AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 1576-1650

1746 questions total · 24 pages · All types, answers revealed

Page 22 of 24
1576 (MCQ, hard)

A company is migrating a large Hadoop cluster to Amazon EMR. The cluster uses HDFS for storage. The company wants to decouple compute and storage to reduce costs. Which approach should the company take?

A. Use Amazon S3 as the data store and EMRFS
B. Use Amazon FSx for Lustre
C. Use Amazon EFS for HDFS
D. Use EBS volumes for HDFS
Answer: A

Decouples storage, allows compute to be ephemeral.

Why this answer

Option C is correct because using Amazon S3 as the data lake with EMR allows separation. Option A (EBS) is still attached to compute. Option B (EFS) is not optimized for Hadoop.

Option D (FSx for Lustre) is for high-performance computing but not decoupling.

1577 (MCQ, medium)

A company uses AWS Organizations and has a central IT team that manages VPCs. The team wants to ensure that only authorized accounts can create VPCs, and that all VPCs must have a specific tag. Which solution enforces this?

A. Use AWS Config to detect and delete untagged VPCs.
B. Use IAM policies in each account to require tags.
C. Apply an SCP that denies ec2:CreateVpc if the request does not include the required tag.
D. Use AWS CloudFormation StackSets to deploy VPC templates with tags.
Answer: C

Prevents creation at the organization level.

Why this answer

Option C is correct because AWS Organizations Service Control Policies (SCPs) can centrally restrict actions across all member accounts. By applying an SCP that denies ec2:CreateVpc unless the request includes a specific tag (using the ec2:ResourceTag condition key), the central IT team ensures that only authorized accounts (which cannot bypass the SCP) can create VPCs, and all VPCs must have the required tag at creation time.

Exam trap

The trap here is that candidates often confuse AWS Config's detective capabilities with preventive controls, or assume IAM policies in individual accounts can be centrally enforced, when only SCPs provide organization-wide preventive enforcement that cannot be bypassed by account-level administrators.

How to eliminate wrong answers

Option A is wrong because AWS Config can detect and report untagged VPCs, but it cannot prevent their creation; it only provides post-hoc compliance evaluation and can trigger remediation, not enforce the tag at creation time. Option B is wrong because IAM policies in each account can require tags, but they are managed per-account and cannot be enforced centrally across all accounts in the organization; a user with sufficient permissions in their own account could modify or remove the IAM policy. Option D is wrong because AWS CloudFormation StackSets can deploy VPC templates with tags, but they do not prevent users from creating VPCs outside of CloudFormation using the console, CLI, or SDK, so they do not enforce the tag requirement.

1578 (MCQ, medium)

A company's AWS environment includes multiple VPCs across several accounts that are connected via a transit gateway. The network team wants to monitor all network traffic between VPCs for security analysis. Which solution is the most scalable and cost-effective?

A. Use AWS Traffic Mirroring to mirror all traffic to a central inspection appliance.
B. Enable VPC Flow Logs and publish them to a central S3 bucket, then use Amazon Athena to query the logs.
C. Enable VPC Flow Logs for each VPC and stream them to Amazon CloudWatch Logs in each account.
D. Place a network load balancer in each VPC and capture traffic using a packet sniffer.
Answer: B

Scalable and cost-effective.

Why this answer

Option B is correct because VPC Flow Logs capture IP traffic metadata (not full packets) and can be centrally published to an S3 bucket across accounts using a central logging account. Querying with Athena is serverless, scales automatically, and incurs cost only for data scanned, making it the most scalable and cost-effective solution for security analysis of inter-VPC traffic.

Exam trap

The trap here is that candidates may over-engineer the solution by choosing Traffic Mirroring or NLB-based packet capture, thinking full packet inspection is needed, when metadata from Flow Logs is sufficient for security analysis and far more cost-effective at scale.

How to eliminate wrong answers

Option A is wrong because Traffic Mirroring copies full packet contents to a central appliance, which incurs high data transfer and processing costs, and requires managing a separate inspection instance that does not scale elastically. Option C is wrong because streaming Flow Logs to CloudWatch Logs in each account creates a decentralized, harder-to-query setup with higher per-log ingestion and storage costs, and lacks a single pane of glass for cross-account analysis. Option D is wrong because placing a Network Load Balancer in each VPC does not inherently capture traffic; packet sniffers require agent installation and cannot capture all traffic without significant performance overhead and architectural complexity.

1579 (MCQ, easy)

A company is building a serverless application using AWS Lambda. The Lambda function needs to process files uploaded to an S3 bucket. The function should be triggered as soon as a new object is created. How should the architect configure this?

A. Configure S3 to send event notifications to the Lambda function directly
B. Configure S3 to send event notifications to an SNS topic, which triggers the Lambda function
C. Configure S3 to send event notifications to an SQS queue, and have the Lambda function poll the queue
D. Configure S3 to send event notifications to Amazon CloudWatch Events, which triggers the Lambda function
Answer: A

S3 event notifications can directly invoke Lambda functions.

Why this answer

S3 can send events directly to Lambda via an S3 event notification. Option A (SNS) adds unnecessary intermediate service. Option B (CloudWatch Events) is not designed for S3 object creation triggers.

Option D (SQS) adds latency and complexity.

1580 (Multi-Select, hard)

A company is migrating a monolithic application to microservices on Amazon ECS. They want to implement a service mesh for observability and traffic management. Which THREE AWS services should they consider?

Select 3 answers
A. Amazon Route 53
B. AWS X-Ray
C. Amazon CloudWatch
D. AWS App Mesh
E. AWS Step Functions
Answers: B, C, D

X-Ray provides distributed tracing.

Why this answer

Options B, C, and D are correct. AWS App Mesh is a service mesh that provides observability and traffic management. AWS X-Ray provides tracing for microservices.

Amazon CloudWatch provides monitoring and logs. Option A is wrong because AWS Step Functions is for orchestrating workflows, not service mesh. Option E is wrong because Amazon Route 53 is DNS, not a service mesh.

1581 (MCQ, easy)

A company wants to implement a single sign-on (SSO) solution for its employees to access multiple AWS accounts. The company has an existing identity provider (IdP) that supports SAML 2.0. Which AWS service should be used to integrate with the IdP?

A. AWS Directory Service for Microsoft Active Directory.
B. Amazon Cognito user pools.
C. AWS IAM Identity Center.
D. AWS Identity and Access Management (IAM) with SAML federation.
Answer: C

IAM Identity Center integrates with SAML 2.0 IdPs and provides SSO across multiple AWS accounts.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the recommended service for centrally managing SSO access to multiple AWS accounts. It natively integrates with external SAML 2.0 identity providers, allowing you to define permission sets that govern user access across accounts without creating IAM users. This provides a single place to manage user assignments and enforce least-privilege access across your AWS Organization.

Exam trap

The trap here is that candidates often confuse IAM SAML federation (which works for a single account) with IAM Identity Center (which is the correct multi-account SSO solution), leading them to select Option D because they know SAML 2.0 is supported, but they miss the requirement for multiple AWS accounts.

How to eliminate wrong answers

Option A is wrong because AWS Directory Service for Microsoft Active Directory is a managed AD service that supports SAML federation but is designed for integrating with Microsoft AD workloads, not as a general-purpose SAML IdP broker for multiple AWS accounts; it would require additional configuration with IAM roles and does not natively manage cross-account permission sets. Option B is wrong because Amazon Cognito user pools are intended for customer-facing identity and access management in applications, not for workforce SSO to AWS accounts; they lack the ability to assign permission sets across multiple AWS accounts. Option D is wrong because IAM with SAML federation allows you to federate a single IdP into a single AWS account, but it does not provide centralized management across multiple accounts; you would need to manually configure roles and trust policies in each account, which is not scalable for multi-account SSO.

1582 (MCQ, easy)

A company uses AWS CodePipeline for CI/CD. The deployment stage uses AWS CodeDeploy to deploy to EC2 instances. The team wants to automatically test the application after deployment and roll back if tests fail. Which approach should the team use?

A. Create a separate CodePipeline for testing and use a cross-pipeline trigger to initiate rollback.
B. Add a manual approval step after deployment to run tests manually.
C. Use a CloudWatch alarm to monitor test results and trigger a rollback.
D. Add a test stage in CodePipeline after the deployment stage and configure CodeDeploy to automatically roll back on pipeline failure.
Answer: D

CodePipeline can automatically roll back on stage failure.

Why this answer

Option C is correct because CodePipeline can have a test stage after deployment, and CodeDeploy can trigger a rollback if the test stage fails. Option A is wrong because manual testing is not automatic. Option B is wrong because CloudWatch alarms are not for test results.

Option D is wrong because a separate pipeline adds complexity.

1583 (Multi-Select, hard)

A company is designing a microservices architecture on Amazon ECS with Fargate. The services need to communicate securely and efficiently. The company wants to implement service-to-service authentication and authorization. Which THREE steps should the company take? (Choose THREE.)

Select 3 answers
A. Use AWS Secrets Manager to store and rotate service credentials.
B. Configure mutual TLS (mTLS) between services using certificates from ACM.
C. Enable ECS Service Connect between services for automatic DNS and TLS encryption.
D. Deploy an API Gateway in front of each microservice.
E. Use IAM roles for tasks and attach policies that allow access to other services.
Answers: A, C, E

Secrets Manager securely stores credentials for database or API keys.

Why this answer

Options A, C, and E are correct. A: ECS Service Connect provides DNS and encryption. C: IAM roles for tasks grant permissions.

E: Secrets Manager stores secrets. Option B is not needed with Service Connect. Option D is for public APIs.

1584 (MCQ, easy)

A company is building a new application that will run on AWS Lambda. The application needs to store and retrieve user preferences in a key-value format. The data is accessed frequently and must be highly available. The company expects low latency for reads and writes. Which AWS service should be used as the data store?

