AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 76150

1746 questions total · 24pages · All types, answers revealed

Page 1

Page 2 of 24

Page 3
76
MCQmedium

A company runs a critical workload on EC2 instances in an Auto Scaling group across three Availability Zones. The application needs to maintain a consistent IP address for outbound traffic to external partners. The current design uses a NAT gateway in each AZ, but partners whitelist a single IP. How can the company provide a fixed outbound IP while maintaining high availability?

A.Use a proxy fleet of EC2 instances behind an Application Load Balancer.
B.Use a single NAT gateway across all three AZs and assign an Elastic IP.
C.Use a NAT instance with an Elastic IP in one AZ.
D.Deploy a Network Load Balancer with Elastic IPs in front of NAT instances in each AZ.
AnswerD

NLB provides a static IP and distributes traffic to NAT instances across AZs for HA.

Why this answer

Option C is correct because a NAT gateway with an Elastic IP can be placed in a single AZ, but if that AZ fails, the workload fails. A Network Load Balancer with EIPs and NAT instances provides a fixed IP and HA. Option A is wrong because multiple NAT gateways have different IPs.

Option B is wrong because it's not HA. Option D is wrong because a proxy fleet still uses multiple IPs.

77
MCQhard

A company is designing a microservices architecture on ECS with Fargate. Services need to communicate securely within a VPC and be accessible from the internet via an Application Load Balancer. The solution must minimize operational overhead. Which networking configuration should be used?

A.Services in private subnets with a NAT Gateway and an ALB in public subnets.
B.Services in private subnets with a VPC endpoint and an NLB.
C.Services in a single public subnet with an ALB.
D.Services in public subnets with Internet Gateways and an ALB.
AnswerA

Private subnets provide isolation, NAT for outbound, ALB for inbound.

Why this answer

Option A is correct because placing services in private subnets with a NAT Gateway and ALB in public subnets provides secure internal communication and internet access. Option B is wrong because public subnets expose services directly. Option C is wrong because an NLB is for TCP, not HTTP.

Option D is wrong because a single public subnet lacks redundancy.

78
MCQhard

A global company uses AWS Organizations with many OUs and accounts. The finance team needs to track costs by cost center, which is tagged on each resource. However, some resources are not tagged. Which solution will provide the MOST accurate cost allocation?

A.Enable cost allocation tags and use AWS Cost Explorer to filter by tag.
B.Create AWS Budgets reports for each cost center using tag filters.
C.Export AWS Cost and Usage Reports to Amazon QuickSight and use tag-based filtering.
D.Use AWS Cost Categories to group costs by tag value and set a default rule for untagged resources.
AnswerD

Cost Categories can group costs by tags and assign untagged resources to a default category.

Why this answer

Option D is correct because AWS Cost Categories allow you to group costs by tag values and, crucially, set a default rule for untagged resources. This ensures that all resources—tagged or not—are assigned to a cost center, providing the most accurate cost allocation across the entire organization. Other options only filter or report on tagged resources, leaving untagged costs unallocated.

Exam trap

The trap here is that candidates assume tag-based filtering or reporting tools (Cost Explorer, Budgets, QuickSight) can handle untagged resources, but they cannot—only Cost Categories with a default rule can allocate costs for untagged resources.

How to eliminate wrong answers

Option A is wrong because enabling cost allocation tags and using Cost Explorer to filter by tag only reports on resources that already have the tag; untagged resources are excluded, leading to incomplete cost allocation. Option B is wrong because AWS Budgets reports with tag filters also only apply to tagged resources; they do not handle untagged resources, so costs from untagged resources are not tracked by cost center. Option C is wrong because exporting CUR to QuickSight and using tag-based filtering still requires tags to be present on resources; untagged resources are not assigned to any cost center, resulting in inaccurate allocation.

79
MCQeasy

A retail company is migrating its e-commerce platform from a monolith running on a single on-premises server to AWS. The current application consists of a Java-based web server, a MySQL database, and a caching layer using Redis. The company wants to modernize the architecture by adopting microservices, using serverless where possible, and minimizing operational overhead. The migration must be completed within six months with minimal disruption to ongoing operations. The solutions architect proposes the following initial steps: containerize the Java application and run it on Amazon ECS with Fargate, migrate the MySQL database to Amazon Aurora Serverless v2, and replace Redis with Amazon ElastiCache for Redis Serverless. However, the team is concerned about the complexity of the migration and the potential for downtime. Which recommendation should the solutions architect make to address these concerns?

A.Rewrite the entire application as microservices from scratch and deploy them in a new AWS environment. Cut over all traffic at once after testing.
B.Use AWS Blue/Green deployment for the monolith to reduce downtime, then migrate to microservices after the deployment is stable.
C.Use the Strangler Fig pattern to incrementally replace monolith functionality with microservices, routing traffic to new services as they are built.
D.Perform a lift-and-shift migration of the monolith to EC2 instances, then gradually refactor into microservices over the next year.
AnswerC

This pattern allows gradual migration with minimal disruption, aligns with the timeline, and enables modernization in steps.

Why this answer

Option C is correct because the Strangler Fig pattern allows the team to incrementally replace specific functionalities of the monolithic e-commerce platform with microservices, routing traffic to the new services as they are built. This minimizes disruption and downtime by avoiding a big-bang cutover, and it aligns with the goal of modernizing to microservices and serverless within the six-month timeline. The pattern leverages an existing ingress controller (e.g., an Application Load Balancer with path-based routing) to gradually shift requests from the monolith to new services running on Amazon ECS with Fargate, while the database and caching layers are migrated separately with minimal impact.

Exam trap

The trap here is that candidates often confuse Blue/Green deployments (which reduce downtime for a single application version) with the Strangler Fig pattern (which is specifically designed for incremental migration from a monolith to microservices), leading them to choose Option B as a safe but incomplete solution.

How to eliminate wrong answers

Option A is wrong because rewriting the entire application from scratch as microservices and performing a single cutover introduces high complexity, significant risk of downtime, and likely exceeds the six-month timeline, contradicting the requirement for minimal disruption. Option B is wrong because Blue/Green deployment for the monolith reduces downtime during deployment but does not address the migration to microservices; it keeps the monolith intact and defers the modernization, failing to meet the goal of adopting microservices and serverless. Option D is wrong because a lift-and-shift to EC2 instances postpones refactoring for over a year, which violates the six-month migration deadline and does not minimize operational overhead, as it retains the monolithic architecture and requires managing EC2 instances.

80
MCQeasy

A company is designing a new microservices architecture on Amazon ECS with Fargate. Each microservice must be isolated and able to communicate with others only through defined APIs. Which solution provides the BEST isolation and security?

A.Use AWS App Mesh with Envoy sidecars to control traffic between services.
B.Place all microservices in the same security group and allow all traffic.
C.Use an Application Load Balancer per microservice with listener rules.
D.Use VPC peering between each microservice's VPC.
AnswerA

App Mesh provides service-level security and observability.

Why this answer

Using a service mesh like App Mesh (option C) provides fine-grained traffic control and security between microservices. Option A (same security group) is too permissive. Option B (ALB per service) adds complexity.

Option D (VPC peering) is for VPC-level, not service-level.

81
MCQmedium

A company runs a batch processing application on a scheduled EC2 instance that starts every night. The instance processes a large number of files from an S3 bucket and writes results to another S3 bucket. The job takes approximately 6 hours to complete. Recently, the job has been failing after 4 hours with an error indicating that the instance's EBS root volume is full. The instance type is t3.medium with a 20 GB gp2 root volume. The application writes temporary files to the root volume. The company wants to fix this with minimal changes to the application and infrastructure. What should a solutions architect recommend?

A.Create an additional EBS volume and mount it to the instance.
B.Change the instance type to one with instance store volumes.
C.Increase the size of the EBS root volume to 100 GB.
D.Modify the application to compress temporary files.
AnswerC

More space on root volume resolves the issue without code changes.

Why this answer

Option B is correct because increasing the root volume size provides more space for temporary files without application changes. Option A is wrong because instance store is ephemeral and may not be available on t3 instances. Option C is wrong because mounting an EBS volume would require application changes to write to a different path.

Option D is wrong because reducing file size may not be feasible and requires code changes.

82
Multi-Selecteasy

A company is designing a new VPC with public and private subnets. The company wants to ensure that instances in the private subnets can download updates from the internet, but cannot be directly accessed from the internet. Which THREE components are required to meet these requirements? (Choose THREE.)

Select 3 answers
A.A route table for private subnets with a default route pointing to the NAT Gateway.
B.An Internet Gateway attached to the VPC.
C.A Virtual Private Gateway (VGW).
D.A NAT Gateway in a public subnet.
E.A VPC endpoint for S3.
AnswersA, B, D

This route ensures that outbound traffic from private subnets is directed to the NAT Gateway.

Why this answer

The correct answers are A, B, and C. Option A is correct because an Internet Gateway allows outbound traffic to the internet. Option B is correct because a NAT Gateway provides outbound internet access to instances in private subnets.

Option C is correct because the route table for private subnets must point to the NAT Gateway for default route. Option D is wrong because a Virtual Private Gateway is used for VPN connections, not internet access. Option E is wrong because VPC endpoints are for private access to AWS services, not for internet access.

83
MCQeasy

A company is designing a new web application that will be accessed by users worldwide. The application will serve static content (HTML, CSS, images) and dynamic API responses. The company wants to minimize latency for all users. Which combination of AWS services should the company use?

A.Amazon Route 53 and Amazon S3
B.Amazon CloudFront and Amazon API Gateway
C.Amazon S3 and Amazon CloudFront
D.Application Load Balancer (ALB) and Amazon CloudFront
AnswerB

CloudFront provides edge caching for static content and can route API requests to API Gateway, reducing latency.

Why this answer

Amazon CloudFront is a CDN that serves static content from edge locations, and Amazon API Gateway can host the API and integrate with CloudFront. Option A is wrong because S3 alone does not provide CDN. Option B is wrong because ALB is regional.

Option D is wrong because Route 53 is DNS only.

