI output), and cross-region deployments would require separate function ARNs and would not appear as two metrics under the same function name in a single region's CloudWatch console.

1263
Multi-Selectmedium

A company is designing a new event-driven architecture using AWS services. The system must process events from multiple sources, filter and route events to different consumers, and ensure that events are processed exactly once. Which THREE services should be used to build this architecture? (Choose three.)

Select 3 answers
A.Amazon Kinesis Data Firehose to deliver events to destinations.
B.AWS Lambda functions to consume events from queues and process them.
C.AWS AppSync to provide real-time subscriptions for events.
D.Amazon SQS FIFO queues to ensure exactly-once processing.
E.Amazon EventBridge to ingest events and route them based on rules.
AnswersB, D, E

Lambda can poll SQS queues and process events.

Why this answer

AWS Lambda functions are correct because they can be triggered by Amazon SQS FIFO queues to process messages one at a time, preserving the order and enabling idempotent processing. Lambda integrates natively with SQS, automatically scaling the number of concurrent executions based on the queue depth, which supports the exactly-once processing requirement when combined with FIFO queues.

Exam trap

The trap here is that candidates often confuse Amazon Kinesis Data Firehose with Amazon Kinesis Data Streams, assuming Firehose supports exactly-once processing, but Firehose only provides at-least-once delivery and lacks the FIFO ordering and deduplication capabilities required for this use case.

1264
Multi-Selectmedium

A company is designing a disaster recovery (DR) strategy for a critical application. The application runs on EC2 instances in a single AWS Region. The company needs a Recovery Time Objective (RTO) of 2 hours and a Recovery Point Objective (RPO) of 15 minutes. Which TWO strategies meet these requirements? (Choose TWO.)

Select 2 answers
A.Use S3 Cross-Region Replication for application data and launch EC2 instances from AMIs copied to the secondary Region
B.Take hourly snapshots of EBS volumes and copy them to another Region; use AWS CloudFormation to launch instances from the snapshots
C.Use Amazon Aurora Global Database for the database and deploy EC2 instances with an Application Load Balancer that has cross-Region load balancing enabled
D.Use Amazon DynamoDB global tables for the database and deploy EC2 instances in a warm standby configuration in another Region
E.Configure an Active-Passive failover using Route 53 with health checks within the same Region
AnswersC, D

Aurora Global Database provides replication with RPO of seconds, and cross-Region ALB can redirect traffic to warm standby instances.

Why this answer

Options C and D are correct. Multi-Region replication with Aurora Global Database provides fast failover and an RPO of seconds, and an Application Load Balancer with cross-Region load balancing can route traffic to a warm standby in another Region. Option B (hourly snapshots copied to another Region) may exceed the 15-minute RPO.

Option E (single Region) does not provide DR. Option A (S3 Cross-Region Replication) is for S3 objects, not EC2 instance state.

1265
Multi-Selecthard

A company runs a containerized microservices application on Amazon EKS. The operations team notices that some pods are frequently being evicted due to resource constraints. The team wants to improve resource utilization and reduce evictions. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A.Configure Horizontal Pod Autoscaler based on CPU and memory utilization.
B.Increase the resource requests for all pods to ensure they have enough resources.
C.Set resource quotas per namespace to limit resource consumption.
D.Enable Cluster Autoscaler to add more worker nodes.
E.Use Vertical Pod Autoscaler to automatically adjust pod resource requests.
AnswersA, C

Scales pods to handle load.

Why this answer

Options A and C are correct. Resource quotas prevent a single namespace from consuming all resources. Horizontal Pod Autoscaler automatically scales pods based on resource usage.

Option E is wrong because Vertical Pod Autoscaler adjusts resource requests but can cause pod restarts. Option D is wrong because Cluster Autoscaler adds nodes rather than reducing evictions caused by pod-level constraints. Option B is wrong because increasing requests may lead to over-provisioning.

1266
MCQmedium

A company is deploying a new microservices application on Amazon ECS using Fargate. The application consists of several services that need to communicate with each other. The company wants to use service discovery so that services can find each other by name. Additionally, the company needs to ensure that traffic between services is encrypted in transit. The security team requires that all inter-service traffic uses TLS. Which combination of services should be used to meet these requirements?

A.Use AWS Cloud Map for service discovery and an Application Load Balancer for inter-service communication with TLS termination.
B.Use the built-in service discovery in Amazon ECS and encrypt traffic using AWS Certificate Manager (ACM) certificates.
C.Use an Application Load Balancer with target groups for each service and enable TLS on the load balancer.
D.Use AWS Cloud Map for service discovery and AWS App Mesh with TLS enforcement for inter-service communication.
AnswerD

Cloud Map provides DNS-based service discovery; App Mesh enables mTLS between services.

Why this answer

Option D is correct because AWS Cloud Map provides service discovery and AWS App Mesh can enforce TLS encryption for inter-service traffic. Option A: service discovery via Cloud Map works, but an ALB is for external traffic, not inter-service mTLS. Option B: service discovery is not provided by default in ECS; you need Cloud Map.