A. Amazon S3
B. Amazon ElastiCache for Memcached
C. Amazon RDS for PostgreSQL
D. Amazon DynamoDB
Answer: D

DynamoDB is a key-value database with low latency and high availability.

Why this answer

Option B is correct because Amazon DynamoDB is a key-value store designed for low-latency, high-availability access. Option A: S3 is object storage, not key-value. Option C: RDS is relational.

Option D: ElastiCache is in-memory but not persistent by default.

1585 (Drag & Drop, medium)

Drag and drop the steps to configure an S3 bucket as a static website hosting in the correct order.


Why this order

First create the bucket, enable hosting, upload content, set policy, then test.

1586 (MCQ, medium)

A company is designing a new serverless application using AWS Lambda. The function must process a file uploaded to S3 and then send a notification to an external API. The external API has a rate limit of 10 requests per second. Which approach should they use to handle throttling?

A. Use Amazon SQS to buffer the requests and set a Lambda reserved concurrency to limit the processing rate
B. Increase the Lambda function timeout and retry on failure
C. Configure a Lambda function destination on failure to reprocess
D. Use Amazon SNS to fan out the notification to multiple Lambda functions
Answer: A

SQS can buffer requests and Lambda reserved concurrency can limit concurrency, effectively throttling the rate.

Why this answer

Option D is correct because using SQS as a dead-letter queue with a Lambda reserved concurrency and a throttle can control the rate. Option A is wrong because increasing timeout does not handle rate limiting. Option B is wrong because SNS does not provide rate control.

Option C is wrong because Lambda destination on failure alone does not throttle.

1587 (MCQ, easy)

A company uses Amazon RDS for PostgreSQL and needs to apply a minor version upgrade. They want to minimize downtime. Which approach should they use?

A. Apply the upgrade during the maintenance window
B. Create a read replica, upgrade it, and promote it
C. Use a Multi-AZ deployment and apply the upgrade
D. Modify the DB parameter group to set the version
Answer: C

Multi-AZ allows rolling upgrade with minimal downtime.

Why this answer

Option B is correct because Multi-AZ deployments can be upgraded with minimal downtime as the standby is upgraded first, then failover occurs. Option A is wrong because upgrades always require some downtime unless Multi-AZ. Option C is wrong because creating a read replica and promoting it is a manual process that can cause data loss if not careful.

Option D is wrong because modifying the DB parameter group does not upgrade the version.

1588 (Multi-Select, hard)

A company has a multi-account AWS environment with a centralized logging account. The security team needs to analyze VPC Flow Logs from all accounts using Amazon Athena. Which THREE steps are required to enable this analysis? (Choose THREE.)

Select 3 answers
A. Create an AWS Glue table or use Athena's CREATE TABLE statement to define the schema of the Flow Logs.
B. Ensure the Flow Logs are delivered in GZIP format (default) or uncompressed.
C. Deliver VPC Flow Logs from each account to a centralized S3 bucket in the logging account.
D. Replicate the S3 bucket to a single AWS Region for consistency.
E. Configure a Kinesis Data Firehose delivery stream to convert Flow Logs to Parquet format.
Answers: A, B, C

Athena needs a table definition to query the data.

Why this answer

Option B is correct because Athena requires a table defined over the data. Option C is correct because Flow Logs should be stored in a central S3 bucket. Option D is correct because Flow Logs are delivered to S3 in GZIP format, which Athena can query.

Option A is incorrect because Kinesis Data Firehose is not needed; Flow Logs can go directly to S3. Option E is incorrect because the logs must be in the same region as the Athena queries.

1589 (MCQ, easy)

A company has a centralized logging solution using Amazon OpenSearch Service (Elasticsearch) and wants to ensure logs from all AWS accounts are shipped to a central account. Which AWS service can be used to collect and forward logs from multiple accounts to a single destination?

A. Amazon S3 bucket with cross-account bucket policy
B. Amazon Kinesis Data Firehose delivery stream with cross-account access
C. Amazon CloudWatch Logs subscription filter
D. AWS Lambda function in each account that sends logs to a central API
Answer: B

Firehose can accept data from multiple accounts via IAM roles and deliver to a central OpenSearch domain.

Why this answer

Option B is correct because Amazon Kinesis Data Firehose can receive logs from multiple accounts via subscriptions and deliver to OpenSearch. Option A is wrong because CloudWatch Logs subscription can forward logs but requires each account to have a subscription filter. Option C is wrong because S3 is a destination, not a forwarding mechanism.

Option D is wrong because Lambda can process logs but is not designed for centralized cross-account ingestion.

1590 (Multi-Select, hard)

Which THREE design patterns can help a microservices application achieve loose coupling and independent deployability? (Choose three.)

Select 3 answers
A. Shared database schema across services
B. Circuit breaker pattern to handle service failures
C. Synchronous RESTful HTTP calls between services
D. Event-driven communication using Amazon SNS and SQS
E. API Gateway as a facade for service endpoints
Answers: B, D, E

Circuit breakers isolate failures, allowing services to degrade gracefully without impacting others.

Why this answer

Options B, C, and D are correct. B: Event-driven communication via SNS/SQS decouples services. C: API Gateway provides a facade that routes to different services independently.

D: Circuit breaker pattern prevents cascading failures, allowing independent failure handling. Option A is wrong because shared database creates tight coupling. Option E is wrong because synchronous HTTP calls create tight coupling.

1591 (Multi-Select, medium)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts use AWS CloudTrail with logs delivered to a central S3 bucket. Which TWO actions should be taken to enforce this?

Select 2 answers
A. Create an IAM role in each account that requires CloudTrail to be enabled
B. Use CloudFormation StackSets to deploy a CloudTrail trail in each account
C. Use AWS Config rules to detect when CloudTrail is not configured correctly and trigger remediation
D. Use AWS Lambda to automatically re-enable CloudTrail if it is disabled
E. Use a service control policy (SCP) to deny actions that disable CloudTrail or modify the trail configuration
Answers: C, E

Config rules can monitor and auto-remediate to ensure compliance.

Why this answer

Options A and D are correct. SCPs can prevent disabling CloudTrail or modifying the trail. AWS Config rules can detect missing or misconfigured trails.

Option B is wrong because IAM roles do not enforce CloudTrail. Option C is wrong because Lambda can create but not enforce. Option E is wrong because CloudFormation can deploy but not prevent removal.

1592 (MCQ, medium)

A company uses AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization have server-side encryption enabled. Which is the MOST efficient way to enforce this policy?

A. Use AWS CloudTrail to monitor and alert on unencrypted buckets
B. Enable S3 default encryption in each account
C. Apply a service control policy (SCP) that denies creation of S3 buckets without encryption
D. Use S3 bucket policies to require encryption
Answer: C

SCP can be applied to the entire organization or OU to enforce encryption at account creation.

Why this answer

Option C is correct because a service control policy (SCP) can centrally deny the creation of S3 buckets that do not have server-side encryption enabled across all accounts in an AWS Organization. This approach enforces the security team's requirement at the organizational level, preventing non-compliant buckets from being created regardless of individual account configurations, which is the most efficient and scalable method.

Exam trap

The trap here is that candidates often confuse S3 bucket policies (which control access to objects) with SCPs (which control API actions at the account level), leading them to choose option D, which cannot enforce encryption on the bucket itself.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail only provides logging and monitoring capabilities; it cannot proactively enforce or prevent the creation of unencrypted buckets, only alert after the fact. Option B is wrong because enabling S3 default encryption in each account relies on individual account administrators to configure it correctly, and it does not prevent users from explicitly overriding the default during bucket creation. Option D is wrong because S3 bucket policies can require encryption for objects uploaded to a bucket, but they do not enforce encryption on the bucket itself (i.e., the bucket's default encryption setting) and cannot prevent the creation of a bucket without encryption enabled.

1593 (MCQ, hard)

Refer to the exhibit. A company is using AWS CloudFormation to migrate a serverless application. The stack creation failed. Based on the stack events, what is the root cause of the failure?

A. The CloudFormation template has a syntax error.
B. The AWS Lambda runtime specified in the template is not supported in the us-east-1 region.
C. The IAM role for the Lambda function does not have sufficient permissions.
D. The Lambda function code exceeds the maximum size limit.
Answer: B

The runtime is not supported.

Why this answer

Option C is correct because the error message explicitly states 'The runtime parameter of nodejs18.x is not supported'. Option A is wrong because the error is specifically about the runtime. Option B is wrong because the error is not about permissions.

Option D is wrong because it is a Lambda runtime issue, not a CloudFormation template issue.

1594 (MCQ, easy)

A company wants to deploy a new web application on AWS that uses a microservices architecture. The company expects rapid growth and wants to decouple services to allow independent scaling and development. The team wants to use Docker containers for consistency across environments. Which solution should a Solutions Architect recommend?

A. Use Amazon Lightsail containers to deploy each microservice as a container service.
B. Deploy each microservice on separate EC2 instances behind an Application Load Balancer.
C. Use Amazon ECS with Fargate to run each microservice as a separate task definition, with service auto scaling.
D. Use AWS Elastic Beanstalk with Docker platform to deploy each microservice as a separate environment.
Answer: C

ECS with Fargate is a fully managed container service that decouples services and scales independently.

Why this answer

Option D is correct because ECS with Fargate is a managed container service that scales automatically and decouples services. Option A is wrong because EC2 instances are not containerized. Option B is wrong because Elastic Beanstalk is a PaaS that abstracts containers but may not provide as much control.

Option C is wrong because Lightsail is for simpler workloads, not microservices at scale.

1595 (Multi-Select, easy)

A company is designing a new application that will run on Amazon EC2 instances behind an Application Load Balancer (ALB). The application must be highly available and fault-tolerant across multiple Availability Zones. Which TWO actions should be taken to achieve this? (Choose two.)