84
MCQeasy

A company is migrating a legacy application that uses a proprietary binary protocol over TCP. The application must be migrated with minimal changes and requires high throughput. Which AWS service should the architect recommend for load balancing?

A.Network Load Balancer (NLB)
B.AWS Global Accelerator
C.Application Load Balancer (ALB)
D.Classic Load Balancer (CLB)
AnswerA

NLB operates at Layer 4 and handles TCP traffic with high throughput.

Why this answer

Option C is correct because NLB handles TCP traffic at high throughput with minimal latency. Option A is wrong because ALB is for HTTP/HTTPS. Option B is wrong because CLB is legacy.

Option D is wrong because Global Accelerator is not a load balancer.

85
MCQhard

A company is designing a new real-time analytics platform that ingests data from thousands of IoT devices. The devices send JSON messages every second to an AWS IoT Core topic. The messages must be processed and stored in Amazon S3 for long-term analysis. The processing includes enrichment by calling a third-party API to add location data. The company expects the workload to vary significantly, with peak traffic of 100,000 messages per second. The solution must be cost-effective and minimize operational overhead. The current architecture uses a Lambda function subscribed to the IoT topic, which processes each message and writes to S3. However, during initial testing, the Lambda function frequently times out due to the third-party API latency, causing message loss. What should the company do to resolve this issue while meeting all requirements?

A.Increase the Lambda function timeout to 15 minutes and memory to 10240 MB
B.Use Amazon Kinesis Data Firehose to buffer data and write to S3, then trigger a Lambda function to enrich data asynchronously
C.Enable Provisioned Concurrency on the Lambda function to reduce cold starts
D.Configure the IoT rule to write messages to an Amazon SQS queue. Then use a Lambda function with reserved concurrency to poll the queue and process messages at a controlled rate
AnswerD

SQS decouples ingestion from processing, preventing message loss, and reserved concurrency ensures consistent performance.

Why this answer

Option D is correct because decoupling the ingestion from the processing using an SQS queue allows the Lambda function to poll messages at a controlled rate, preventing timeouts from third-party API latency. The SQS queue acts as a buffer, absorbing traffic spikes of up to 100,000 messages per second, and Lambda can process messages asynchronously without loss. This approach is cost-effective and minimizes operational overhead by leveraging managed services.

Exam trap

The trap here is that candidates may think Kinesis Data Firehose is the best choice for buffering and enrichment, but they overlook that Firehose does not support real-time enrichment via Lambda before writing to S3; it only supports transformation with a Lambda function that has a limited timeout (60 seconds) and cannot handle asynchronous API calls reliably.

How to eliminate wrong answers

Option A is wrong because increasing the Lambda timeout to 15 minutes and memory to 10240 MB does not resolve the underlying issue of third-party API latency; it only delays the timeout, and Lambda has a maximum execution time of 15 minutes, but the function may still fail if the API is slow, and high memory increases cost without solving the buffering problem. Option B is wrong because Kinesis Data Firehose writes directly to S3, but triggering a Lambda function asynchronously from S3 events would not enrich data before storage; the enrichment would need to happen after the data is already in S3, which does not meet the requirement to enrich before storage and could lead to duplicate processing or data loss. Option C is wrong because Provisioned Concurrency reduces cold starts but does not address the timeout issue caused by third-party API latency; the function would still time out if the API is slow, and it does not provide buffering for traffic spikes.

86
MCQhard

A CloudFormation stack creation command is run with a parameter. The template.yaml includes a parameter declared as follows: Parameters: InstanceTypeParameter: Type: String Default: t2.micro AllowedValues: - t2.micro - t2.small - t2.medium The stack creation fails with the error: "Value (t2.nano) for parameter InstanceTypeParameter is invalid. Must be one of: t2.micro, t2.small, t2.medium". What is the most likely cause?

A.The AWS CLI is using a deprecated version
B.The template.yaml file was modified after the command was run
C.The parameter was overridden by a previous stack operation or a different parameter file
D.The CLI command had a typo in the parameter value
AnswerC

The error shows 't2.nano', which must have come from an override.

Why this answer

The error indicates that the value passed is 't2.nano', but the command shows 't2.micro'. This suggests that the parameter value was overridden elsewhere, perhaps in a different command or a previous stack operation. The command itself is correct.

The template defines allowed values. The issue is not a typo in the command, but an override. The most likely cause is that the parameter was passed incorrectly in a prior run or the CLI used a different value.

87
MCQmedium

A company wants to centrally manage access to multiple AWS accounts using AWS Organizations. The security team requires that all IAM users and roles be created in a single master account and assume roles in member accounts. Which configuration ensures that cross-account role assumptions are auditable and enforced?

A.Enable AWS CloudTrail in the master account and log sts:AssumeRole events.
B.Create an IAM Access Analyzer in each member account to monitor cross-account access.
C.Use AWS Config to record IAM role configurations and trigger Lambda functions on changes.
D.Configure a service control policy (SCP) to deny all IAM actions except sts:AssumeRole.
AnswerA

CloudTrail logs all STS API calls, providing a centralized audit trail for cross-account role assumptions.

Why this answer

Option A is correct because AWS CloudTrail in the master account can log all sts:AssumeRole API calls across the organization when management events are enabled. This provides a centralized, immutable audit trail of who assumed which role in which member account, meeting the security team's requirement for auditable cross-account role assumptions. CloudTrail captures the source identity, target role ARN, and timestamp, enabling full forensic analysis.

Exam trap

The trap here is that candidates often confuse AWS Config (which records resource configuration changes) with CloudTrail (which records API calls), leading them to choose Option C even though it cannot log the actual sts:AssumeRole events needed for auditing.

How to eliminate wrong answers

Option B is wrong because IAM Access Analyzer is designed to identify resources shared with external entities (outside the organization), not to audit or enforce cross-account role assumptions within the same organization. Option C is wrong because AWS Config records configuration changes to IAM roles but does not log the actual sts:AssumeRole API calls; it cannot provide an audit trail of role assumption events. Option D is wrong because a service control policy (SCP) that denies all IAM actions except sts:AssumeRole would prevent users from creating, modifying, or deleting IAM resources in member accounts, but it does not enforce that all IAM users and roles are created only in the master account, nor does it provide auditing of role assumptions.

88
MCQeasy

A company wants to allow developers to launch EC2 instances only in the us-east-1 Region. They have a single AWS account. What is the simplest way to enforce this?

A.Create an IAM policy that denies EC2 actions unless the region is us-east-1.
B.Use AWS Config to terminate instances in other Regions.
C.Apply an SCP to the account.
D.Configure the default VPC in us-east-1 only.
AnswerA

IAM policy directly restricts user actions.

Why this answer

An IAM policy with a condition on ec2:Region is the simplest. Option B is wrong because SCPs are for Organizations. Option C is wrong because it's per-VPC.

Option D is wrong because it's reactive.

89
Multi-Selectmedium

A company is designing a multi-account AWS Organizations architecture. Which TWO considerations should be taken into account when designing the organizational structure?

Select 2 answers
A.Accounts cannot be moved between OUs once created.
B.Each organizational unit (OU) should contain only one account for security isolation.
C.AWS CloudTrail can be configured to log management events across all accounts from the management account.
D.Service control policies (SCPs) can be used to centrally restrict permissions across accounts.
E.SCPs can only be applied to root accounts, not OUs.
AnswersC, D

CloudTrail can be enabled for all accounts via Organizations.

Why this answer

Option C is correct because AWS CloudTrail can be configured from the management account to log management events for all accounts in the organization. This is done by creating a CloudTrail trail that applies to all accounts in the organization, which centralizes logging and eliminates the need to configure CloudTrail individually in each account.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can only be applied to the root account, when in fact they can be attached to any OU or account within the organization.

90
MCQeasy

Refer to the exhibit. A company is using an S3 bucket to store migration logs. The company has set a lifecycle policy to transition objects to Glacier after 30 days and expire them after 365 days. After 45 days, the company notices that the objects are still in S3 Standard. What is the most likely reason?

A.The lifecycle policy has a filter that excludes these objects.
B.The objects were created after the lifecycle policy was applied, so they have not reached 30 days of age yet.
C.The lifecycle policy is not enabled for the bucket.
D.The S3 bucket versioning is disabled, so lifecycle rules do not apply.
AnswerB

Lifecycle rules are based on object age.

Why this answer

Option A is correct because lifecycle policies transition objects based on the object's age, not the creation date of the policy. The objects are less than 30 days old if they were created after the policy was applied. Option B is wrong because the policy is enabled.

Option C is wrong because the filter is empty (applies to all). Option D is wrong because the policy defines a transition.

91
MCQeasy

A company is using Amazon S3 to store sensitive data. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS. The company also needs to ensure that any attempt to upload an unencrypted object is blocked. How can the company enforce this requirement?

A.Use a bucket policy that denies s3:PutObject if the request does not include the x-amz-server-side-encryption header with value aws:kms
B.Enable default encryption on the bucket with AWS KMS
C.Use AWS CloudTrail to monitor PutObject calls and alert on unencrypted uploads
D.Enable S3 Object Lock on the bucket
AnswerA

This policy condition ensures encryption is used.

Why this answer

Option B is correct because a bucket policy that denies PutObject without x-amz-server-side-encryption header set to aws:kms will enforce encryption at upload time. Option A is not possible at the bucket level. Option C (default encryption) does not enforce on existing uploads if the header is omitted.

Option D (CloudTrail) is detective, not preventive.

92
MCQmedium

A company is migrating a multi-tier web application to AWS. The application consists of a stateless web tier and a stateful application tier that uses sticky sessions. The company wants to reduce operational overhead and improve elasticity. Which architecture should the solutions architect recommend?

A.Use an Application Load Balancer with sticky sessions for the web tier. Store session data in Amazon ElastiCache.
B.Use Amazon CloudFront with an origin load balancer and store session data in the web tier's local storage.
C.Use an Application Load Balancer with cross-zone load balancing and store session data in Amazon DynamoDB.
D.Use a Network Load Balancer with instance targets and Amazon EFS to share session data.
AnswerA

ALB sticky sessions route requests to the same instance, but session data is stored externally in ElastiCache, allowing any instance to serve requests.