Option C: an ALB can route traffic but does not provide service discovery by service name.

1267
MCQmedium

A company is running a stateful web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session data locally on the instance. The company wants to make the application highly available and fault-tolerant without rewriting the application code. What should the solutions architect do?

A.Replace the ALB with a Network Load Balancer (NLB) and enable cross-zone load balancing.
B.Move session state to Amazon ElastiCache and configure the ALB to use sticky sessions.
C.Configure the ALB with sticky sessions (session affinity) and use a custom cookie.
D.Use an Auto Scaling group to add more instances and distribute load.
AnswerC

Sticky sessions bind a user to a specific instance, preserving local state without code changes.

Why this answer

Option C is correct. By using an ALB with sticky sessions (session affinity), requests from the same user go to the same instance, preserving local session state. Option B is incorrect because moving session state to ElastiCache would require code changes.

Option A is incorrect because a Network Load Balancer does not support sticky sessions by default and also does not solve the state issue. Option D is incorrect because Auto Scaling would terminate instances, losing session data.

1268
Multi-Selectmedium

A company is designing a new data lake on Amazon S3. They need to ensure that data is encrypted at rest and that access is audited. Which services should they use? (Choose TWO.)

Select 2 answers
A.Amazon Macie
B.Amazon GuardDuty
C.AWS KMS
D.AWS Config
E.AWS CloudTrail
AnswersC, E

Manages encryption keys for S3.

Why this answer

AWS KMS provides encryption keys, and AWS CloudTrail logs API calls for auditing. Option B (Amazon GuardDuty) is for threat detection, Option A (Amazon Macie) is for sensitive data discovery, and Option D (AWS Config) is for resource configuration tracking.

1269
MCQmedium

A Lambda function's logs are being retained for 30 days. The company wants to reduce costs by deleting logs older than 7 days. What should they do?

A.Export the logs to S3 and delete the log group.
B.Use the put-retention-policy command to set retentionInDays to 7.
C.Configure an S3 Lifecycle policy on the log group's underlying storage.
D.Create a CloudTrail trail to capture log events and expire them after 7 days.
AnswerB

This command directly sets the log group's retention period.

Why this answer

The exhibit shows the log group has a retention policy of 30 days. To change it to 7 days, use the put-retention-policy CLI command. Option B is correct.

Option D (CloudTrail) is for API logs. Option C (S3 lifecycle) is for objects, not CloudWatch Logs. Option A (export to S3) is for archival, not deletion.

1270
MCQmedium

A company uses AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required to set this up?

A.Use the management account to designate the member account as a delegated administrator for IAM Identity Center.
B.Enable AWS Organizations and create an admin role in the member account.
C.Create a new OU for the delegated administrator account.
D.Attach an SCP to allow IAM Identity Center actions in the member account.
AnswerA

This is the standard AWS procedure.

Why this answer

To delegate administration of IAM Identity Center to a member account, you must use the AWS Organizations management account to register that member account as a delegated administrator for IAM Identity Center. This is done via the AWS Organizations console or API (RegisterDelegatedAdministrator), which grants the member account the necessary permissions to manage IAM Identity Center settings, users, and groups without requiring full management account access. Only the management account can designate delegated administrators, and this action is specific to IAM Identity Center within AWS Organizations.

Exam trap

The trap here is that candidates often confuse generic cross-account role delegation (like creating an IAM role in a member account) with the specific AWS Organizations delegated administrator feature, which requires explicit registration from the management account and is not achieved by simply creating roles or policies.

How to eliminate wrong answers

Option B is wrong because enabling AWS Organizations and creating an admin role in the member account is a generic step for cross-account access, but it does not specifically delegate IAM Identity Center administration; delegated administration requires explicit registration via the management account, not just role creation. Option C is wrong because creating a new OU for the delegated administrator account is not required; delegated administrators can be any member account in any OU, and OUs are for organizational structure and policy application, not for enabling delegation. Option D is wrong because attaching an SCP to allow IAM Identity Center actions in the member account is unnecessary and incorrect; SCPs are used to restrict permissions, not to grant them, and delegation is controlled by the management account's registration, not by SCPs.

1271
MCQhard

A company is migrating a legacy .NET application to AWS. The application uses Windows authentication and has a dependency on a local file system. The company wants to minimize code changes. Which combination of services should be used?

A.Amazon EC2 Windows instances with Amazon EFS
B.AWS Elastic Beanstalk with Amazon EFS
C.Amazon Lightsail with local instance storage
D.Amazon EC2 Windows instances with Amazon FSx for Windows File Server
AnswerD

Provides native Windows environment and SMB file sharing with minimal changes.

Why this answer

Option D is correct because Amazon EC2 Windows with FSx for Windows File Server provides a native Windows environment and shared file storage. Option B is wrong because Elastic Beanstalk does not support Windows authentication easily. Option C is wrong because Lightsail has limitations for complex scenarios.