Select 2 answers
A. Use an Auto Scaling group to launch instances only in one Availability Zone.
B. Use a Network Load Balancer instead of ALB for better performance.
C. Launch EC2 instances in at least two Availability Zones.
D. Configure the ALB to be internet-facing and register instances from multiple AZs.
E. Launch all EC2 instances in a single Availability Zone for low latency.
Answers: C, D

Multiple AZs provide fault tolerance if one AZ fails.

Why this answer

Option C is correct because launching EC2 instances in at least two Availability Zones (AZs) ensures that if one AZ fails, the application continues to run from the other AZ, providing fault tolerance and high availability. Option D is correct because configuring the ALB to be internet-facing and registering instances from multiple AZs allows the ALB to distribute incoming traffic across healthy instances in different AZs, automatically rerouting traffic if an AZ becomes impaired.

Exam trap

The trap here is that candidates often think a single AZ with Auto Scaling is sufficient for high availability, but true fault tolerance requires distributing resources across multiple AZs to survive an AZ-level failure.

1596 (MCQ, hard)

A company is migrating a legacy CRM application to AWS. The application uses a proprietary database that is not supported by Amazon RDS. The company wants to minimize licensing costs. The current on-premises deployment uses a single server. Which migration strategy should the company use?

A. Rehost the application on Amazon EC2 and install the same proprietary database on an EC2 instance.
B. Rehost the application, but replace the database with a SaaS alternative.
C. Refactor the application to use a different database engine that is supported by Amazon RDS.
D. Use AWS Database Migration Service (DMS) to migrate the database to Amazon RDS.
Answer: A

Rehosting with the same database minimizes licensing costs.

Why this answer

Option D is correct because moving the database to an EC2 instance with the same database software allows the company to bring its own license and minimize licensing costs. Option A is wrong because converting to a supported database may incur additional licensing. Option B is wrong because DMS does not support proprietary databases.

Option C is wrong because repurchasing may not fit the need.

1597 (Multi-Select, medium)

A company runs a web application on EC2 instances in an Auto Scaling group. The application stores session data in an Amazon ElastiCache for Redis cluster. The operations team reports that after scaling events, users lose their sessions. Which TWO actions should the Solutions Architect take to resolve this issue?

Select 2 answers
A. Use a Network Load Balancer instead of an Application Load Balancer.
B. Enable sticky sessions (session affinity) on the Application Load Balancer.
C. Move session data storage from ElastiCache to an external store that persists across instance termination.
D. Store session data in Amazon DynamoDB.
E. Enable replication in the ElastiCache cluster to handle failover.
Answers: B, C

Sticky sessions route a user to the same instance.

Why this answer

Options A and C are correct: Sticky sessions ensure requests from a user go to the same instance, and placing ElastiCache outside the ASG ensures it persists. Option B is unnecessary because Redis replication does not address session loss during scaling. Option D is wrong because session stickiness at ALB is already implied but not sufficient without persistent cache.

Option E is wrong because DynamoDB is not necessary.

1598 (MCQ, hard)

A company uses AWS Organizations with 500 accounts. They want to enforce that all accounts use a specific set of allowed AMIs for EC2. What is the MOST scalable solution?

A. Apply an SCP that denies ec2:RunInstances with a condition on ec2:ImageId.
B. Use AWS Config to detect non-compliant AMIs and stop the instances.
C. Create a service catalog product for EC2 with allowed AMIs.
D. Use AWS Systems Manager to enforce AMI compliance.
Answer: A

SCP applies to all accounts in the organization.

Why this answer

An SCP that denies RunInstances unless the AMI ID is in the allowed list is scalable. Option A is wrong because it's per-account. Option C is wrong because it doesn't prevent.

Option D is wrong because it's after creation.

1599 (MCQ, easy)

A company wants to decouple a web application frontend from a backend processing service. The frontend sends jobs that are processed asynchronously. Which AWS service is best suited for this decoupling?

A. Amazon SQS
B. Amazon SNS
C. Amazon Kinesis
D. AWS Step Functions
Answer: A

SQS provides a reliable message queue.

Why this answer

Option B is correct because Amazon Simple Queue Service (SQS) is a fully managed message queue for decoupling. Option A is wrong because SNS is pub/sub. Option C is wrong because Kinesis is for streaming.

Option D is wrong because Step Functions is for workflows.

1600 (Multi-Select, medium)

A company is migrating a multi-tier web application to AWS and wants to use Infrastructure as Code (IaC) to automate provisioning. Which AWS services can the company use to define and manage infrastructure declaratively? (Choose TWO.)

Select 2 answers
A. AWS Elastic Beanstalk
B. AWS CloudFormation
C. AWS OpsWorks
D. AWS Cloud Development Kit (CDK)
E. AWS CodeDeploy
Answers: B, D

CloudFormation allows declarative infrastructure as code.

Why this answer

Option A (AWS CloudFormation) and Option C (AWS CDK) are correct because both allow declarative infrastructure definition. Option B (AWS Elastic Beanstalk) is a PaaS service, not IaC. Option D (AWS OpsWorks) is configuration management.

Option E (AWS CodeDeploy) is for deployment automation.

1601 (MCQ, hard)

A company is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. The company wants to minimize operational overhead and ensure that service discovery is automatically updated when services scale. Which service discovery option should be used?

A. AWS Cloud Map
B. Amazon ECS Service Connect
C. Elastic Load Balancing with internal NLB
D. Amazon Route 53 private hosted zones with health checks
Answer: A

Cloud Map automatically manages service discovery.

Why this answer

AWS Cloud Map provides service discovery that automatically updates with service scaling.

1602 (Multi-Select, hard)

A company wants to implement a data lake strategy using Amazon S3 across multiple AWS accounts. They need to ensure that data is encrypted at rest using a centralized AWS KMS key from a security account. Which THREE steps should they take?

Select 3 answers
A. Configure S3 bucket policies in each account to enforce encryption using the KMS key.
B. Configure S3 buckets in each account to use the shared KMS key for server-side encryption.
C. Create a customer managed KMS key in the security account and share it with the other accounts using AWS Resource Access Manager (RAM).
D. Create IAM users in the security account and grant them access to the KMS key.
E. Apply a service control policy (SCP) that denies s3:PutObject unless the request uses the required KMS key.
Answers: B, C, E

Buckets must be configured to use the shared key for encryption.

Why this answer

Options A, C, and D are correct. Create a KMS key in the security account and share it via RAM. In each account, use the shared KMS key when creating S3 buckets.

Apply an SCP to enforce the use of the shared KMS key. Option B is wrong because S3 bucket policies are account-specific and cannot enforce across accounts. Option E is wrong because IAM users are not the best mechanism for cross-account access; RAM is simpler.

1603 (Multi-Select, easy)

A company wants to store configuration data for multiple applications securely. Each application runs on Amazon EC2 instances in an Auto Scaling group. The configuration includes database credentials and API keys. Which TWO services should be used together to achieve this?

Select 2 answers
A. AWS Secrets Manager.
B. Amazon S3 with bucket policies.
C. IAM roles for EC2 instances.
D. EC2 user data scripts.
E. AWS Systems Manager Parameter Store.
Answers: C, E

IAM roles allow instances to access Parameter Store without credentials.

Why this answer

Options A and B are correct. AWS Systems Manager Parameter Store securely stores configuration data, and IAM roles for EC2 provide secure access without hardcoding credentials. Option C is wrong because Secrets Manager is also a valid service but the question asks for two services.

Option D is wrong because EC2 user data is not secure for credentials. Option E is wrong because S3 requires managing access keys.

1604 (MCQ, hard)

A company is planning to migrate a large-scale e-commerce platform from on-premises to AWS. The platform includes a web tier, application tier, and a MySQL database. The company needs to ensure high availability and scalability. Which combination of AWS services should the company use to modernize the application architecture while minimizing operational overhead?

A.Use Elastic Load Balancer, Amazon EC2 instances for the web tier, and Amazon ECS with Fargate for the application tier, and Amazon RDS for MySQL.
B.Use Application Load Balancer, Amazon ECS with Fargate for both web and application tiers, and Amazon Aurora MySQL.
C.Use Amazon CloudFront, Amazon EC2 instances for the application tier, and Amazon DynamoDB.
D.Use Amazon EC2 Auto Scaling groups for both web and application tiers, and Amazon RDS for MySQL with Multi-AZ.
AnswerB

Fargate eliminates server management, and Aurora provides managed MySQL with high availability.

Why this answer

Option C is correct because Application Load Balancer distributes traffic, Amazon ECS with Fargate runs containers without managing servers, and Amazon Aurora is a managed MySQL-compatible database with high availability and scalability. Option A is incorrect because it lacks a load balancer and uses unmanaged EC2. Option B is incorrect because it uses unmanaged EC2 for the web tier.

Option D is incorrect because it uses unmanaged EC2 for the application tier.

1605
MCQ · medium

A company is designing a new solution that uses Amazon S3 to store large amounts of archival data. The data must be retained for 7 years and then automatically deleted. Which S3 feature should they use?

A. S3 Replication
B. S3 Versioning
C. S3 Object Lock
D. S3 Lifecycle policies
Answer: D

Lifecycle policies can automatically delete objects after a set period.

Why this answer

S3 Lifecycle policies allow you to define rules that automatically expire objects after a specified period, such as 7 years. This directly meets the requirement to retain archival data for a fixed duration and then delete it without manual intervention.

Exam trap

The trap here is that candidates often confuse S3 Object Lock's retention period with automatic deletion, not realizing that Object Lock only prevents deletion during the retention window and requires a separate lifecycle rule to actually remove the objects afterward.

How to eliminate wrong answers

Option A is wrong because S3 Replication is used to copy objects across buckets for redundancy or compliance, not to manage retention or deletion based on time. Option B is wrong because S3 Versioning preserves multiple versions of an object and does not provide automatic deletion after a set period; it can actually increase storage costs if not combined with lifecycle rules. Option C is wrong because S3 Object Lock is designed to prevent object deletion or overwrites for a fixed retention period (compliance or governance mode), but it does not automatically delete objects after that period ends—it only prevents premature deletion, and objects remain until manually removed or a lifecycle rule is applied.