Why this answer

Using an Application Load Balancer (ALB) with sticky sessions (session affinity) enables the web tier to be stateless and scale horizontally. The application tier can use ElastiCache for session state storage, making it stateless as well. This reduces overhead and improves elasticity.

NLB with EFS is not suitable for session state; ALB with DynamoDB is overkill; CloudFront does not support sticky sessions.

93
MCQhard

An S3 bucket contains log files. An administrator runs the above AWS CLI command. What does the output indicate?

A.Two log files are larger than 1 KB.
B.The log files are larger than 1000 KB.
C.The bucket contains only two objects with the prefix 'logs/'.
D.The bucket has versioning enabled.
AnswerA

1000 bytes = 1 KB.

Why this answer

Option B is correct because the query filters objects larger than 1000 bytes and returns only those keys. Option A is incorrect because the output shows two keys. Option C is incorrect because the command queries objects, not versions.

Option D is incorrect because size > 1000 bytes, not 1000 KB.

94
MCQmedium

A company is designing a containerized microservices architecture on Amazon ECS. The services must be able to discover each other using DNS names. Which AWS service should the company use for service discovery?

A.AWS Cloud Map
B.Amazon Route 53 Resolver
C.Elastic Load Balancing (ELB)
D.Amazon Elastic Container Registry (ECR)
AnswerA

Cloud Map provides DNS-based service discovery for microservices.

Why this answer

AWS Cloud Map is the correct choice because it provides a fully managed service discovery solution that integrates natively with Amazon ECS. It allows microservices to register their DNS names and health checks, enabling other services to discover them via DNS queries or API calls. This directly supports the requirement for containerized services to find each other using DNS names within an ECS cluster.

Exam trap

The trap here is confusing a load balancer (ELB) with service discovery; candidates often think ELB provides DNS-based discovery, but it only routes traffic to a group of targets, not per-instance DNS names for dynamic microservice-to-microservice communication.

How to eliminate wrong answers

Option B (Amazon Route 53 Resolver) is wrong because it is a DNS resolution service for hybrid networks (on-premises to AWS), not a service discovery mechanism for ECS microservices; it does not register or manage service instances. Option C (Elastic Load Balancing) is wrong because it distributes traffic to targets but does not provide DNS-based service discovery for individual service instances; it is a load balancer, not a discovery registry. Option D (Amazon Elastic Container Registry) is wrong because it is a container image repository, not a service discovery tool; it stores Docker images but has no role in DNS resolution or instance registration.

95
MCQmedium

An IAM policy is attached to an S3 bucket to allow access only from a specific IP range. Users report that they can access the bucket from IP addresses outside the range. The bucket policy also includes another statement that denies access to all principals. What is the most likely reason users outside the IP range can still access the bucket?

A.The condition key 'aws:SourceIp' is misspelled.
B.The deny statement does not apply to the users attempting to access the bucket.
C.The policy is an IAM policy, not a bucket policy, and the condition key is invalid.
D.The policy is attached to the IAM user instead of the bucket.
AnswerB

The deny statement might be scoped to a different principal, allowing access from other IPs.

Why this answer

Option A is correct because an explicit deny in another statement would override the allow, but the question says users can access from outside the range, meaning the deny is not effective. The most likely reason is that the deny statement does not apply to the users (e.g., it applies to a different principal). Option B is incorrect because the policy is a bucket policy, not an IAM policy.

Option C is incorrect because the condition is correct syntax. Option D is incorrect because the bucket policy is applied to the bucket, not IAM users.

96
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. The company wants to ensure that if a stack update fails, the stack automatically rolls back to the last known good state. Which CloudFormation stack option should the company configure?

A.Enable termination protection on the stack.
B.Configure a stack policy to prevent updates to critical resources.
C.Set the 'Rollback on failure' option to 'Yes' when performing the stack update.
D.Use a change set to review changes before updating the stack.
AnswerC

This is the default behavior; if an update fails, CloudFormation rolls back automatically.

Why this answer

Option A is correct because CloudFormation stack updates have a 'Rollback on failure' option that defaults to 'Yes'. If an update fails, CloudFormation automatically rolls back to the previous state. Option B is wrong because a stack policy prevents updates to specific resources, not rollback behavior.

Option C is wrong because change sets allow you to preview changes but do not automate rollback. Option D is wrong because termination protection prevents stack deletion, not rollback on failed updates.

97
MCQmedium

A company is migrating a legacy application from an on-premises data center to AWS. The application uses a proprietary network protocol that is not supported by AWS Application Migration Service. What should the company do to migrate this application?

A.Refactor the application to use standard protocols before migration.
B.Use the 7 Rs migration strategy to evaluate other options.
C.Use AWS Application Migration Service with a network bridge appliance.
D.Perform a manual rehost migration using Amazon EC2 and custom AMIs.
AnswerD

Manual rehost bypasses MGN's limitations.

Why this answer

A is correct because rehosting manually allows the company to replicate the environment without depending on MGN. B is wrong because it requires the protocol. C is wrong because it does not address the protocol issue.

D is wrong because it is a migration strategy, not a tool.

98
MCQmedium

A company has a multi-account AWS environment with 50 accounts. They use AWS Organizations and want to centrally manage EC2 instances across all accounts. The operations team needs to run a script on all EC2 instances that are tagged with Environment=Production. The script must be executed once immediately and requires access to a shared S3 bucket in the management account. Which solution meets these requirements with the least operational overhead?

A.Use AWS Systems Manager State Manager to create an association that runs the script on the targeted instances.
B.Use AWS Config to create a custom rule that triggers an AWS Lambda function to run the script on the instances.
C.Use AWS Lambda to directly run the script on EC2 instances using the AWS SDK.
D.Use AWS Systems Manager Run Command with a resource group that selects instances by tag across accounts.
AnswerD

Run Command can execute commands immediately on targeted instances.

Why this answer

Option D is correct because AWS Systems Manager Run Command can target instances by tags across accounts using resource data sync and cross-account delegation. Option A is wrong because AWS Systems Manager State Manager is for scheduled execution, not one-time immediate. Option B is wrong because AWS Config does not execute scripts.

Option C is wrong because AWS Lambda cannot directly run scripts on EC2 instances without additional infrastructure.

99
MCQmedium

A company is deploying a web application using the above CloudFormation template. The template fails to create the Auto Scaling group. What is the most likely cause?

A.The instance type t2.micro is not supported in us-east-1.
B.The MinSize value must be less than the DesiredCapacity.
C.The LaunchConfiguration resource type is incorrect.
D.The AvailabilityZones list is invalid because it uses names instead of zone IDs.
AnswerC

MyLaunchConfig is defined as AWS::AutoScaling::AutoScalingGroup instead of AWS::AutoScaling::LaunchConfiguration.

Why this answer

Option C is correct because the launch configuration uses the wrong resource type (AWS::AutoScaling::AutoScalingGroup) instead of AWS::AutoScaling::LaunchConfiguration. Option A is wrong because t2.micro is a valid instance type. Option B is wrong because the AvailabilityZones are valid.

Option D is wrong because MinSize=2 is valid.

100
MCQhard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an Amazon RDS database that is in a private subnet. The ECS tasks are launched in a public subnet. How should they configure network access?

A.Launch the ECS tasks in the same private subnet as the RDS instance.
B.Place the ECS tasks in a public subnet and use a NAT gateway to route traffic to the database.
C.Set up a VPN connection between the ECS tasks and the database.
D.Use an Application Load Balancer to route traffic to the database.
AnswerA

Tasks in the same subnet can communicate via security groups.

Why this answer

Option D is correct because ECS tasks should be launched in the same VPC and security group as the database, or use VPC peering/transit gateway. Option A is wrong because NAT gateway is for outbound. Option B is wrong because public subnet tasks cannot directly access private RDS without proper routing.

Option C is wrong because VPN is overkill.

101
Multi-Selectmedium

A company runs a web application on EC2 instances behind an ALB. The application uses an Amazon Aurora MySQL database. The operations team notices that the database CPU utilization is consistently above 80% during business hours. The team needs to reduce database load without changing the application code. Which TWO actions should the team take? (Select TWO.)

Select 2 answers
A.Create an Aurora read replica and direct read queries to it.
B.Increase the DB instance class to a larger size.
C.Implement an ElastiCache for Redis caching layer to cache frequent queries.
D.Enable Amazon RDS Performance Insights to identify slow queries.
E.Increase the Auto Scaling group maximum size to handle more traffic.
AnswersA, C

Read replicas offload read traffic from the primary instance.

Why this answer

Option A is correct because implementing an ElastiCache caching layer can reduce repeat database queries. Option D is correct because creating an Aurora read replica and directing read traffic to it offloads the primary instance. Option B is wrong because increasing the DB instance class may help but is not a best practice for immediate load reduction.

Option C is wrong because increasing Auto Scaling group size does not affect database load. Option E is wrong because enabling Performance Insights is for monitoring, not load reduction.

102
Multi-Selecthard

A company is modernizing its monolithic Java application to a microservices architecture on AWS. The application uses a shared Oracle database. The team wants to implement an event-driven architecture. Which TWO AWS services should be used to decouple microservices and handle asynchronous communication?

Select 2 answers
A.AWS AppSync
B.Amazon Simple Notification Service (SNS)
C.Amazon Kinesis Data Streams
D.Amazon EventBridge
E.Amazon Simple Queue Service (SQS)
AnswersD, E

Event bus for event-driven architecture.

Why this answer

Option C (SQS) and Option D (EventBridge) are correct. SQS provides message queuing for decoupling. EventBridge enables event-driven communication.

Option A (SNS) is pub/sub but not for decoupling queues. Option B (Kinesis) is for streaming, not typical decoupling. Option E (AppSync) is for GraphQL APIs.

103
MCQhard

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon Aurora MySQL database. Recently, the application has become slow during peak hours. The operations team notices that the database CPU utilization is high, but the number of connections is within limits. The application is read-heavy. The team wants to improve performance with minimal changes to the application code. The database is currently a single Aurora instance. Which solution should the team implement?

