AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 1351–1425

1746 questions total · 24 pages · All types, answers revealed

Page 19 of 24
1351
Multi-Select · medium

A company is designing a new serverless application using AWS Lambda. The application must process files uploaded to an S3 bucket. Each file can be up to 1 GB in size. The processing time for each file is expected to be up to 15 minutes. The company wants to minimize cost and operational overhead. Which TWO configuration choices should the company make? (Choose TWO.)

Select 2 answers
A. Mount an Amazon EFS file system to the Lambda function for temporary storage.
B. Use S3 event notifications to send the file content directly to Lambda.
C. Extend the Lambda function timeout to 30 minutes.
D. Configure S3 to send event notifications to the Lambda function.
E. Set the Lambda function timeout to 15 minutes.
Answers: D, E

S3 can trigger Lambda directly via event notifications when a new object is created, which is a simple and cost-effective integration.

Why this answer

The correct answers are D and E. Option E is correct because Lambda's maximum execution timeout is 15 minutes, which meets the processing time requirement. Option D is correct because using S3 event notifications to invoke Lambda directly is a simple, cost-effective integration.

Option B is wrong because the S3 event payload delivered to Lambda is limited to 128 KB, and in any case the file itself stays in S3 and the function reads it through the S3 API, so the 1 GB file is never passed as an event payload. The event notification contains only metadata. Option A is wrong because Lambda does not support mounting EFS by default in all regions; it requires a VPC configuration and is not needed here.

Option C is wrong because extending the Lambda timeout to 30 minutes is not possible; the maximum is 15 minutes.
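As an added illustration of the point made about option B (this is example code, not code from the original page): the S3 event notification that invokes the function carries only the bucket name, object key and size, so the handler below fetches the object itself from S3 and streams it in chunks rather than expecting the content in the event. The event, bucket and key names are constructed samples; `FakeS3Client` is a stand-in for boto3's S3 client so the code runs offline, and `lambda_handler`, `parse_s3_event` and `process_object` are names chosen for this example.

```python
"""Lambda handler for S3 "object created" notifications (added example)."""
import hashlib
import io
import json
from urllib.parse import unquote_plus

CHUNK_SIZE = 8 * 1024 * 1024  # 8 MiB: the object is streamed, never loaded whole


def parse_s3_event(event):
    """Yield (bucket, key, size) for each record in an S3 event notification.

    The notification carries only object metadata, never the object body,
    which is why a 1 GB upload can still trigger the function.
    """
    for record in event.get("Records", []):
        s3 = record["s3"]
        # Keys arrive URL-encoded in the notification (a space becomes '+').
        key = unquote_plus(s3["object"]["key"])
        yield s3["bucket"]["name"], key, s3["object"].get("size", 0)


def process_object(s3_client, bucket, key):
    """Stream the object from S3 in chunks; return (bytes_read, sha256 hex)."""
    body = s3_client.get_object(Bucket=bucket, Key=key)["Body"]
    digest = hashlib.sha256()
    total = 0
    while True:
        chunk = body.read(CHUNK_SIZE)
        if not chunk:
            break
        digest.update(chunk)
        total += len(chunk)
    return total, digest.hexdigest()


def lambda_handler(event, context, s3_client=None):
    """Entry point. s3_client is injected so the handler can run offline;
    in a deployed function it would be boto3.client("s3")."""
    if s3_client is None:
        import boto3  # only needed when actually running inside Lambda
        s3_client = boto3.client("s3")
    results = []
    for bucket, key, size in parse_s3_event(event):
        bytes_read, sha256 = process_object(s3_client, bucket, key)
        results.append({"bucket": bucket, "key": key, "declared_size": size,
                        "bytes_read": bytes_read, "sha256": sha256})
    return {"processed": results}


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client, for offline runs only."""

    def __init__(self, objects):
        self._objects = objects

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self._objects[(Bucket, Key)])}


# Constructed sample event in the shape S3 sends to Lambda, trimmed to the
# fields used here; the bucket and key names are placeholders.
SAMPLE_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": "example-upload-bucket"},
            "object": {"key": "incoming/report+2024.csv", "size": 11},
        },
    }]
}
SAMPLE_OBJECTS = {("example-upload-bucket", "incoming/report 2024.csv"): b"hello world"}

if __name__ == "__main__":
    client = FakeS3Client(SAMPLE_OBJECTS)
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, client), indent=2))
```

Because the body is read in fixed-size chunks, memory use stays flat regardless of object size; the only limit that matters for a 1 GB file is the 15-minute function timeout.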

1352
MCQ · hard

A company uses AWS Organizations with 50 accounts. The network team wants to centrally manage VPC flow logs for all accounts, storing them in a central S3 bucket in the security account. The flow logs must be encrypted with a KMS key managed by the security account. What is the MOST efficient way to configure this?

A. Manually create VPC flow logs in each account and point to the central S3 bucket
B. Use AWS CloudFormation StackSets to deploy a stack that creates VPC flow logs with the required configuration in all accounts
C. Use AWS Config rules to enforce flow log creation across accounts
D. Use AWS Systems Manager Automation to create flow logs in each account
Answer: B

StackSets can deploy the same template across multiple accounts and regions, ensuring consistent configuration.

Why this answer

Option B is correct because CloudFormation StackSets can deploy the required resources across all accounts efficiently. Option A is wrong because manually configuring each account is not efficient. Option C is wrong because AWS Config can detect but not deploy.

Option D is wrong because SSM Automation documents run per account and require additional setup.

1353
Multi-Select · medium

A company has a stateful web application running on Amazon EC2 instances. They want to implement blue/green deployments to reduce downtime. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A. Migrate session state to Amazon ElastiCache or DynamoDB.
B. Use an Elastic Load Balancer (ELB) to manage the blue and green environments.
C. Use Amazon Route 53 weighted routing policies to shift traffic gradually.
D. Set a high TTL on the DNS record to prevent caching issues.
E. Immediately deregister the blue instances from the load balancer after deployment.
Answers: A, C

Decoupling session state from the instances enables seamless blue/green deployments.

Why this answer

Option C is correct because a swap at the DNS level (e.g., Route 53 weighted records, or blue/green with an ALB) is key. Option A is correct because for stateful apps, migrating session state to ElastiCache or DynamoDB ensures continuity. Option B is wrong because ELB does not manage blue/green natively.

Option D is wrong because setting a high TTL delays traffic switching. Option E is wrong because deregistering instances from the old group is done after testing, not immediately.

1354
MCQ · easy

A company wants to modernize a legacy monolithic application by decomposing it into microservices. The application handles HTTP requests and uses a MySQL database. The company needs to decouple the microservices and improve scalability. Which AWS services should be used?

A. Amazon SQS for decoupling and Amazon Aurora MySQL for data.
B. Amazon S3 for decoupling and Amazon RDS for MySQL.
C. Amazon SQS for decoupling and Amazon DynamoDB for data.
D. Amazon Kinesis Data Streams for decoupling and Amazon RDS for MySQL.
Answer: A

SQS provides message queuing for decoupling; Aurora is MySQL-compatible and scalable.

Why this answer

Option A is correct because SQS decouples microservices and Aurora is a scalable MySQL-compatible database. Option B is wrong because S3 is not a queue. Option C is wrong because DynamoDB is NoSQL.

Option D is wrong because Kinesis is for real-time streaming, not decoupling.

1355
Multi-Select · easy

A company is migrating a web application to AWS and wants to use a microservices architecture. The application needs to communicate synchronously via REST APIs. Which TWO AWS services should the architect consider for implementing API communication?

Select 2 answers
A. Application Load Balancer
B. AWS Step Functions
C. Amazon API Gateway
D. AWS AppSync
E. Amazon Simple Queue Service (Amazon SQS)
Answers: A, C

ALB can route HTTP requests to different microservices based on paths.

Why this answer

Amazon API Gateway is a fully managed service for creating RESTful APIs. AWS AppSync is for GraphQL. For internal microservice communication, API Gateway is suitable.

Application Load Balancer can also route HTTP traffic to multiple services. NLB is for TCP/UDP. SQS is asynchronous.

Step Functions orchestrate workflows.

1356
MCQ · hard

A company has a monolithic application running on a single Amazon RDS for MySQL DB instance. The application is experiencing performance issues due to heavy read traffic. The company wants to implement a solution that offloads read traffic with minimal application changes. What should a solutions architect do?

A. Create a read replica of the RDS instance and modify the application connection string to use the reader endpoint.
B. Migrate the application to use Amazon DynamoDB with global tables.
C. Use Amazon RDS Multi-AZ with a standby instance for read traffic.
D. Implement Amazon ElastiCache in front of the database to cache read queries.
Answer: A

Read replicas offload read traffic and the reader endpoint distributes reads.

Why this answer

Creating a read replica of the RDS for MySQL DB instance and modifying the application connection string to use the reader endpoint offloads read traffic from the primary instance with minimal application changes. The reader endpoint automatically distributes connections across all read replicas, reducing the load on the primary instance without requiring code changes beyond updating the connection string.

Exam trap

The trap here is that candidates often confuse Multi-AZ standby instances with read replicas, not realizing that Multi-AZ standby instances are strictly for high availability and cannot serve read traffic, while read replicas are specifically designed to offload read workloads.

How to eliminate wrong answers

Option B is wrong because migrating to Amazon DynamoDB with global tables would require significant application changes to adapt from a relational to a NoSQL data model, which contradicts the requirement for minimal application changes. Option C is wrong because Amazon RDS Multi-AZ with a standby instance does not support read traffic; the standby instance is only for failover and cannot serve read requests. Option D is wrong because implementing Amazon ElastiCache would require application code changes to implement caching logic, which does not meet the minimal application changes requirement.

1357
Multi-Select · medium

A company uses AWS Control Tower to manage a multi-account environment. The security team wants to ensure that all accounts conform to a set of baseline rules, including encryption at rest for S3 buckets. Which THREE steps should the team take to implement this control? (Choose THREE.)

Select 3 answers
A. Set up an automatic remediation action using AWS Config to enable encryption on non-compliant buckets.
B. Attach an IAM policy to each account's root user.
C. Create a Service Control Policy (SCP) that denies creating S3 buckets without encryption.
D. Define an AWS Config rule to check that S3 buckets have encryption enabled.
E. Enable AWS CloudTrail to log all S3 API calls.
Answers: A, C, D

Remediation can auto-fix violations detected by Config rules.

Why this answer

Option C is correct because SCPs can enforce encryption. Option D is correct because Config rules detect non-compliance. Option A is correct because remediation actions can auto-fix violations.

Option B is wrong because IAM policies are not preventive at the OU level. Option E is wrong because CloudTrail trails are for logging, not enforcement.

1358
Multi-Select · medium

A company uses AWS CloudFormation to manage infrastructure. A recent update to a stack failed, and the stack is now in a ROLLBACK_COMPLETE state. The team needs to investigate the cause and then redeploy the update. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A. View the stack events in the CloudFormation console.
B. Review the previous stack template version.
C. Create a ChangeSet to review the proposed changes before applying.
D. Use AWS CloudFormation StackSets to redeploy across accounts.
E. Execute a rollback to continue the rollback process.
Answers: A, C

Stack events provide error messages that indicate the cause of failure.

Why this answer

Options A and C are correct. Option A: viewing stack events shows detailed error messages for each resource. Option C: using ChangeSets allows previewing changes before applying.

Option E is wrong because the stack is in ROLLBACK_COMPLETE, not UPDATE_ROLLBACK_FAILED. Option D is wrong because StackSets manage multiple accounts, not single-stack debugging. Option B is wrong because the template is already in use; reviewing the previous version is not directly helpful.

1359
MCQ · easy

A company has a central IT team that manages multiple AWS accounts. The team wants to allow developers to create resources in their own accounts but wants to restrict the use of certain expensive services like Amazon Redshift. The developers should not be able to launch Redshift clusters in any account. What is the MOST efficient way to achieve this?

A. Apply an SCP that denies redshift:CreateCluster to the organizational unit containing the developer accounts.
B. Use AWS CloudTrail to monitor cluster creation and alert the security team.
C. Create an IAM policy that denies redshift:CreateCluster and attach it to the developers' IAM groups in each account.
D. Use AWS Config rules to detect Redshift cluster creation and automatically delete them.
Answer: A

SCPs provide centralized control across accounts.

Why this answer

Option A is correct because SCPs can deny the redshift:CreateCluster action across all accounts in the organization. Option C is wrong because IAM policies in each account require manual setup. Option D is wrong because AWS Config cannot deny actions.

Option B is wrong because CloudTrail does not prevent actions.

1360
MCQ · hard

A global company uses AWS Organizations with hundreds of accounts. The security team requires that all S3 buckets across the organization block public access. They want to enforce this policy without modifying existing bucket policies. Which solution should they use?

A. Use AWS CloudTrail to monitor for public bucket creation and alert the security team.
B. Create a service control policy (SCP) that denies s3:PutBucketPolicy for any bucket that allows public access.
C. Use AWS Config rules to detect public buckets and auto-remediate with a Lambda function.
D. Create an SCP that denies s3:PutAccountPublicAccessBlock and s3:DeleteAccountPublicAccessBlock, and enable S3 Block Public Access at the account level via a custom resource in each account.
Answer: D

This enforces that account-level block public access settings cannot be changed, effectively blocking all public access.

Why this answer

Option D is correct because S3 Block Public Access settings at the account level override bucket-level policies and can be enforced organization-wide via a service control policy (SCP) that denies the ability to disable or delete those settings. By using a custom resource (e.g., AWS CloudFormation) to enable S3 Block Public Access at the account level in each account, and an SCP to prevent any account from modifying those settings, the security team ensures all buckets in the organization block public access without needing to modify existing bucket policies.

Exam trap

The trap here is that candidates often confuse reactive detection (AWS Config) or partial policy restrictions (denying s3:PutBucketPolicy) with the comprehensive, preventive account-level block that SCPs can enforce, missing that S3 Block Public Access at the account level is the only way to block all public access without touching existing bucket policies.

How to eliminate wrong answers

Option A is wrong because CloudTrail only provides logging and alerting; it does not enforce or prevent public access, so it fails to meet the requirement to block public access without modifying bucket policies. Option B is wrong because denying s3:PutBucketPolicy does not block public access via bucket ACLs or object-level permissions; it only prevents policy changes, leaving other public access vectors open. Option C is wrong because AWS Config rules with auto-remediation via Lambda can detect and fix public buckets, but this is a reactive approach that may have a delay and does not proactively block public access at the account level as required.

1361
MCQ · easy

A Solutions Architect is reviewing the CloudFormation template snippet shown in the exhibit. What will happen when this template is deployed?

A. The template will create an S3 bucket with versioning enabled.
B. The template will create an S3 bucket with a random name.
C. The template will fail because the bucket name is not globally unique.
D. The template will create an S3 bucket with versioning disabled.
Answer: A

The template creates a bucket with versioning enabled.

Why this answer

The template creates an S3 bucket with versioning enabled. The bucket name is specified, and versioning is enabled via the VersioningConfiguration property.

1362
MCQ · easy

A company uses AWS Organizations with multiple OUs. The security team wants to enforce that no resources can be created outside of approved AWS Regions. Which policy should be used, and how should it be attached?

A. Create a resource-based policy on each resource type that denies creation in unapproved Regions.
B. Create a service control policy (SCP) that denies actions in unapproved Regions. Attach it to the root or OUs.
C. Create an IAM policy that denies actions in unapproved Regions. Attach it to all IAM users and roles.
D. Enable AWS CloudTrail to log resource creation and set up a CloudWatch alarm to notify if resources are created in unapproved Regions.
Answer: B

SCPs provide centralized control over maximum permissions for accounts in an organization.

Why this answer

Option B is correct because SCPs can be attached to the root or OUs to deny actions in unapproved Regions. Option C is wrong because IAM policies can be attached to users and roles but not to OUs. Option A is wrong because resource-based policies are attached to individual resources.

Option D is wrong because CloudTrail trails only log events, not enforce policies.

1363
MCQ · medium

A company runs a containerized application on Amazon ECS with Fargate. The application uses an Application Load Balancer (ALB) to distribute traffic. The company has configured a target tracking scaling policy based on average memory utilization. During a traffic spike, the ECS service scales out, but the new tasks are immediately deregistered and replaced. The CloudWatch logs show that the new tasks are failing the ALB health check. The health check is configured to ping the '/health' endpoint on the container. The solutions architect verifies that the application container correctly responds to the '/health' endpoint with a 200 status code. What is the MOST likely cause of the health check failures?

A. The ALB is not configured with a proper listener rule to forward traffic to the target group.
B. The security group attached to the ECS tasks does not allow inbound traffic from the ALB on the health check port.
C. The deregistration delay (connection draining) is set too high, causing the ALB to think the tasks are unhealthy.
D. The health check path is incorrect; it should be '/index.html' instead of '/health'.
Answer: B

Without inbound rules allowing traffic from the ALB, health checks will fail.

Why this answer

Option B is correct. When using Fargate, each task gets its own ENI. If the security group for the tasks does not allow inbound traffic from the ALB on the health check port, the health check will fail.

The architect confirmed the application responds correctly, so the issue is likely network connectivity. Option D is wrong because the health check path is correct. Option C is wrong because the target group deregistration delay does not cause health check failures.

Option A is wrong because the ALB is already configured correctly; the issue is at the task level.

1364
Multi-Select · easy

A global e-commerce company is migrating its on-premises application to AWS. The application uses Active Directory for authentication and requires integration with AWS Managed Microsoft AD. The company has a multi-account strategy using AWS Organizations. Which TWO steps should the solutions architect take to ensure seamless authentication across the organization?

Select 2 answers
A. Configure an IAM identity provider to use the on-premises Active Directory.
B. Establish a two-way forest trust between the on-premises Active Directory and AWS Managed Microsoft AD.
C. Store AD credentials in AWS Systems Manager Parameter Store and retrieve them at runtime.
D. Use AWS Resource Access Manager to share the AWS Managed Microsoft AD directory with other accounts in the organization.
E. Deploy AWS Managed Microsoft AD in each account and configure replication.
Answers: B, D

This enables users to authenticate with their existing credentials.

Why this answer

Option B is correct because establishing a two-way forest trust between on-premises Active Directory and AWS Managed Microsoft AD allows users authenticated by the on-premises AD to access resources in the AWS cloud without needing separate credentials. This trust enables Kerberos and NTLM authentication to flow seamlessly between the two forests, supporting the company's requirement for integration with AWS Managed Microsoft AD.

Exam trap

The trap here is that candidates often confuse IAM identity providers (Option A) with Active Directory trust relationships, or they incorrectly assume that storing credentials in Parameter Store (Option C) is a valid authentication strategy for directory integration, when in fact the correct approach is to establish a forest trust and share the directory via RAM.

1365
MCQ · medium

A company is designing a new application that will store sensitive user data in Amazon S3. Compliance requirements mandate that all data must be encrypted at rest using a key that is managed by the company and rotated automatically every year. Which solution meets these requirements?

A. Use S3 server-side encryption with AWS KMS customer managed keys (SSE-KMS) and enable automatic key rotation.
B. Use client-side encryption with the AWS SDK.
C. Use S3 server-side encryption with customer-provided keys (SSE-C).
D. Use S3 server-side encryption with S3 managed keys (SSE-S3).
Answer: A

Customer managed keys can be rotated automatically yearly.

Why this answer

SSE-KMS with a customer managed key (CMK) allows the company to control the key and enable automatic yearly rotation (option A). Option D (SSE-S3) uses AWS-managed keys. Option C (SSE-C) requires the company to manage keys outside AWS.

Option B (client-side encryption) requires the company to manage keys on the client side.

1366
Multi-Select · hard

A company is building a data analytics pipeline. Raw data is ingested into an Amazon S3 bucket. The data must be transformed and loaded into Amazon Redshift for analysis. The pipeline must handle late-arriving data and ensure data consistency. Which THREE AWS services should the company use?

Select 3 answers
A. Amazon Kinesis Data Analytics
B. AWS Lambda
C. Amazon EMR
D. AWS Glue
E. Amazon Redshift
Answers: B, D, E

Lambda can trigger on S3 events for late-arriving data.

Why this answer

AWS Glue catalogs and transforms data, S3 stores raw data, and AWS Lambda can handle late-arriving data triggers. Option A (Kinesis Data Analytics) is for streaming. Option C (EMR) is for big data processing but adds complexity.

Amazon RDS is not suitable for analytics.

1367
Multi-Select · medium

A company is designing a multi-account strategy for its AWS environment. Which TWO considerations are important when using AWS Organizations?

Select 2 answers
A. Service control policies (SCPs) apply to all accounts in the organization, including the management account.
B. AWS CloudTrail can be enabled for all accounts from the management account using an organization trail.
C. Each account in an organization must have its own payment method.
D. Consolidated billing allows you to combine usage and receive volume discounts.
E. AWS Config rules cannot be applied across accounts via AWS Organizations.
Answers: B, D

An organization trail automatically logs events for all accounts.

Why this answer

Option B is correct because AWS Organizations allows you to create an organization trail in CloudTrail that logs events for all accounts within the organization from the management account. This simplifies audit and compliance by centralizing log collection without needing to configure trails individually in each member account.

Exam trap

The trap here is that candidates often assume SCPs apply to all accounts including the management account, but AWS explicitly excludes the management account from SCP effects to prevent accidental lockout of administrative access.

1368
MCQ · hard

A company uses Amazon RDS for MySQL with Multi-AZ deployment. During a recent failover, the application experienced a 5-minute downtime. The application uses a connection pool with a 30-second connection timeout. The RDS DNS name is used as the endpoint. What is the MOST likely cause of the downtime?

A. The DNS TTL for the RDS endpoint is set too high
B. The connection pool timeout is too short to allow failover
C. The Multi-AZ failover took longer than expected
D. The application is using the wrong endpoint after failover
Answer: A

High DNS TTL causes clients to cache the old IP, leading to connection failures until cache expires.

Why this answer

Option A is correct because DNS TTL caching can cause the application to resolve the old IP for the duration of the TTL, even after the DNS record is updated during failover. Option D is wrong because the RDS DNS name remains the same after failover; only the IP changes. Option B is wrong because the connection pool's 30-second connection timeout is short, but the issue is DNS caching, not the timeout.

Option C is wrong because RDS failover typically takes less than 2 minutes; the 5-minute downtime suggests DNS propagation delay.

1369
MCQ · hard

A company is migrating a legacy application to AWS. The application requires a shared file system that can be mounted by hundreds of EC2 instances across multiple Availability Zones. The file system must provide high throughput and low latency. Which storage solution meets these requirements?

A. Use Amazon EBS with a multi-attach enabled volume.
B. Use Amazon EFS with provisioned throughput.
C. Use Amazon S3 with S3 File Gateway to present as a file system.
D. Use Amazon FSx for Windows File Server with a single file system.
Answer: B

EFS provides a shared NFS file system that scales throughput and is accessible across AZs.

Why this answer

Amazon EFS is a scalable, NFS-based file system that can be mounted by many EC2 instances across AZs and provides high throughput, so option B is correct. Option C is wrong because S3 is object storage, not a file system.

Option A is wrong because EBS volumes can only be attached to a single instance in one AZ. Option D is wrong because FSx for Windows File Server is designed for Windows workloads, not general Linux file sharing.

1370
MCQ · hard

A company runs a containerized application on Amazon ECS using Fargate. The application experiences intermittent high latency during peak hours. The operations team suspects that the task placement strategy is causing resource contention. The cluster uses the default binpack strategy. What should the team do to improve performance?

A. Increase the memory and CPU for each task definition to reduce contention.
B. Increase the number of tasks to distribute the load evenly.
C. Change the task placement strategy to spread across Availability Zones.
D. Use a launch type of EC2 with GPU instances to handle the load.
Answer: C

Spread strategy distributes tasks, reducing resource contention.

Why this answer

Option C is correct because the spread strategy distributes tasks across Availability Zones, reducing contention. Option A is wrong because increasing memory doesn't address placement. Option B is wrong because more tasks could worsen contention.

Option D is wrong because GPU instances are not relevant.

1371
MCQ · easy

A company wants to migrate an on-premises relational database to Amazon RDS for MySQL with minimal downtime. The database is 500 GB in size. Which AWS service should be used for the initial data load and ongoing replication?

A. Use AWS Snowball to transfer the database files to RDS.
B. Use an RDS read replica from the on-premises database.
C. Use AWS Database Migration Service (DMS) with ongoing replication.
D. Export the database to Amazon S3 and import into RDS.
Answer: C

DMS supports full load and CDC replication with minimal downtime.

Why this answer

Option C is correct. AWS Database Migration Service (DMS) can perform a full load and then ongoing replication using change data capture (CDC) to minimize downtime. Option B is incorrect because RDS does not support native replication from on-premises.

Option D is incorrect because S3 is for storage, not database migration. Option A is incorrect because Snowball is for offline data transfer, not ongoing replication.

1372
MCQ · easy

A company is running a web application on AWS Elastic Beanstalk with an Auto Scaling group behind an Application Load Balancer. The application stores session state in an Amazon DynamoDB table. During a traffic spike, the application becomes slow and some users are logged out unexpectedly. The operations team notices that the DynamoDB table's read capacity utilization is consistently at 100%. The company needs to improve the performance of the session store without over-provisioning capacity. Which solution should be implemented?

A. Migrate the session store from DynamoDB to Amazon ElastiCache Memcached.
B. Increase the read capacity units (RCU) of the DynamoDB table to handle peak traffic.
C. Move session state to Amazon SQS and have the application poll the queue.
D. Implement Amazon DynamoDB Accelerator (DAX) as a caching layer for the session store.
Answer: D

DAX provides an in-memory cache that reduces read latency and offloads read capacity from the DynamoDB table.

Why this answer

Option D is correct because DynamoDB Accelerator (DAX) provides an in-memory cache for DynamoDB, reducing read latency and offloading read capacity without over-provisioning. Option B is wrong because increasing read capacity manually is not scalable and still may not handle spikes. Option A is wrong because ElastiCache Memcached can be used as a session store, but it requires application changes and does not directly address the DynamoDB read issue.

Option C is wrong because SQS is not a session store.

1373
Multi-Select · hard

A company uses AWS Organizations with a multi-account setup. The security team needs to ensure that all users in all accounts use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should be taken to enforce this?

Select 3 answers
A. Enable CloudTrail to log all console logins and alert if MFA is not used.
B. Use AWS IAM Identity Center (SSO) with MFA enforcement for all accounts.
C. Use AWS Config rules to detect IAM users without MFA and automatically remediate by sending notifications.
D. Use a service control policy (SCP) to require MFA on all IAM users.
E. Create an IAM policy that requires MFA for ConsoleLogin and attach it to all IAM users in each account.
Answers: B, C, E

IAM Identity Center can enforce MFA centrally for all accounts.

Why this answer

Option B is correct because AWS IAM Identity Center (SSO) allows you to centrally manage user access and enforce MFA at the identity provider level. By configuring MFA enforcement in IAM Identity Center, all users federating into any account in the organization are required to present a valid MFA token before accessing the AWS Management Console, ensuring consistent enforcement across the multi-account setup.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can enforce MFA enrollment, when in fact SCPs only deny actions based on the presence of MFA and cannot force users to configure or use MFA at login.

1374
MCQ · medium

A company is migrating a large-scale data warehouse from on-premises to Amazon Redshift. The current on-premises solution uses a proprietary columnar storage format. The company needs to minimize data transformation effort. Which approach should the company take?

A. Use the Amazon Redshift COPY command to load data directly from the on-premises storage.
B. Use AWS Glue to convert the proprietary format to Apache Parquet and load into Amazon Redshift.
C. Use AWS Database Migration Service (DMS) to migrate the data directly to Redshift.
D. Use Amazon Kinesis Data Firehose to stream the data to Redshift.
Answer: B

AWS Glue can transform data into columnar formats optimized for Redshift.

Why this answer

Option B is correct because AWS Glue can crawl the proprietary format and convert it to columnar formats like Parquet, which Redshift can load. Option A is wrong because COPY from S3 requires a supported format. Option D is wrong because Kinesis is for streaming.

Option C is wrong because DMS is for databases and may not handle proprietary storage formats.

1375
MCQ · hard

A company is modernizing a legacy application by breaking it into microservices. The application uses a shared MySQL database. The team wants to refactor the database to use Amazon DynamoDB for better scalability. Which migration strategy should be used?

A. Rehost the database to Amazon RDS
B. Use the Strangler Fig pattern to incrementally migrate data to DynamoDB
C. Replatform the database to Amazon Aurora
D. Retire the existing database and switch to DynamoDB
Answer: B

Allows gradual transition with minimal risk.

Why this answer

Option B is correct because the Strangler Fig pattern allows gradual migration of data and logic. Option D (retire) is for decommissioning. Option A (rehost) does not change the database.

Option C (replatform) may still use a relational database.

1376
MCQ · easy

A security engineer attaches this SCP to the root organizational unit. What is the result?

A. All actions are allowed only if MFA is not used.
B. Only the root user is required to use MFA.
C. All IAM users and roles must use MFA for any AWS API call.
D. All IAM users must use MFA to access the console, but API calls are not affected.
Answer: C

The SCP denies all actions if MFA is not present.

Why this answer

Option B is correct because the SCP denies all actions if MFA is not present. This effectively requires MFA for all API calls, including console login and CLI. Option A is wrong because it applies to all principals, not just IAM users.

Option C is wrong because the SCP denies, not allows. Option D is wrong because it does not require MFA for root user only; it affects all principals, except root user is not affected by SCPs.

1377
MCQ (hard)

A large financial services company uses AWS Organizations with over 200 accounts. The security team has implemented a Service Control Policy (SCP) that denies access to all services except a whitelist that includes Amazon S3, Amazon DynamoDB, AWS Lambda, and Amazon CloudWatch. Recently, the DevOps team reported that they cannot create new EC2 instances in their development account, even though the administrator explicitly attached an IAM policy allowing ec2:RunInstances. The SCP does not explicitly deny EC2. What is the most likely cause of this issue?

A. The IAM role used by the DevOps team has a trust policy that does not allow EC2 actions
B. The EC2 service has been disabled via AWS Config in that account
C. The development account is in an organizational unit (OU) with a different SCP that denies EC2
D. The SCP denies all services not explicitly allowed, and EC2 is not on the whitelist
Answer: D

SCPs that use an allow list deny all services not explicitly listed.

Why this answer

The SCP uses a deny-all approach with a whitelist of allowed services. Since EC2 is not on that whitelist, the SCP implicitly denies all EC2 actions, overriding any IAM policy that explicitly allows ec2:RunInstances. SCPs act as a guardrail that cannot be bypassed by account-level IAM policies.

Exam trap

The trap here is that candidates may think an explicit IAM allow can override an SCP, but SCPs set the maximum permissions boundary, so any action not explicitly allowed by the SCP is implicitly denied.

How to eliminate wrong answers

Option A is wrong because a trust policy controls which principals can assume a role, not the actions the role can perform; the issue is about authorization, not trust. Option B is wrong because AWS Config is a compliance and monitoring service, not a service control mechanism that can disable EC2; it cannot prevent API calls. Option C is wrong because the question states the SCP does not explicitly deny EC2, and the SCP described is the only one mentioned; while an OU-level SCP could cause this, the most direct and likely cause given the whitelist design is that EC2 is simply not allowed.

1378
Multi-Select (hard)

A company is designing a serverless data processing pipeline using AWS Lambda. The pipeline processes data from an Amazon Kinesis Data Stream. The Lambda function has a memory limit of 512 MB and a timeout of 5 minutes. The data volume is expected to increase significantly. Which TWO strategies should the company implement to improve throughput and reduce processing latency? (Choose TWO.)

Select 3 answers
A. Increase the number of shards in the Kinesis data stream
B. Increase the batch size in the event source mapping
C. Change the data source from Kinesis to an Amazon SQS queue
D. Increase the Lambda function memory to 1024 MB
E. Increase the Lambda function's reserved concurrency to a higher value
Answers: A, B, D

More shards allow more Lambda executions in parallel, improving throughput.

Why this answer

Increasing the number of shards increases parallelism. Using a larger batch size reduces the number of Lambda invocations. Option D (increase memory) may improve performance, but each invocation still processes one batch.

Option E (raising reserved concurrency) is not needed if the account limit is not hit. Option C (change to SQS) changes the architecture.

1379
MCQ (medium)

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket is used to store sensitive logs from multiple accounts in an AWS Organization. What is the primary purpose of the condition element in this policy?

A. To ensure that only requests originating from accounts within the specified organization are allowed.
B. To restrict access to only the root user of the management account.
C. To enforce that all requests are made using HTTPS.
D. To allow access only from specific IP addresses within the organization.
Answer: A

The aws:SourceOrgID condition checks the organization ID.

Why this answer

The condition element in this S3 bucket policy uses the `aws:PrincipalOrgID` condition key to restrict access to principals (users or roles) that belong to accounts within the specified AWS Organization. This ensures that only requests from accounts that are members of the organization are allowed, even if the IAM principal has explicit permissions. This is the primary purpose of the condition, as it enforces organizational boundaries for cross-account access to sensitive logs.

Exam trap

The trap here is that candidates may confuse `aws:PrincipalOrgID` with other condition keys like `aws:SourceIp` or `aws:SecureTransport`, or assume it restricts to the management account root user, when in fact it validates organization membership for any principal in the organization.

How to eliminate wrong answers

Option B is wrong because the condition does not reference the root user of the management account; it uses `aws:PrincipalOrgID` which applies to all principals in the organization, not just the root user. Option C is wrong because enforcing HTTPS is done using the `aws:SecureTransport` condition key, not `aws:PrincipalOrgID`. Option D is wrong because restricting access to specific IP addresses is achieved with the `aws:SourceIp` condition key, not `aws:PrincipalOrgID`.

1380
Multi-Select (medium)

A company is designing a new serverless application that uses AWS Lambda, Amazon DynamoDB, and Amazon API Gateway. The application must handle burst traffic and cannot lose any data. The company wants to use a dead-letter queue (DLQ) for failed Lambda invocations. Which TWO services can be used as a DLQ for Lambda? (Choose two.)

Select 2 answers
A. Amazon DynamoDB Streams
B. Amazon SNS
C. Amazon Kinesis Data Streams
D. Amazon SQS
E. Amazon Simple Email Service (SES)
Answers: B, D

Lambda can use SNS as a DLQ for asynchronous invocations.

Why this answer

Amazon SNS and Amazon SQS are the two supported destinations for Lambda's dead-letter queue (DLQ) configuration. When an asynchronous Lambda invocation fails, the event can be redirected to an SNS topic or an SQS queue for later reprocessing or analysis. This ensures no data is lost during burst traffic, as failed events are persisted in the DLQ.

Exam trap

The trap here is that candidates often confuse Lambda's event sources (like DynamoDB Streams or Kinesis) with supported DLQ destinations, but Lambda only allows SQS and SNS as DLQ targets for asynchronous invocations.

1381
MCQ (medium)

A multinational company wants to implement a multi-account AWS environment using AWS Organizations. The security team requires that all new accounts automatically have AWS CloudTrail and AWS Config enabled with specific rules. Which solution should the company use to enforce these settings across all accounts?

A. Use AWS Organizations Service Control Policies (SCPs) to deny actions that disable CloudTrail and AWS Config.
B. Use AWS CloudFormation StackSets to deploy CloudTrail and AWS Config in each account.
C. Use IAM permissions boundaries to restrict what users can do in each account.
D. Use AWS Config conformance packs to deploy rules across accounts.
Answer: A

SCPs can enforce required services by denying disabling actions.

Why this answer

Option A is correct because Service Control Policies (SCPs) can be used to enforce that CloudTrail and Config are enabled and cannot be disabled by member accounts. Option B is wrong because CloudFormation StackSets require manual deployment to each account. Option D is wrong because AWS Config rules alone cannot enforce CloudTrail.

Option C is wrong because IAM permissions boundaries do not enforce service enablement.

1382
Multi-Select (medium)

A company is migrating a legacy e-commerce platform to AWS. The platform includes a MySQL database that experiences heavy read traffic. The company wants to improve performance and reduce latency for read operations. Which TWO actions should the solutions architect take?

Select 2 answers
A. Enable Multi-AZ on the RDS instance.
B. Shard the database across multiple RDS instances.
C. Upgrade to Provisioned IOPS for the database.
D. Add read replicas to the RDS MySQL database.
E. Use Amazon ElastiCache in front of the database.
Answers: D, E

Read replicas reduce load on the primary and improve read latency.

Why this answer

Adding read replicas offloads read traffic from the primary database, improving performance. Implementing Amazon ElastiCache for caching reduces database load for frequently accessed data. Multi-AZ is for high availability, not read performance.

Provisioned IOPS improves write performance. Sharding adds complexity and may not be necessary.

1383
MCQ (medium)

A company is designing a multi-tier web application on AWS. They want to ensure that the web tier can scale automatically based on CPU utilization. Which AWS service should they use?

A. Amazon CloudFront
B. Amazon Route 53
C. Auto Scaling groups
D. Elastic Load Balancing
Answer: C

Auto Scaling can scale EC2 instances based on metrics.

Why this answer

Option C is correct because Auto Scaling groups can automatically adjust capacity based on CloudWatch alarms. Option D is wrong because Elastic Load Balancing distributes traffic but does not scale. Option A is wrong because CloudFront is a CDN.

Option B is wrong because Route 53 is DNS.

1384
MCQ (medium)

An IAM policy condition allows launching EC2 instances only if the instance type is t2.micro or t2.small. A developer tries to launch a t2.medium instance. What happens?

A. The launch is denied only if the user does not have a separate policy allowing t2.medium.
B. The launch succeeds because the condition only allows, not denies.
C. The launch succeeds if the user has an additional Allow for t2.medium.
D. The launch is denied because t2.medium is not in the allowed list.
Answer: D

Only allowed types are permitted.

Why this answer

Option D is correct because the condition restricts the allowed instance types, so t2.medium is not allowed. Option A is incorrect because the condition is explicit. Option B is incorrect because the condition applies.

Option C is incorrect because the policy is evaluated at launch time.

1385
MCQ (easy)

A company uses AWS Organizations with multiple OUs. The DevOps team needs to allow developers to launch EC2 instances only of type t3.micro in the dev OU. Which action should the team take?

A. Create an IAM role with a policy that allows only t3.micro, and attach it to users in the dev OU.
B. Use AWS CloudFormation templates that specify t3.micro.
C. Apply a Service Control Policy (SCP) to the dev OU that denies ec2:RunInstances with instance type not equal to t3.micro.
D. Use AWS Config rules to terminate non-compliant instances.
Answer: C

SCPs prevent non-compliant actions at the OU level.

Why this answer

Option C is correct because a Service Control Policy (SCP) applied to the dev OU can centrally restrict which EC2 instance types can be launched by all accounts within that OU. The SCP uses a Deny effect with a condition key ec2:InstanceType not equal to t3.micro, which prevents any IAM principal in the OU from launching non-compliant instances, regardless of their IAM permissions. This is the most effective way to enforce a hard boundary at the organization level.

Exam trap

The trap here is that candidates often choose AWS Config rules (Option D) thinking they can prevent launches, but Config is detective, not preventive; SCPs are the correct preventive control at the organization level.

How to eliminate wrong answers

Option A is wrong because an IAM role attached to users does not apply to all principals in the OU; users could still launch instances via other roles or services, and the role does not enforce the restriction across all accounts in the OU. Option B is wrong because CloudFormation templates are not an enforcement mechanism; developers could bypass the template and launch instances manually via the console or CLI. Option D is wrong because AWS Config rules only detect and report non-compliance after the instance is launched; they do not prevent the launch, and terminating instances after creation is reactive and can incur costs and operational overhead.

1386
MCQ (hard)

A company is migrating a distributed application that uses a custom TCP protocol between components. The application is deployed on-premises across multiple servers. The company wants to use AWS without modifying the application code. Which approach should the company take to migrate the application while maintaining low latency between components?

A. Use Amazon EC2 instances in a Placement Group within a single VPC to ensure low latency.
B. Use AWS Direct Connect to connect the on-premises servers to AWS and keep the application on-premises.
C. Use VPC Peering to connect the application components across different VPCs.
D. Use a VPN connection between the on-premises environment and AWS VPC.
Answer: A

Placement Groups provide low latency and high throughput, and EC2 allows running the application unchanged.

Why this answer

Option A is correct because using Placement Groups with EC2 instances ensures low latency and high throughput between components, and the application can run unchanged. Option C is incorrect because VPC peering is for connectivity between VPCs, not for low latency within a VPC. Option B is incorrect because Direct Connect improves connectivity to on-premises but not within AWS.

Option D is incorrect because a VPN is not needed for communication within AWS.

1387
MCQ (hard)

A company plans to migrate on-premises workloads to AWS. They have 500 VMs and need to ensure consistent network segmentation and security group rules across multiple VPCs in different AWS accounts. The network team uses a centralized hub-and-spoke model with AWS Transit Gateway. Which approach minimizes operational overhead while maintaining security compliance?

A. Use AWS Config rules to detect non-compliant security groups and send alerts.
B. Create a Python script that uses AWS SDK to apply security group rules to each VPC and run it periodically.
C. Use AWS Firewall Manager to centrally define and apply security group policies across accounts.
D. Use network ACLs instead of security groups to enforce segmentation.
Answer: C

Firewall Manager automates policy enforcement across all accounts.

Why this answer

Option C is correct because AWS Firewall Manager allows centralized management of security group rules across accounts and VPCs. Option B is wrong because manual scripting is error-prone. Option A is wrong because AWS Config does not enforce rules; it only detects drift.

Option D is wrong because network ACLs are stateless and not as granular as security groups.

1388
MCQ (hard)

A global company has a multi-region AWS deployment. They need to share a single Amazon RDS for MySQL database across multiple AWS Regions for disaster recovery. The database must have minimal data loss and RTO of less than 1 minute. Which solution meets these requirements?

A. Use cross-Region Read Replicas with automatic failover.
B. Use Amazon Aurora Global Database with MySQL compatibility.
C. Use a Multi-AZ RDS instance with a standby in another Region.
D. Use AWS Database Migration Service for continuous replication.
Answer: B

Aurora Global Database provides low-latency replication and fast failover across Regions.

Why this answer

Option B is correct because Amazon RDS for MySQL does not support cross-Region synchronous replication; the best option is to use Amazon Aurora Global Database with MySQL compatibility, which provides fast replication and failover. Option A is wrong because cross-Region Read Replicas are asynchronous and may have data loss. Option C is wrong because Multi-AZ is single-Region.

Option D is wrong because Database Migration Service is for migration, not continuous replication with low RTO.

1389
MCQ (medium)

A CloudFormation stack deployment failed with the status ROLLBACK_COMPLETE. What is the most likely cause?

A. The stack was created in the wrong AWS region.
B. The EC2 instance type is not available in the region.
C. The IAM role used by CloudFormation does not have permission to create EC2 instances.
D. The CloudFormation template has a syntax error.
Answer: C

Insufficient permissions cause resource creation to fail, leading to rollback.

Why this answer

The StackStatusReason indicates resource creation failure (MyEC2Instance). This could be due to insufficient IAM permissions to create the EC2 instance. Option C is correct.

Option D (template syntax) would cause a validation error before stack creation. Option B (instance type not available) would also cause failure but is less specific. Option A (wrong region) would not cause a rollback after creation starts.

1390
MCQ (medium)

A company is migrating a legacy .NET application to AWS. The application currently runs on Windows Server and uses a SQL Server database. The company wants to minimize licensing costs and operational overhead. Which migration strategy should the company use?

A. Replatform using Docker containers on Amazon ECS with Windows containers.
B. Rehost the application on Amazon EC2 Windows instances with SQL Server using License Mobility.
C. Replatform the application by moving the database to Amazon RDS for SQL Server and the application to Elastic Beanstalk.
D. Refactor the application to .NET Core and deploy on Amazon Linux with SQL Server.
Answer: B

Rehosting minimizes changes and can leverage existing licenses through License Mobility.

Why this answer

Option B is correct because rehosting on Amazon EC2 with SQL Server and Windows Server licenses included through License Mobility can minimize costs and changes. Option D is incorrect because refactoring to .NET Core and SQL Server on Linux may reduce licensing costs but requires significant changes. Option C is incorrect because replatforming to RDS for SQL Server may reduce operational overhead but licensing costs depend on the license model.

Option A is incorrect because containers add complexity and may not be suitable for legacy .NET without changes.

1391
Multi-Select (medium)

A company uses AWS Organizations with 100 accounts. They want to restrict which AWS services can be used in the development OU. Which TWO steps should they take?

Select 2 answers
A. Use AWS CloudFormation StackSets to enforce service usage.
B. Use an SCP with an Allow effect for allowed services.
C. Use AWS Config rules to detect disallowed services.
D. Use IAM policies in each account to deny services.
E. Use an SCP with a Deny effect for services not allowed.
Answers: B, E

Explicitly allows only specified services.

Why this answer

Service control policies (SCPs) are the correct mechanism to centrally restrict which AWS services can be used across accounts in an AWS Organization. An SCP with an Allow effect explicitly permits only the specified services, while an SCP with a Deny effect blocks the specified services; both approaches achieve the goal of restricting service usage at the OU level. SCPs apply to all IAM users, roles, and root users in the member accounts, making them the appropriate tool for this requirement.

Exam trap

The trap here is that candidates often choose AWS Config rules (option C) thinking detective controls can prevent actions, but Config is reactive and cannot block service usage; only SCPs or IAM permissions boundaries can proactively restrict services.

1392
Multi-Select (easy)

A company is designing a new web application that will run on EC2 instances behind an Application Load Balancer (ALB). The application must be highly available across multiple Availability Zones. The company wants to ensure that if an EC2 instance fails, the load balancer stops sending traffic to it. Which two steps should the architect take? (Choose TWO.)

Select 2 answers
A. Use a Network Load Balancer instead of an ALB
B. Use an Application Load Balancer with a single target group
C. Configure a health check on the ALB for the target group
D. Use an Auto Scaling group with a minimum of two instances across two Availability Zones
E. Launch all EC2 instances in a single Availability Zone
Answers: C, D

Health checks allow ALB to detect unhealthy instances and stop routing traffic.

Why this answer

Options C and D are correct. Configuring a health check on the ALB ensures the load balancer can detect unhealthy instances and stop sending traffic. Using an Auto Scaling group with a minimum of two instances across multiple AZs ensures high availability and replacement of failed instances.

Option E is wrong because using only one AZ does not provide multi-AZ high availability. Option A is wrong because a Network Load Balancer is for TCP traffic, not HTTP; an ALB is needed for HTTP traffic.

1393
MCQ (medium)

Refer to the exhibit. A solutions architect runs this CLI command but receives an error: 'Unknown options: --query'. What is the most likely cause?

A. The --filters parameter is incorrectly formatted.
B. The --query parameter is used without specifying --output.
C. The tag value is missing.
D. The AWS CLI version is outdated.
Answer: B

--query requires --output to be set.

Why this answer

Option B is correct. The --query parameter is not supported by the ec2 describe-instances command in the default output format; it requires the --output json or --output table option to be specified first. Option A is wrong because the command syntax is correct.

Option C is wrong because the filter is valid. Option D is wrong because the output table is specified.

1394
MCQ (hard)

A company is designing a serverless application using AWS Lambda functions that process messages from an Amazon SQS queue. The Lambda function sometimes experiences throttling, causing messages to be sent to the dead-letter queue (DLQ). The company wants to minimize throttling and ensure that messages are processed in order. What should the solutions architect do?

A. Use a standard SQS queue and configure a Lambda function with a higher concurrency limit.
B. Use an SQS FIFO queue with provisioned concurrency on the Lambda function.
C. Increase the batch size in the Lambda event source mapping and use a standard queue.
D. Use a FIFO SQS queue and configure the Lambda function with reserved concurrency.
Answer: D

FIFO queues preserve order. Reserved concurrency prevents throttling by ensuring enough capacity.

Why this answer

Option D is correct. To process messages in order, you need a FIFO queue. Lambda with reserved concurrency ensures it doesn't throttle.

Option A is incorrect because standard queues do not guarantee order. Option C is incorrect because increasing batch size does not prevent throttling; reserved concurrency does. Option B is incorrect because provisioned concurrency is for Lambda functions, not queues.

1395
Multi-Select (hard)

A company is migrating to a multi-account structure and needs to manage DNS resolution across accounts. The company uses Amazon Route 53 private hosted zones. They want a central resolver in the shared services VPC. Which THREE components are required?

Select 3 answers
A. Route 53 Resolver outbound endpoints in each VPC to forward queries to the central resolver.
B. A Transit Gateway connecting all VPCs.
C. Route 53 private hosted zones associated with the shared services VPC.
D. Route 53 Resolver inbound endpoints in the shared services VPC.
E. VPC peering connections between each VPC and the shared services VPC.
Answers: A, B, C

Allows conditional forwarding.

Why this answer

Options A, B, and C are correct. Option E is wrong because VPC peering is not needed if Transit Gateway is used. Option D is wrong because Route 53 Resolver inbound endpoints are for hybrid, not inter-VPC, resolution.

1396
MCQ (medium)

A company is designing a data lake on AWS using Amazon S3. They need to run SQL queries on the data without moving it to a separate database. Which AWS service should they use?

A. Amazon EMR
B. Amazon Athena
C. Amazon Redshift
D. AWS Glue
Answer: B

Athena allows serverless SQL queries on S3.

Why this answer

Option B is correct because Amazon Athena allows serverless SQL queries directly on S3 data. Option C is wrong because Redshift is a data warehouse and requires loading data. Option A is wrong because EMR is for big data processing.

Option D is wrong because Glue is an ETL service.

1397
Multi-Select (hard)

A company is planning to modernize a legacy Java application that runs on a single on-premises server. The application uses a proprietary file-based storage system. The company wants to migrate to AWS with the following goals: reduce operational overhead, improve availability, and minimize code changes. Which THREE strategies should the company use? (Choose three.)

Select 3 answers
A. Use AWS Application Migration Service (MGN) to migrate the application server to Amazon EC2
B. Use Amazon EFS to replace the proprietary file-based storage
C. Migrate the proprietary storage to Amazon S3
D. Migrate the proprietary storage to Amazon RDS for PostgreSQL
E. Refactor the application into microservices and deploy on Amazon EKS
Answers: A, B, D

MGN automates migration with minimal code changes.

Why this answer

AWS Application Migration Service (MGN) is correct because it automates the lift-and-shift migration of the on-premises server to Amazon EC2 with minimal downtime and no code changes, directly addressing the goal of reducing operational overhead and minimizing code changes. It replicates the entire server, including the proprietary file-based storage, to AWS, allowing the application to run unchanged.

Exam trap

The trap here is that candidates often assume Amazon S3 is the default storage replacement for any file-based system, but they overlook that S3 requires API changes, while Amazon EFS provides a drop-in NFS-compatible replacement that avoids code modifications.

1398
MCQ (hard)

A company is migrating a legacy mainframe application to AWS. The application uses a hierarchical database (IMS) and has complex batch processing jobs. The company wants to minimize changes to the application code. Which approach should be taken?

A. Rehost the application on AWS Mainframe Modernization using Blu Age
B. Replace the application with a SaaS-based ERP system
C. Re-platform the database to Amazon RDS for PostgreSQL
D. Refactor the application to use microservices on Amazon EKS
Answer: A

Minimizes code changes by rehosting mainframe workloads.

Why this answer

Option A is correct because rehosting on AWS Mainframe Modernization with Blu Age or Micro Focus allows minimal code changes. Option D is wrong because refactoring to microservices requires significant changes. Option B is wrong because replacing with SaaS changes the application.

Option C is wrong because replatforming to RDS still requires changes.

1399
MCQ (hard)

A company is designing a new application that will run on Amazon EKS. The application requires persistent storage that can be accessed by multiple pods simultaneously. The storage must be highly available and durable. Which storage solution should be used?

A. Amazon EFS with One Zone storage classes
B. Amazon EBS with gp3 volume type
C. Amazon S3 with Mountpoint for S3
D. Amazon FSx for Lustre
Answer: A

EFS provides a shared file system for multiple pods.

Why this answer

Option A is correct because Amazon EFS provides a shared file system that can be mounted by multiple pods concurrently, with high availability and durability. Option B is incorrect because EBS volumes can only be attached to a single EC2 instance, not multiple pods. Option C is incorrect because S3 is object storage, not a file system.

Option D is incorrect because FSx for Lustre is optimized for high-performance computing, not general shared storage.

1400
MCQ (medium)

A company applied the above SCP to an OU. A developer in an account under that OU tries to launch a t2.medium EC2 instance. What will happen?

A. The instance launches only if the developer's IAM policy explicitly allows t2.medium.
B. The instance launch is allowed because there is no explicit Allow statement in the SCP.
C. The instance launches successfully because the SCP does not affect IAM users.
D. The instance launch is denied because the SCP denies all instance types except t2.micro and t2.small.
Answer: D

Correct interpretation of the Deny with condition.

Why this answer

The SCP denies RunInstances if the instance type is not t2.micro or t2.small. Since t2.medium is not in the allowed list, the action is denied. Option B is wrong because t2.medium is not allowed.

Option C is wrong because the SCP applies. Option A is wrong because an IAM policy does not override an SCP.
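A small policy evaluator, added here as an illustration and not part of the question bank, that models why the SCP Deny in question 1400 wins over an identity policy that explicitly allows ec2:RunInstances; the same evaluator covers the allow-list SCP of question 1377, the MFA Deny of question 1376 and the aws:PrincipalOrgID condition of question 1379. All policies, the organization ID o-exampleorgid and the request contexts are constructed for the example, and the evaluation logic is a deliberate simplification of IAM's (no Resource or NotAction matching, SCPs treated as one set rather than per OU level).

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(stmt, ctx):
    """Evaluate the Condition block against the request context.

    Only the operators the questions rely on are implemented; anything else
    raises so a typo cannot silently turn into a match (or a miss).
    """
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or str(actual) not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators also match when the key is absent.
                if actual is not None and str(actual) in wanted:
                    return False
            elif operator == "BoolIfExists":
                # A missing key counts as a match: that is what "IfExists" means,
                # and it is why the MFA SCP catches requests with no MFA context.
                if actual is not None and str(actual).lower() != wanted[0].lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or None (no matching statement = implicit deny).

    Resource matching is left out; every sample policy here uses "Resource": "*".
    """
    decision = None
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit deny always wins
        decision = "Allow"
    return decision


def is_authorized(scps, identity_policy, action, ctx):
    """SCPs are a boundary: across the SCPs in effect there must be an Allow and
    no Deny (simplified: real evaluation checks this at every OU level).
    Only when the boundary permits the action does the identity policy matter."""
    decisions = [evaluate(scp, action, ctx) for scp in scps]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    return evaluate(identity_policy, action, ctx) == "Allow"


# Constructed sample policies modelled on the questions; not real exhibits.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

INSTANCE_TYPE_SCP = {"Statement": [{        # question 1400 (and 1384) pattern
    "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
    "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}]}

ALLOW_LIST_SCP = {"Statement": [{           # question 1377: FullAWSAccess detached
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "dynamodb:*", "lambda:*", "cloudwatch:*"]}]}

MFA_SCP = {"Statement": [{                  # question 1376 pattern
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

ORG_ONLY_BUCKET_POLICY = {"Statement": [{   # question 1379 pattern; o-exampleorgid is a placeholder
    "Effect": "Deny", "Action": "s3:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

IAM_ALLOW_EC2 = {"Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}


if __name__ == "__main__":
    # The developer from question 1400: explicit IAM allow, t2.medium requested.
    print(is_authorized([FULL_AWS_ACCESS, INSTANCE_TYPE_SCP], IAM_ALLOW_EC2,
                        "ec2:RunInstances", {"ec2:InstanceType": "t2.medium"}))
```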

1401
Multi-Select (medium)

A company is designing a new disaster recovery (DR) strategy for its critical applications. The DR plan must achieve a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 minute. The applications run on Amazon EC2 instances with Amazon EBS volumes. Which THREE actions should the company take to meet these requirements? (Choose three.)

Select 3 answers
A. Configure Amazon RDS Multi-AZ deployments.
B. Use a single Availability Zone for EC2 instances to simplify failover.
C. Implement a Pilot Light strategy by replicating data to a secondary region and launching resources on failover.
D. Store backups in Amazon S3 Glacier.
E. Use Amazon EBS cross-region snapshot copy to replicate data.
Answers: A, C, E

Multi-AZ provides automatic failover with RTO typically under 1 minute and RPO of seconds.

Why this answer

Option A is correct because Amazon RDS Multi-AZ deployments provide synchronous replication to a standby instance in a different Availability Zone, enabling automatic failover with an RTO typically under 1-2 minutes and an RPO of effectively zero, which meets the 15-minute RTO and 1-minute RPO requirements for the database tier.

Exam trap

The trap here is that candidates often confuse Pilot Light with Warm Standby or Multi-Site, and may incorrectly assume that using a single AZ or Glacier backups can meet aggressive RTO/RPO targets, when in fact they introduce unacceptable latency or single points of failure.

1402
MCQ (easy)

A company deploys the above CloudFormation template. After creation, they upload a file to the bucket and then delete it. What happens to the deleted object after 30 days?

A. All versions of the object are permanently deleted.
B. The delete marker is removed, and the object becomes current again.
C. The object is permanently deleted along with the delete marker.
D. The previous version is permanently deleted, but the delete marker remains.
Answer: D

Noncurrent version expires.

Why this answer

Option D is correct because the lifecycle rule expires noncurrent versions after 30 days. Deleting the object creates a delete marker (the current version) and the previous version becomes noncurrent. After 30 days, the noncurrent version is permanently deleted.

Option A is wrong because the delete marker remains. Option C is wrong because only noncurrent versions expire. Option B is wrong because the delete marker is not expired.
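The delete-marker and noncurrent-version behaviour described above, simulated as an added example (this is not the template from the exhibit, which is not reproduced on the page). It assumes a versioned bucket with a single NoncurrentVersionExpiration rule of 30 days and no ExpiredObjectDeleteMarker setting; the object key and the timeline are constructed, and real S3 applies the rule asynchronously rather than at exact timestamps.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Version:
    version_id: str
    is_delete_marker: bool
    noncurrent_since: Optional[datetime] = None   # set when a newer version lands


@dataclass
class VersionedBucket:
    """A versioned bucket with one lifecycle rule: NoncurrentVersionExpiration
    with NoncurrentDays = noncurrent_days and no ExpiredObjectDeleteMarker."""
    noncurrent_days: int = 30
    versions: Dict[str, List[Version]] = field(default_factory=dict)  # oldest first
    _next_id: int = 0

    def _push(self, key: str, now: datetime, delete_marker: bool) -> str:
        stack = self.versions.setdefault(key, [])
        if stack:
            stack[-1].noncurrent_since = now      # previous current version ages from here
        self._next_id += 1
        stack.append(Version(f"v{self._next_id}", delete_marker))
        return stack[-1].version_id

    def put(self, key: str, now: datetime) -> str:
        return self._push(key, now, delete_marker=False)

    def delete(self, key: str, now: datetime) -> str:
        # A DELETE without a version id removes nothing on a versioned bucket;
        # it inserts a delete marker that becomes the current version.
        return self._push(key, now, delete_marker=True)

    def get(self, key: str) -> Optional[str]:
        stack = self.versions.get(key)
        if not stack or stack[-1].is_delete_marker:
            return None                           # S3 answers 404 here
        return stack[-1].version_id

    def run_lifecycle(self, now: datetime) -> List[str]:
        """Expire versions that have been noncurrent for noncurrent_days or more.
        The current version, even when it is a delete marker, is never touched."""
        expired = []
        for key, stack in self.versions.items():
            keep = []
            for v in stack:
                age = None if v.noncurrent_since is None else now - v.noncurrent_since
                if age is not None and age >= timedelta(days=self.noncurrent_days):
                    expired.append(v.version_id)
                else:
                    keep.append(v)
            self.versions[key] = keep
        return expired

    def list_versions(self, key: str):
        """(version_id, kind, is_current) for every stored version of key."""
        return [(v.version_id, "delete-marker" if v.is_delete_marker else "object",
                 v.noncurrent_since is None) for v in self.versions.get(key, [])]


def question_scenario():
    """Upload, delete, then let the rule run at day 20 and at day 31."""
    bucket = VersionedBucket(noncurrent_days=30)
    t0 = datetime(2024, 1, 1)                     # constructed timeline
    key = "logs/app.log"                          # constructed key
    bucket.put(key, t0)
    bucket.delete(key, t0 + timedelta(days=1))    # delete marker v2 becomes current
    bucket.run_lifecycle(t0 + timedelta(days=20))
    before = bucket.list_versions(key)            # both versions still present
    expired = bucket.run_lifecycle(t0 + timedelta(days=31))
    after = bucket.list_versions(key)             # only the delete marker remains
    return before, expired, after, bucket.get(key)


if __name__ == "__main__":
    print(question_scenario())
```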

1403
MCQ (hard)

A financial services company has a multi-account AWS Organization with hundreds of accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted at rest and that no public read access is allowed. They want a solution that automatically remediates non-compliant buckets in real time. What is the MOST scalable and operationally efficient approach?

A.Use Service Control Policies to deny PutBucketPolicy that allows public access and require encryption
B.Use AWS Config conformance packs with remediation actions through AWS Systems Manager Automation
C.Use Amazon CloudWatch Events to detect bucket creation and trigger a Lambda function to apply encryption
D.Use AWS Config rules and AWS Lambda functions to scan buckets daily and send alerts
AnswerB

Provides continuous compliance and automatic remediation across the organization.

Why this answer

Option B is correct because AWS Config rules with automatic remediation via Systems Manager Automation documents can enforce encryption and public access settings across accounts using an organization-wide conformance pack. Option D is too manual. Option A (Service Control Policies) can prevent public access but not enforce encryption on existing buckets.

Option C (CloudWatch Events) requires per-account setup and custom Lambda functions.

1404
Multi-Selecthard

A company uses AWS Organizations with a central security account. They need to ensure that any S3 bucket created in any account is configured with encryption and versioning enabled. Which THREE steps should they take?

Select 3 answers
A.Create IAM policies in each account that require encryption and versioning for any bucket creation.
B.Use AWS CloudFormation StackSets to deploy a stack in each account that creates a bucket with encryption and versioning, and use SCPs to prevent deletion.
C.Deploy AWS Config rules across all accounts to detect buckets without encryption or versioning and trigger auto-remediation.
D.Apply a service control policy (SCP) that denies s3:CreateBucket unless encryption and versioning are specified.
E.Use AWS CloudTrail to monitor bucket creation and send alerts.
AnswersB, C, D

Ensures a compliant bucket exists.

Why this answer

Option B is correct because AWS CloudFormation StackSets allow you to deploy a standardized stack across multiple accounts in an organization, ensuring that any bucket created by the stack has encryption and versioning enabled. Combining this with a service control policy (SCP) that denies s3:CreateBucket unless encryption and versioning are specified (Option D) provides a preventive guardrail at the organization level. Additionally, deploying AWS Config rules with auto-remediation (Option C) acts as a detective and corrective measure, ensuring compliance even if buckets are created outside the approved stack.

Exam trap

The trap here is that candidates often think IAM policies alone can enforce resource configuration parameters, but IAM only controls permissions, not the actual values passed in the API call, which requires SCPs or service-specific controls.

1405
MCQeasy

A company wants to serve static content (images and videos) to users worldwide with low latency. The content is stored in an Amazon S3 bucket. What is the most cost-effective solution?

A.Use AWS Global Accelerator with endpoints pointing to the S3 bucket.
B.Deploy EC2 instances in multiple Regions and use a load balancer.
C.Use Amazon CloudFront with the S3 bucket as the origin.
D.Host the content directly from the S3 bucket and use S3 Transfer Acceleration.
AnswerC

CloudFront caches content at edge locations, reducing latency and data transfer costs.

Why this answer

Option C is correct because Amazon CloudFront is a CDN that caches content at edge locations, reducing latency and cost for data transfer. Option D is wrong because S3 alone does not provide edge caching. Option A is wrong because Global Accelerator improves the network path but does not cache content.

Option B is wrong because EC2 instances would require management and scaling.

1406
Multi-Selecthard

A company is designing a high-performance computing (HPC) workload on AWS. The workload requires tightly coupled inter-node communication with low latency and high bandwidth. Which THREE services or features should the architect consider to meet these requirements? (Choose three.)

Select 3 answers
A.EC2 instances with enhanced networking and high-throughput (e.g., p4d, p3dn)
B.VPC peering between multiple VPCs
C.AWS Global Accelerator
D.Placement Groups (Cluster Placement Group)
E.Elastic Fabric Adapter (EFA)
AnswersA, D, E

These instance types offer high network bandwidth and EFA support.

Why this answer

Options A, D, and E are correct. E: Elastic Fabric Adapter (EFA) provides low-latency, high-bandwidth communication for HPC. D: Placement Groups with cluster placement ensure instances are physically close for low network latency.

A: Instance types like p4d or p3dn with enhanced networking offer high throughput. Option C is wrong because AWS Global Accelerator is for internet-facing traffic, not inter-node communication. Option B is wrong because VPC peering is for connecting VPCs, not for intra-VPC communication performance.

1407
MCQeasy

An organization is planning to migrate a large number of on-premises virtual machines to AWS. The migration must be automated and support replication of live workloads with minimal downtime. Which AWS service is best suited for this task?

A.AWS DataSync
B.AWS Application Migration Service (MGN)
C.AWS Server Migration Service (SMS)
D.AWS Database Migration Service (DMS)
AnswerB

MGN automates lift-and-shift migration with continuous replication and minimal downtime.

Why this answer

Option B (AWS Application Migration Service) is correct as it automates lift-and-shift migration with continuous replication and cutover. Option D (DMS) is for databases. Option C (Server Migration Service) is legacy and less capable.

Option A (DataSync) is for data transfer, not live VM replication.

1408
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. Recently, the application has been experiencing intermittent latency spikes. CloudWatch metrics show high CPU utilization on the instances during these spikes, but no corresponding increase in request count. Which action is MOST likely to identify the root cause?

A.Increase the instance size to handle the load.
B.Enable detailed monitoring on the EC2 instances.
C.Add a scaling policy based on CPU utilization.
D.Enable AWS CloudTrail to log EC2 API calls.
AnswerB

Detailed monitoring provides metrics at 1-minute granularity, helping to identify when spikes occur.

Why this answer

Option B is correct because detailed CloudWatch metrics (at 1-minute granularity) provide more granular data to pinpoint when CPU spikes occur. Option A is wrong because increasing instance size only masks the symptom. Option C is wrong because scaling policies respond to sustained high CPU, not intermittent spikes.

Option D is wrong because CloudTrail records API calls, not instance-level metrics.

1409
MCQeasy

A company wants to allow developers to manage their own resources in individual AWS accounts while the central IT team manages networking and security. Which AWS service can help enforce that developers cannot modify networking resources?

A.Use AWS Organizations Service Control Policies (SCPs) to deny networking actions for developer accounts.
B.Use IAM roles to grant developers access only to their own resources.
C.Use AWS Config rules to detect changes to networking resources.
D.Use resource tags to identify networking resources and apply IAM conditions.
AnswerA

SCPs can block specific actions across accounts.

Why this answer

Option A is correct because AWS Organizations SCPs can restrict access to networking actions in specific accounts or OUs. Option B is wrong because IAM roles can be assumed by developers, but they don't prevent developers from using other roles. Option C is wrong because AWS Config is detective, not preventive.

Option D is wrong because resource tags do not prevent actions.

1410
MCQmedium

A company is migrating a multi-tier web application to AWS. The application uses a commercial database that requires a license. The company wants to reduce licensing costs. Which migration strategy should be considered?

A.Rehost the database to EC2 with the same database software
B.Replatform the database to Amazon RDS for an open-source engine like PostgreSQL
C.Repurchase a Software as a Service (SaaS) alternative
D.Refactor the application to use Amazon DynamoDB
AnswerB

Eliminates commercial license costs, minimal changes.

Why this answer

Option B is correct because replatforming to Amazon RDS for an open-source engine eliminates commercial license costs. Option A is wrong because rehosting to EC2 still requires the same license. Option D is wrong because refactoring to use a different database may involve significant rework.

Option C is wrong because repurchasing a SaaS alternative may not be suitable.

1411
MCQhard

A media company runs a video processing pipeline on AWS. The pipeline uses AWS Step Functions to orchestrate multiple AWS Lambda functions. The first Lambda function downloads a video file from an S3 bucket, the second transcodes it using AWS Elemental MediaConvert, and the third uploads the transcoded files to a different S3 bucket. Recently, the pipeline has been failing intermittently with 'State machine execution timed out' errors. The Step Functions execution history shows that the first Lambda function takes up to 25 minutes to complete for large video files. The Step Functions state machine has a default execution timeout of 5 minutes. The company wants to fix the timeout issue without redesigning the entire pipeline. Which solution should the solutions architect recommend?

A.Increase the 'timeoutSeconds' value in the Step Functions state machine definition to 1800 (30 minutes) or more.
B.Increase the Lambda function timeout to 30 minutes in the Lambda configuration.
C.Increase the Lambda function timeout to 15 minutes and increase the state machine execution timeout to 30 minutes.
D.Replace the Lambda function with an Amazon SQS queue and have the Step Functions wait for a callback.
AnswerA

Increasing the state machine execution timeout allows the long-running Lambda to complete without timing out.

Why this answer

Option A is correct because the issue is that the first Lambda function exceeds the state machine execution timeout. By increasing the timeout in the state machine definition, the execution can run longer. The Lambda function itself has a maximum timeout of 15 minutes, but the state machine timeout must be higher than the total expected duration.

Option B is wrong because the Lambda function timeout is separate; even if increased, the state machine timeout would still cause failure. Option D is wrong because using SQS would require significant changes to the pipeline and does not directly address the long-running Lambda. Option C is wrong because increasing the Lambda timeout alone does not fix the state machine timeout.

1412
MCQhard

A security engineer runs the above command to list network interfaces attached to security group sg-12345678. The engineer notices that instance i-0a1b2c3d4e5f67890 has two network interfaces but only one is shown in the output. What is the MOST likely reason?

A.The second interface is not attached to the instance.
B.The second interface has a device index of 0.
C.The command only returns interfaces that are attached.
D.The second interface is associated with a different security group.
AnswerD

Filter limits to sg-12345678.

Why this answer

Option D is correct because the command filters by security group ID, so only interfaces in that group are shown. The second interface may belong to a different security group. Option A is wrong because the filter is by group-id, not instance-id.

Option B is wrong because the command does not filter by device index. Option C is wrong because the command can list all interfaces in the group regardless of attachment.

1413
MCQeasy

A company is migrating a web application to AWS and wants to decouple the frontend and backend tiers to improve scalability. The frontend runs on Amazon EC2 behind an Application Load Balancer (ALB). The backend processes orders asynchronously. Which service should the company use to decouple the tiers?

A.Amazon MQ
B.Amazon Simple Queue Service (SQS)
C.Amazon Simple Notification Service (SNS)
D.Amazon Kinesis Data Streams
AnswerB

SQS provides a fully managed message queue for asynchronous processing.

Why this answer

Option B is correct because Amazon SQS provides a queue for asynchronous message passing between frontend and backend. Option A is wrong because Amazon MQ is for message brokers with existing protocols, but SQS is simpler for decoupling. Option D is wrong because Amazon Kinesis is for streaming data, not decoupling web tiers.

Option C is wrong because Amazon SNS is pub/sub, not designed for point-to-point decoupling with pull-based consumers.

1414
MCQeasy

Refer to the exhibit. A solutions architect is reviewing this SCP. What is the effect of this SCP when attached to an organizational unit (OU)?

A.It denies all actions if the request is not made over HTTPS.
B.It denies all actions if the request does not include multi-factor authentication.
C.It denies all actions from IP addresses outside the corporate network.
D.It allows all actions as long as the request is made over HTTPS.
AnswerA

The condition aws:SecureTransport false denies non-HTTPS requests.

Why this answer

This SCP denies all actions if the request is not made over HTTPS, effectively enforcing encrypted transport (Option A). Option B is wrong because it does not enforce MFA. Option C is wrong because it does not block specific services.

Option D is wrong because it does not allow all actions; it denies unencrypted requests.

1415
Multi-Selecthard

A company has a multi-account architecture with a shared services account that hosts a central Amazon RDS instance. Member accounts need to access this database. Which TWO actions should the company take to enable secure access?

Select 2 answers
A.Create a Transit Gateway and attach all VPCs to it, then use route tables to enable connectivity.
B.Use AWS Lambda to proxy database requests from member accounts.
C.Configure the RDS security group to allow inbound traffic from the member account VPC CIDRs.
D.Make the RDS instance publicly accessible and use IAM authentication.
E.Create a VPC peering connection between each member VPC and the shared services VPC.
AnswersA, C

Centralized connectivity for many VPCs.

Why this answer

Options A and C are correct. Option E is wrong because VPC peering is not transitive; a Transit Gateway handles many VPCs. Option B is wrong because direct Lambda access would bypass security groups.

Option D is wrong because the RDS instance should not be public.

1416
MCQeasy

A company is migrating a monolithic application to microservices on AWS. They want to implement a continuous improvement process for existing services. Which AWS service should they use to collect and analyze operational metrics and logs from all microservices in a centralized location?

A.AWS Config
B.Amazon Inspector
C.Amazon CloudWatch
D.AWS X-Ray
AnswerC

CloudWatch provides centralized metrics and logs.

Why this answer

Option C is correct because Amazon CloudWatch Logs and Metrics provide centralized monitoring. Option D is wrong because AWS X-Ray is for tracing, not metrics. Option A is wrong because AWS Config is for configuration compliance.

Option B is wrong because Amazon Inspector is for security assessment.

1417
Multi-Selecthard

A company wants to use AWS Resource Access Manager (RAM) to share a subnet in a VPC with other accounts in the organization. Which of the following are required? (Choose THREE.)

Select 3 answers
A.The subnet must be created by the owning account.
B.The consumer accounts must accept the resource share invitation.
C.The VPC must be in the same AWS Region as the shared subnet.
D.Each consumer account must create a subnet in the same VPC.
E.Enable VPC sharing in the AWS Organizations console.
AnswersA, B, C

The owner creates the subnet to share.

Why this answer

Options A, B, and C are correct. Option E is wrong because RAM does not require VPC sharing to be enabled. Option D is wrong because the subnet is shared, not created by the consumer.

1418
MCQmedium

A company uses AWS Organizations with multiple OUs. The DevOps team wants to allow developers in a specific OU to create and manage their own VPCs but restrict them from deleting VPCs created by the central networking team. How can this be achieved?

A.Use AWS Config rules to automatically recreate any VPC that is deleted.
B.Use a resource-based policy on each centrally created VPC to deny ec2:DeleteVpc to the developers' roles.
C.Create an SCP for the developers' OU that denies ec2:DeleteVpc for all VPCs.
D.Create an IAM policy for developers that denies ec2:DeleteVpc unless the VPC has a specific tag.
AnswerB

Resource-based policies allow fine-grained control per VPC.

Why this answer

Option B is correct because resource-based policies can be attached to VPCs to control deletion. SCPs can also be used but are account-wide. Option C is wrong because SCPs would restrict all accounts.

Option D is wrong because IAM policies cannot restrict by resource tag without a specific condition. Option A is wrong because AWS Config does not prevent deletion.

1419
MCQeasy

Refer to the exhibit. A company has an Amazon ECS task definition with two containers. The 'web' container is essential, and the 'sidecar' container is not. The 'sidecar' container exits unexpectedly. What will happen to the task?

A.The sidecar container will be marked as essential.
B.ECS will automatically restart the sidecar container.
C.The task continues running as normal.
D.The ECS task will be stopped.
AnswerC

Non-essential container failure does not affect the task.

Why this answer

Option C is correct because non-essential containers can fail without affecting the task. Option D is wrong because only essential container failure stops the task. Option B is wrong because ECS will not restart a non-essential container by default; it depends on the task definition restart policy.

Option A is wrong because the sidecar's CPU=0 means it can use up to the available CPU, but it still runs.

1420
MCQhard

A company uses AWS Organizations with a multi-account setup. The central IT team manages a shared services VPC in the network account, which hosts a NAT gateway, a VPN connection to the on-premises network, and a transit gateway. Several application accounts have VPCs attached to the transit gateway. Recently, the application teams report that they cannot reach the on-premises network through the VPN. The network team confirms that the VPN is up and routes are propagated in the transit gateway route tables. However, the application VPCs are not receiving the routes. What is the MOST likely cause?

A.The application VPCs have route tables that override the transit gateway routes with local routes.
B.The VPN connection is not configured to advertise the on-premises CIDR to the transit gateway.
C.The application VPCs have security groups that block traffic to the on-premises network.
D.The transit gateway route tables are not associated with the application VPC attachments.
AnswerD

For routes to be effective, the transit gateway route table that contains the VPN routes must be associated with the VPC attachments; otherwise, they won't receive the routes.

Why this answer

The most likely cause is that the transit gateway route tables are not associated with the application VPC attachments. Even if the VPN routes are propagated into the transit gateway route tables, the application VPCs will not receive those routes unless their VPC attachments are explicitly associated with the correct transit gateway route table. Without this association, the transit gateway does not propagate routes to the attached VPCs, leaving them unable to reach the on-premises network.

Exam trap

The trap here is confusing route propagation with route table association — candidates often assume that if routes are propagated into the transit gateway route table, all attached VPCs automatically receive them, but AWS requires an explicit association between the VPC attachment and the route table for route distribution.

How to eliminate wrong answers

Option A is wrong because local routes in VPC route tables have a higher priority than transit gateway routes by default, but the question states the application VPCs are not receiving the routes at all, not that they are being overridden. Option B is wrong because the network team confirmed that routes are propagated in the transit gateway route tables, meaning the VPN is correctly advertising the on-premises CIDR to the transit gateway. Option C is wrong because security groups operate at the instance level, not at the VPC routing level, and the issue is about route propagation, not traffic filtering.

1421
MCQeasy

A company uses AWS Organizations and wants to delegate administrative tasks for specific AWS services to a member account. Which AWS feature should be used?

A.AWS Control Tower
B.Delegated administrator for AWS services
C.Cross-account IAM roles
D.AWS CloudTrail organization trail
AnswerB

This allows a member account to administer services like GuardDuty, Macie, etc., across the organization.

Why this answer

Delegated administrator for AWS services allows you to designate a member account in AWS Organizations to perform administrative tasks for specific AWS services, such as AWS IAM Access Analyzer or AWS Security Hub, without granting full organization management access. This feature centralizes control while distributing operational responsibilities, making it the correct choice for delegating administrative tasks for specific services.

Exam trap

The trap here is that candidates often confuse the broad, role-based access of cross-account IAM roles (Option C) with the specific, service-level delegation model of delegated administrators, leading them to overlook the AWS Organizations-native feature designed for this exact purpose.

How to eliminate wrong answers

Option A is wrong because AWS Control Tower is a service for setting up and governing a multi-account environment using pre-built blueprints and guardrails, not for delegating administrative tasks for specific AWS services to a member account. Option C is wrong because cross-account IAM roles provide broad, role-based access to resources in another account but are not designed for the specific, service-level delegation model that AWS Organizations supports for delegated administrators. Option D is wrong because AWS CloudTrail organization trail logs API activity across all accounts in the organization for auditing, not for delegating administrative tasks for specific services.

1422
MCQeasy

A company wants to migrate 500 TB of data from an on-premises data center to Amazon S3. The company has a 1 Gbps dedicated network connection to AWS. What is the most cost-effective and time-efficient migration method?

A.Use AWS Snowball Edge to physically ship the data to AWS.
B.Use S3 Transfer Acceleration to upload data over the existing internet connection.
C.Use AWS DataSync to transfer data over the dedicated network.
D.Establish an AWS Direct Connect connection and use S3 multipart upload.
AnswerA

Snowball Edge provides fast, secure physical transfer; economical for large datasets.

Why this answer

Option A is correct because AWS Snowball Edge provides physical storage for large data transfers, avoiding long transfer times over a 1 Gbps link. Option B is wrong because S3 Transfer Acceleration improves speed but still uses the network. Option C is wrong because AWS DataSync is designed for smaller, ongoing transfers.

Option D is wrong because Direct Connect alone does not transfer data; you still need to copy over the connection.

1423
MCQhard

A company uses AWS Lambda with a VPC configuration to access an RDS database. After a recent change, the Lambda function times out when connecting to the database. The security group and network ACLs appear correct. What should the company check first?

A.That the database password has not been rotated.
B.That the Lambda function's reserved concurrency is not set to zero.
C.That the Lambda function has a route to the database via a NAT gateway or VPC endpoint.
D.That the Lambda function's environment variables are correctly set.
AnswerC

If the database is in a private subnet, a NAT gateway is needed for the Lambda function to access it.

Why this answer

Option C is correct. When a Lambda function is VPC-enabled, it has no internet access by default; it needs a VPC endpoint for services such as S3 or DynamoDB, or a NAT gateway for internet access. If the function must reach the database through a public endpoint, a NAT gateway is needed.

Option D is about Lambda's environment variables. Option A is about database credentials. Option B is about Lambda's concurrency, not connectivity.

1424
MCQhard

A solutions architect sees the above CloudWatch metric data for a Lambda function. The function is triggered by an SQS queue. The errors occur in a pattern: exactly 5 errors at 00:10, 00:30, and 00:50. What is the MOST likely cause?

A.The Lambda function is running out of memory.
B.The Lambda function is timing out due to long-running processing, and the SQS visibility timeout is set to 20 minutes, causing the same messages to be retried.
C.The Lambda function is hitting the reserved concurrency limit.
D.The Lambda function is using an incompatible runtime.
AnswerB

The pattern matches a timeout and retry cycle.

Why this answer

Option B is correct because the pattern suggests the function times out after 30 seconds of processing, and the SQS messages become visible again after the visibility timeout. The errors at regular intervals (20 minutes) indicate that the function retries the same messages. Option C is wrong because insufficient concurrency would cause throttles, not errors.

Option A is wrong because memory pressure would cause out-of-memory errors, not timeouts. Option D is wrong because an incompatible runtime would cause all invocations to fail.

1425
MCQmedium

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by project, but projects span multiple accounts. Which approach should be used to tag resources consistently across accounts?

A.Define cost allocation tags in the management account and activate them for all accounts.
B.Use AWS Config rules to automatically tag resources after creation.
C.Use an SCP that denies resource creation if the required tags are not present.
D.Use tag policies in AWS Organizations to enforce required tags on resources.
AnswerD

Tag policies can enforce tagging across all accounts.

Why this answer

Option D is correct because AWS Organizations provides tag policies that can enforce required tags across all accounts in the organization. Option A is wrong because cost allocation tags must be activated in each account, but they do not enforce tagging. Option C is wrong because SCPs cannot enforce tagging.

Option B is wrong because AWS Config can detect untagged resources but does not enforce at creation.