1606
Multi-Select · medium

A company is running a critical application on Amazon EC2 instances in an Auto Scaling group. The application stores data on an Amazon EBS volume. To improve recovery time in the event of an AZ failure, which TWO actions should the company take? (Choose two.)

Select 2 answers
A. Create an Amazon Machine Image (AMI) from the instance.
B. Use EBS multi-attach to attach the volume to instances in another AZ.
C. Copy the EBS volume to another AZ using the AWS Management Console.
D. Take regular EBS snapshots and copy them to another region.
E. Configure the Auto Scaling group to launch instances in multiple AZs.
Answers: A, D

AMI can be used to launch instances in another AZ.

Why this answer

Options A and D are correct. Option A: using an AMI from the instance ensures a quick launch in another AZ. Option D: EBS snapshots can be used to create volumes in another AZ.

Option C is wrong because EBS volumes are AZ-specific. Option E is wrong because EC2 instances are AZ-specific. Option B is wrong because EBS multi-attach is for specific use cases, not AZ recovery.

1607
Multi-Select · medium

A company is designing a new solution to host a static website with global low latency. The website content is stored in an S3 bucket. The company wants to use a custom domain name and SSL/TLS termination. Which THREE services should the company use together to meet these requirements? (Choose THREE.)

Select 3 answers
A. Amazon CloudFront with an S3 origin.
B. AWS WAF to protect the website.
C. Amazon S3 to store the website content.
D. Application Load Balancer to distribute traffic across multiple S3 buckets.
E. Amazon Route 53 to point the custom domain to CloudFront.
Answers: A, C, E

CloudFront provides global content delivery and SSL termination.

Why this answer

CloudFront can serve content from S3 globally, with a custom domain and SSL. S3 is the origin. Route 53 manages DNS for the custom domain.

Options A, C, and E are correct. Option D is wrong because an ALB is not needed for static content. Option B is wrong because AWS WAF is for security and is not required here.

1608
Multi-Select · medium

A company is migrating a large number of files from on-premises to Amazon S3. The files are accessed frequently and require low latency. Which TWO AWS services can help accelerate the migration? (Choose TWO.)

Select 2 answers
A. AWS Storage Gateway
B. AWS CloudFormation
C. AWS DataSync
D. Amazon S3 Transfer Acceleration
E. AWS Snowball Edge
Answers: C, E

DataSync automates and accelerates data transfer.

Why this answer

AWS DataSync can transfer data over the network with optimization. AWS Snowball Edge is for large-scale offline data transfer. Option D is wrong because S3 Transfer Acceleration speeds up uploads but is not a migration service.

Option A is wrong because AWS Storage Gateway is for hybrid storage. Option B is wrong because AWS CloudFormation is for infrastructure provisioning.

1609
MCQ · easy

A company needs to share a VPC subnet with multiple accounts in the same AWS Organization. What is the MOST secure way to achieve this?

A. Create a Transit Gateway and attach all accounts.
B. Set up a VPN connection between accounts.
C. Use AWS RAM to share the subnet with the organization.
D. Create a VPC peering connection between each account and the VPC owner.
Answer: C

RAM allows sharing subnets with accounts in the organization.

Why this answer

AWS Resource Access Manager (RAM) allows sharing subnets securely without VPC peering. Option D is wrong because VPC peering is one-to-one. Option B is wrong because a VPN adds complexity.

Option A is wrong because it doesn't share the subnet.

1610
MCQ · hard

A company is migrating a 10 TB Oracle database to Amazon Aurora PostgreSQL. The migration must have minimal downtime and support ongoing replication. The application uses stored procedures and advanced Oracle features. The company has already set up an AWS DMS replication instance and validated connectivity. However, during the full load, DMS reports errors for certain tables containing LOBs. What is the most likely cause and solution?

A. The DMS replication instance does not have enough memory. Increase the instance size.
B. The target Aurora PostgreSQL cluster does not have enough storage. Increase the allocated storage.
C. The LOB mode is set to 'Limited LOB mode' and some LOBs exceed the maximum allowed size. Set LOB mode to 'Full LOB mode'.
D. The source database is not configured for change data capture (CDC). Enable supplemental logging.
Answer: C

Limited LOB mode has a size limit; Full LOB mode handles large LOBs but may impact performance.

Why this answer

Option C is correct because DMS has limitations with LOBs in certain modes. Option A is wrong because TCP keepalive is unrelated. Option D is wrong because CDC is for ongoing changes.

Option B is wrong because storage is not an issue.

1611
MCQ · hard

A company is migrating a legacy application to AWS. The application requires a fixed IP address for whitelisting by a third-party service. The application will run on EC2 instances behind an Application Load Balancer. The company needs a solution that provides a static IP address for outbound traffic. What should a solutions architect do?

A. Replace the ALB with a Network Load Balancer and assign Elastic IPs.
B. Assign an Elastic IP address to the Application Load Balancer.
C. Place the EC2 instances in a private subnet and route outbound traffic through a NAT Gateway with an Elastic IP.
D. Attach an Internet Gateway to the VPC and assign an Elastic IP to it.
Answer: C

NAT Gateway with Elastic IP provides a static source IP for outbound traffic.

Why this answer

Option C is correct because a NAT Gateway in a public subnet with an Elastic IP provides a static IP for outbound traffic from private instances. Option B is wrong because ALBs do not have Elastic IPs; they use dynamic IPs. Option A is wrong because, while an NLB can have static IPs, it handles inbound traffic, not outbound.

Option D is wrong because an Internet Gateway does not provide a static IP; it is a routing target.

1612
Multi-Select · easy

A company wants to implement a serverless data processing pipeline on AWS. The pipeline reads CSV files from Amazon S3, transforms the data, and loads it into Amazon Redshift. Which THREE AWS services should be used to build this pipeline?

Select 3 answers
A. AWS Database Migration Service (DMS)
B. Amazon EC2
C. AWS Lambda
D. AWS Glue
E. Amazon Redshift
Answers: C, D, E

Lambda can be triggered by S3 events to start the pipeline.

Why this answer

AWS Lambda is correct because it can be triggered by S3 events when a CSV file is uploaded, and it can execute lightweight data transformation logic (e.g., parsing CSV rows, filtering, or converting formats) before loading the data into Amazon Redshift. Lambda is serverless, scales automatically, and integrates natively with S3 and Redshift via the AWS SDK, making it ideal for event-driven, short-running transformations in a serverless pipeline.

Exam trap

The trap here is that candidates often confuse AWS DMS (option A) as a data loading tool for Redshift, but DMS is for database migration, not for serverless file transformation and loading from S3.

1613
MCQ · medium

A company is designing a new microservices application on AWS. Each microservice will be deployed as a containerized application using Amazon ECS with Fargate launch type. The company expects variable traffic patterns and needs to ensure that the application can scale automatically based on demand. Which scaling solution should be used?

A. Use Amazon EC2 Auto Scaling to add more Fargate tasks.
B. Configure Application Auto Scaling with a target tracking scaling policy based on average CPU utilization.
C. Use AWS Auto Scaling Plans with predictive scaling.
D. Manually adjust the desired count of tasks in the ECS service based on traffic analysis.
Answer: B

Application Auto Scaling with target tracking is the standard method to automatically scale ECS services based on a metric like CPU.

Why this answer

Amazon ECS with Fargate uses Application Auto Scaling to automatically adjust the desired count of tasks based on demand. A target tracking scaling policy based on average CPU utilization is the correct approach because it allows you to define a target value (e.g., 70% CPU) and Application Auto Scaling will add or remove tasks to maintain that target, matching the variable traffic patterns described.

Exam trap

The trap here is confusing EC2 Auto Scaling (which manages instances) with Application Auto Scaling (which manages ECS tasks), leading candidates to choose Option A despite Fargate being serverless and not requiring EC2 instance management.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Auto Scaling manages EC2 instances, not Fargate tasks; Fargate tasks are serverless and scaled via Application Auto Scaling, not EC2 Auto Scaling. Option C is wrong because AWS Auto Scaling Plans with predictive scaling is designed for recurring, predictable traffic patterns (e.g., based on historical data), not for variable, unpredictable traffic patterns as described in the question. Option D is wrong because manually adjusting the desired count of tasks does not meet the requirement for automatic scaling based on demand; it requires human intervention and analysis, which is not automated.

1614
MCQ · easy

A company has a decentralized IT structure where each business unit manages its own AWS accounts. The central IT team wants to enforce security policies across all accounts but allow business units to retain administrative control. Which solution should the central IT team implement?

A. Deploy AWS CloudFormation StackSets to each account with security templates.
B. Create a shared services account and use IAM cross-account roles for each business unit.
C. Use AWS Organizations with service control policies (SCPs) to enforce baseline permissions, and delegate administration to organizational units (OUs) for each business unit.
D. Migrate all workloads to a single AWS account and use IAM roles for each business unit.
Answer: C

SCPs enforce policies across all accounts while OUs allow delegation.

Why this answer

AWS Organizations with SCPs allows the central IT team to enforce baseline security policies across all accounts without removing administrative control from business units. By delegating administration to OUs for each business unit, the central team sets guardrails while business units retain full IAM management within their accounts, satisfying the decentralized structure requirement.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs remove all administrative control, when in fact SCPs only set upper permission boundaries and allow business units to retain full administrative autonomy within those limits.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets deploy resources and templates but do not enforce ongoing security policies; business units could modify or delete the deployed resources, and StackSets lack the ability to set permission guardrails. Option B is wrong because a shared services account with cross-account roles centralizes access control, which contradicts the requirement for business units to retain administrative control over their own accounts. Option D is wrong because migrating all workloads to a single account violates the decentralized IT structure and removes business unit autonomy, while IAM roles alone cannot enforce baseline security policies across separate accounts.