A.Add an Aurora Replica and configure the application to use the reader endpoint for read-only queries.
B.Use Amazon DynamoDB Accelerator (DAX) to cache database queries.
C.Add an Amazon ElastiCache Redis cluster in front of the database.
D.Increase the instance size of the Aurora primary instance.
AnswerA

This offloads read traffic with minimal application changes.

Why this answer

Adding an Aurora Replica distributes read traffic, reducing load on the primary instance. The application must be configured to use the reader endpoint for read queries.

104
MCQhard

Refer to the exhibit. A CloudFormation template creates an S3 bucket with versioning and a public bucket policy. After deployment, users can access objects in the bucket via the internet. However, the security team requires that all access be logged. What is missing from this configuration?

A.The bucket is not encrypted.
B.The bucket policy does not restrict access to a specific IP range.
C.Bucket versioning is not enabled.
D.No logging configuration is specified.
AnswerD

Logging is needed for audit.

Why this answer

Option D is correct. The template does not enable S3 server access logs or AWS CloudTrail for object-level logging. Option A is wrong because versioning is enabled.

Option B is wrong because the policy is public. Option C is wrong because the bucket is not encrypted.

105
Multi-Selectmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent latency spikes. The operations team has enabled detailed CloudWatch metrics and EC2 instance status checks. The team needs to identify the root cause of the latency. Which TWO actions should the team take to diagnose the issue? (Choose two.)

Select 2 answers
A.Enable detailed monitoring (1-minute metrics) on the ALB and create a CloudWatch dashboard to view the RequestCount and TargetResponseTime metrics.
B.Integrate the application with AWS X-Ray and enable tracing on the EC2 instances to capture trace data for all requests.
C.Set up an Amazon CloudWatch Synthetics canary that follows a step-by-step guide through the application and monitor the step durations.
D.Enable access logging on the ALB and analyze the logs to find requests with high latency.
E.Enable VPC Flow Logs on the subnets where the EC2 instances reside and analyze the logs for packet loss.
AnswersC, D

Correct: Canaries can measure end-to-end latency and pinpoint slow steps.

Why this answer

Option C is correct because CloudWatch Synthetics canaries simulate user workflows step by step, and monitoring step durations helps pinpoint which specific part of the application is causing latency spikes. This provides granular, end-to-end visibility into the user experience beyond what aggregate metrics offer.

Exam trap

The trap here is that candidates often confuse network-level diagnostics (VPC Flow Logs) or aggregate metrics (ALB detailed monitoring) with the application-level, user-experience-focused diagnostics needed to pinpoint the root cause of latency spikes in a web application.

106
MCQhard

A company uses AWS Organizations and wants to delegate administration of a specific service to a member account. The service must be able to perform actions across all accounts in the organization. Which steps should the company take?

A.Use AWS Organizations to register the member account as a delegated administrator for the service.
B.Create a service-linked role in each account to allow the service to perform actions.
C.Grant the member account IAM permissions to assume the OrganizationAccountAccessRole in all accounts.
D.Create an IAM role in each account with a trust policy that allows the service to assume it.
AnswerA

Delegated administration allows the member account to manage the service across the organization.

Why this answer

Option A is correct because AWS Organizations allows you to register a member account as a delegated administrator for a service, which then allows that service to perform cross-account actions. Option B is wrong because creating a service-linked role in each account is not necessary; the delegated administrator can create them on behalf of other accounts. Option C is wrong because the Organizations management account does not need to grant cross-account access; the service can do it.

Option D is wrong because IAM roles in each account are not needed if the service supports delegated administration.

107
MCQeasy

A company uses AWS Organizations with consolidated billing. The finance team needs to allocate costs to different departments based on resource tags. However, some resources are not tagged. What is the most effective solution?

A.Use AWS Trusted Advisor to check for untagged resources.
B.Use Service Control Policies to deny creation of untagged resources.
C.Use AWS Cost Categories to create rules for untagged resources and AWS Budgets to alert when resources lack tags.
D.Use AWS Cost Explorer to filter by tags and manually identify untagged resources.
AnswerC

Cost Categories allocate costs; Budgets can trigger alerts for untagged resources.

Why this answer

Option B is correct because AWS Cost Categories allow allocation based on rules, and AWS Budgets can notify when untagged resources are created. Option A is wrong because Cost Explorer alone cannot enforce tagging. Option C is wrong because SCPs cannot enforce tagging on all resources.

Option D is wrong because Trusted Advisor does not enforce tagging.

108
MCQmedium

A company is designing a new CI/CD pipeline for a containerized application using AWS CodePipeline. The application source code is stored in an Amazon S3 bucket. The pipeline must automatically build a Docker image from the source code and push it to Amazon ECR. Which action should be used as the build provider?

A.AWS CodeDeploy
B.AWS CodeCommit
C.Amazon ECS
D.AWS CodeBuild
AnswerD

AWS CodeBuild is a fully managed build service that can compile source code, run tests, and produce software packages, including Docker images, which it can push to ECR.

Why this answer

Option B is correct because AWS CodeBuild can build Docker images and push them to ECR. Option A is wrong because AWS CodeCommit is a source control service, not a build provider. Option C is wrong because Amazon ECS is a container orchestration service, not a build service.

Option D is wrong because AWS CodeDeploy is a deployment service, not a build service.

109
MCQeasy

A company's security team wants to ensure that all S3 buckets are encrypted at rest. They have thousands of existing buckets. Which approach should a Solutions Architect use to identify noncompliant buckets?

A.Use AWS Trusted Advisor to check bucket encryption.
B.Analyze AWS CloudTrail logs for PutBucketEncryption API calls.
C.Enable S3 Inventory to list all objects and their encryption status.
D.Create an AWS Config rule to evaluate S3 bucket encryption settings.
AnswerD

Config rules can evaluate all buckets.

Why this answer

Option B is correct because AWS Config has managed rules to check S3 bucket encryption. Option A is wrong because Trusted Advisor checks only a subset of buckets. Option C is wrong because S3 Inventory provides object metadata, not encryption status.

Option D is wrong because CloudTrail logs API calls, not current state.

110
MCQmedium

A company needs to store configuration files for multiple environments (dev, test, prod) and retrieve them programmatically with versioning and access control. Which AWS service should be used?

A.AWS Secrets Manager
B.Amazon S3
C.AWS Systems Manager Parameter Store
D.Amazon DynamoDB
AnswerC

Parameter Store is designed for configuration management.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data with versioning and IAM policies. Option A is wrong because S3 is object storage, not specifically for config. Option B is wrong because Secrets Manager is for secrets.

Option C is wrong because DynamoDB is NoSQL.

111
MCQeasy

A company wants to monitor CPU utilization of their EC2 instances and receive an alert when utilization exceeds 80% for 10 minutes. Which AWS service should be used?

A.Amazon Inspector
B.AWS Config
C.Amazon CloudWatch Alarms
D.AWS CloudTrail
AnswerC

CloudWatch Alarms monitor metrics and send notifications.

Why this answer

CloudWatch Alarms can monitor metrics and trigger actions when a threshold is breached.

112
Multi-Selectmedium

A company is designing a new application that will run on Amazon ECS with Fargate. They need to store configuration data and secrets securely. Which services should they use? (Choose TWO.)

Select 2 answers
A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon S3
D.AWS CloudFormation
E.AWS KMS
AnswersA, B

Designed for secrets management.

Why this answer

AWS Secrets Manager is correct because it is purpose-built for securely storing, rotating, and managing secrets such as database credentials and API keys throughout their lifecycle. It integrates natively with Amazon ECS to inject secrets into containers at runtime without exposing them in the task definition or environment variables, meeting the requirement for secure configuration data and secrets.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secure strings) with AWS Secrets Manager, but the exam expects you to know that Secrets Manager is the preferred service for secrets that require automatic rotation, while Parameter Store is better for configuration data that does not need rotation, and both are correct in this question because the requirement is to store both configuration data and secrets securely.

113
MCQeasy

A company uses AWS Organizations with a single OU. The management account has a service control policy (SCP) that denies all actions on EC2 instances with a specific tag. However, users in a member account can still terminate tagged instances. What is the most likely cause?

A.The SCP is attached to the root, not the OU.
B.The users have a permissions boundary that allows the actions.
C.The SCP's condition key does not match the actual tag.
D.The users are operating in the management account.
AnswerD

SCPs do not apply to the management account.

Why this answer

SCPs do not affect the management account in AWS Organizations. They can only restrict permissions in member accounts. Since the users are operating in the management account, the SCP denying EC2 termination based on a tag has no effect, allowing them to terminate the tagged instances.

Exam trap

The trap here is that candidates assume SCPs apply to all accounts in the organization, including the management account, but AWS explicitly exempts the management account from SCP evaluation.

How to eliminate wrong answers

Option A is wrong because attaching the SCP to the root or the OU does not change its applicability—SCPs apply to all member accounts under the root or OU, but never to the management account. Option B is wrong because a permissions boundary can only restrict, not allow, actions beyond what the SCP denies; SCPs are an outer boundary that overrides any IAM permissions, including boundaries. Option C is wrong because if the condition key did not match the actual tag, the SCP would not deny the action, but the question states the SCP is designed to deny actions on EC2 instances with a specific tag; the most likely cause given the scenario is that users are in the management account, not a condition mismatch.

114
MCQmedium

A media company is designing a new video transcoding pipeline on AWS. Raw video files (up to 10 GB each) are uploaded by users to an S3 bucket. Each upload must be transcoded into multiple formats (MP4, WebM, HLS) and stored in another S3 bucket. The transcoding job can take up to 30 minutes per file. The company needs a solution that is cost-effective and can handle hundreds of concurrent uploads. The operations team wants to minimize maintenance. Which solution should a Solutions Architect recommend?