Option A is wrong because EFS does not support Windows SMB natively.

1272
MCQhard

A company runs a critical web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application stores session state in an Amazon ElastiCache for Redis cluster. Recently, the operations team noticed that during traffic spikes, the ALB returns 5xx errors and the application becomes slow. CloudWatch metrics show that the Redis cluster's CPU utilization reaches 100% and memory usage is high. The Auto Scaling group scales out, but the new instances take several minutes to warm up and become healthy. The company needs to improve the application's ability to handle traffic spikes with minimal impact on performance. Which solution should the company implement?

A.Configure ElastiCache Auto Scaling to automatically add nodes when CPU utilization exceeds 75%.
B.Enable cluster mode for the Redis cluster and add more shards.
C.Enable Multi-AZ replication for the Redis cluster.
D.Increase the instance size of the Redis cluster to a larger node type.
AnswerB

Cluster mode distributes data and load across multiple shards, increasing CPU and memory capacity.

Why this answer

Enabling cluster mode for the Redis cluster and adding more shards horizontally partitions the data across multiple nodes, distributing both CPU and memory load. This directly addresses the 100% CPU and high memory utilization during traffic spikes, allowing the cluster to handle more concurrent requests without performance degradation. Cluster mode also provides linear scalability, which is essential for a critical web application experiencing variable traffic.

Exam trap

The trap here is that candidates often confuse vertical scaling (increasing instance size) with horizontal scaling (adding shards), and fail to recognize that cluster mode is the only option that distributes both CPU and memory load across multiple nodes, which is necessary when a single node reaches 100% CPU utilization.

How to eliminate wrong answers

Option A is wrong because ElastiCache Auto Scaling is not a native feature; it requires custom automation using CloudWatch alarms and Lambda, and even then it adds nodes reactively, not proactively preventing the latency and 5xx errors during spikes. Option C is wrong because Multi-AZ replication provides high availability and failover, but it does not distribute read/write load or reduce CPU/memory pressure on the primary node. Option D is wrong because increasing the instance size (vertical scaling) has a hard limit based on the largest available node type and can still be overwhelmed during extreme spikes, whereas horizontal scaling with cluster mode offers near-unlimited scalability.

1273
MCQmedium

A company is migrating a legacy on-premises application to AWS. The application requires a shared file system that supports the NFS protocol and must be accessible from multiple EC2 instances across different Availability Zones. The file system must provide high durability and low latency. The company also needs to control access to the file system using IAM policies. The solutions architect needs to choose the appropriate AWS storage service. Which service should the architect use?

A.Amazon S3 with S3 File Gateway to present as a file system.
B.Amazon EBS with a Provisioned IOPS volume type, mounted on multiple instances using a cluster file system.
C.Amazon EFS with IAM authorization.
D.Amazon FSx for Lustre with a persistent deployment type.
AnswerC

EFS provides NFS access across AZs and supports IAM policies for access control.

Why this answer

Amazon EFS is a fully managed NFS file system that is accessible across AZs, supports IAM policies for access control, and provides high durability and low latency. Option C is correct. Option B is wrong because EBS volumes can only be attached to a single instance in one AZ.

Option A is wrong because S3 is object storage, not a file system. Option D is wrong because FSx for Lustre is designed for high-performance computing, not general NFS.

1274
Multi-Selecthard

A company is building a serverless application using AWS Lambda and Amazon DynamoDB. They need to ensure that the application can handle a sudden increase in traffic without losing any data or causing errors. Which THREE strategies should they implement?

Select 3 answers
A.Use DynamoDB on-demand capacity mode.
B.Decouple the application with Amazon SQS.
C.Enable DynamoDB auto scaling.
D.Use DynamoDB Accelerator (DAX) for caching.
E.Configure Lambda reserved concurrency.
AnswersA, C, E

On-demand handles unpredictable traffic without capacity planning.

Why this answer

Option C (DynamoDB auto scaling) handles throughput spikes. Option E (Lambda reserved concurrency) prevents throttling. Option A (DynamoDB on-demand capacity) handles unpredictable traffic.

Option D (DAX) improves read performance but not write scaling. Option B (SQS) would decouple the application but adds complexity.

1275
MCQeasy

A company wants to centralize management of Amazon EC2 instances across multiple accounts using AWS Systems Manager. The company uses AWS Organizations. What is the simplest way to enable Systems Manager to manage instances in all accounts?

A.Use AWS Config to aggregate configuration data
B.Use Systems Manager Automation runbooks in each account
C.Use Systems Manager Explorer with multi-account management
D.Use CloudFormation StackSets to deploy Systems Manager agents
AnswerC

Explorer provides a single pane of glass for all accounts in the organization.

Why this answer

Option C is correct because Systems Manager Explorer provides a centralized view of operational data across accounts. Option B is wrong because Systems Manager Automation runbooks are for automation, not centralized management. Option A is wrong because AWS Config is for compliance, not management.

Option D is wrong because CloudFormation is for infrastructure deployment.