1615
MCQ · easy

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer. They need to offload SSL/TLS termination to reduce CPU usage on the instances. What should they do?

A. Install a self-signed certificate on each EC2 instance
B. Use a Network Load Balancer (NLB) with SSL pass-through
C. Configure the ALB with an SSL certificate
D. Use Amazon CloudFront for SSL termination
Answer: C

ALB can terminate SSL/TLS, reducing compute load on instances.

Why this answer

ALB can terminate SSL/TLS by installing a certificate on it. Option B (NLB) does not support SSL termination natively, Option D (CloudFront) is a CDN, and Option A (self-signed certificate) is less secure and not recommended for production.

1616
MCQ · hard

A company is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database with complex queries. The team wants to decouple the database layer and allow each microservice to own its data. Which design pattern should the team implement?

A. Implement an event-driven architecture using Amazon SQS and AWS Lambda with CQRS.
B. Deploy a read replica of the database for each microservice to offload queries.
C. Use a single Amazon RDS instance with multiple schemas for each microservice.
D. Use a database-per-service pattern with each microservice having its own Amazon DynamoDB table or RDS instance.
Answer: D

Database-per-service ensures each microservice owns its data, enabling independent development and scaling.

Why this answer

Option D is correct because the database-per-service pattern ensures each microservice has its own database, promoting loose coupling and independent scaling. Option C is wrong because a shared database contradicts the goal of decoupling. Option A is wrong because an event-driven architecture with CQRS is a separate pattern for query optimization.

Option B is wrong because a read replica does not decouple the database per service.

1617
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user. The user is trying to download an object from the 'confidential' folder in 'my-bucket' using HTTP (not HTTPS). What will happen?

A. The request is denied because the second statement denies access from the IP range.
B. The request is denied because the first statement only allows from a specific IP range.
C. The request is denied because the second statement explicitly denies access when using HTTP.
D. The request is allowed because the first statement allows s3:GetObject.
Answer: C

The Deny statement denies all S3 actions on confidential/* when SecureTransport is false.

Why this answer

Option C is correct because the Deny statement explicitly denies s3:* actions on the confidential folder when SecureTransport is false (HTTP). The first statement allows GetObject for the whole bucket, but an explicit Deny always overrides an Allow, so the request is denied. Option D (allowed) ignores the Deny.

Option B (denied due to the first statement) is wrong because the first statement allows the action. Option A (denied due to the IP condition) is wrong because the IP condition is only on the Allow statement.

1618
MCQ · easy

A company uses AWS Organizations with a management account and several member accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. What should they do?

A. Create a CloudTrail trail in the management account that applies to all accounts in the organization.
B. Use AWS CloudFormation StackSets to deploy a CloudTrail configuration to all accounts.
C. Enable CloudTrail in each member account and configure it to deliver logs to the management account's S3 bucket.
D. Apply an SCP to require CloudTrail to be enabled in all accounts.
Answer: A

Organization trail simplifies management.

Why this answer

Option A is correct because AWS CloudTrail supports organization trails, which can be created in the management account and automatically apply to all member accounts within the AWS Organization. This ensures that all accounts have CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account without requiring per-account configuration.

Exam trap

The trap here is that candidates often think SCPs can enforce positive actions like enabling a service, but SCPs only deny or allow actions and cannot proactively configure resources.

How to eliminate wrong answers

Option B is wrong because AWS CloudFormation StackSets can deploy CloudTrail configurations across accounts, but this approach requires manual setup, ongoing maintenance, and does not automatically apply to new accounts added to the organization. Option C is wrong because enabling CloudTrail in each member account individually is inefficient, does not scale, and does not enforce compliance across all accounts; it also requires manual configuration for each account. Option D is wrong because Service Control Policies (SCPs) can only restrict permissions (e.g., deny disabling CloudTrail) but cannot proactively enable CloudTrail or configure it to deliver logs to a centralized bucket.

1619
MCQ · easy

A solutions architect is designing a new serverless application using AWS Lambda for business logic, Amazon API Gateway for RESTful APIs, and Amazon DynamoDB for data storage. The application will experience unpredictable traffic spikes. What is the MOST cost-effective way to handle concurrency and scaling?

A. Use Lambda provisioned concurrency to pre-warm instances.
B. Use Lambda reserved concurrency to set a limit on concurrent executions.
C. Configure DynamoDB auto scaling to handle traffic spikes.
D. Set a usage plan in API Gateway with a throttling limit.
Answer: B

Reserved concurrency controls the maximum number of concurrent Lambda invocations, preventing excessive scaling and cost.

Why this answer

Option B is correct because Lambda reserved concurrency sets a hard limit on the number of concurrent executions for a function, preventing runaway scaling and controlling costs during unpredictable traffic spikes. It ensures that the function does not consume more concurrency than allocated, which avoids excessive DynamoDB read/write capacity usage and keeps costs predictable without needing to pre-warm instances.

Exam trap

The trap here is that candidates confuse provisioned concurrency (which reduces latency but adds cost) with reserved concurrency (which controls scaling and cost), or they mistakenly think DynamoDB auto scaling or API Gateway throttling directly manages Lambda concurrency.

How to eliminate wrong answers

Option A is wrong because provisioned concurrency pre-warms a fixed number of instances to reduce cold starts, but it incurs additional costs even when idle and does not control scaling or concurrency limits during spikes—it is not cost-effective for unpredictable traffic. Option C is wrong because DynamoDB auto scaling adjusts read/write capacity based on actual traffic, but it does not directly handle Lambda concurrency or scaling; it only manages the database side and can still lead to high costs if Lambda invocations spike. Option D is wrong because a usage plan in API Gateway throttles requests at the API level, but it does not control Lambda concurrency or scaling; it may reject valid requests rather than managing cost-efficient concurrency.

1620
Multi-Select · easy

A company is migrating an on-premises application to AWS and wants to implement a continuous integration/continuous delivery (CI/CD) pipeline. Which TWO AWS services should the company use to build the pipeline?

Select 2 answers
A. AWS Cloud9
B. AWS CodePipeline
C. AWS CodeCommit
D. AWS CodeArtifact
E. Amazon CodeGuru
Answers: B, C

CodePipeline automates the build, test, and deploy phases.

Why this answer

Options B and C are correct. AWS CodeCommit is a source control service, and AWS CodePipeline orchestrates the CI/CD workflow. Option D: CodeArtifact is for artifact storage.

Option E: CodeGuru is for code reviews. Option A: Cloud9 is an IDE.

1621
MCQ · medium

A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with AWS KMS and that bucket policies enforce HTTPS. What is the MOST efficient way to enforce these policies across all accounts?

A. Apply a service control policy (SCP) to the management account.
B. Create a custom AWS Lambda function to monitor and remediate non-compliant buckets.
C. Apply a service control policy (SCP) to the organizational unit (OU) containing all accounts.
D. Use AWS Config rules with automatic remediation in each account.
Answer: C

SCPs at the OU level enforce policies across all member accounts.

Why this answer

Option C is correct because SCPs can be applied at the OU level to deny non-compliant actions across all accounts, providing centralized enforcement. Option A is wrong because service control policies do not apply to the management account. Option D is wrong because AWS Config rules detect non-compliance but do not enforce.

Option B is wrong because custom Lambda functions would require per-account deployment and are less efficient.

1622
MCQ · hard

A company is designing a real-time analytics platform that ingests data from thousands of IoT devices. Each device sends a JSON payload every second. The company needs to store the raw data for a month and then aggregate it into hourly summaries for long-term storage. The solution must be serverless and cost-effective. Which combination of AWS services should the company use?

A. Amazon Kinesis Data Streams to ingest data, AWS Lambda to transform and aggregate, Amazon S3 for storage.
B. Amazon Kinesis Data Streams to ingest data, Amazon Kinesis Data Analytics to aggregate in real-time, Amazon Kinesis Data Firehose to deliver aggregated data to S3, and an S3 Lifecycle policy to expire raw data after 30 days.
C. Amazon Kinesis Data Streams to ingest data, Amazon Kinesis Data Firehose to deliver to S3, and Amazon Athena to query raw data.
D. Amazon SQS to ingest data, AWS Lambda to process and aggregate, Amazon DynamoDB for raw data, S3 for summaries.
Answer: B

This design uses serverless services for real-time ingestion, aggregation, and cost-effective storage.

Why this answer

Option B is correct because Kinesis Data Streams ingests real-time data, Kinesis Data Analytics performs real-time aggregation, and Firehose delivers to S3. Option A uses Lambda for aggregation, which is not ideal for streaming aggregations. Option D uses SQS, which is not designed for real-time streaming.

Option C misses the real-time aggregation step.

1623
MCQ · hard

A company is migrating a monolithic application to microservices on Amazon ECS with Fargate. The application has variable traffic patterns, with high traffic during business hours and low traffic at night. They want to optimize costs while maintaining performance. Which scaling strategy should they implement?

A. Use target tracking scaling with a schedule to increase minimum capacity during business hours.
B. Use step scaling policies based on memory utilization.
C. Use scheduled scaling to increase capacity during business hours.
D. Use simple scaling policies based on CPU utilization.
Answer: A

This combination handles both patterns.

Why this answer

Option A is correct because combining target tracking scaling with a scheduled action allows the application to dynamically adjust capacity based on actual demand while ensuring a higher baseline during peak business hours. This hybrid approach optimizes costs by scaling down at night and maintains performance by preventing cold starts or lag during traffic spikes, which is ideal for variable patterns on ECS Fargate.

Exam trap

The trap here is that candidates often choose scheduled scaling alone (Option C) thinking it directly handles variable traffic, but they miss that it cannot react to unexpected spikes or lulls within the scheduled window, whereas target tracking with a schedule provides both proactive and reactive scaling.