A.Use S3 event notifications to invoke an AWS Lambda function that performs transcoding and stores results.
B.Use S3 event notifications to invoke a Lambda function that submits a job to AWS Elemental MediaConvert for each file.
C.Use an Auto Scaling group of EC2 instances with transcoding software installed. Configure S3 events to send messages to an SQS queue, which the instances poll.
D.Use S3 event notifications to trigger an AWS Step Functions workflow that runs an ECS Fargate task for each file.
AnswerB

MediaConvert is a managed, scalable service designed for video transcoding; Lambda handles the orchestration.

Why this answer

Option B is correct because AWS Elemental MediaConvert is a fully managed, serverless media transcoding service designed for high-volume, multi-format video processing. Using S3 event notifications to invoke a Lambda function that submits a job to MediaConvert offloads the transcoding complexity, scales automatically to handle hundreds of concurrent uploads, and requires no infrastructure maintenance, making it both cost-effective and operationally minimal.

Exam trap

The trap here is that candidates may choose Option A (Lambda) without considering the 15-minute timeout limit, or Option D (Step Functions + Fargate) because it sounds serverless, but they overlook that MediaConvert is the fully managed, cost-optimized service specifically designed for this use case.

How to eliminate wrong answers

Option A is wrong because AWS Lambda has a maximum execution timeout of 15 minutes, but the transcoding job can take up to 30 minutes per file, so the Lambda function would time out before completion. Option C is wrong because managing an Auto Scaling group of EC2 instances with transcoding software introduces significant maintenance overhead (patching, scaling policies, instance health) and is not cost-effective for sporadic or bursty workloads compared to a serverless service. Option D is wrong while technically possible, using ECS Fargate tasks orchestrated by Step Functions adds unnecessary complexity and cost compared to MediaConvert, which is purpose-built for video transcoding and natively integrates with S3; Fargate requires custom container images, task definitions, and more operational overhead.

115
Multi-Selecthard

A company is migrating a large number of on-premises VMs to AWS. They need to assess the current environment and track migration progress. Which THREE AWS services should be used together?

Select 3 answers
A.AWS Server Migration Service (SMS)
B.AWS Application Migration Service (MGN)
C.AWS Migration Hub
D.AWS Database Migration Service (DMS)
E.AWS Application Discovery Service
AnswersB, C, E

Automates lift-and-shift migration of VMs.

Why this answer

Options A, C, and D are correct. AWS Application Discovery Service discovers on-premises servers. AWS Migration Hub tracks migration progress across multiple tools.

AWS Application Migration Service (MGN) automates the migration of VMs. Option B is wrong because Server Migration Service (SMS) is deprecated. Option E is wrong because DMS is for database migration, not VMs.

116
MCQhard

A company has a multi-account AWS environment and uses AWS Organizations. The security team wants to automatically remediate non-compliant resources, such as S3 buckets that are publicly accessible. Which design should they implement?

A.Use Amazon Inspector to scan for public buckets.
B.Use an SCP to deny making buckets public.
C.Use AWS Config rules to detect public buckets and trigger an AWS Lambda function to make them private.
D.Use AWS CloudTrail to send alerts when a bucket becomes public.
AnswerC

Config rules can invoke Lambda for remediation.

Why this answer

Option C is correct because AWS Config rules can continuously evaluate S3 bucket configurations against a custom or managed rule (e.g., 's3-bucket-public-read-prohibited'). When a bucket is detected as publicly accessible, the rule can invoke an AWS Lambda function via an Amazon CloudWatch Events event to automatically apply a bucket policy that removes public access, achieving automated remediation.

Exam trap

The trap here is that candidates often confuse preventive controls (SCPs) with detective and corrective controls (AWS Config + Lambda), assuming SCPs can automatically fix existing non-compliant resources, when in reality SCPs only block future API actions and do not remediate current state.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is designed for vulnerability management and network accessibility assessments of EC2 instances, containers, and Lambda functions, not for scanning S3 bucket public access configurations. Option B is wrong because Service Control Policies (SCPs) can only deny or allow API actions at the account level (e.g., s3:PutBucketPolicy), but they cannot remediate already-public buckets; they prevent future changes but do not fix existing non-compliant resources. Option D is wrong because AWS CloudTrail logs API calls and can send alerts via CloudWatch alarms when a bucket becomes public, but it does not provide automated remediation; it only notifies, leaving the security team to manually fix the issue.

117
MCQhard

During an on-premises to AWS migration using AWS MGN (Application Migration Service), the replication is stuck at 99% for the last few GB. The source server is a Linux database server with a large InnoDB redo log. What is the most likely cause?

A.High disk I/O on the source server
B.The source server needs reboot after MGN agent installation
C.Insufficient network bandwidth between source and AWS
D.Continuous writes to the database redo logs preventing final sync
AnswerD

MGN cannot finalize because the changed block tracking detects ongoing changes.

Why this answer

AWS MGN uses changed block tracking (CBT) to replicate changed blocks. Large InnoDB redo logs are continuously written, causing constant changes and preventing final sync. Option A (network bandwidth) would affect all stages.

Option B (disk I/O) might slow down but not stall. Option D (source server reboot) might reset replication but not cause a stall at 99%.

118
MCQmedium

A company uses Amazon DynamoDB as its primary database. The operations team is seeing increased read latency during peak hours. The table has a provisioned read capacity of 1000 RCU, but CloudWatch metrics show that consumed read capacity frequently reaches 1000 RCU. The application uses eventually consistent reads. What is the MOST cost-effective way to reduce read latency?

A.Switch to strongly consistent reads to improve consistency.
B.Enable DynamoDB Accelerator (DAX) to cache frequently read items.
C.Create a global secondary index (GSI) on the table to offload reads.
D.Increase the provisioned read capacity to 2000 RCU.
E.Use Amazon ElastiCache for Memcached as a read cache.
AnswerB

DAX provides microsecond read latency and reduces load on the table.

Why this answer

Option C is correct because enabling DynamoDB Accelerator (DAX) provides an in-memory cache that reduces read latency without increasing provisioned RCU. Option A is wrong because increasing RCU increases cost. Option B is wrong because switching to strongly consistent reads would double RCU consumption.

Option D is wrong because adding a global secondary index does not reduce read latency for the base table. Option E is wrong because using ElastiCache adds complexity and cost.

119
MCQmedium

A company is moving a legacy application that uses a shared file system to AWS. The application requires POSIX-compliant file storage that can be accessed by multiple EC2 instances simultaneously. Which AWS storage service should they use?

A.Amazon FSx for Windows File Server
B.Amazon EFS
C.Amazon EBS with Multi-Attach
D.Amazon S3
AnswerB

Provides a scalable, POSIX-compliant NFS file system.

Why this answer

Option C (Amazon EFS) is correct because it provides a scalable, POSIX-compliant NFS file system for EC2. Option A (S3) is object storage, not POSIX. Option B (EBS) can only be attached to one instance at a time.

Option D (FSx for Windows) is for SMB, not POSIX.

120
Multi-Selecthard

A company is migrating a large-scale e-commerce platform to AWS. The platform uses a MySQL database with a 2 TB dataset. They want to modernize to Amazon Aurora MySQL with minimal downtime. Which THREE steps should they take? (Select THREE.)

Select 3 answers
A.Use AWS Schema Conversion Tool (SCT) to convert the existing schema to Aurora MySQL
B.Set up an Aurora Replica from the source MySQL instance
C.Use Amazon RDS for MySQL instead of Aurora
D.Migrate the database to Amazon DynamoDB
E.Use AWS DMS with ongoing replication using Change Data Capture (CDC)
AnswersA, B, E

SCT helps convert schema for Aurora compatibility.

Why this answer

The migration to Aurora MySQL with minimal downtime involves: using AWS SCT to convert the schema (A), using AWS DMS for ongoing replication with CDC (B), and setting up a read replica from the source to reduce load (C). Option D (DynamoDB) is a different database. Option E (RDS for MySQL) does not modernize to Aurora.

121
MCQmedium

Refer to the exhibit. An administrator runs this command and sees the output. Which statement about the accounts is correct?

A.The Suspended account was invited to the organization.
B.The Production account is the management account.
C.The Suspended account cannot be used until it is reactivated.
D.The Management account was created directly.
AnswerC

Suspended accounts are not active and must be reactivated.

Why this answer

The command output shows the account status as 'SUSPENDED'. In AWS Organizations, a suspended account cannot be used for any AWS operations until it is reactivated by the management account. This is a hard state enforced by the service, regardless of how the account was added to the organization.

Exam trap

The trap here is that candidates often confuse account status (SUSPENDED) with the method of account creation (invited vs. created), leading them to incorrectly infer that a suspended account must have been invited, when in fact suspension is independent of how the account joined the organization.

How to eliminate wrong answers

Option A is wrong because a suspended account is not necessarily one that was invited; it could have been created directly or invited and then suspended. The status alone does not indicate the invitation method. Option B is wrong because the 'Production' account is listed as a member account (not the management account), as the management account is the one that initiated the organization and is not shown in the list of member accounts.

Option D is wrong because the management account is the original account that created the organization; it is not 'created directly' within the organization — it is the root account that already existed before the organization was formed.

122
Multi-Selectmedium

A company has an Amazon RDS for PostgreSQL database that is experiencing high CPU utilization due to a large number of read queries. They need to offload read traffic and improve performance. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Enable Multi-AZ deployment for the database.
B.Create one or more read replicas in the same Region.
C.Increase the instance size of the primary database.
D.Use Amazon ElastiCache to cache query results.
E.Implement an RDS Proxy to manage connections.
AnswersB, E

Read replicas serve read traffic, reducing load on the primary.

Why this answer

Options A and D are correct. A: Creating a read replica offloads read queries from the primary database. D: Using an RDS Proxy allows connection pooling, reducing overhead.

Option B is wrong because Multi-AZ is for high availability, not read scaling. Option C is wrong because increasing instance size can help but is often more expensive than read replicas. Option E is wrong because ElastiCache is for caching data, not for offloading database queries directly.

123
MCQmedium

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

A.Use a VPN connection from each application VPC to the shared VPC.
B.Use AWS Resource Access Manager to share the Transit Gateway with the application accounts.
C.Use VPC peering between the shared VPC and each application VPC.
D.Create IAM roles in each application account that allow the networking team to create VPC attachments.
AnswerB

RAM allows sharing the Transit Gateway, and the networking team can accept or reject attachments via RAM.

