AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 14261500

1746 questions total · 24 pages · All types, answers revealed


Page 20 of 24

1426 · MCQ · hard

A company uses AWS Organizations and has deployed a multi-account strategy. The security team wants to enforce that all S3 buckets have versioning enabled. They create an SCP that denies the PutBucketVersioning action if versioning is not enabled. However, they find that the SCP is not preventing users in member accounts from disabling versioning on existing buckets. What is the most likely reason?

A.The SCP is overridden by a service control policy that allows the action.
B.The SCP does not have an explicit deny; it uses a default deny.
C.SCPs cannot evaluate the current state of a resource; they can only deny actions based on request parameters.
D.The SCP is not applied to the root organizational unit.
Answer: C

SCPs cannot check existing bucket configuration.

Why this answer

Option C is correct because SCPs are evaluated before the API call is executed, and they cannot see the current state of the bucket. The SCP as written would only deny PutBucketVersioning if a condition could check the current versioning setting, but SCPs cannot read a bucket's existing configuration. Therefore the SCP as described does not block the action.

Options A, B, and D are wrong because none of them explains the behaviour: the request is not being allowed by another SCP, the policy does use a deny, and where the SCP is attached does not change the fact that it cannot inspect existing resource state.

1427 · MCQ · easy

A startup is designing a new web application that will be hosted on AWS. The application consists of a static frontend and a backend API. The frontend is built with React and the backend is a RESTful API built with Node.js. The startup expects low traffic initially but wants to be able to scale to millions of users. The team wants to minimize operational overhead and cost. Which architecture should they use?

A.Host the frontend and backend on a single EC2 instance using Amazon Lightsail.
B.Host the frontend on Amazon S3 with static website hosting and the backend as AWS Lambda functions behind Amazon API Gateway.
C.Host the frontend on EC2 instances behind an ALB and the backend on EC2 instances behind another ALB.
D.Host the frontend on S3 and the backend on Amazon Elastic Beanstalk with a load balancer.
Answer: B

Serverless architecture minimizes operational overhead and scales automatically.

Why this answer

Option B is correct. S3 static website hosting for the frontend and API Gateway with Lambda for the backend provide a serverless, scalable solution with low operational overhead. Option A is wrong because Lightsail has limited scalability.

Option C is wrong because EC2 instances require management. Option D is wrong because Elastic Beanstalk has more operational overhead than a serverless design.

1428 · Multi-Select · medium

A company is designing a multi-account strategy using AWS Organizations. Which TWO benefits does this approach provide? (Choose TWO.)

Select 2 answers
A.Centrally enforce policies using service control policies (SCPs).
B.Automatically create VPC peering connections between accounts.
C.Simplify cross-region replication for Amazon RDS databases.
D.Isolate workloads and provide a boundary for security and cost management.
E.Reduce the total cost of EC2 instances by aggregating usage across accounts.
Answers: A, D

SCPs apply to all accounts in the organization.

Why this answer

Service control policies (SCPs) allow you to centrally manage permissions for all accounts in your AWS Organizations hierarchy. SCPs act as a guardrail, enabling you to define the maximum available permissions for IAM roles and users across member accounts without granting any permissions themselves. This ensures consistent enforcement of security and compliance policies across the entire organization.

Exam trap

The trap here is that candidates often confuse consolidated billing with direct cost reduction for EC2 instances, not realizing that aggregation only enables volume discounts and does not lower the per-instance price automatically.

1429 · Multi-Select · easy

A company is planning to migrate its on-premises infrastructure to AWS. The company wants to assess the current environment and create a migration plan. Which THREE AWS services should be used for discovery and assessment?

Select 3 answers
A.AWS Server Migration Service (SMS)
B.AWS Migration Hub
C.Amazon CloudWatch
D.AWS Application Discovery Service
E.AWS Trusted Advisor
Answers: A, B, D

Can automate server migration and provide server inventory.

Why this answer

Option A (Server Migration Service), Option B (Migration Hub), and Option D (Application Discovery Service) are correct. Note: SMS is primarily a migration tool, but it also provides a server inventory that helps with discovery. Option E (Trusted Advisor) is for cost optimization and best-practice checks, not discovery.

Option C (CloudWatch) is for monitoring.

1430 · MCQ · easy

A company wants to build a serverless backend for a mobile application. The backend provides user authentication, a REST API for data access, and stores data in a NoSQL database. The company expects the application to have unpredictable traffic, and wants to minimize costs. Which solution should a Solutions Architect recommend?

A.Use IAM for authentication, EC2 instances behind an ALB for the API, and DynamoDB for the database.
B.Use Amazon Cognito for authentication, API Gateway with Lambda for the API, and Amazon DynamoDB for the database.
C.Use Amazon Cognito for authentication, API Gateway with Lambda for the API, and Amazon RDS for the database.
D.Use Amazon Cognito for authentication, API Gateway with Lambda for the API, and Amazon S3 for the database.
Answer: B

All services are serverless, fully managed, and scale automatically; DynamoDB is NoSQL.

Why this answer

Option B is correct because Cognito provides authentication, API Gateway with Lambda provides a serverless API, and DynamoDB is a NoSQL database that scales automatically. Option C is wrong because RDS is relational, not NoSQL. Option A is wrong because EC2 instances are not serverless.

Option D is wrong because S3 is object storage, not a database; it can store data but is not suitable for transactional data access.

1431 · MCQ · medium

A company is designing a data lake on AWS using Amazon S3. They need to query the data using standard SQL without moving it to a separate analytics store. Which AWS service should they use?

A.Amazon Athena
B.AWS Glue
C.Amazon QuickSight
D.Amazon Redshift Spectrum
Answer: A

Athena is serverless, queries S3 directly with SQL.

Why this answer

Option A is correct because Amazon Athena queries data directly in S3 using standard SQL and is serverless. Option D (Redshift Spectrum) also queries S3 but requires a Redshift cluster. Option B (Glue) is for ETL, not querying.

Option C (QuickSight) is for visualization.

1432 · MCQ · hard

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances launched in any account must have a specific tag key 'CostCenter'. Which approach should be used?

A.Create an IAM policy in each account that requires the tag for ec2:RunInstances.
B.Use a Service Control Policy (SCP) that denies ec2:RunInstances unless the request includes the required tag.
C.Use AWS Config rules to detect untagged instances and trigger an AWS Lambda function to tag them.
D.Configure the EC2 service to automatically add the tag to all instances.
Answer: B

SCPs can conditionally deny actions based on tags.

Why this answer

Option B is correct because an SCP can deny ec2:RunInstances when the request does not include the required tag. Option C is wrong because AWS Config can detect non-compliance but cannot prevent it. Option D is wrong because EC2 does not add tags automatically; tagging must be enforced.

Option A is wrong because IAM policies in individual accounts must be managed account by account and remain subject to SCPs; an SCP is the more effective mechanism for organization-wide enforcement.

1433 · MCQ · medium

A company has an S3 bucket with server-side encryption using S3-Managed Keys (SSE-S3). The IAM policy shown in the exhibit is attached to a user. When the user attempts to download an object using the AWS CLI with no encryption headers, the request fails. What is the MOST likely reason?

A.The object is encrypted with SSE-KMS, not SSE-S3.
B.The user does not have the s3:GetObject permission.
C.The bucket has a bucket policy that denies all requests.
D.The policy condition requires the encryption header in the request.
Answer: D

The condition 's3:x-amz-server-side-encryption': 'AES256' requires the request to include that header.

Why this answer

The policy requires that the request include the encryption header 'x-amz-server-side-encryption: AES256'. SSE-S3 uses AES256, but the condition requires the header to be present in the request. Without the header, the request does not satisfy the condition.

Option D is correct. Option B is wrong because the user does have the s3:GetObject permission. Option C is wrong because the failure is explained by the IAM policy condition, not by a bucket policy.

Option A is wrong because the bucket is configured for SSE-S3, not SSE-KMS.

1434 · MCQ · medium

A company is building a serverless data processing pipeline. Data is uploaded to an S3 bucket, which triggers a Lambda function to transform the data and store the result in another S3 bucket. The Lambda function needs to access a VPC-hosted database for enrichment. What is the MOST secure way to allow the Lambda function to access the VPC resources?

A.Assign a public IP to the Lambda function and route through an Internet Gateway.
B.Configure the Lambda function to access the VPC and use a VPC endpoint for S3.
C.Use Lambda@Edge to process data at the edge location.
D.Place the Lambda function in a public subnet and use a NAT Gateway.
Answer: B

VPC access enables private connectivity to VPC resources; VPC endpoint keeps S3 traffic private.

Why this answer

Configuring Lambda to access the VPC and using a VPC endpoint for S3 (option B) lets the function reach VPC resources while keeping S3 traffic within the AWS network. Option D (public subnet with a NAT Gateway) is less secure and adds cost. Option A (public IP through an Internet Gateway) exposes the function. Option C (Lambda@Edge) runs at edge locations and cannot be attached to a VPC.

1435 · MCQ · medium

A company has a production Amazon ECS service running on Fargate. The service needs to be updated to use a new task definition with different environment variables. The company wants to perform a rolling update with minimal impact. What is the correct way to update the service?

A.Delete the existing service and recreate it with the new task definition.
B.Modify the task definition and then restart the service.
C.Update the service with the new task definition and use a rolling update deployment controller.
D.Create a new service with the new task definition and delete the old one.
Answer: C

Rolling update replaces tasks gradually.

Why this answer

Option C is correct because updating the service with the new task definition and the rolling update deployment controller replaces tasks gradually. Option A is wrong because deleting and recreating the service causes downtime. Option B is wrong because modifying the task definition alone does not trigger a deployment; the service must be updated to reference the new revision.

Option D is wrong because creating a new service is unnecessary.

1436 · MCQ · hard

A company is designing a new real-time analytics platform that processes streaming data from IoT devices. The data must be ingested, processed with windowed aggregations, and stored in Amazon S3 for long-term analytics. The solution must handle late-arriving data and provide exactly-once processing semantics. Which combination of AWS services should the architect use?

A.Use Amazon Kinesis Data Firehose to ingest data and AWS Glue for processing.
B.Use Amazon EMR with Spark Streaming to process data from Kinesis Data Streams.
C.Use AWS Lambda to process records from Kinesis Data Streams and store in S3.
D.Use Amazon Kinesis Data Analytics for Apache Flink to process data from Kinesis Data Streams and output to S3.
Answer: D

Flink provides exactly-once processing and handles late data.

Why this answer

Kinesis Data Analytics for Apache Flink (option D) provides exactly-once processing semantics and handles late-arriving data. Option A (Kinesis Data Firehose with Glue) does not provide exactly-once semantics. Option C (Lambda) is not well suited to windowed streaming analytics.

Option B (EMR with Spark Streaming) is more complex to operate.

1437 · MCQ · easy

A company uses AWS CloudFormation to deploy infrastructure. The operations team wants to automatically roll back a stack update if it fails, and receive a notification. What should be configured to meet these requirements?

A.Use AWS CloudTrail to monitor the UpdateStack API call and trigger a rollback via a Lambda function.
B.Use AWS Config rules to detect stack failure and revert changes.
C.Enable rollback on failure in the CloudFormation stack and configure an SNS notification topic.
D.Create a custom resource in the CloudFormation template that performs rollback.
Answer: C

CloudFormation can automatically roll back on failure and send SNS notifications.

Why this answer

Option C is correct because CloudFormation natively supports automatic rollback on stack update failure via the 'Rollback on failure' setting. By configuring an SNS notification topic on the stack, the operations team receives alerts when a rollback occurs, meeting both requirements without additional custom logic.

Exam trap

The trap here is that candidates may overcomplicate the solution by adding unnecessary services like Lambda or Config, overlooking CloudFormation's native rollback and notification capabilities that directly satisfy the requirements.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail logs API calls but does not trigger actions directly; invoking a Lambda function from CloudTrail would require additional Amazon EventBridge rules and custom rollback logic, which is unnecessary when CloudFormation provides built-in rollback. Option B is wrong because AWS Config rules evaluate resource compliance against desired configurations and cannot detect stack update failures or revert changes; they are designed for continuous compliance, not stack lifecycle management. Option D is wrong because a custom resource in a CloudFormation template runs during stack operations but cannot perform a rollback of the entire stack; rollback is a stack-level operation controlled by CloudFormation, not by individual resources.

1438 · MCQ · hard

A company is modernizing a .NET Framework application to run on AWS. The application currently uses Windows Communication Foundation (WCF) services. The company wants to minimize code changes and run on Linux. Which approach should the company take?

A.Use AWS App2Container to generate Windows containers and run on Amazon ECS with Windows.
B.Rewrite the WCF services as AWS Lambda functions using a custom runtime.
C.Port the application to .NET Core and deploy on Amazon ECS with Linux containers.
D.Containerize the application using AWS Fargate and run on Windows containers.
Answer: C

.NET Core runs on Linux, enabling deployment on Linux containers with minimal changes.

Why this answer

Option C is correct because .NET Core (now .NET 5 and later) is cross-platform and runs on Linux, allowing the company to deploy on Linux containers with minimal code changes. Option D is wrong because AWS Fargate is a compute platform, not a framework, and Windows containers still require Windows. Option A is wrong because Windows containers run on Windows, not Linux.

Option B is wrong because rewriting the WCF services as Lambda functions with a custom runtime requires significant refactoring.

1439 · MCQ · hard

A company is designing a multi-region active-active application using Amazon Aurora Global Database. The application writes to a custom domain endpoint that routes to the primary cluster. To minimize write latency, the application should write to the nearest region. Which configuration should the solutions architect use?

A.Configure Aurora Global Database with multiple primary clusters, each in a different region, and use Route 53 to route writes.
B.Use Amazon DynamoDB global tables instead of Aurora Global Database, as DynamoDB supports multi-region writes.
C.Use Aurora cross-region read replicas and failover to a secondary region for writes.
D.Use Route 53 latency-based routing to direct writes to the nearest region. Each region has its own Aurora cluster.
Answer: B

DynamoDB global tables allow active-active multi-region writes. Aurora Global Database does not.

Why this answer

Option B is correct because an Aurora Global Database has one primary region and multiple secondary regions. The primary region handles all writes; secondary regions are read-only. To allow writes from multiple regions, you would need a different architecture, such as using DynamoDB global tables.

Option D is incorrect because Route 53 latency-based routing does not change the fact that only the primary cluster accepts writes. Option A is incorrect because an Aurora Global Database has only one primary cluster. Option C is incorrect because cross-region read replicas do not accept writes.

1440 · Multi-Select · medium

A company uses AWS CodeBuild to compile and test code. The build process takes a long time because dependencies are downloaded from the internet each time. The company wants to speed up the build process. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Use AWS CodeArtifact to store and retrieve dependencies
B.Use a custom Docker image in CodeBuild that includes the dependencies
C.Use local build agents to run builds in parallel
D.Increase the compute type of the build environment
E.Enable the cache feature in CodeBuild to store dependencies in Amazon S3
Answers: B, E

Pre-installed dependencies eliminate download time.

Why this answer

Option B avoids downloading dependencies on every build by using a custom Docker image with the dependencies pre-installed. Option E caches dependency files in a persistent S3 bucket between builds. Option D (increase the compute type) may help but does not address the root cause.

Option C (local build agents for parallel builds) adds complexity without removing the download. Option A (CodeArtifact) stores packages but does not speed up the initial download as much as caching does.

1441 · Multi-Select · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses a custom header for authentication. The security team wants to ensure that requests are only accepted from authenticated users. Which TWO actions should the team take?

Select 2 answers
A.Place an Amazon CloudFront distribution in front of the ALB and use signed URLs.
B.Configure the ALB to forward the custom header to the target group and validate it on the application.
C.Use AWS WAF to create a rule that inspects the custom header and blocks requests without it.
D.Use Amazon Cognito to authenticate users and pass the header.
E.Configure the ALB's security group to allow traffic only from known IP addresses.
Answers: B, C

The application can validate the header if forwarded by ALB.

Why this answer

Options B and C are correct. WAF can inspect the custom header and block requests without it, and the ALB can forward the header to the target group so the application can validate it. Option E is wrong because security groups filter on IP addresses and ports and do not inspect headers.

Option D is wrong because Cognito authenticates users through user pools and does not validate arbitrary custom headers. Option A is wrong because CloudFront is a CDN, not a mechanism for validating the custom header.

1442 · Multi-Select · easy

A company is designing a new cloud-native application on AWS. The application will use a microservices architecture and requires a way to manage configuration data and secrets. Which THREE AWS services can be used to meet these requirements? (Choose THREE.)

Select 3 answers
A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS AppConfig
D.Amazon DynamoDB
E.Amazon S3
Answers: A, B, C

Stores and rotates secrets like database credentials.

Why this answer

AWS Secrets Manager stores secrets with automatic rotation. AWS Systems Manager Parameter Store stores configuration data and secrets. AWS AppConfig manages application configuration.

Option D (DynamoDB) is a database, not a configuration store. Option E (S3) can store configuration files but is not integrated for secrets management.

1443 · Multi-Select · medium

A company is migrating its on-premises applications to AWS. The company has a mix of Windows and Linux servers. The migration team wants to automate the discovery of application dependencies and track the migration progress. Which TWO AWS services should the team use? (Choose TWO.)

Select 2 answers
A.AWS Systems Manager
B.AWS Config
C.AWS Application Discovery Service
D.AWS CloudTrail
E.AWS Migration Hub
Answers: C, E

Discovers on-premises servers and their dependencies.

Why this answer

Option C (AWS Application Discovery Service) and Option E (AWS Migration Hub) are correct. Application Discovery Service automatically discovers servers and their dependencies. Migration Hub tracks migration progress across multiple tools.

Option B (AWS Config) tracks configuration changes but not application dependencies. Option A (AWS Systems Manager) manages instances but does not discover dependencies. Option D (AWS CloudTrail) logs API calls.

1444 · MCQ · hard

A company uses AWS Organizations with hundreds of accounts. They want to centrally manage VPC security group rules to ensure that only approved CIDR ranges are allowed for SSH access. Which solution is MOST scalable and auditable?

A.Use AWS Config rules to detect non-compliant security groups and trigger a Lambda function to remove the offending rules.
B.Create an SCP that denies ec2:AuthorizeSecurityGroupIngress for SSH ports unless the CIDR is in an approved list.
C.Use AWS Firewall Manager to centrally manage security group rules across accounts.
D.Use AWS CloudFormation StackSets to deploy security groups with approved rules, and use an SCP to deny creation or modification of security groups outside of CloudFormation.
Answer: D

This ensures that only compliant security groups are created, and any changes must go through the central template.

Why this answer

Option D is correct because it combines CloudFormation StackSets for deploying approved security groups across hundreds of accounts with an SCP that denies ec2:CreateSecurityGroup and ec2:AuthorizeSecurityGroupIngress actions unless they originate from CloudFormation (using the aws:ViaAWSService condition key). This ensures that only centrally managed, auditable deployments can create or modify security groups, providing both scalability and a clear audit trail via CloudFormation change sets and StackSet operations.

Exam trap

The trap here is that candidates often confuse Firewall Manager’s capabilities—it manages web ACLs and network firewalls, not VPC security group rules—and overlook the powerful combination of CloudFormation StackSets with SCPs using the aws:ViaAWSService condition key for preventive, auditable governance.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are reactive—they detect non-compliance after the fact and rely on a Lambda function to remediate, which introduces latency and potential race conditions; it is not a preventive control and does not scale well for hundreds of accounts with frequent changes. Option B is wrong because SCPs cannot deny actions based on the content of API parameters like CIDR ranges in ec2:AuthorizeSecurityGroupIngress; SCPs operate at the service action level, not on specific resource configuration values, so they cannot enforce approved CIDR lists. Option C is wrong because AWS Firewall Manager is designed for managing AWS WAF rules, AWS Shield Advanced protections, and Network Firewall policies, not for centrally managing VPC security group rules; it does not support security group rule management across accounts.

1445 · MCQ · easy

A company runs a batch processing job on a schedule using AWS Lambda. The job processes files from an S3 bucket and writes results to another S3 bucket. Recently, the job has been failing with the error 'Access Denied' when trying to write to the destination bucket. The Lambda function's execution role has the following IAM policy attached:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::source-bucket/*", "arn:aws:s3:::source-bucket"]
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject"],
          "Resource": "arn:aws:s3:::destination-bucket/*"
        }
      ]
    }

The Lambda function also has a VPC configuration to access an RDS instance. The S3 buckets are in the same region. The Solutions Architect verified that the destination bucket policy does not deny access. What is the MOST likely cause of the 'Access Denied' error?

A.The Lambda function is in a VPC without an S3 VPC endpoint, so it cannot reach S3.
B.The Lambda function does not have permissions to read from the source bucket.
C.The IAM policy does not allow s3:PutObject on the destination bucket.
D.The destination bucket policy denies the Lambda function's access.
Answer: A

Lambda in a VPC requires a VPC endpoint for S3 to access S3 APIs; without it, calls fail.

Why this answer

Option A is correct. When a Lambda function is configured to access a VPC, it loses internet access unless a NAT gateway or VPC endpoints are provided. To reach S3, the function needs an S3 gateway VPC endpoint in the same VPC, reachable from the function's subnets.

Without it, the PutObject call fails with 'Access Denied' because the function cannot reach the S3 API endpoint. Option C is wrong because the IAM policy allows s3:PutObject on the destination bucket. Option D is wrong because the bucket policy does not deny access.

Option B is wrong because the source bucket permissions cover reads, and the error occurs on the write.

1446 · MCQ · medium

A company is deploying a web application on AWS. The application requires a relational database with read replicas for scaling read queries. The database must support automatic failover and be Multi-AZ. Which database solution meets these requirements?

A.Amazon DynamoDB with global tables
B.Amazon Aurora with Multi-AZ and Aurora Replicas
C.Amazon ElastiCache for Redis with replication groups
D.Amazon RDS for MySQL with Multi-AZ and Read Replicas
Answer: B, D

Aurora provides Multi-AZ with automatic failover and up to 15 Aurora Replicas for read scaling.

Why this answer

Option D (Amazon RDS for MySQL with Multi-AZ and Read Replicas) provides both high availability through Multi-AZ failover and read scaling through Read Replicas. Option B (Aurora) is also relational and meets the requirements, but is a different service. Option A (DynamoDB) is NoSQL.

Option C (ElastiCache) is an in-memory cache, not a relational database.

1447 · MCQ · hard

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The application uses a custom health check that reports instance health to Amazon CloudWatch. The Auto Scaling group is configured with an EC2 health check type. Recently, the company noticed that instances failing the custom health check are not being terminated and replaced. What should the solutions architect do to ensure that instances failing the custom health check are automatically replaced?

A.Manually terminate the unhealthy instances from the EC2 console.
B.Configure the Auto Scaling group to use instance metadata to report health.
C.Create a CloudWatch alarm based on the custom health check metric and configure the alarm to terminate the instance.
D.Change the Auto Scaling group health check type to ELB and ensure the custom health check is integrated with the ELB target group.
Answer: D

ELB health checks can be customized via the target group, and Auto Scaling will replace instances that fail ELB health checks.

Why this answer

Option D is correct because Auto Scaling only uses the EC2 status checks (system/reachability) by default. To use a custom health check, you must configure the Auto Scaling group to use ELB health checks and have the custom health check reported via a target group. Alternatively, you can use Amazon EventBridge to listen for custom health check failures and terminate instances.

Option B is wrong because Auto Scaling does not read instance health from instance metadata. Option C is wrong because CloudWatch alarms do not by themselves cause Auto Scaling to replace an instance; you would need a lifecycle hook or EventBridge. Option A is wrong because manual termination defeats automation.

1448 · MCQ · hard

Refer to the exhibit. A company applies this S3 bucket policy to a central logging bucket. CloudTrail trails in multiple accounts are configured to deliver logs to this bucket. Recently, logs stopped being delivered. What is the most likely cause?

A.CloudTrail does not automatically set the 'bucket-owner-full-control' ACL when delivering logs.
B.The Principal element uses 'cloudtrail.amazonaws.com' which is not the correct service principal.
C.The Resource ARN does not include the account ID, so it matches all accounts.
D.The policy uses 'Deny' which is not allowed in S3 bucket policies.
Answer: A

The condition requires the ACL, but CloudTrail does not set it, causing denial.

Why this answer

Option A is correct because the bucket policy requires the ACL 'bucket-owner-full-control' on delivered objects. If CloudTrail does not set this ACL, the deny statement blocks the write. CloudTrail does not set the ACL by default, so the condition fails and the request is denied.

Option B is wrong because the service principal is correct. Option C is wrong because the resource ARN is correct. Option D is wrong because Deny statements are permitted in S3 bucket policies.

1449 · Multi-Select · easy

A company is using Amazon RDS for PostgreSQL with Multi-AZ deployment. The database experiences high write latency during peak hours. The solutions architect suggests using an RDS read replica to offload read traffic. Which THREE steps are necessary to implement this solution?

Select 3 answers
A.Ensure the read replica is in the same Availability Zone as the primary.
B.Create a read replica from the source DB instance.
C.Modify the application to send read-only queries to the read replica endpoint.
D.Enable Multi-AZ on the read replica.
E.Configure the read replica to be in a different Availability Zone for high availability.
Answers: B, C, E

A read replica is needed to offload read traffic.

Why this answer

Options B, C, and E are correct. Create a read replica (B) from the source DB instance. Modify the application to send read-only queries to the read replica endpoint (C).

Place the read replica in a different AZ for high availability (E). Option A is wrong because read replicas do not need to be in the same AZ as the primary. Option D is wrong because Multi-AZ is for the source instance, not the read replica.

1450 · Drag & Drop · medium

Drag and drop the steps to set up a Direct Connect private virtual interface in the correct order.


Why this order

The correct order is: first create the virtual interface in AWS, then configure the on-premises router, establish BGP, verify availability, and finally update route tables.

1451 · MCQ · hard

A company is using Amazon S3 to store sensitive documents. The security team requires that all objects be encrypted at rest using a customer-managed key (CMK) stored in AWS KMS. Additionally, the CMK must be rotated automatically every year. How should the company configure this?

A.Use S3 default encryption with SSE-KMS and create a new CMK every year.
B.Use S3 bucket policies to enforce encryption and use KMS manual key rotation.
C.Use S3 default encryption with SSE-KMS and enable automatic key rotation on the CMK.
D.Use S3 default encryption with SSE-S3 and enable KMS automatic key rotation.
Answer: C

This ensures all objects are encrypted with the CMK and the key is rotated annually.

Why this answer

Enable S3 default encryption with SSE-KMS and configure automatic key rotation on the CMK. This meets both requirements.

1452 · MCQ · hard

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles for cross-account access. They want to ensure that when a role is created in a member account, it automatically adheres to the principle of least privilege and is auditable. What solution should they implement?

A.Use AWS CloudFormation StackSets to deploy IAM roles from a central template in each account.
B.Use AWS Organizations service control policies (SCPs) to deny creation of IAM roles except through AWS CloudFormation, and use a centrally managed CloudFormation template via StackSets.
C.Configure AWS Config rules to detect non-compliant roles and trigger a Lambda function to remove them.
D.Create a Lambda function that monitors CloudTrail events for role creation and sends alerts.
Answer: B

SCPs can enforce that roles are only created via CloudFormation, and StackSets ensure consistent deployment and auditing.

Why this answer

Option B is correct because AWS Organizations SCPs can be used to deny the creation of IAM roles except through AWS CloudFormation, ensuring that roles are only created via a centrally managed template. By combining this with AWS CloudFormation StackSets, the security team can deploy IAM roles from a single template across all member accounts, enforcing the principle of least privilege and providing full auditability through CloudFormation stack events and AWS CloudTrail.

Exam trap

The trap here is that candidates often choose Option A, thinking that CloudFormation StackSets alone provide enforcement, but they miss the critical need for a preventive control (SCPs) to block manual role creation outside the template.

How to eliminate wrong answers

Option A is wrong because using CloudFormation StackSets alone to deploy IAM roles does not prevent users from creating roles manually outside the template, so it fails to enforce the principle of least privilege or ensure auditability. Option C is wrong because configuring AWS Config rules to detect non-compliant roles and trigger a Lambda function to remove them is a reactive approach that does not prevent the creation of non-compliant roles in the first place, leading to potential security gaps and operational overhead. Option D is wrong because creating a Lambda function that monitors CloudTrail events for role creation and sends alerts is also reactive; it only notifies after a role is created, without enforcing least privilege or preventing non-compliant roles from being created.

1453
Multi-Select · medium

A company uses AWS Organizations and wants to centrally manage VPC flow logs for all VPCs across all accounts. Which TWO steps are required to achieve this?

Select 2 answers
A.Configure cross-account CloudWatch Logs subscription.
B.Create a centralized S3 bucket in the logging account.
C.Use VPC Flow Logs with Amazon Kinesis Data Firehose.
D.Apply an SCP that requires VPC Flow Logs to be enabled.
E.Use AWS Config rules to enable flow logs automatically.
Answers: B, D

VPC Flow Logs can be delivered to an S3 bucket.

Why this answer

Options B and D are correct. First, create a centralized S3 bucket in the logging account to store the flow logs (B). Then, apply an SCP that requires flow logs to be enabled on all VPCs (D).

Option E is wrong because AWS Config can detect but not enforce. Option A is wrong because a cross-account CloudWatch Logs subscription is not necessary when delivering to S3. Option C is wrong because VPC Flow Logs can be delivered to S3 directly, without Kinesis Data Firehose.

1454
MCQ · hard

A company is designing a multi-region active-active architecture for a web application using Amazon Route 53 latency-based routing. The application runs on EC2 instances in Auto Scaling groups with Application Load Balancers in each region. The application uses an Amazon Aurora global database for its data tier. The architecture must provide the lowest possible RTO and RPO for regional failures. What should the company do to meet these requirements?

A.Configure Amazon RDS for MySQL with a cross-Region read replica and automatic failover.
B.Use Route 53 health checks to detect regional failure and automatically update the Aurora Global Database endpoint.
C.Use the Aurora Global Database failover capability to promote the secondary region to primary.
D.Use Amazon RDS Multi-AZ with synchronous replication across Regions.
Answer: C

Aurora Global Database supports managed failover with low RPO/RTO.

Why this answer

Aurora Global Database has a typical RPO of 1 second and RTO of 1 minute for regional failover. Failover is initiated by promoting the secondary Region's cluster to primary, so Option C is correct.

Option A is wrong because failover to a cross-Region read replica is manual; there is no automatic failover. Option B is wrong because Route 53 health checks do not trigger Aurora failover. Option D is wrong because RDS Multi-AZ provides single-Region HA, not multi-Region.

1455
MCQ · medium

A company is using AWS Migration Hub to track a large-scale migration to AWS. The company wants to automate the replatforming of multiple Windows web servers to Amazon EC2 instances running Amazon Linux 2. The migration must be repeatable and minimize manual intervention. Which AWS service should the company use to achieve this?

A.AWS Application Migration Service (MGN)
B.AWS OpsWorks for Chef Automate
C.AWS Server Migration Service (SMS)
D.AWS CloudFormation templates to provision new EC2 instances and migrate data manually
Answer: A

MGN automates server migration and supports replatforming to different OS.

Why this answer

AWS Application Migration Service (MGN) is the correct choice because it automates the replatforming of Windows web servers to Amazon Linux 2 by continuously replicating source servers, performing automated conversion of the OS and applications, and enabling cutover to target EC2 instances with minimal manual intervention. It supports heterogeneous OS migrations (e.g., Windows to Linux) and provides a repeatable, automated workflow that aligns with the company's requirement for a large-scale, repeatable migration.

Exam trap

The trap here is that candidates often confuse AWS Server Migration Service (SMS) with Application Migration Service (MGN), not realizing that SMS is deprecated and only supports homogeneous migrations, while MGN is the current service that supports heterogeneous OS replatforming like Windows to Linux.

How to eliminate wrong answers

Option B (AWS OpsWorks for Chef Automate) is wrong because it is a configuration management service that automates server configuration and compliance, not a migration tool; it cannot perform OS replatforming from Windows to Amazon Linux 2. Option C (AWS Server Migration Service) is wrong because it is deprecated and only supports homogeneous migrations (e.g., VMware to EC2) with agentless replication, not OS conversion from Windows to Linux. Option D (AWS CloudFormation templates to provision new EC2 instances and migrate data manually) is wrong because it requires manual data migration and does not automate the replatforming process, violating the requirement to minimize manual intervention.

1456
MCQ · hard

A company has a production AWS account that is part of an AWS Organization. The account has a VPC with a NAT gateway for internet access. The security team wants to ensure that all outbound traffic to the internet flows through a centralized inspection VPC in the security account for traffic inspection. Which architecture should be used?

A.Use AWS Cloud WAN to connect the VPCs and route all outbound traffic through the inspection VPC.
B.Create a VPC peering connection between the production VPC and the inspection VPC, and route all outbound traffic through the peered connection.
C.Create a transit gateway, attach both VPCs, and configure the production VPC's route table to send all internet-bound traffic to the transit gateway, then route it through the inspection VPC's firewall.
D.Place a NAT gateway in the inspection VPC and have the production VPC route internet traffic to the NAT gateway.
Answer: C

Transit gateway enables transitive routing for inspection.

Why this answer

Option C is correct because a transit gateway attached to both VPCs, with the production VPC's route table sending internet-bound traffic to the transit gateway and the inspection VPC hosting a firewall appliance, routes all outbound traffic through centralized inspection. Option B is wrong because VPC peering does not support transitive routing. Option A is wrong because Cloud WAN could be used but is more complex than needed.

Option D is wrong because a central NAT gateway in the security account would require routing all traffic through it, which is less flexible.

1457
MCQ · easy

A company has a central IT team that manages networking resources for multiple application teams. Each application team needs to manage its own EC2 instances and RDS databases. Which AWS architecture best supports this separation of duties?

A.Use AWS Transit Gateway to connect individual VPCs managed by each team.
B.Use a shared VPC with separate subnets for each team, with IAM policies to control access.
C.Create a single VPC and use VPC peering to connect team resources.
D.Create a separate VPC for each application team and use VPC peering.
Answer: B

Shared VPC allows central management of network resources while teams manage their own resources.

Why this answer

Option B is correct because a shared VPC allows the central IT team to manage the network while application teams create their own resources in the subnets shared with them. Option D is wrong because a separate VPC per team would not allow central management of networking. Option C is wrong because VPC peering does not provide central management.

Option A is wrong because AWS Transit Gateway does not control resource-creation permissions within VPCs.

1458
MCQ · medium

A company is centralizing its logging across multiple AWS accounts using a central logging account. Each application account delivers its CloudTrail logs and VPC Flow Logs to an S3 bucket in the logging account. The security team needs to query these logs using Amazon Athena. The logs are currently in separate S3 prefixes per account. The team wants to create a single Athena table that can query logs from all accounts without having to modify the table definition every time a new account is added. The logs are in CSV format for VPC Flow Logs and JSON format for CloudTrail. What is the MOST efficient solution?

A.Create a view that unions all the tables for each account, and update the view DDL when a new account is added.
B.Use AWS Glue crawlers configured to crawl the S3 bucket with a partition structure based on account ID and log type. Enable partition indexing to improve query performance.
C.Create an Athena table with partitions manually for each account and use MSCK REPAIR TABLE to add new partitions.
D.Convert all logs to Parquet format using AWS Glue ETL jobs and store them in a single prefix.
Answer: B

Glue crawlers automatically discover new partitions and update the table metadata.

Why this answer

Option B is correct because AWS Glue crawlers with partition indexes automatically discover new partitions as new accounts start delivering logs. The crawler can be scheduled to run periodically, updating the table metadata without manual DDL changes. Option C requires manual partition management.

Option D requires converting logs to a common format, which adds overhead. Option A requires a manual DDL update to the view whenever an account is added.

1459
MCQ · easy

A company is migrating a legacy application to AWS and needs to ensure that the application can access on-premises resources securely. The company has established an AWS Direct Connect connection. Which AWS service should the company use to route traffic between the VPC and the on-premises network?

A.Virtual Private Gateway (VGW).
B.VPC Peering.
C.Internet Gateway (IGW).
D.AWS Transit Gateway.
Answer: A

VGW is used with Direct Connect to connect to on-premises.

Why this answer

Option A is correct because a virtual private gateway (VGW) is required to terminate the Direct Connect connection and route traffic between the VPC and the on-premises network. Option D is wrong because Transit Gateway is used to connect multiple VPCs. Option B is wrong because VPC peering is for VPC-to-VPC connectivity.

Option C is wrong because an internet gateway provides internet access, not on-premises connectivity.

1460
MCQ · easy

A company is migrating a monolithic legacy application to a microservices architecture on AWS. The application currently uses a relational database with complex joins. The migration must minimize application changes. Which database strategy should be used for the new architecture?

A.Use a separate Amazon RDS instance for each microservice.
B.Use a single Amazon RDS instance shared by all microservices.
C.Use Amazon Aurora with RDS Proxy in front of it.
D.Use Amazon DynamoDB as a shared database for all microservices.
Answer: B

Minimizes application changes by preserving the existing relational database schema and joins.

Why this answer

Option B is correct because the requirement to minimize application changes means the microservices must continue to use the same relational database with complex joins. A single shared Amazon RDS instance preserves the existing SQL queries and join logic without requiring data decomposition or API-based data access patterns, which would necessitate significant application rewrites.

Exam trap

The trap here is that candidates often assume microservices require separate databases per service (database-per-service pattern) without considering the constraint of minimizing application changes, leading them to incorrectly choose option A.

How to eliminate wrong answers

Option A is wrong because using a separate RDS instance per microservice would require decomposing the monolithic database into multiple databases, breaking existing complex joins and forcing extensive application changes to handle cross-service data access. Option C is wrong because Amazon Aurora with RDS Proxy addresses connection pooling and scalability but does not change the fundamental need to share a single database; while it could be used with a shared instance, it is not a distinct strategy that minimizes changes compared to a single RDS instance. Option D is wrong because Amazon DynamoDB is a NoSQL database that does not support complex joins; migrating to it would require rewriting all queries and data access patterns, contradicting the goal of minimizing application changes.

1461
MCQ · hard

A company is designing a data lake on AWS using Amazon S3. The data will be ingested from various sources and must be encrypted at rest. The company requires that the encryption keys be managed by AWS and rotated automatically. Which encryption option should be used?

A.Server-side encryption with customer-provided keys (SSE-C)
B.Server-side encryption with AWS KMS managed keys (SSE-KMS)
C.Server-side encryption with S3 managed keys (SSE-S3)
D.Client-side encryption
Answer: C

SSE-S3 uses AWS-managed keys that are automatically rotated.

Why this answer

Option C is correct because SSE-S3 uses AWS-managed keys that are rotated automatically. Option A is wrong because SSE-C uses customer-provided keys. Option B is wrong because SSE-KMS uses customer-managed KMS keys.

Option D is wrong because client-side encryption keys are managed by the customer.

1462
MCQ · hard

A security engineer runs the command above and finds an ENI attached to a Lambda function. The security group sg-12345678 allows inbound traffic on port 443 from 0.0.0.0/0. The Lambda function is used to process API requests. The engineer is concerned about security. What should the engineer do?

A.Modify the Lambda function to not use a VPC.
B.Add a deny rule for inbound 0.0.0.0/0 and allow only from the Lambda function's own IP.
C.Remove the VPC attachment from the Lambda function and use a VPC endpoint.
D.Restrict the security group source to the API Gateway's VPC endpoint or the ALB security group.
Answer: D

Limits inbound traffic to only the expected source.

Why this answer

Option D is correct because the Lambda function should only be invoked via API Gateway, not directly from the internet; the security group should restrict inbound traffic to the API Gateway's source rather than all IPs. Option B is incorrect because outbound traffic is needed for the function to send responses.

Option A is incorrect because the VPC attachment is necessary for accessing internal resources. Option C is incorrect because the Lambda function is already in a VPC.

1463
MCQ · easy

A company wants to automate the creation of new AWS accounts and apply baseline security configurations. Which combination of services should be used to achieve this?

A.AWS Service Catalog and AWS Config.
B.AWS Organizations API and CloudTrail.
C.AWS Control Tower and Service Control Policies (SCPs).
D.AWS CloudFormation StackSets and IAM.
Answer: C

Control Tower provides account factory and guardrails via SCPs.

Why this answer

AWS Control Tower provides a managed service to automate the creation of new AWS accounts through Account Factory, while Service Control Policies (SCPs) enforce baseline security guardrails across all accounts in the organization. This combination ensures that every new account is provisioned with consistent security policies without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Control Tower with AWS Organizations alone, forgetting that Control Tower adds automated account provisioning and pre-built security guardrails (SCPs) that Organizations alone does not provide.

How to eliminate wrong answers

Option A is wrong because AWS Service Catalog is used for creating and managing approved IT service catalogs, not for automating account creation, and AWS Config is a configuration auditing service, not a provisioning tool. Option B is wrong because the AWS Organizations API can create accounts programmatically but lacks built-in baseline security configuration enforcement; CloudTrail only logs API activity and does not apply security policies. Option D is wrong because AWS CloudFormation StackSets deploy infrastructure templates across accounts but do not automate account creation itself, and IAM manages user permissions but not account provisioning or baseline security guardrails.

1464
MCQ · hard

A company uses AWS Organizations and wants to implement a policy that prevents any account from disabling AWS CloudTrail or deleting CloudTrail log files. The solution must be enforceable across all accounts. Which combination of actions should be taken?

A.Enable CloudTrail with a trail that logs to a bucket in a separate account, and use IAM policies to deny CloudTrail deletion.
B.Create an SCP that denies cloudtrail:DeleteTrail and cloudtrail:StopLogging, and rely on S3 versioning to recover deleted logs.
C.Create an IAM policy in each account that denies CloudTrail deletion and attach it to all IAM users and roles.
D.Create an SCP that denies cloudtrail:DeleteTrail, cloudtrail:StopLogging, and s3:DeleteObject on the log bucket. Also attach a bucket policy to the log bucket that denies s3:DeleteObject for all principals except the management account.
Answer: D

Combines SCP and bucket policy for comprehensive protection.

Why this answer

Option D is correct because an SCP can deny deleting or stopping CloudTrail, and an S3 bucket policy on the log bucket can prevent log deletion. Option C is wrong because IAM policies in each account are not centralized. Option A is wrong because CloudTrail cannot be protected from deletion by IAM policies in the same account.

Option B is wrong because an SCP alone cannot protect the S3 bucket.

1465
MCQ · easy

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with a specific KMS key. What is the MOST efficient way to achieve this?

A.Use AWS Config rules to detect unencrypted buckets and trigger a Lambda function to encrypt them retroactively.
B.Attach a service control policy (SCP) to the root organizational unit that denies s3:PutBucketEncryption unless the specified KMS key is used.
C.Deploy a CloudFormation StackSet that creates a bucket policy in each account requiring encryption.
D.Create an IAM policy in each account that denies PutBucketEncryption unless the specified KMS key is used.
Answer: B

SCPs can enforce policies across all accounts in an OU, including preventing non-compliant actions.

Why this answer

Using an SCP attached to the root OU prevents any account from creating unencrypted buckets or using a different KMS key. Option D is wrong because individual account IAM policies are harder to manage at scale. Option A is wrong because AWS Config can detect but not enforce.

Option C is wrong because CloudFormation StackSets require manual deployment to each account.

1466
MCQ · hard

A company is using AWS Organizations with hundreds of accounts. They need to ensure that no account can modify the VPC default security group. Which SCP should they apply to the root OU?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:DeleteSecurityGroup","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:ModifySecurityGroup*","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:ModifySecurityGroupRules","Resource":"arn:aws:ec2:*:*:security-group/*","Condition":{"StringEquals":{"ec2:Vpc":"arn:aws:ec2:*:*:vpc/*"}}}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:CreateSecurityGroup","Resource":"*"}]}
Answer: C

Denies modification of rules on any security group but not creation/deletion.

Why this answer

Option C is correct because it denies the ec2:ModifySecurityGroupRules action on the default security group. Option B is wrong because it denies all security group modifications. Option D is wrong because it denies creation.

Option A is wrong because it denies deletion.

1467
MCQ · hard

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

A.The S3 bucket has a lifecycle policy that deletes logs after a short period.
B.The S3 bucket has a bucket policy that requires the analyst to assume a role in the logging account.
C.The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users.
D.The S3 bucket is encrypted with an AWS KMS key, and the analyst does not have permissions to decrypt.
Answer: C

The bucket policy likely restricts access to the logging account's role, so the analyst's direct access is denied.

Why this answer

Option C is correct because the S3 bucket policy likely includes a condition that restricts access to only AWS service principals (e.g., the logging account's own services) rather than individual IAM users or roles from other accounts. Even with read-only access granted to the analyst's IAM user or role, the bucket policy's explicit deny for non-service principals overrides any allow, preventing the analyst from accessing the logs. This is a common cross-account access issue where bucket policies must explicitly allow principals from other accounts.

Exam trap

The trap here is that candidates often overlook bucket policy conditions that restrict principal types, assuming that granting read-only access to the S3 bucket via IAM is sufficient, when in fact the bucket policy itself may explicitly deny access to non-service principals.

How to eliminate wrong answers

Option A is wrong because a lifecycle policy that deletes logs after a short period would cause logs to be missing, but the analyst cannot access any logs at all, indicating a permissions issue rather than data absence. Option B is wrong because requiring the analyst to assume a role in the logging account is a valid cross-account access pattern; if the bucket policy allowed it, the analyst could assume the role and access the logs, so this is not the most likely cause. Option D is wrong because while KMS encryption could block access if the analyst lacks decrypt permissions, the question states the analyst has read-only access to the S3 bucket, and KMS key permissions are separate from S3 bucket policies; the most likely cause is a bucket policy restriction, not encryption.

1468
Multi-Select · hard

A company is designing a new CI/CD pipeline for a containerized application. They want to automatically build, test, and deploy the application to Amazon EKS. Which THREE AWS services should they use to implement this pipeline?

Select 3 answers
A.AWS CloudFormation
B.AWS CodePipeline
C.AWS CodeCommit
D.AWS CodeBuild
E.AWS CodeDeploy
Answers: B, C, D

CodePipeline orchestrates the build, test, and deploy stages.

Why this answer

AWS CodePipeline is correct because it orchestrates the CI/CD workflow by integrating with other AWS services to automate the build, test, and deployment stages. For a containerized application on Amazon EKS, CodePipeline can pull source code from CodeCommit, trigger CodeBuild to build and test the Docker image, and then deploy the image to an EKS cluster using a deployment action or a custom action. This provides a fully managed, continuous delivery pipeline that automates the entire release process.

Exam trap

The trap here is that candidates may incorrectly select AWS CodeDeploy (Option E) because they assume it supports all deployment targets, including EKS, but CodeDeploy does not natively support Kubernetes clusters; instead, EKS deployments are typically handled via CodeBuild or a custom action in CodePipeline.

1469
MCQ · hard

A company with multiple AWS accounts wants to centralize CloudTrail logging. They create a CloudTrail trail in the management account that logs all events across all accounts and regions. However, the security team notices that some management events from member accounts are not being logged. What is the most likely cause?

A.The SCPs applied to member accounts are blocking CloudTrail from sending logs.
B.CloudTrail is a regional service and the trail is only in one region.
C.Member accounts have IAM policies that deny CloudTrail logging.
D.The trail was not created as an organization trail.
Answer: D

An organization trail must be enabled to log events from all accounts.

Why this answer

Option D is correct because a single trail in the management account logs events for all member accounts only if it is created as an organization trail. Option A is wrong because SCPs do not affect CloudTrail logging. Option B is wrong because CloudTrail is not limited to one Region; organization trails log all Regions.

Option C is wrong because IAM permissions in member accounts do not affect logging once the organization trail is configured.

1470
MCQ · easy

A company uses Amazon S3 to store critical data. The company wants to ensure that data is protected against accidental deletion and that deleted objects can be recovered within 30 days. Which S3 feature should the company enable?

A.S3 Versioning
B.S3 Server Access Logging
C.S3 Object Lock in governance mode
D.S3 Intelligent-Tiering
Answer: A

Preserves all versions, allowing recovery of deleted objects.

Why this answer

Option A is correct because S3 Versioning keeps all versions of an object, and, combined with a lifecycle policy that expires noncurrent versions after 30 days, it allows deleted objects to be recovered within that window. Option B is wrong because server access logging records access requests, not object versions. Option C is wrong because it prevents overwrites but not deletions.

Option D is wrong because it is for storage tiering, not immediate recovery.

1471
MCQ · medium

An S3 bucket contains thousands of objects under the 'logs/' prefix. The above AWS CLI command is run to list objects larger than 1000 bytes. The command returns an empty array, but there are known objects larger than 1000 bytes. What is the most likely reason?

A.The command only returns the first 1000 objects due to pagination
B.The prefix 'logs/' is case-sensitive and should be 'Logs/'
C.The command has a syntax error in the JMESPath query
D.The bucket policy does not allow listing objects
Answer: A

The list-objects API paginates; large objects may be in later pages.

Why this answer

The CLI command uses single quotes for the query, which is correct in Linux shells, and the `Size` field is a number, so the comparison `Size > 1000` is valid. The empty array is returned because the bucket holds a large number of objects and the API response was truncated: the command does not handle pagination, so only the first 1000 objects are evaluated.

If the large objects fall after the first 1000, they will not appear. The query syntax is correct, and a bucket policy or permissions problem would cause an access error rather than an empty array.

1472
Multi-Select · hard

A company is using Amazon API Gateway with a Lambda authorizer to authenticate requests. The Lambda authorizer function times out frequently during peak traffic. The company wants to improve authorization performance without changing the authentication logic. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Enable caching of authorization responses in API Gateway.
B.Use AWS WAF to block suspicious requests.
C.Increase the Lambda function timeout.
D.Increase the Lambda reserved concurrency.
E.Enable request validation in API Gateway.
Answers: A, C

Caching reduces Lambda invocations for repeated requests.

Why this answer

Option C is correct because increasing the Lambda timeout gives the authorizer more time to complete. Option A is correct because enabling authorization caching in API Gateway reduces invocations of the authorizer. Option E is wrong because request validation does not affect authorizer performance.

Option B is wrong because AWS WAF does not help the authorizer. Option D is wrong because concurrency is not the issue.

1473
Multi-Select · medium

A company uses AWS Organizations with 50 accounts. They need to manage EC2 instance inventory across all accounts. Which THREE steps are necessary to achieve this?

Select 3 answers
A.Configure Amazon CloudWatch agent to send inventory data.
B.Set up an AWS Config aggregator in the management account.
C.Enable AWS Systems Manager Inventory in each account.
D.Create an IAM role in each member account that trusts the central account.
E.Enable AWS Systems Manager in each account.
Answers: C, D, E

Inventory collects instance information.

Why this answer

Option C is correct because AWS Systems Manager Inventory collects instance metadata. Option D is correct because a cross-account role is needed for Systems Manager in the central account to access instances in other accounts. Option E is correct because Systems Manager must be enabled in each account.

Option B is wrong because a Config aggregator collects configuration data, not inventory metadata. Option A is wrong because the CloudWatch agent only collects metrics.

1474
Multi-Select · medium

A company is designing a data lake on Amazon S3. Data is ingested from multiple sources and stored as Parquet files partitioned by date. The company needs to ensure that only authorized users can access the data, and that the data is encrypted at rest. Which TWO actions should the company take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Enable default encryption with SSE-KMS on the S3 bucket.
B.Use client-side encryption before uploading to S3.
C.Enable S3 server access logging.
D.Use a bucket ACL to grant access to the data lake.
E.Configure an S3 bucket policy that allows access only from specific IAM roles.
Answers: A, E

SSE-KMS encrypts objects at rest with managed keys.

Why this answer

Options A and E are correct. E: an S3 bucket policy that allows only specific IAM roles restricts access. A: SSE-KMS provides encryption at rest with key management.

Option D is too broad. Option C does not control access. Option B is not a primary encryption method for data at rest.

1475
MCQ · easy

A startup is using a single AWS account for development, testing, and production. They want to isolate environments and improve security. What is the most aligned AWS best practice?

A.Use separate VPCs within the same account.
B.Use IAM policies to restrict access per environment.
C.Create separate AWS accounts for each environment using AWS Organizations.
D.Use resource tagging to separate environments.
AnswerC

Accounts provide strong isolation boundaries.

Why this answer

Option C is correct because separate accounts under AWS Organizations are the recommended isolation boundary: each account has its own IAM scope, service quotas, and blast radius, and SCPs can apply guardrails per environment. Option A is wrong because VPCs separate networks, not identities or permissions, within the same account. Option D is wrong because tags are labels and provide no isolation on their own.

Option B is wrong because IAM policies alone do not isolate resources; a single over-broad policy can still reach across environments in the same account.

1476
Multi-Selecthard

Which THREE design patterns are recommended for decoupling components in a microservices architecture on AWS?

Select 3 answers
A.Use Amazon EventBridge for event-driven integration.
B.Use AWS Direct Connect for private connectivity.
C.Use Amazon SNS topics for pub/sub messaging.
D.Use Amazon SQS queues between services.
E.Use Elastic Load Balancing to distribute traffic.
AnswersA, C, D

EventBridge decouples event producers and consumers.

Why this answer

Options A, C, and D are correct. Option A: EventBridge routes events from producers to consumers through rules, so neither side needs to know about the other. Option C: SNS enables fan-out of one message to multiple subscribers.

Option D: SQS queues between services absorb bursts and let consumers fail or scale independently of producers. Option B is wrong because Direct Connect is for hybrid connectivity. Option E is wrong because ELB distributes traffic but does not decouple services from each other.

1477
MCQeasy

A solutions architect notices that an Auto Scaling group's instances are continuously being terminated and replaced. CloudWatch logs show that health checks are failing due to high memory usage. The instances run a memory-intensive application. What should the architect do to improve stability?

A.Change the instance type to a memory-optimized family like R5.
B.Use a scheduled scaling policy to add instances during peak hours.
C.Increase the minimum number of instances in the Auto Scaling group.
D.Create a CloudWatch alarm for memory utilization and attach it to a scaling policy.
AnswerD

Memory alarm triggers scaling before health check failures.

Why this answer

Option D is correct because a memory-utilization alarm attached to a scaling policy lets the Auto Scaling group scale out before memory exhaustion causes health check failures. Note that EC2 does not publish memory metrics by default; the CloudWatch agent must be installed on the instances to report them. Option A is wrong in this question's framing because a memory-optimized family raises the ceiling of each instance but does not add capacity as load grows. Option C is wrong because a higher minimum instance count does not react to memory pressure.

Option B is wrong because a scheduled scaling policy is for predictable traffic patterns, not for memory-driven scaling.

1478
MCQmedium

A company runs a critical application on Amazon RDS for PostgreSQL. The database experiences high read traffic. The application is read-heavy and can tolerate eventual consistency for some queries. What is the MOST effective way to improve read performance without significant architectural changes?

A.Enable Multi-AZ deployment for failover.
B.Create one or more Read Replicas in the same region.
C.Use Amazon ElastiCache to cache frequent queries.
D.Upgrade to a larger instance type.
AnswerB

Read Replicas handle read queries, reducing load on primary.

Why this answer

Option B is correct because read replicas offload read traffic from the primary instance; replication is asynchronous, which matches the stated tolerance for eventual consistency. Option A is wrong because the Multi-AZ standby does not serve reads. Option C requires application changes to cache lookups. Option D scales vertically and raises cost but does not take reads off the primary.

1479
MCQhard

A company runs a stateless web application on EC2 instances behind an Application Load Balancer (ALB). During peak traffic, some instances become unhealthy and are replaced by Auto Scaling, but users experience errors. What is the MOST likely cause?

A.The EC2 instances are of a burstable performance type.
B.The Auto Scaling group's minimum size is too small.
C.The health check target path or port is misconfigured.
D.The health check interval is too long.
AnswerC

Misconfigured health checks can mark healthy instances as unhealthy, causing them to be replaced and disrupting traffic.

Why this answer

Option C is correct because a misconfigured health check target (for example, a wrong path or port) marks healthy instances as unhealthy, causing unnecessary replacements and errors for requests that were in flight. Option D is wrong because a longer health check interval would reduce, not increase, unnecessary replacements. Option A is wrong because instance type does not directly affect health checks.

Option B is wrong because a small minimum size might cause capacity issues but does not by itself explain instances being marked unhealthy.

1480
MCQeasy

A solutions architect is designing a web application that will run on Amazon EC2 instances behind an Application Load Balancer (ALB). The application requires that users' session data be stored and made available across all instances. Which solution is MOST cost-effective and scalable?

A.Use Amazon ElastiCache for Redis to store session data
B.Store session data on an Amazon EBS volume attached to each instance
C.Store session data in an Amazon RDS database
D.Enable sticky sessions (session affinity) on the ALB
AnswerA

Redis provides a fast, shared session store that all instances can access.

Why this answer

Amazon ElastiCache for Redis (Option A) provides a distributed in-memory store that every instance can read and write, is cost-effective, and scales easily. Option D (sticky sessions) couples a user to one instance, reducing fault tolerance. Option B (EBS) is attached to a single instance and is not shared.

Option C (RDS) works but is slower and more expensive than an in-memory store for session data.

1481
Multi-Selecthard

A company is designing a new data lake on AWS using Amazon S3. The data must be encrypted at rest. Which TWO options comply with the requirement? (Choose TWO.)

Select 2 answers
A.Enable SSL/TLS for all data transfers
B.Use S3 Access Points with a bucket policy
C.Use server-side encryption with Amazon S3 managed keys (SSE-S3)
D.Use client-side encryption before uploading
E.Use server-side encryption with AWS KMS (SSE-KMS)
AnswersC, E

SSE-S3 encrypts data at rest.

Why this answer

Options C and E are correct because SSE-S3 and SSE-KMS are both server-side encryption options that encrypt data at rest in S3. Option D is incorrect for this question because client-side encryption is applied by the uploader before the object reaches S3; it does not configure S3's at-rest encryption, which is what the requirement targets. Option A is incorrect because SSL/TLS protects data in transit only.

Option B is incorrect because S3 Access Points and bucket policies control access; they do not encrypt anything.

1482
MCQmedium

A company is modernizing a legacy .NET application by containerizing it on Amazon ECS. The application currently uses Windows authentication against on-premises Active Directory. After migrating, the application needs to authenticate users against AWS Managed Microsoft AD. The security team requires that credentials never leave the corporate network. Which solution should the company implement?

A.Store user passwords in AWS Secrets Manager and authenticate against it.
B.Use AWS AD Connector to proxy authentication to on-premises AD.
C.Use AWS Directory Service Simple AD with password sync.
D.Set up AWS Managed Microsoft AD with a two-way trust to on-premises AD over Direct Connect.
AnswerD

Keeps credentials on-premises.

Why this answer

Option D is correct because a trust between AWS Managed Microsoft AD and on-premises AD over Direct Connect lets the application authenticate users of the on-premises domain while their credentials stay on the on-premises domain controllers. Option B is wrong because AD Connector only proxies directory requests to on-premises AD; it does not provide the AWS Managed Microsoft AD domain the question requires. Option C is wrong because Simple AD does not support trust relationships with Active Directory.

Option A is wrong because copying user passwords into Secrets Manager moves credentials out of the corporate network, which violates the requirement.

1483
MCQmedium

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to stop an EC2 instance with the tag 'Environment=production'. The action fails. What is the MOST likely reason?

A.The ec2:ResourceTag condition key is not supported for ec2:StopInstances.
B.The Resource element is set to '*', which does not include the specific instance.
C.The ec2:StopInstances action is not listed in the policy.
D.The policy requires a resource ARN for the condition to work.
AnswerA

The answer key's premise is that the ec2:ResourceTag condition key is not supported for the ec2:StopInstances and ec2:StartInstances actions.

Why this answer

Option A matches the answer key: the policy's Condition element uses the ec2:ResourceTag condition key, and the premise of the question is that this key is not evaluated for ec2:StopInstances, so the condition never matches and the action is denied. Option B is wrong because a Resource of '*' includes every instance. Option C is wrong because ec2:StopInstances is listed in the policy; the problem is the condition, not the action. Option D is wrong because a condition does not need a specific resource ARN in order to be evaluated.

Caveat for practitioners: the current EC2 entry in the Service Authorization Reference lists ec2:ResourceTag/${TagKey} as a supported condition key for both ec2:StopInstances and ec2:StartInstances (it is the Describe* actions that support no resource-level permissions at all), so check the "Actions, resources, and condition keys" table before relying on this question's premise. If a policy like the exhibit's fails in a real account, a mismatch between the tag key or value in the condition and the tag on the instance (comparisons are case-sensitive) is the more likely cause.

1484
MCQhard

A company runs a critical workload on EC2 instances in an Auto Scaling group. The application is stateless and can handle instance failures. The architect needs to ensure that the application remains available during a regional outage. What is the MOST cost-effective and resilient architecture?

A.Deploy the Auto Scaling group in a single Region with instances spread across two AZs
B.Deploy the Auto Scaling group in three Availability Zones within a single Region
C.Use an active-passive configuration with Auto Scaling groups in two Regions and Route 53 failover
D.Use an active-active configuration across two Regions with Route 53 weighted routing
AnswerC

Active-passive reduces cost; failover provides resilience.

Why this answer

A multi-Region active-passive architecture with Route 53 failover routing (driven by health checks) and a warm standby in the secondary Region provides resilience to a regional outage at reasonable cost. Option D (active-active across Regions) also survives a regional outage but keeps full capacity running in both Regions and is more expensive. Options A and B keep everything in a single Region and so remain vulnerable to a regional failure.

1485
MCQeasy

A company is designing a new application that will be deployed on EC2 instances across multiple Availability Zones. The application must be highly available and must automatically recover from instance failures. Which solution should the architect recommend?

A.Use a single EC2 instance in one AZ and a standby instance in another AZ
B.Use AWS Elastic Beanstalk with a single instance environment
C.Use AWS CloudFormation to launch a single instance in each AZ
D.Use an Auto Scaling group with a minimum of two instances across two Availability Zones
AnswerD

Auto Scaling automatically replaces failed instances and distributes across AZs.

Why this answer

Option D is correct because an Auto Scaling group with a minimum of two instances across two Availability Zones keeps capacity in two zones and replaces any instance that fails its health check. Option A is wrong because a manually maintained standby instance does not fail over automatically. Option B is wrong because a single-instance Elastic Beanstalk environment is not highly available.

Option C is wrong because CloudFormation launches instances but does not monitor or replace them.

1486
Multi-Selecthard

A company is running a production web application on Amazon EKS. The application experiences intermittent latency spikes. The operations team suspects that the issue is related to pod networking. Which THREE tools should they use to diagnose the issue? (Choose 3)

Select 3 answers
A.tcpdump on worker nodes
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.Amazon CloudWatch Container Insights
E.AWS CodePipeline
AnswersB, C, D

Captures network traffic metadata.

Why this answer

Options B, C, and D are correct. VPC Flow Logs capture network traffic metadata (accepted and rejected flows) on the node network interfaces, Container Insights provides pod and node metrics including network I/O, and CloudWatch Logs hold the container logs. Option A is wrong because tcpdump is a host tool rather than an AWS service, although it remains useful for packet-level capture on a node.

Option E is wrong because CodePipeline is for CI/CD, not troubleshooting.

1487
MCQhard

A company is deploying a new web application on AWS that requires a highly available and scalable architecture. The application consists of a stateless web tier and a stateful database tier. The web tier runs on Amazon EC2 instances behind an Application Load Balancer. The database tier uses Amazon Aurora MySQL. The company expects variable traffic patterns and wants to automatically scale the web tier based on CPU utilization. Additionally, the company wants to ensure that the database can handle increased read traffic without manual intervention. Which combination of actions should the company take?

A.Use an Auto Scaling group with a target tracking scaling policy based on CPU utilization. Enable Aurora Auto Scaling to add read replicas based on CPU or connections.
B.Use an Auto Scaling group with a target tracking scaling policy based on CPU utilization. Use Amazon SQS to queue read requests during peak traffic.
C.Use an Auto Scaling group with a simple scaling policy based on CPU utilization. Use DynamoDB Auto Scaling for the database.
D.Use an Auto Scaling group with a step scaling policy based on CPU utilization. Use ElastiCache Auto Scaling to add cache nodes for read traffic.
AnswerA

Auto Scaling scales web tier; Aurora Auto Scaling scales read capacity automatically.

Why this answer

Option A is correct because a target tracking policy on CPU utilization scales the web tier, and Aurora Auto Scaling adds Aurora Replicas automatically based on CPU or connection metrics. Option C is wrong because DynamoDB Auto Scaling does not apply; the database is Aurora MySQL. Option D is wrong because ElastiCache is a cache, not the database, and adding cache nodes does not scale Aurora reads.

Option B is wrong because SQS queues asynchronous work; it cannot queue synchronous read requests for a relational database.

1488
MCQhard

A company is running a stateful web application on EC2 instances in an Auto Scaling group behind an ALB. The application stores session data locally on the instance. The company notices that users are frequently logged out and lose session data during scaling events. What is the MOST operationally efficient way to preserve session state?

A.Migrate session data to ElastiCache for Redis and modify the application to use it.
B.Create a custom AMI that pre-populates session data from Amazon S3.
C.Increase the Auto Scaling group's cooldown period to 600 seconds.
D.Enable sticky sessions (session affinity) on the ALB.
AnswerA

Externalizing session state ensures data persists across instance replacements.

Why this answer

Option A is correct because migrating session state to ElastiCache for Redis provides a centralized, external, and highly available session store that persists independently of EC2 instance lifecycles. This ensures that when instances are terminated or added during Auto Scaling events, session data remains intact and accessible from any instance, eliminating user logouts and data loss. It is operationally efficient as it requires minimal application code changes and leverages a fully managed, in-memory data store optimized for low-latency access.

Exam trap

The trap here is that candidates often choose sticky sessions (Option D) thinking it solves session persistence, but they overlook that sticky sessions only route traffic to the same instance and do not protect against data loss when that instance is terminated during scaling events.

How to eliminate wrong answers

Option B is wrong because pre-populating a custom AMI with session data from S3 is impractical and inefficient: session data is dynamic and changes constantly, so a static AMI cannot reflect real-time session states, and this approach would require frequent AMI rebuilds and complex synchronization. Option C is wrong because increasing the cooldown period to 600 seconds only delays scaling events but does not prevent session loss when instances are eventually terminated; it also reduces the Auto Scaling group's ability to respond to load changes, potentially impacting availability. Option D is wrong because enabling sticky sessions (session affinity) on the ALB only binds a user's session to a specific instance, but if that instance is terminated during a scale-in event, the session data is still lost; it does not provide a durable, shared session store.

1489
MCQhard

A company is planning to migrate a legacy application to AWS. The application requires a fixed IP address that clients whitelist. The company wants to achieve high availability across two Availability Zones. Which architecture should they use?

A.AWS Global Accelerator with Application Load Balancer
B.Network Load Balancer (NLB) with Elastic IPs attached to each subnet
C.Classic Load Balancer with Elastic IPs
D.Application Load Balancer (ALB) with EC2 instances
AnswerB

NLB supports static IPs via Elastic IPs per AZ.

Why this answer

Option B (NLB with Elastic IPs) is correct because an NLB supports static IP addresses: one Elastic IP can be assigned per subnet (AZ), so clients can whitelist two fixed addresses. Option D (ALB) exposes a DNS name whose IP addresses change. Option A (Global Accelerator) also provides two static anycast IPs but adds cost and complexity the question does not call for.

Option C (Classic Load Balancer) does not support Elastic IPs.

1490
MCQmedium

A company uses Amazon S3 to store sensitive data. The security team requires that all S3 buckets be encrypted at rest using SSE-KMS. The company has thousands of existing buckets, some of which are not encrypted. Which approach will enforce encryption on all buckets with minimal effort?

A.Use S3 default encryption to automatically encrypt new objects.
B.Use an AWS Config rule to check for encryption and automatically remediate by enabling SSE-S3.
C.Use an SCP to deny creation of buckets without SSE-KMS and use an AWS Config rule with remediation to enable SSE-KMS on existing buckets.
D.Create an AWS Lambda function that scans all buckets and enables encryption.
AnswerC

SCP prevents new non-compliant buckets, Config remediates existing ones.

Why this answer

Option C is correct because the SCP stops new non-compliant buckets from being created and AWS Config, with an automatic remediation action, enables SSE-KMS on existing buckets. Note that an SCP evaluates only the parameters of the request (for example, the s3:x-amz-server-side-encryption header on s3:PutObject); it cannot inspect an existing bucket's encryption configuration, which is exactly why the Config rule is needed for the existing buckets. Option D is wrong because a custom Lambda scanner is reactive and must be maintained, whereas Config provides both the detection and the remediation. Option A is wrong because default encryption applies to new objects only and does nothing for thousands of existing buckets.

Option B is wrong because SSE-S3 does not meet the SSE-KMS requirement.

1491
MCQhard

A company is modernizing its application by breaking a monolith into microservices on Amazon EKS. The application uses a shared PostgreSQL database. The company wants to implement a database-per-service pattern. The migration must be done with zero downtime. Which approach should the company use?

A.Implement the strangler fig pattern: gradually migrate functionality and data to new services.
B.Use AWS DMS with CDC to replicate the shared database to multiple target databases.
C.Use Amazon RDS read replicas to create separate databases for each service.
D.Create new databases for each service, migrate data during a maintenance window.
AnswerA

Allows zero downtime.

Why this answer

Option A is correct because the strangler fig pattern moves one slice of functionality and its data at a time while the monolith keeps serving everything else, so there is no cut-over downtime. Option D is wrong because a maintenance window is downtime. Option B is wrong because CDC replication copies data but does not split a shared schema into per-service databases on its own.

Option C is wrong because read replicas are copies of the whole database, not separate per-service databases.

1492
MCQeasy

A company uses AWS Organizations and wants to ensure that all member accounts have AWS CloudTrail enabled and logs are delivered to a central S3 bucket in the management account. Which approach is MOST efficient?

A.Use AWS Config rules to detect accounts without CloudTrail and auto-remediate.
B.Manually enable CloudTrail in each account by logging into every account.
C.Use AWS CloudFormation StackSets to deploy a CloudTrail template to all accounts.
D.Create an SCP that requires CloudTrail to be enabled in each account.
AnswerC

StackSets allow centralized, automated deployment of CloudTrail across accounts.

Why this answer

Option C is correct because AWS CloudFormation StackSets allow you to deploy a single CloudTrail template across all member accounts in an AWS Organization from a central management account. This approach is the most efficient as it automates the deployment, ensures consistent configuration, and delivers logs to the specified central S3 bucket without requiring manual intervention or per-account scripting.

Exam trap

The trap here is that candidates often confuse the capabilities of SCPs (which only control permissions) with resource enforcement, leading them to incorrectly select Option D, not realizing that SCPs cannot create or enable resources like CloudTrail.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can only detect non-compliance and trigger auto-remediation via Systems Manager Automation or Lambda, but they do not natively deploy CloudTrail across all accounts; they react to existing resources rather than proactively provisioning them, making them less efficient for initial deployment. Option B is wrong because manually enabling CloudTrail in each account by logging into every account is not scalable, error-prone, and violates the principle of least effort for a multi-account environment. Option D is wrong because Service Control Policies (SCPs) can only deny or allow API actions, not enforce the presence of a resource like CloudTrail; an SCP cannot require CloudTrail to be enabled—it can only block actions that disable it, which is insufficient to ensure initial enablement.

1493
Multi-Selectmedium

A company is designing a new application that will run on Amazon EC2 instances in an Auto Scaling group. The application must be able to distribute incoming traffic across multiple instances. Which TWO AWS services can be used for this purpose? (Choose TWO.)

Select 2 answers
A.Amazon CloudFront
B.AWS Global Accelerator
C.Network Load Balancer
D.Application Load Balancer
E.Amazon Route 53
AnswersC, D

NLB distributes traffic at Layer 4.

Why this answer

Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP) and can distribute incoming traffic across multiple EC2 instances in an Auto Scaling group with extremely low latency and high throughput. It is ideal for applications that require handling millions of requests per second while preserving the source IP address of clients. Application Load Balancer (ALB) operates at Layer 7 and distributes HTTP/HTTPS requests across the instances using host-, path-, and header-based routing; both register the Auto Scaling group as a target.

Exam trap

The exam often tests the distinction between services that perform actual load balancing (ALB, NLB) versus services that provide DNS-based routing (Route 53), content delivery (CloudFront), or global traffic optimization (Global Accelerator), leading candidates to mistakenly select Route 53 or CloudFront as load balancers.

1494
Multi-Selecteasy

A company is designing a new application that will process images uploaded by users. The application must automatically resize images and store them in Amazon S3. The solution should be serverless and event-driven. Which THREE AWS services should be used together? (Choose three.)

Select 3 answers
A.Amazon S3
B.AWS Lambda
C.Amazon EC2
D.Amazon Simple Queue Service (SQS)
E.Amazon S3 Event Notification
AnswersA, B, E

S3 stores the uploaded and processed images.

Why this answer

Options A, B, and E are correct. Amazon S3 can trigger a Lambda function on object uploads. Lambda can process the image and store the result back in S3.

Option C is wrong because EC2 is not serverless. Option D is wrong because SQS is not needed for this event-driven flow.
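The event-driven flow the answer describes, with the two details a practitioner needs to get right: object keys arrive URL-encoded in the notification, and a function that writes its output into the same bucket will be triggered by its own output unless it filters on prefix. This is an added example, not code from the exam page. The prefixes, bucket name and sample image are assumed; the resize is a nearest-neighbour halving of binary PPM files so that the pipeline runs with no dependencies (Pillow would take its place for JPEG/PNG), and the S3 client is injected so the handler can be exercised with a fake.

```python
"""Image-resize pipeline triggered by S3 event notifications. Added example,
not code from the exam page. Assumptions: uploads land under 'uploads/' and
thumbnails are written to 'thumbnails/' in the same bucket; the resize is a
nearest-neighbour halving of binary PPM (P6) files so the pipeline runs with
no dependencies (Pillow would take its place for JPEG/PNG); the S3 client is
injected so the handler can be exercised with a fake."""
import urllib.parse

SOURCE_PREFIX = "uploads/"
OUTPUT_PREFIX = "thumbnails/"


def _parse_ppm(data):
    """Return (width, height, pixel bytes) from a P6 PPM with maxval 255."""
    tokens, pos = [], 0
    while len(tokens) < 4:
        while data[pos:pos + 1].isspace():
            pos += 1
        if data[pos:pos + 1] == b"#":            # comment runs to end of line
            pos = data.index(b"\n", pos) + 1
            continue
        end = pos
        while end < len(data) and not data[end:end + 1].isspace():
            end += 1
        tokens.append(data[pos:end])
        pos = end
    pos += 1                                     # single whitespace byte before the pixels
    if tokens[0] != b"P6" or tokens[3] != b"255":
        raise ValueError("only 8-bit binary PPM is supported")
    width, height = int(tokens[1]), int(tokens[2])
    pixels = data[pos:pos + width * height * 3]
    if len(pixels) != width * height * 3:
        raise ValueError("truncated pixel data")
    return width, height, pixels


def halve_ppm(data):
    """Nearest-neighbour downscale by 2 in each dimension; keeps every other pixel."""
    width, height, pixels = _parse_ppm(data)
    new_w, new_h = max(1, width // 2), max(1, height // 2)
    out = bytearray(b"P6\n%d %d\n255\n" % (new_w, new_h))
    for y in range(new_h):
        for x in range(new_w):
            i = (2 * y * width + 2 * x) * 3
            out += pixels[i:i + 3]
    return bytes(out)


class FakeS3:
    """Stand-in for boto3's S3 client holding objects in a dict (constructed)."""
    def __init__(self, objects):
        self.objects = dict(objects)

    def get_object(self, Bucket, Key):
        return {"Body": self.objects[Key]}       # the real client returns a stream

    def put_object(self, Bucket, Key, Body, ContentType):
        self.objects[Key] = Body


def handler(event, context=None, s3=None, resize=halve_ppm, suffixes=(".ppm",)):
    """Lambda entry point; returns the keys it wrote so the caller can verify."""
    if s3 is None:
        import boto3                             # only needed inside Lambda
        s3 = boto3.client("s3")
    written = []
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        # Keys arrive URL-encoded ('cat photo.ppm' is sent as 'cat+photo.ppm').
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        # Loop guard: writing thumbnails into the same bucket fires this
        # function again, so never process our own output prefix.
        if not key.startswith(SOURCE_PREFIX) or key.startswith(OUTPUT_PREFIX):
            continue
        if not key.lower().endswith(suffixes):
            continue
        body = s3.get_object(Bucket=bucket, Key=key)["Body"]
        data = body if isinstance(body, bytes) else body.read()
        out_key = OUTPUT_PREFIX + key[len(SOURCE_PREFIX):]
        s3.put_object(Bucket=bucket, Key=out_key, Body=resize(data),
                      ContentType="image/x-portable-pixmap")
        written.append(out_key)
    return written


# Constructed 4x2 image and the notification S3 would send for it, plus a
# second record for a thumbnail that a previous run wrote (must be ignored).
SAMPLE_PPM = b"P6\n# two rows\n4 2\n255\n" + bytes(range(24))
SAMPLE_EVENT = {"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-images"},
            "object": {"key": "uploads/cat+photo.ppm"}}},
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-images"},
            "object": {"key": "thumbnails/cat+photo.ppm"}}},
]}


def run_sample():
    """Run the handler against the fake bucket; returns (keys written, bucket contents)."""
    s3 = FakeS3({"uploads/cat photo.ppm": SAMPLE_PPM})
    return handler(SAMPLE_EVENT, s3=s3), s3.objects
```

The prefix check in code is defence in depth; the notification configuration on the bucket should also be filtered to the uploads/ prefix so the thumbnail writes never invoke the function at all.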

1495
MCQeasy

A company is migrating a legacy application to AWS and needs to ensure compliance with data residency requirements. The application stores personally identifiable information (PII) in an on-premises MySQL database. The company wants to encrypt the data at rest and in transit during the migration. The database will be migrated to Amazon RDS for MySQL. The solutions architect must ensure that all data is encrypted end-to-end. Which combination of steps will meet these requirements?

A.Use a custom AMI with encrypted EBS volumes, enforce TLS, and use AWS DMS with SSL.
B.Enable RDS encryption at launch, use AWS DMS with SSL, and require SSL certificate verification on the RDS endpoint.
C.Enable RDS encryption at launch, enforce TLS for connections, and configure the application to use SSL/TLS.
D.Enable RDS encryption after migration, use AWS DMS with SSL, and set up a VPN connection.
AnswerC

RDS encryption encrypts data at rest; TLS encrypts data in transit; application configuration ensures end-to-end encryption.

Why this answer

Option C is correct. To encrypt data at rest on RDS, enable encryption when the instance is created; encryption cannot be turned on for an existing unencrypted instance in place (you would have to copy a snapshot with encryption enabled and restore from it). To encrypt data in transit, enforce TLS on the RDS side and configure the application to connect with SSL/TLS.

AWS DMS with SSL endpoints (Options A, B and D) encrypts the migration traffic, and certificate verification on the RDS endpoint (Option B) ensures the client is talking to the real database, but Option B says nothing about the application's ongoing connections, Option D tries to enable encryption after migration, which is not possible in place, and Option A encrypts the EBS volumes of a self-managed instance instead of using RDS encryption.

A VPN (Option D) protects the network path but does not encrypt the database at rest.

1496
MCQhard

A company is modernizing a monolithic application by decomposing it into microservices. The application currently uses a single MySQL database. The company wants to use a polyglot persistence approach, with different microservices using the most appropriate database type. The team has limited experience with NoSQL databases. Which strategy should the team use to minimize risk during the migration?

A.Rewrite the entire application as microservices using a new database for each service from the start
B.Use the strangler fig pattern to incrementally replace parts of the monolith with microservices, starting with a non-critical function
C.Migrate the entire monolith to a containerized application on Amazon ECS in one go
D.Use AWS DMS to replicate the monolith's database to multiple target databases simultaneously
AnswerB

Correct. The strangler fig pattern allows gradual migration with minimal risk.

Why this answer

Using the strangler fig pattern allows incremental migration, replacing parts of the monolith with microservices one at a time. This reduces risk because each microservice can be tested independently. Starting with a non-critical service provides learning opportunity without high impact.

1497
MCQhard

A solutions architect attempts to create this stack but receives an error: "Value of property SecurityGroups must be a list of strings". What is the likely cause?

A.The SecurityGroups property should be a list, but the YAML specifies a single reference incorrectly.
B.The security group ingress rule allows SSH from anywhere.
C.There is a circular dependency between the EC2 instance and the security group.
D.The AMI ID is invalid.
AnswerA

The SecurityGroups property expects a list of strings. A single !Ref MySecurityGroup written as a scalar value produces this error; written as a one-item list (SecurityGroups: [!Ref MySecurityGroup], or a "- !Ref MySecurityGroup" entry under SecurityGroups:) it is accepted.

Why this answer

Option A is correct. SecurityGroups takes a list of security group names, and !Ref on an AWS::EC2::SecurityGroup returns a single string, so the reference must be wrapped in a list. Practitioner note: for an instance in a non-default VPC, use the SecurityGroupIds property instead, which takes a list of group IDs, which is what !Ref returns for a security group created in a VPC.

Option D (an invalid AMI) would produce a different error at launch time. Option B (SSH open to the world) is a security weakness, not a validation error. Option C (a circular dependency) is not indicated by this message.

1498
MCQmedium

A company is using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application has a health check endpoint at /health. Recently, the ALB is marking instances as unhealthy even though the application is running. The health check settings are: interval 30 seconds, timeout 5 seconds, unhealthy threshold 2. What is the most likely cause?

A.The health check interval of 30 seconds is too long.
B.The unhealthy threshold of 2 is too high.
C.The health check timeout of 5 seconds is too short for the application to respond.
D.The health check path /health is not accessible from the ALB.
AnswerC

A short timeout can cause false unhealthy markings.

Why this answer

Option C is correct because a 5-second timeout is short for an application that, under load, takes longer to answer /health; two consecutive timeouts (interval 30 seconds, unhealthy threshold 2) mark the target unhealthy within a minute even though the application is running. Option A is wrong because a 30-second interval is a standard setting and a longer interval would not produce false failures. Option B is wrong because a threshold of 2 is the default, and lowering it would make the problem worse.

Option D is wrong because an unreachable path would fail every check from the start rather than appear only recently.

1499
MCQhard

A company runs a high-traffic e-commerce platform on AWS. The application consists of a web tier, an application tier, and a database tier using Amazon RDS for PostgreSQL with Multi-AZ. During a recent sales event, the database experienced high CPU utilization and read replicas were added to offload read traffic. However, the application team noticed that some product detail pages were showing stale data (prices and inventory levels) even though the primary database had the correct data. The application uses read replicas for read queries. The solutions architect investigated and found that the read replica lag was minimal (under 1 second). The application uses Django ORM with default transaction isolation. What is the most likely cause of the stale data?

A.The Multi-AZ standby was promoted due to a failover, causing a brief inconsistency.
B.The application is not using a connection pool, causing connections to be established to different replicas.
C.The application is reading from read replicas, which are eventually consistent, and the data may be stale if the replica has not yet applied changes from the primary.
D.The read replica is using a different storage type (Aurora I/O-Optimized) than the primary.
AnswerC

Read replicas are eventually consistent; for critical data, the application should read from the primary.

Why this answer

Option C is correct. The application reads from read replicas, which are asynchronously replicated and therefore eventually consistent. Even with sub-second lag, a read issued right after a write to the primary can land on a replica that has not yet applied that write, and a page rendered from that read shows the old price or stock level.

The fix is to read critical data such as prices and inventory from the primary, or to route a session's reads to the primary for a short window after it writes. Option A is wrong because a Multi-AZ failover affects availability, not which copy the reads come from. Option D is wrong because Aurora I/O-Optimized is an Aurora storage configuration and this platform uses RDS for PostgreSQL.

Option B is wrong because a connection pool changes which replica a query reaches, not the fact that every replica trails the primary.
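The routing fix the explanation calls for, generalized into a read-your-writes router: critical tables always read from the primary, and any session that has just written keeps reading from the primary until the replicas have had time to catch up. This is an added example, not code from the exam page or from Django; the method names mirror Django's DATABASE_ROUTERS hooks so the class could be adapted, but it depends on nothing outside the standard library. The table names, session ids and lag budget are constructed for the demonstration.

```python
"""Read-your-writes routing between an RDS primary and its read replicas.
Added example, not code from the exam page or from Django. Assumptions: the
application can pass the issuing session's id with each query; the method
names mirror Django's DATABASE_ROUTERS hooks (db_for_read/db_for_write) but
the class below needs nothing outside the standard library. Table names and
the lag budget are constructed for the demonstration."""
import time

PRIMARY = "primary"
REPLICA = "replica"
# Rows the business cannot afford to show stale, whoever wrote them last.
ALWAYS_PRIMARY = {"catalog_price", "inventory_stock"}


class ReadYourWritesRouter:
    def __init__(self, stickiness_seconds=5.0, clock=time.monotonic):
        # Must exceed the worst replica lag you are prepared to tolerate;
        # "under 1 second" average lag does not bound the tail.
        self.stickiness = stickiness_seconds
        self.clock = clock
        self._last_write = {}                   # session id -> time of its last write

    def db_for_write(self, table, session):
        """All writes go to the primary; remember that this session just wrote."""
        self._last_write[session] = self.clock()
        return PRIMARY

    def db_for_read(self, table, session):
        """Replica unless the table is critical or the session wrote recently."""
        if table in ALWAYS_PRIMARY:
            return PRIMARY
        wrote_at = self._last_write.get(session)
        if wrote_at is not None and self.clock() - wrote_at < self.stickiness:
            return PRIMARY                      # its own write may not have replicated yet
        return REPLICA

    def expire(self):
        """Drop bookkeeping for sessions whose window has passed; returns what remains."""
        now = self.clock()
        self._last_write = {s: t for s, t in self._last_write.items()
                            if now - t < self.stickiness}
        return len(self._last_write)


class FakeClock:
    """Constructed clock so the window logic can be checked deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate():
    """Walk one shopper through the stale-read scenario; returns the routing decisions."""
    clock = FakeClock()
    router = ReadYourWritesRouter(stickiness_seconds=5.0, clock=clock)
    trace = []
    trace.append(router.db_for_read("product_review", "shopper-1"))   # replica: nothing written
    trace.append(router.db_for_write("cart_item", "shopper-1"))       # primary
    clock.now = 0.5
    trace.append(router.db_for_read("cart_item", "shopper-1"))        # primary: inside the window
    trace.append(router.db_for_read("cart_item", "shopper-2"))        # replica: another session
    clock.now = 6.0
    trace.append(router.db_for_read("cart_item", "shopper-1"))        # replica: window elapsed
    trace.append(router.db_for_read("inventory_stock", "shopper-2"))  # primary: always
    trace.append(router.expire())                                     # 0 sessions still sticky
    return trace
```

For PostgreSQL a stricter alternative to a time window is to record pg_current_wal_lsn() on the primary after the write and read from a replica only once its pg_last_wal_replay_lsn() has reached that position; the time-based router above is the simpler choice when the application cannot plumb LSNs through.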

1500
MCQmedium

An administrator runs the above command and sees that the 'Prod' account is suspended. What is the MOST likely cause?

A.The account has an unpaid AWS bill.
B.The account was suspended due to a Service Control Policy (SCP) violation.
C.The account was suspended due to a security breach detected by AWS.
D.The account was removed from the organization by the root user.
AnswerA

AWS suspends accounts with overdue payments.

Why this answer

Option A is correct because AWS suspends accounts for non-payment, and a suspended member account shows a SUSPENDED status in the organization's account listing. Option B is wrong because AWS Organizations does not suspend accounts for SCP violations; an SCP only denies the actions it does not permit. Option C is wrong because nothing in the output points to a security event.

Option D is wrong because an account removed from the organization no longer appears in its account list; the account shown is still a member.