How to eliminate wrong answers

Option B is wrong because step scaling policies based on memory utilization are less responsive to traffic-driven CPU spikes and can cause thrashing if memory is not the bottleneck; they also lack the predictive baseline needed for variable patterns. Option C is wrong because scheduled scaling alone cannot adapt to real-time fluctuations within business hours, leading to either over-provisioning or under-provisioning if traffic deviates from the schedule. Option D is wrong because simple scaling policies are deprecated in AWS and lack the cooldown and metric stabilization features of target tracking, making them prone to oscillation and inefficient for variable traffic.

1624
MCQ · medium

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer. The application experiences high latency during peak hours. The company wants to improve performance by enabling HTTP/2. What is the simplest way to achieve this?

A. Configure the EC2 instances to support HTTP/2.
B. Place an Amazon CloudFront distribution in front of the ALB and enable HTTP/2.
C. Enable HTTP/2 on the Application Load Balancer's HTTPS listener.
D. Upgrade the load balancer to a Network Load Balancer.
Answer: C

ALB supports HTTP/2 directly.

Why this answer

Option C is correct because ALB natively supports HTTP/2, and it can be enabled in the listener settings. Option D is wrong because a Network Load Balancer does not support HTTP/2. Option B is wrong because CloudFront with HTTP/2 is more complex than enabling it directly on the ALB.

Option A is wrong because configuring EC2 instances directly does not improve latency at the load balancer level.

1625
MCQhard

An organization uses AWS Organizations with a multi-account strategy. The security team needs to ensure that all accounts must use AWS CloudTrail with logs delivered to a centralized S3 bucket. They also want to receive notifications if any account disables CloudTrail. What is the MOST efficient solution?

A.Create an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail. Use an S3 event notification on the centralized bucket to trigger a Lambda function that sends an SNS alert if logs stop arriving.
B.Use AWS CloudTrail to log management events and set up a CloudWatch Events rule that triggers on StopLogging API calls.
C.Use an SCP that requires all accounts to have a specific trust policy for CloudTrail. Use CloudTrail Insights to detect anomalous activity.
D.Deploy a Lambda function in each account that periodically checks CloudTrail status and sends an SNS message if disabled.
AnswerA

SCPs prevent disabling; S3 events detect missing logs.

Why this answer

Option A is correct because it combines a preventive control (SCP) to block CloudTrail disabling actions with a detective control (S3 event notification + Lambda + SNS) to alert if logs stop arriving. The SCP ensures that even if an account has administrative privileges, it cannot stop or delete the trail, while the S3 event notification on the centralized bucket detects the absence of new log files, triggering an alert. This is the most efficient solution as it requires minimal overhead and provides both enforcement and notification.

Exam trap

The trap here is that candidates often focus only on detecting the API call (option B) or rely on periodic checks (option D), missing the need for a preventive control (SCP) to block the disabling action entirely, and the requirement for a notification mechanism that detects the absence of logs rather than just the API call.

How to eliminate wrong answers

Option B is wrong because a CloudWatch Events rule triggered on StopLogging API calls only detects the API call itself, but does not prevent it; if an account disables CloudTrail, the rule fires after the fact, and the logs may already be lost. Additionally, it does not cover the case where CloudTrail is deleted or logs stop arriving due to other reasons (e.g., misconfiguration). Option C is wrong because an SCP that requires a specific trust policy for CloudTrail does not prevent disabling CloudTrail; trust policies are for cross-account roles, not for controlling CloudTrail operations.

CloudTrail Insights detects anomalous API activity but does not enforce that CloudTrail remains enabled or send notifications for disabling. Option D is wrong because deploying a Lambda function in each account that periodically checks CloudTrail status is inefficient and introduces latency; it requires managing Lambda in every account, and the check is not real-time, potentially missing short-lived disabling events. It also does not prevent the disabling action.

1626
MCQ · hard

A company uses AWS CodeBuild to run unit tests. The build process is taking longer than expected. The buildspec.yml file includes a pre-build phase that downloads dependencies from a public repository. What is the most effective way to reduce build time?

A. Configure the build project to use an S3 cache for dependencies.
B. Run the build in parallel across multiple build projects.
C. Increase the compute type of the build environment to use more vCPUs.
D. Reduce the build timeout setting to force faster execution.
Answer: A

Caching eliminates repeated downloads.

Why this answer

Option A is correct because caching dependencies in S3 avoids re-downloading them on each build. Option C is wrong because increasing compute resources may not help if the bottleneck is network bandwidth. Option B is wrong because parallel builds are for multiple builds, not a single build.

Option D is wrong because CodeBuild's build timeout is a limit; reducing it does not make a build run faster.

1627
MCQeasy

A company wants to ensure that no IAM user in any account can create access keys. The company uses AWS Organizations. Which approach should be used?

A.Enable AWS CloudTrail and set up a metric filter for CreateAccessKey
B.Apply an IAM policy to all users in each account that denies iam:CreateAccessKey
C.Attach an SCP to the root OU that denies iam:CreateAccessKey
D.Use AWS Config to detect access key creation and trigger a Lambda to delete the key
AnswerC

SCPs centrally deny actions across all accounts.

Why this answer

Option C is correct because an SCP can deny the CreateAccessKey action across all accounts. Option B is wrong because an IAM policy in each account is not centrally managed. Option D is wrong because AWS Config can detect but not prevent.

Option A is wrong because CloudTrail is for logging.

1628
MCQeasy

A company is migrating a monolithic Java application to AWS. The current architecture uses a single Oracle database. The migration plan is to refactor the application into microservices and use separate Amazon RDS for PostgreSQL databases per service. The company also wants to implement a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild. Which tool should the company use to automate the database schema changes for each microservice?

A.Flyway, integrated into the CI/CD pipeline to run database migrations as part of the application deployment.
B.AWS Database Migration Service (DMS) to continuously replicate schema changes from the source Oracle database.
C.AWS CloudFormation with custom resource Lambda functions to run SQL scripts.
D.AWS CLI scripts executed in CodeBuild to run SQL commands against the target databases.
AnswerA

Flyway is a well-known database migration tool that can be integrated into CodePipeline for versioned schema changes.

Why this answer

Flyway is a database migration tool that integrates directly into CI/CD pipelines, allowing schema changes to be version-controlled and applied automatically during application deployment. For a microservices architecture with separate PostgreSQL databases, Flyway can manage each service's schema independently, ensuring consistency and rollback capability. This aligns with the requirement to automate schema changes per microservice as part of the migration and modernization effort.

Exam trap

The trap here is that candidates may confuse data migration tools (like AWS DMS) with schema migration tools, or assume that any scripting approach (like AWS CLI) is sufficient, overlooking the need for version control, repeatability, and integration with application deployment pipelines that Flyway provides.

How to eliminate wrong answers

Option B is wrong because AWS DMS is designed for continuous data replication and one-time migrations, not for managing version-controlled schema changes in a CI/CD pipeline; it does not integrate with application deployment workflows. Option C is wrong because AWS CloudFormation with custom Lambda functions is overly complex and not purpose-built for database schema migrations; it lacks built-in versioning, rollback, and migration sequencing that tools like Flyway provide. Option D is wrong because AWS CLI scripts executed in CodeBuild to run SQL commands are fragile, error-prone, and lack version control, dependency management, and repeatability; they do not handle migration history or rollbacks reliably.

1629
MCQmedium

A company is designing a new microservices architecture on AWS. They need to ensure that services can communicate asynchronously without tight coupling. Which AWS service should they use to decouple the services while providing durable message storage?

A.Amazon SNS
B.Amazon EventBridge
C.Amazon Kinesis Data Streams
D.Amazon SQS
AnswerD

SQS provides a fully managed message queue that decouples microservices with durable, scalable message storage.

Why this answer

Amazon SQS (Simple Queue Service) is the correct choice because it provides a fully managed message queue that enables asynchronous communication between microservices, decoupling them so that producers and consumers operate independently. SQS offers durable message storage by persisting messages across multiple Availability Zones, ensuring messages are not lost even if a consumer fails. This aligns with the requirement for loose coupling and reliable message delivery.

Exam trap

The trap here is that candidates often confuse Amazon SNS (pub/sub) with SQS (queue), overlooking that SNS does not provide durable message storage or consumer-driven polling, which are essential for decoupled asynchronous communication.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers, but it does not provide durable message storage; messages are not persisted if a subscriber is unavailable, and it lacks the queue-based decoupling needed for asynchronous microservices. Option B is wrong because Amazon EventBridge is a serverless event bus for routing events between services, but it does not offer durable message storage; events are not retained after delivery, and it is designed for event-driven architectures rather than persistent queueing. Option C is wrong because Amazon Kinesis Data Streams is designed for real-time streaming of large data volumes with a focus on ordered processing and replay, not for simple asynchronous decoupling with durable message storage; it requires consumers to manage checkpoints and does not provide the same at-least-once delivery semantics as SQS.

1630
MCQeasy

A company wants to assess its on-premises environment for migration to AWS. The assessment should include server utilization, dependencies, and recommendations. Which AWS service provides this capability?

A.AWS Application Discovery Service
B.AWS CloudFormation
C.AWS Migration Hub
D.AWS Systems Manager
AnswerA

Application Discovery Service collects data about on-premises servers, including utilization and dependencies.

Why this answer

Option C (AWS Migration Hub) provides a central location to track migrations, but not the discovery. Option A (AWS Application Discovery Service) is correct as it discovers on-premises servers and their dependencies, and provides utilization data. Option D (AWS Systems Manager) is for management, not discovery.

Option B (AWS CloudFormation) is for provisioning.

1631
MCQmedium

A company is designing a serverless application using AWS Lambda. The application needs to store and retrieve JSON documents. The company wants the lowest cost for infrequent access. Which data store should be used?