Why this answer

AWS Resource Access Manager (RAM) allows the centralized networking team to share the Transit Gateway with specific application accounts, enabling authorized VPCs to create attachments without exposing the resource to all accounts. This approach is secure because it uses resource-based policies to grant access only to designated accounts, and scalable because it avoids the administrative overhead of managing individual VPNs or VPC peering connections as the number of application VPCs grows.

Exam trap

The trap here is that candidates often confuse IAM permissions (Option D) with resource-based sharing via RAM, thinking that granting IAM roles to create attachments is sufficient, but RAM provides explicit authorization at the resource level, which is more secure and scalable for cross-account access.

How to eliminate wrong answers

Option A is wrong because using a VPN connection from each application VPC to the shared VPC introduces unnecessary complexity, latency, and bandwidth limitations compared to using a Transit Gateway, and it does not scale well as the number of VPCs increases. Option C is wrong because VPC peering requires a one-to-one connection between each application VPC and the shared VPC, which does not scale and creates a mesh of connections that is difficult to manage, and it also does not provide centralized routing or transitive connectivity. Option D is wrong because creating IAM roles in each application account that allow the networking team to create VPC attachments does not control which VPCs can connect; it only grants permission to create attachments, but any VPC in the application account could potentially attach, and it does not enforce authorization at the resource level like RAM does.

124
Multi-Selecthard

A company has a multi-account environment and wants to centralize logging for all AWS API calls. Which TWO services should they use together to achieve this?

Select 2 answers
A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.Amazon GuardDuty
D.Amazon S3
E.AWS Config
AnswersA, B

Logs API calls.

Why this answer

AWS CloudTrail is the service that records all AWS API calls made in an account, capturing the who, what, when, and source IP for every action. To centralize these logs from multiple accounts into a single location, you can configure CloudTrail to deliver log files to a centralized Amazon S3 bucket, and then use Amazon CloudWatch Logs to monitor, search, and alert on those API events in real time. Together, they provide a complete, centralized logging and monitoring solution for API activity across a multi-account environment.

Exam trap

The trap here is that candidates often confuse Amazon S3 as a logging service rather than a storage destination, or they mistakenly think GuardDuty or AWS Config can replace CloudTrail for capturing API calls.

125
MCQmedium

A company is migrating a monolithic application to microservices on AWS. They have identified that some services require high-throughput, low-latency data sharing. Which AWS service should they use for this purpose?

A.Amazon ElastiCache for Redis
B.Amazon RDS
C.Amazon S3
D.AWS Glue
AnswerA

ElastiCache for Redis provides high-throughput, low-latency in-memory caching.

Why this answer

Amazon ElastiCache for Redis provides an in-memory data store with microsecond latency, ideal for high-throughput data sharing. Option A (Amazon RDS) is a relational database, Option C (Amazon S3) is object storage, and Option D (AWS Glue) is an ETL service.

126
Multi-Selectmedium

A company is designing a new serverless application using AWS Lambda. The application needs to access an Amazon RDS for PostgreSQL database. The database credentials must be rotated automatically every 30 days. Which THREE steps should the company take to securely manage the credentials? (Choose three.)

Select 3 answers
A.Store the database credentials in AWS Secrets Manager.
B.Configure automatic rotation for the secret in AWS Secrets Manager.
C.Grant the Lambda function's IAM role permission to access the RDS database directly.
D.Write custom rotation logic in the Lambda function to change the database password.
E.Grant the Lambda function's IAM role permission to retrieve the secret from Secrets Manager.
AnswersA, B, E

Secrets Manager is designed for storing secrets.

Why this answer

Options A, C, and D are correct. Store credentials in Secrets Manager, configure automatic rotation, and grant Lambda access to retrieve secrets via IAM policy. Option B is wrong because Lambda does not need direct access to RDS for credential management.

Option E is wrong because rotation is handled by Secrets Manager, not by Lambda.

127
MCQeasy

A company is planning to migrate its on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and the company has a high-speed network connection to AWS. Which AWS service should the company use to migrate the database with minimal downtime?

A.Amazon S3 Transfer Acceleration
B.AWS Database Migration Service (DMS)
C.AWS Snowball Edge
D.AWS Schema Conversion Tool (SCT)
AnswerB

DMS can migrate Oracle to RDS for Oracle with minimal downtime using CDC.

Why this answer

Option B is correct because AWS DMS supports Oracle to RDS for Oracle migration with ongoing replication for minimal downtime. Option A is incorrect because SCT is used for schema conversion, not data migration. Option C is incorrect because Snowball Edge is for offline data transfer and not suitable for databases with minimal downtime.

Option D is incorrect because S3 Transfer Acceleration is for uploading to S3, not for database migration.

128
MCQmedium

A company is running a production web application on AWS Auto Scaling EC2 instances behind an Application Load Balancer. Recent deployments have caused intermittent errors. The team wants to implement a deployment strategy that minimizes downtime and allows for quick rollback. Which strategy should they use?

A.Deploy a new version to a single instance, test, then scale out.
B.Use blue/green deployment with a second Auto Scaling group and switch the ALB target group.
C.Perform rolling updates with a single Auto Scaling group, updating a few instances at a time.
D.Use an immutable deployment by launching a new Auto Scaling group and terminating the old one.
AnswerB

Blue/green allows instant switch and immediate rollback.

Why this answer

Option B is correct because blue/green deployment with a second Auto Scaling group and ALB switch allows instant rollback by switching back to the original environment. Option A is wrong because rolling updates with a single ASG can still cause partial downtime and slower rollback. Option C is wrong because it does not minimize downtime and requires manual intervention.

Option D is wrong because immutable deployments replace instances, but rollback requires redeployment.

129
MCQhard

Refer to the exhibit. A company has an S3 bucket policy that allows GetObject access from two IP ranges (10.0.0.0/16 and 192.168.0.0/16). The policy also denies all S3 actions on the 'confidential/' prefix unless the request comes from the 10.0.0.0/16 range. Which of the following statements is true?

A.Users from 192.168.0.0/16 can access objects in the confidential/ prefix.
B.Users from 10.0.0.0/16 can access objects in the confidential/ prefix, but users from 192.168.0.0/16 cannot.
C.Users from 10.0.0.0/16 cannot access objects in the confidential/ prefix.
D.The policy has no effect because the Allow and Deny statements cancel each other.
AnswerB

The Deny statement denies access to confidential/ for IPs not in 10.0.0.0/16, so only 10.0.0.0/16 is allowed.

Why this answer

The S3 bucket policy includes an explicit Deny statement that blocks all S3 actions on the 'confidential/' prefix unless the request originates from the 10.0.0.0/16 IP range. Since explicit Deny statements override any Allow statements in AWS IAM policy evaluation, users from 192.168.0.0/16 are denied access to the 'confidential/' prefix even though the GetObject Allow statement includes that range. Only users from 10.0.0.0/16 satisfy the condition in the Deny statement and can therefore access objects in the 'confidential/' prefix.

Exam trap

The trap here is that candidates often assume an Allow statement for a broader set of IPs will grant access to all prefixes, overlooking that an explicit Deny with a condition can carve out exceptions, and that AWS evaluates Deny statements before Allow statements.

How to eliminate wrong answers

Option A is wrong because the explicit Deny statement on the 'confidential/' prefix blocks all requests not coming from 10.0.0.0/16, so users from 192.168.0.0/16 are denied access. Option B is correct as explained. Option C is wrong because the Deny statement specifically allows requests from 10.0.0.0/16, so users from that range can access the 'confidential/' prefix.

Option D is wrong because the Allow and Deny statements do not cancel each other; AWS IAM policy evaluation uses an explicit Deny override, so the Deny statement takes precedence over the Allow statement for requests from 192.168.0.0/16, while the Allow statement still applies to other objects.

130
MCQmedium

A company is migrating a legacy Citrix XenApp environment to AWS. The application requires Windows-based virtual desktops for 200 users. Users need to access the desktops from various devices, including thin clients and mobile devices. Which solution is most cost-effective and scalable?

A.Use Amazon AppStream 2.0 to stream the application to users.
B.Launch Amazon EC2 Windows instances and enable Remote Desktop Services (RDS).
C.Deploy Amazon WorkSpaces with Windows-based bundles.
D.Use Amazon WorkDocs for document access and collaboration.
AnswerC

WorkSpaces provides managed virtual desktops accessible from any device.

Why this answer

Option C is correct because Amazon WorkSpaces provides managed Windows desktops accessible from various devices. Option A is wrong because EC2 with RDS is not a managed desktop solution. Option B is wrong because AppStream 2.0 is for streaming individual applications.

Option D is wrong because WorkDocs is a document service.

131
MCQeasy

A company is modernizing a monolithic application into microservices on Amazon ECS. They want to decouple services and improve resilience. Which AWS service should they use for asynchronous communication between microservices?

A.Amazon SQS
B.Amazon Kinesis Data Streams
C.Amazon API Gateway
D.Amazon SNS
AnswerA

SQS provides a queue for asynchronous decoupled messaging.

Why this answer

Amazon SQS provides a fully managed message queue for asynchronous communication, decoupling services. Option A (Amazon SNS) is pub/sub, not point-to-point queue. Option C (Amazon Kinesis) is for streaming data.

Option D (Amazon API Gateway) is for synchronous REST APIs.

132
MCQmedium

A company is designing a new application that will run on Amazon ECS with Fargate launch type. The application needs to store session state that is shared across multiple tasks. The session data must be highly available and low-latency. Which AWS service should be used to store the session state?

A.Amazon EFS
B.Amazon ElastiCache for Redis
C.Amazon RDS for MySQL
D.Amazon DynamoDB
AnswerB

Redis is an in-memory data store that provides sub-millisecond latency and supports session management features.

Why this answer

Option B is correct because Amazon ElastiCache for Redis provides an in-memory data store with low latency and high availability, ideal for session state. Option A is wrong because DynamoDB is a NoSQL database with higher latency than in-memory. Option C is wrong because EFS is a file system, not optimized for session state.