A.Amazon RDS for MySQL
B.Amazon S3 Standard
C.Amazon ElastiCache for Redis
D.Amazon DynamoDB (on-demand)
AnswerD

DynamoDB with on-demand capacity is serverless and cost-effective for infrequent access.

Why this answer

Option D is correct because Amazon DynamoDB with on-demand capacity is serverless and cost-effective for infrequent access. Option B is wrong because S3 Standard is not ideal for small JSON documents and has higher cost for frequent updates. Option A is wrong because RDS is relational and not serverless.

Option C is wrong because ElastiCache is a cache, not a durable store.

1632
MCQhard

A company uses AWS CloudFormation to deploy infrastructure. The team wants to ensure that all resources are tagged with a CostCenter tag. They want to automatically remediate any stack that creates resources without the required tag. Which approach is MOST effective?

A.Create a Lambda function that tags resources after creation.
B.Use IAM policies to require tagging on all resource creation.
C.Use a CloudFormation stack policy with a deny effect for resource creation without tags.
D.Use an AWS Config rule with auto-remediation via SSM Automation.
AnswerC

Stack policies can be applied to CloudFormation stacks to enforce tagging.

Why this answer

Option C is correct because CloudFormation stack policies can enforce tagging at the stack level by denying creation of resources without tags. Option D is wrong because AWS Config rules can detect but may not automatically remediate without additional setup. Option B is wrong because resource-level permissions would require modifying each service's policy.

Option A is wrong because a Lambda function would be reactive and may have a delay.

1633
MCQhard

A large enterprise uses AWS Organizations with 200 accounts. The central security team has implemented a service control policy (SCP) that denies all actions unless the request comes from a specific set of allowed AWS services. The SCP is attached to the root OU. Recently, the DevOps team reported that they cannot launch Amazon EC2 instances in any account, even though they have full administrator access via IAM roles. The security team verifies that the SCP is correctly configured and that allowed services include EC2. However, the error message states 'Action 'ec2:RunInstances' is not authorized.' The DevOps team is using the AWS Management Console. What is the MOST LIKELY cause?

A.The SCP does not include 'ec2:RunInstances' in the list of allowed actions.
B.The SCP is attached only to the root OU and not to the specific account OUs.
C.The IAM roles used by the DevOps team do not have a trust policy that allows the EC2 service.
D.The SCP denies all actions except those from allowed services, but the console makes calls that are not from an allowed service.
AnswerD

The console may call other services (e.g., CloudFormation) to launch instances, which could be denied if they are not in the allowed list.

Why this answer

Option D is correct because SCPs that deny all actions unless the request comes from allowed services would block the initial API call to EC2 because the console makes calls to multiple services. Option A is wrong because the SCP already allows EC2. Option B is wrong because the SCP is attached to the root OU, so it applies to all accounts.

Option C is wrong because the issue is not about resource-based policies.

1634
MCQeasy

A company has multiple AWS accounts and wants to centralize CloudTrail logs in a single S3 bucket in the security account. Which policy should be applied to the S3 bucket to allow cross-account delivery from all member accounts?

A.Add an IAM role in the security account and allow the CloudTrail service in each member account to assume that role.
B.Configure the bucket ACL to allow write access for all member account root users.
C.Add a bucket policy that grants the service principal 'logs.amazonaws.com' s3:PutObject permissions.
D.Add a bucket policy that grants the CloudTrail service principal s3:PutObject permissions for the bucket, with a condition that the source account is in the organization.
AnswerD

This is the standard method for cross-account CloudTrail log delivery.

Why this answer

Option D is correct because the bucket policy must explicitly grant the CloudTrail service principal (cloudtrail.amazonaws.com) permission to write objects, and include a condition to restrict access to the organization's accounts. Option A is wrong because CloudTrail does not use IAM roles from the source accounts to write to the bucket. Option C is wrong because the service principal is 'cloudtrail.amazonaws.com', not 'logs.amazonaws.com'.

Option B is wrong because a bucket ACL for the member accounts' root users is not how CloudTrail is granted delivery access; the grant must be a bucket policy on the destination bucket, not a setting on the source accounts.

1635
MCQmedium

A company is designing a new data lake on AWS using Amazon S3. The data will be ingested from various sources, including IoT devices, application logs, and streaming data. The data must be processed in near real-time as it arrives. Which combination of services should be used for ingestion and processing?

A.Amazon S3 Transfer Acceleration and AWS Lambda
B.Amazon Kinesis Data Firehose and Amazon Kinesis Data Analytics
C.Amazon Athena and Amazon S3
D.AWS Glue and Amazon Redshift
AnswerB

Kinesis Data Firehose can ingest streaming data and deliver it to S3 for the data lake. Kinesis Data Analytics can process the data in near real-time.

Why this answer

Option B is correct because Amazon Kinesis Data Firehose can ingest streaming data and deliver it to S3, and Kinesis Data Analytics can process the data in near real-time. Option A is wrong because S3 Transfer Acceleration is for uploading to S3, not for streaming. Option D is wrong because AWS Glue is a batch ETL service, not real-time.

Option C is wrong because Amazon Athena is an interactive query service, not for ingestion.

1636
MCQeasy

A company has a single AWS account and wants to implement a multi-account strategy for better isolation. Which AWS service is designed to help centrally manage multiple accounts?

A.AWS IAM
B.AWS Organizations
C.AWS Control Tower
D.AWS Service Catalog
AnswerB

Organizations allows you to centrally manage multiple accounts.

Why this answer

AWS Organizations is the native AWS service designed to centrally manage multiple AWS accounts. It allows you to create a hierarchy of accounts with organizational units (OUs), apply service control policies (SCPs) for governance, and consolidate billing. This directly addresses the need for a multi-account strategy with centralized management.

Exam trap

The trap here is that candidates often confuse AWS Control Tower (a managed landing zone service) with AWS Organizations (the underlying account management service), but Control Tower relies on Organizations and is not the service designed for direct central management of multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS IAM is an identity and access management service for a single account; it cannot create or manage multiple accounts. Option C is wrong because AWS Control Tower is a higher-level service that uses AWS Organizations under the hood to set up a multi-account landing zone, but it is not the core service designed for central management—it is an orchestration layer. Option D is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., EC2, RDS) for end users; it does not manage multiple accounts or their structure.

1637
MCQeasy

A company uses AWS Organizations with several OUs for different environments (dev, test, prod). They want to restrict the use of specific EC2 instance types in the prod OU only. Which approach should they use?

A.Create a separate AWS account for prod and use an IAM policy on the account.
B.Attach a service control policy (SCP) to the prod OU that denies ec2:RunInstances for non-approved instance types.
C.Attach an IAM policy to all users in the prod accounts that denies non-approved instance types.
D.Use AWS Config to detect non-approved instance types and terminate them.
AnswerB

SCPs can be applied to OUs to restrict actions in specific accounts.

Why this answer

Service control policies (SCPs) are the correct mechanism to centrally restrict permissions across all accounts within an AWS Organizations organizational unit (OU). By attaching an SCP to the prod OU that denies ec2:RunInstances for non-approved instance types, you enforce a guardrail that applies to every principal (including root users) in all accounts under that OU, regardless of IAM policies. This ensures that even if a user or role has an IAM policy allowing all EC2 instances, the SCP will block the non-approved types.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM policies can centrally restrict all accounts in an OU, when in fact SCPs are the only AWS Organizations feature that applies a guardrail across all accounts without requiring per-account configuration.

How to eliminate wrong answers

Option A is wrong because creating a separate account for prod does not by itself restrict instance types; you would still need an SCP or IAM policy to enforce the restriction, and IAM policies on a single account cannot centrally manage multiple accounts. Option C is wrong because IAM policies attached to users in prod accounts can be overridden by other IAM policies or bypassed by users with administrative privileges, and they do not apply to the root user or services running without an explicit IAM role. Option D is wrong because AWS Config is a detective control that can detect non-approved instance types after they are launched, but it cannot prevent the launch; it would require a separate remediation action (e.g., Lambda) to terminate instances, which is reactive and not a preventive restriction.

1638
MCQhard

A company has a multi-account AWS environment with a central logging account. They want to ensure that all VPC Flow Logs are enabled for every VPC in every account and that the logs are sent to a central S3 bucket. What combination of services should they use to automatically enforce this?

A.Use AWS Lambda to scan all VPCs daily and enable Flow Logs if missing, sending logs to the central bucket.
B.Use AWS Config rules with automatic remediation to enable VPC Flow Logs, and a CloudWatch Events rule to copy logs to the central bucket.
C.Use AWS CloudFormation StackSets to deploy a VPC with Flow Logs enabled in each account.
D.Use AWS Config rules with automatic remediation to enable VPC Flow Logs that publish to a central S3 bucket, and use an SCP to prevent disabling Flow Logs.
AnswerD

Config rules can detect VPCs without Flow Logs and remediate by enabling them; SCPs prevent tampering.

Why this answer

Option D is correct because AWS Config rules can continuously evaluate whether VPC Flow Logs are enabled for every VPC, and automatic remediation (via an SSM automation document or Lambda) can enable them if they are missing, publishing directly to a central S3 bucket. An SCP (Service Control Policy) then prevents any IAM action that would disable or modify the Flow Log configuration, ensuring enforcement is permanent and cannot be bypassed by account administrators.

Exam trap

The trap here is that candidates often assume a reactive approach (like daily Lambda scans) or a deployment-only approach (like StackSets) is sufficient, when the real requirement is continuous enforcement and prevention of disabling, which demands a combination of AWS Config with remediation and an SCP.

How to eliminate wrong answers

Option A is wrong because a daily Lambda scan is reactive and not continuous; it introduces a window of non-compliance between scans, and it does not prevent disabling of Flow Logs after they are enabled. Option B is wrong because while AWS Config rules with remediation can enable Flow Logs, copying logs via CloudWatch Events to a central bucket is inefficient and adds complexity; VPC Flow Logs can be published directly to a central S3 bucket without needing a separate copy mechanism. Option C is wrong because CloudFormation StackSets can only deploy resources where they are explicitly defined; they cannot enforce Flow Logs on existing VPCs or prevent future VPCs from being created without Flow Logs, nor can they prevent disabling of Flow Logs.