Option D is wrong because RDS is a relational database with higher latency.

133
Multi-Selectmedium

A company is using AWS CodePipeline to automate deployments. They want to add a manual approval step before deploying to production. Which TWO actions are required?

Select 2 answers
A.Create a Lambda function to trigger the approval
B.Add a manual approval action to the pipeline
C.Set up a CloudWatch Events rule to invoke the approval
D.Configure an SNS topic to notify the approver
E.Create an IAM role that allows the approver to perform the approval action
AnswersB, E

The pipeline must include a manual approval stage.

Why this answer

Options A and D are correct. A: You need an IAM role for the approval action to allow the approver to review. D: The pipeline must be configured with a manual approval action.

Option B is wrong because SNS is optional for notification, not required. Option C is wrong because a Lambda function is not required for manual approval. Option E is wrong because CloudWatch Events can be used but not required.

134
MCQeasy

A company uses AWS CloudFormation to manage infrastructure. They want to detect drift from the intended template configuration. Which service should they use?

A.AWS Config
B.AWS Service Catalog
C.AWS CloudTrail
D.CloudFormation Drift Detection
AnswerD

CloudFormation Drift Detection directly compares stack resources to the template.

Why this answer

AWS CloudFormation Drift Detection is a native feature that compares the actual resource configuration with the template. Option A is correct. Options B, C, and D are other services but not specifically for CloudFormation drift detection.

135
MCQhard

Refer to the exhibit. A company applies this SCP to all accounts in an AWS Organization. What is the effect of this policy?

A.Allows only t3.micro and t3.small instances to be launched.
B.Denies launching instances that are not t3.micro or t3.small for IAM users and roles, but not root.
C.Has no effect because SCPs cannot deny actions.
D.Denies launching any instance except t3.micro and t3.small for all users including root.
AnswerB

SCPs apply to IAM users and roles, not to root user.

Why this answer

The SCP uses a Deny effect with a condition that denies any EC2:RunInstances action unless the instance type is t3.micro or t3.small. However, SCPs do not affect the root user (the management account's root user) because SCPs cannot restrict the root user in the management account. Therefore, the policy denies launching non-compliant instance types for IAM users and roles, but not for the root user.

Exam trap

The trap here is that candidates often forget that SCPs do not apply to the root user of the management account, leading them to incorrectly assume the policy denies all users including root.

How to eliminate wrong answers

Option A is wrong because the SCP does not allow only those instance types; it denies all others, but the effect is a deny, not an allow, and it does not apply to root. Option C is wrong because SCPs can deny actions; they are a type of policy that can explicitly deny API actions. Option D is wrong because SCPs do not apply to the root user in the management account; root is exempt from SCP restrictions.

136
MCQhard

A company is designing a new application that must be highly available across multiple AWS Regions. The application will run on EC2 instances behind an Application Load Balancer. The company needs a DNS-based routing policy that routes users to the nearest healthy endpoint based on latency. Which Amazon Route 53 routing policy should be used?

A.Latency routing policy
B.Failover routing policy
C.Weighted routing policy
D.Simple routing policy
AnswerA

Latency routing policy routes traffic to the region that provides the lowest latency for the user based on historical latency data.

Why this answer

Option D is correct because Latency-based routing directs traffic to the region with the lowest latency for the user. Option A is wrong because Simple routing is for a single resource. Option B is wrong because Weighted routing distributes traffic based on weights, not latency.

Option C is wrong because Failover routing is for active-passive setups.

137
MCQmedium

A company is migrating a batch processing workload to AWS. The workload runs on a schedule and processes large files stored on a network file system. The company wants to use a serverless architecture to reduce costs. Which combination of AWS services should the company use?

A.AWS Step Functions, Amazon EMR, and Amazon EFS.
B.Amazon CloudWatch Events, AWS Lambda, and Amazon Kinesis Data Firehose.
C.AWS Step Functions, AWS Lambda, and Amazon S3.
D.Amazon CloudWatch Events, Amazon EC2, and Amazon EBS.
AnswerC

Step Functions orchestrates Lambda functions, and S3 stores files.

Why this answer

Option A is correct because AWS Step Functions can orchestrate the workflow, Lambda can process files, and S3 can store the files. Option B is wrong because EMR is not serverless. Option C is wrong because EC2 is not serverless.

Option D is wrong because Kinesis is for streaming.

138
MCQhard

A company is designing a global application that requires a highly available and low-latency API. The API will be consumed by clients across the world. The backend consists of an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances in a single AWS Region. The company wants to improve performance for global users. Which solution meets these requirements with minimal operational overhead?

A.Deploy the application in multiple Regions and use Amazon Route 53 latency-based routing with active-passive failover.
B.Create an Amazon CloudFront distribution with Lambda@Edge to proxy requests to the ALB.
C.Create an AWS Global Accelerator accelerator with the ALB as an endpoint.
D.Create an Amazon CloudFront distribution with the ALB as the origin.
AnswerC

Global Accelerator uses the AWS global network and anycast IPs to route traffic to the nearest healthy endpoint, reducing latency without multi-Region deployment.

Why this answer

Option D is correct because AWS Global Accelerator uses the AWS global network to route traffic to the optimal endpoint, providing low latency and high availability. Option A is wrong because Lambda@Edge is for content transformation, not API proxying. Option B is wrong because CloudFront can cache API responses but is not ideal for dynamic APIs that require low latency; Global Accelerator is better for non-cacheable traffic.

Option C is wrong because active-passive setup with Route 53 failover does not optimize latency for global users.

139
MCQhard

A financial services company needs to store sensitive customer data in Amazon S3 with encryption at rest. They require that the encryption keys be stored in AWS CloudHSM and that the S3 bucket must not be able to access the keys without explicit permission. Which S3 encryption option should they use?

A.SSE-S3
B.SSE-C
C.Client-side encryption
D.SSE-KMS
AnswerB

Allows customer to provide keys stored in CloudHSM.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) is correct because it allows the customer to supply their own encryption keys, which can be stored in AWS CloudHSM, and S3 will use those keys to encrypt data at rest. With SSE-C, the customer manages the keys outside of AWS, and S3 cannot access the keys without explicit permission because the keys are provided per request and not stored by AWS. This meets the requirement of storing keys in CloudHSM and ensuring S3 has no independent access to them.

Exam trap

The trap here is that candidates often choose SSE-KMS assuming it supports CloudHSM via a custom key store, but SSE-KMS still allows S3 to access the key through KMS policies without requiring the key to be provided per request, which does not meet the 'explicit permission per access' requirement as strictly as SSE-C does.

How to eliminate wrong answers

Option A (SSE-S3) is wrong because it uses AWS-managed keys stored and managed entirely by S3, not in CloudHSM, and S3 inherently has access to the keys without explicit customer permission. Option C (Client-side encryption) is wrong because it encrypts data before sending to S3, which does not use S3's server-side encryption at rest and does not involve S3 managing keys or encryption; the requirement specifies S3 encryption at rest. Option D (SSE-KMS) is wrong because it uses AWS KMS keys, which are not stored in CloudHSM; while KMS can use a CloudHSM key store (custom key store), the keys are still managed by KMS, and S3 can access them via KMS policies without requiring per-request key provision, which does not satisfy the explicit permission requirement as strictly as SSE-C.

140
MCQmedium

A company wants to migrate its on-premises Active Directory to AWS Managed Microsoft AD to support Windows-based workloads on AWS. The company has a complex Active Directory structure with multiple domains, group policies, and trusts with external directories. Which migration approach should the company use?

A.Replace Active Directory with AWS Identity and Access Management (IAM) for all authentication
B.Establish a forest trust between the on-premises AD and AWS Managed Microsoft AD, then gradually move resources to AWS
C.Rebuild the entire Active Directory structure from scratch in AWS Managed Microsoft AD
D.Use AD Connector to proxy authentication requests from AWS to the on-premises AD
AnswerB

Correct. A trust allows seamless coexistence and incremental migration.

Why this answer

Setting up a trust between the on-premises AD and AWS Managed Microsoft AD allows gradual migration of resources. This maintains existing authentication and group policies during the transition. Replacing AD with IAM is not suitable for Windows workloads.

Replicating the entire AD structure via AD Connector is not possible. A full rebuild is complex and risky.

141
MCQhard

A company is deploying a multi-tier web application on AWS. The application must be highly available across three Availability Zones. The web tier runs on EC2 instances behind an Application Load Balancer (ALB). The application tier runs on EC2 instances behind a Network Load Balancer (NLB). The database tier uses a Multi-AZ RDS instance. To reduce cross-AZ data transfer costs, which design should be implemented?

A.Use AWS Global Accelerator to reduce data transfer costs
B.Place all web tier instances in one AZ and all application tier instances in another AZ
C.Use a single AZ for all tiers to avoid cross-AZ traffic
D.Place web and application tier instances in the same subnets across all three AZs
AnswerD

ALB and NLB can route to targets in the same AZ, reducing cross-AZ traffic.

Why this answer

Option D is correct because placing web and application tier EC2 instances in the same subnets across all three Availability Zones ensures that traffic between the ALB and NLB, as well as between the NLB and application instances, stays within the same AZ whenever possible. This design leverages the ALB's cross-zone load balancing behavior (enabled by default) and the NLB's ability to route traffic to targets in the same AZ, minimizing cross-AZ data transfer costs. AWS charges for data transfer between AZs, so keeping traffic within the same AZ reduces those costs while maintaining high availability across three AZs.

Exam trap

The trap here is that candidates may think placing all resources in a single AZ (Option C) is acceptable for cost savings, but the question explicitly requires high availability across three AZs, making that option invalid despite its cost advantage.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator improves performance and availability by routing traffic over the AWS global network, but it does not reduce cross-AZ data transfer costs within a single region; it primarily reduces latency and improves fault tolerance for global traffic. Option B is wrong because placing all web tier instances in one AZ and all application tier instances in another AZ violates the high availability requirement (single AZ failure would take down the entire tier) and actually increases cross-AZ traffic, incurring higher data transfer costs. Option C is wrong because using a single AZ for all tiers eliminates cross-AZ traffic but completely defeats the requirement for high availability across three Availability Zones, making the application vulnerable to AZ failures.

142
MCQmedium

A company has a centralized logging solution using Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) in a central logging account. Application logs from hundreds of EC2 instances across multiple accounts are shipped to the OpenSearch cluster via Amazon Kinesis Data Firehose. The security team requires that all log data be encrypted at rest and in transit. The logging account has a KMS key used to encrypt the OpenSearch cluster and the Firehose delivery stream. Recently, the security team noticed that some log deliveries are failing with 'AccessDenied' errors. The CloudWatch Logs delivery to Firehose is configured correctly. What is the most likely cause of the failure?

A.The CloudWatch Logs subscription filter does not have permissions to write to Firehose.
B.The OpenSearch cluster's access policy denies write access from the Firehose stream.
C.The KMS key policy does not grant the Firehose delivery stream permission to use the key for encryption.
D.The Firehose delivery stream does not have a TLS certificate configured.
AnswerC

Firehose needs kms:Encrypt and kms:Decrypt permissions on the key.

Why this answer

The most likely cause is that the KMS key policy does not grant the Firehose delivery stream permission to use the key for encryption. Even though the CloudWatch Logs subscription filter is correctly configured to send data to Firehose, Firehose must have kms:Decrypt and kms:GenerateDataKey permissions on the KMS key to encrypt the data at rest in the OpenSearch cluster and in transit. Without these permissions, Firehose cannot encrypt the data, resulting in 'AccessDenied' errors.

Exam trap

The trap here is that candidates often assume the error is due to network or access policies (Options A or B) rather than recognizing that KMS key policies must explicitly grant encryption permissions to intermediate services like Firehose, which is a subtle but critical requirement for encrypted log pipelines.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that the CloudWatch Logs delivery to Firehose is configured correctly, meaning the subscription filter already has the necessary permissions to write to Firehose. Option B is wrong because the OpenSearch cluster's access policy controls access to the cluster itself, not the Firehose delivery stream's ability to write; the error occurs before data reaches OpenSearch, during Firehose's encryption step. Option D is wrong because TLS certificates are used for encrypting data in transit between Firehose and OpenSearch, but the 'AccessDenied' error is related to KMS permissions, not TLS configuration; Firehose automatically uses TLS for data delivery to OpenSearch.

143
Multi-Selecthard

A company runs a containerized application on Amazon ECS with Fargate. They want to improve the security of their container images without slowing down the CI/CD pipeline. Which THREE measures should they implement?

Select 3 answers
A.Use AWS CodePipeline with approval gates for security checks.
B.Require manual vulnerability scanning before each deployment.
C.Encrypt all container images using AWS KMS.
D.Integrate Amazon ECR scanning into the CI/CD pipeline.
E.Implement image signing using AWS Signer.
AnswersA, D, E

Approval gates allow security review without manual scanning.

Why this answer

Correct answers are A, B, and C. Option A catches vulnerabilities before deployment. Option B provides centralized control and enforcement.

Option C ensures only approved images are used. Option D is wrong because manual scanning slows down the pipeline. Option E is wrong because encryption alone doesn't address vulnerabilities.

144
Multi-Selecthard

A company has a centralized logging account and multiple member accounts. The member accounts generate VPC Flow Logs that need to be sent to a central S3 bucket in the logging account. Which TWO steps must be taken to enable this cross-account delivery?

Select 2 answers
A.Add a bucket policy on the central S3 bucket that grants the service principal 'delivery.logs.amazonaws.com' s3:PutObject permission.
B.Create an IAM role in the logging account that the member accounts can assume to put objects.
C.Create an S3 bucket in each member account to receive Flow Logs, and replicate to the central bucket.
D.Configure VPC Flow Logs in each member account to deliver to the central S3 bucket.
E.Enable AWS CloudTrail in the management account to aggregate logs.
AnswersA, D

This allows the Flow Logs service to write to the bucket.

Why this answer

Option A is correct because VPC Flow Logs can be published to a cross-account S3 bucket, but the bucket policy must allow the delivery service. Option C is correct because the bucket policy must grant the VPC Flow Logs service principal (delivery.logs.amazonaws.com) permission to write. Option B is wrong because the bucket should be in the logging account, not in member accounts.

Option D is wrong because IAM roles are not used for VPC Flow Logs delivery. Option E is wrong because the management account is not needed for this setup.

145
MCQmedium

A company has an IAM policy attached to a user. The user is trying to download an object from the S3 bucket 'my-bucket' that was uploaded with SSE-S3 encryption. What will happen?

A.The user will be allowed only if the object was uploaded with SSE-KMS.
B.The user will be denied access because the condition is not met.
C.The user will be allowed to download the object.
D.The user will be denied because SSE-S3 is not AES256.
AnswerC

The condition requires SSE-S3 (AES256), which matches the object's encryption.

Why this answer

Option A is correct because the condition requires s3:x-amz-server-side-encryption to be AES256, which matches SSE-S3. Option B is wrong because the condition is satisfied. Option C is wrong because SSE-S3 uses AES256.

Option D is wrong because the condition is for get requests, not put.

146
Multi-Selectmedium

A company is migrating a legacy application to AWS. The application requires static IP addresses for whitelisting by external partners. The company will use a Network Load Balancer (NLB) to distribute traffic to EC2 instances. Which TWO actions should the company take to provide static IP addresses for the partners to whitelist?

Select 2 answers
A.Attach an Elastic IP to each EC2 instance.
B.Assign Elastic IP addresses to the Network Load Balancer.
C.Configure an Application Load Balancer instead of NLB.
D.Use AWS WAF to allow traffic from the partners' IP ranges.
E.Use AWS Global Accelerator with the NLB as an endpoint.
AnswersB, E

NLB supports Elastic IP per AZ, providing static IPs.

Why this answer

Options B and D are correct because assigning an Elastic IP to the NLB provides static IPs, and using a Global Accelerator provides two static IPs. Option A is wrong because it doesn't provide static IPs. Option C is wrong because it's for ALB, not NLB.

Option E is wrong because EIPs cannot be attached to instances behind NLB directly.

147
MCQhard

A company has a multi-account AWS environment. The security team wants to centrally manage VPC flow logs for all accounts. They already have a centralized logging account. What is the MOST scalable solution?

A.Deploy a third-party log collector agent on each EC2 instance.
B.Configure AWS Transit Gateway to aggregate flow logs.
C.Use a CloudFormation StackSet to deploy VPC Flow Logs to an S3 bucket in the central account using bucket policies.
D.Enable VPC Flow Logs in each account and publish to a CloudWatch Logs group in the central account.
AnswerC

StackSet can create flow logs with cross-account delivery to a central S3 bucket.

Why this answer

Using VPC Flow Logs with a delivery to a central S3 bucket via cross-account permissions is scalable. Option A is wrong because it requires per-VPC setup. Option C is wrong because it adds cost and complexity.

Option D is wrong because it doesn't centralize.

148
MCQhard

A financial services company is designing a multi-account AWS environment using AWS Organizations. They need to enforce that all newly created S3 buckets in any account have server-side encryption enabled using AWS KMS (SSE-KMS) with a customer managed key. Additionally, they want to prevent any S3 bucket from being publicly accessible. What is the MOST efficient and comprehensive way to enforce these policies?

A.Use a service control policy (SCP) to deny the s3:PutBucketAcl action that grants public access, and rely on bucket policies to enforce encryption.
B.Use AWS Config rules with automatic remediation to enable encryption and block public access on any non-compliant bucket.
C.Create an SCP that denies s3:PutObject without the x-amz-server-side-encryption-aws:kms header, and another SCP that denies s3:PutBucketPublicAccessBlock with a condition key. Also, use a resource-based policy on the S3 service to block public access.
D.Create an SCP that denies the s3:PutBucketPublicAccessBlock action and attach it to the root OU.
AnswerC

SCPs can deny actions based on conditions, and resource policies can prevent public access proactively.

Why this answer

Option C is correct because SCPs and resource-based policies can be combined to enforce encryption and prevent public access across all accounts. Option A is wrong because SCPs cannot enforce encryption on resources directly; they only control permissions. Option B is wrong because Config rules require remediation steps and are not preventive.

Option D is wrong because it misses public access prevention.

149
MCQeasy

A company is planning to migrate 50 TB of data from on-premises to Amazon S3 over a 100 Mbps internet connection. The data is not time-sensitive and can tolerate some latency. Which migration method is MOST cost-effective and suitable?

A.Use AWS DataSync over the existing internet connection.
B.Enable S3 Transfer Acceleration on the destination bucket.
C.Use AWS Snowball Edge devices to transfer the data.
D.Provision a 1 Gbps AWS Direct Connect connection.
AnswerC

Cost-effective for large data volumes over slow network.

Why this answer

Option C is correct because AWS Snowball Edge is cost-effective for large data volumes over slow connections. Option A is wrong because AWS Direct Connect is expensive and not justified. Option B is wrong because AWS DataSync over the internet would be slow.

Option D is wrong because S3 Transfer Acceleration is for accelerating transfers, but the slow link still limits speed.

150
MCQeasy

A company is migrating a batch processing workload to AWS. The workload runs daily on a single on-premises server and takes 6 hours to complete. The company wants to reduce processing time and cost. Which approach should the solutions architect recommend?

A.Use AWS Batch to run the workload in parallel on multiple compute resources
B.Use AWS Lambda with a 6-hour timeout
C.Use AWS Step Functions to orchestrate the workload sequentially
D.Use a single larger EC2 instance with more vCPUs
AnswerA

Correct: AWS Batch can parallelize the workload to reduce processing time.

Why this answer

AWS Batch can orchestrate parallel processing across multiple EC2 or Fargate resources, reducing time. A single larger instance may not reduce time as much as parallel processing. Lambda has a 15-minute execution limit.

Step Functions alone does not provide compute.

Page 1

Page 2 of 24

Page 3