1639
MCQeasy

A company uses AWS Organizations and has a requirement that all root user activities in member accounts must be immediately reported to the security team. Which combination of actions should be taken to meet this requirement? (Choose the best answer.)

A.Enable AWS CloudTrail and use Amazon Athena to query logs periodically and send a report.
B.Enable AWS CloudTrail in all accounts with a trail that logs management events and delivers to a centralized S3 bucket. Use Amazon CloudWatch Events to create a rule that matches root user API calls and sends notifications via Amazon SNS.
C.Use AWS Config rules to detect root user activities and trigger an AWS Lambda function to send an email.
D.Use AWS Trusted Advisor to check for root user usage and generate a weekly report.
AnswerB

This provides real-time alerting on root activities.

Why this answer

Option B is correct because it combines AWS CloudTrail logging of management events across all accounts into a centralized S3 bucket with Amazon CloudWatch Events (now Amazon EventBridge) to detect root user API calls in real time. This setup ensures immediate notification via Amazon SNS, meeting the requirement for instant reporting without manual polling or batch processing.

Exam trap

The trap here is that candidates may confuse AWS Config rules (which monitor resource configurations) with CloudTrail event monitoring, or assume periodic tools like Athena or Trusted Advisor can satisfy an immediate reporting requirement.

How to eliminate wrong answers

Option A is wrong because using Amazon Athena to query logs periodically introduces a delay (not immediate reporting) and requires manual or scheduled queries, which does not meet the real-time requirement. Option C is wrong because AWS Config rules are designed for resource configuration compliance and change detection, not for monitoring API calls like root user activities; they cannot directly capture CloudTrail events or root user login actions. Option D is wrong because AWS Trusted Advisor provides a weekly report on root user usage, which is not immediate and fails the requirement for real-time notification.

1640
MCQeasy

A company wants to deploy a containerized web application on AWS. They need to manage container orchestration, automatic scaling, and service discovery. Which AWS service should they use?

A.Amazon Lightsail
B.Amazon Elastic Container Service (ECS)
C.Amazon Elastic Kubernetes Service (EKS)
D.AWS Elastic Beanstalk
AnswerB

ECS provides orchestration, auto scaling, and service discovery.

Why this answer

Option B is correct because Amazon ECS provides container orchestration, auto scaling, and service discovery. Option C (EKS) also does, but it is Kubernetes-based and more complex. Option A (Lightsail) is for simple projects.

Option D (Beanstalk) is a PaaS, not container-native.

1641
MCQhard

A CloudFormation stack creation failed with the status shown in the exhibit. The stack was created using a template that defines an EC2 instance, a security group, and an Elastic IP address. What is the MOST likely cause of the failure?

A.The AWS account has reached the Elastic IP address limit.
B.The security group rule is invalid.
C.The EC2 instance failed to associate with the Elastic IP.
D.The EC2 instance type is not supported in the region.
AnswerA

The error message explicitly states the maximum number of addresses has been reached.

Why this answer

The reason for the EIP creation failure is 'The maximum number of addresses has been reached', indicating the AWS account has reached the limit of Elastic IP addresses. Option A is correct. Option D is wrong because the EC2 instance was created successfully.

Option B is wrong because the security group was created successfully. Option C is wrong because the EIP resource failed, not the instance.

1642
MCQeasy

A company is migrating an on-premises Oracle database to AWS. The database is 2 TB in size and has a low-latency connection to AWS via AWS Direct Connect. The company wants to minimize downtime during the migration. Which AWS service should the architect use for the initial data load?

A.AWS DataSync
B.AWS Snowball Edge
C.AWS Server Migration Service (AWS SMS)
D.AWS Database Migration Service (AWS DMS)
AnswerD

AWS DMS supports continuous replication, minimizing downtime.

Why this answer

AWS Database Migration Service (AWS DMS) with Oracle as source and target (e.g., RDS for Oracle) supports ongoing replication to minimize downtime. AWS Snowball Edge is for offline data transfer and would involve longer downtime. AWS DataSync is for file and object transfer, not database migration.

AWS Server Migration Service is for server migration, not databases.

1643
MCQmedium

A company is migrating a web application to AWS and wants to automatically scale the application based on CPU utilization. The application runs on a set of EC2 instances behind an Application Load Balancer. Which combination of AWS services should they use?

A.AWS Lambda with scheduled scaling
B.Amazon CloudFront with origin scaling
C.AWS Elastic Beanstalk with environment scaling
D.Auto Scaling group with a simple scaling policy based on CloudWatch CPU alarm
AnswerD

Auto Scaling group can scale based on CPU utilization.

Why this answer

Option D (Auto Scaling group with a scaling policy based on CPU) is correct because it directly scales EC2 instances. Option A (Lambda scheduled scaling) is not dynamic. Option C (Elastic Beanstalk) is a PaaS, but the question asks for services: the Auto Scaling group is the service.

Option B (CloudFront) is a CDN.

1644
MCQeasy

A company has a multi-account AWS environment. They want to use AWS CloudTrail to log all API calls across all accounts and deliver the logs to a central S3 bucket in the logging account. They have configured a trail in the management account that logs management events for all accounts. However, they notice that the logs from member accounts are not being delivered to the central S3 bucket. What is the most likely cause?

A.CloudTrail cannot log management events for member accounts from the management account.
B.The S3 bucket policy does not grant the CloudTrail service principal from member accounts write access.
C.The trail is configured to log only read events.
D.The member accounts have disabled CloudTrail.
AnswerB

Cross-account log delivery requires proper bucket policy.

Why this answer

Option B is correct because a trail in the management account can log management events for all accounts, but it requires that the trail be created with the option 'Apply trail to all accounts in the organization' and the S3 bucket policy must allow CloudTrail to write from member accounts. Option A is wrong because there is no such limitation. Option C is wrong because CloudTrail supports cross-account delivery.

Option D is wrong because the bucket policy is likely the issue.

1645
MCQhard

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all accounts in the organization. The logs are stored in S3 buckets. The security team wants to analyze these logs using Amazon Athena. What is the MOST cost-effective way to ensure that the Athena queries only scan the necessary data?

A.Partition the data by account ID, region, and date in the S3 bucket, and use partitions in Athena.
B.Use S3 object-level compression (e.g., gzip) to reduce data volume.
C.Create AWS Glue partition indexes on the table.
D.Create separate Athena tables for each account and region.
AnswerA

Partition pruning ensures Athena scans only relevant partitions.

Why this answer

Partitioning the S3 data by account ID, region, and date allows Athena to use partition pruning, which limits the amount of data scanned to only the relevant partitions based on query filters. This directly reduces query cost because Athena charges per amount of data scanned, and partitioning is the most effective way to minimize scanned data without additional compression or indexing overhead.

Exam trap

The trap here is that candidates often confuse performance optimization (e.g., compression, indexes) with cost optimization (reducing data scanned), and they may overlook that partition pruning is the primary mechanism to minimize Athena query costs, not just speed up queries.

How to eliminate wrong answers

Option B is wrong because S3 object-level compression (e.g., gzip) reduces storage size and can reduce data scanned if Athena supports reading compressed files, but it does not limit which files are scanned; Athena still must read all compressed objects unless partitions are used. Option C is wrong because AWS Glue partition indexes improve query performance by reducing metadata lookup time, but they do not reduce the amount of data scanned; they only speed up partition discovery, not cost. Option D is wrong because creating separate Athena tables for each account and region increases management overhead and does not inherently reduce data scanned; queries would still scan entire tables unless partitions are used within each table, and this approach duplicates schema management without cost benefit.

1646
MCQeasy

A company wants to deploy a containerized application on AWS. The application requires persistent storage that can be shared across multiple containers running on different EC2 instances. Which AWS service should be used?

A.EC2 Instance Store
B.Amazon EFS
C.Amazon S3
D.Amazon EBS
AnswerB

EFS provides a shared file system for multiple instances.

Why this answer

Option B is correct. Amazon EFS provides a shared file system that can be mounted by multiple EC2 instances. Option D is wrong because EBS volumes can only be attached to one instance at a time.

Option C is wrong because S3 is object storage, not a file system. Option A is wrong because Instance Store is ephemeral.

1647
Multi-Selectmedium

A company uses an Amazon RDS for MySQL DB instance. The database is experiencing high read latency. The team wants to improve read performance with minimal application changes. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A.Create one or more read replicas and direct read queries to them.
B.Enable Multi-AZ deployment for failover support.
C.Migrate the database to Amazon Aurora.
D.Increase the max_connections parameter.
E.Increase the DB instance size (e.g., from db.r5.large to db.r5.xlarge).
AnswersA, E

Read replicas offload read traffic, reducing latency.

Why this answer

Options A and E are correct. Option A: Read replicas offload read traffic from the primary instance, reducing latency. Option E: Increasing instance size (e.g., moving to a larger instance class) can improve I/O performance.

Option B is wrong because Multi-AZ is for high availability, not read performance. Option D is wrong because increasing max_connections does not improve read latency. Option C is wrong because switching to Aurora is a major change and may not be minimal.

1648
Drag & Dropmedium

Drag and drop the steps to set up a cross-region VPC peering connection in the correct order.


Why this order

First initiate, then accept, then add routes, then update security groups, and finally network ACLs.

1649
MCQmedium

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all new member accounts automatically have AWS Config enabled with a specific set of rules. Which solution is the MOST efficient?

A.Create an AWS Config aggregator in the management account and enable Config for each account manually.
B.Use AWS CloudFormation StackSets to deploy a Config template to each account, and manually add new accounts to the StackSet.
C.Use AWS Lambda functions triggered by AWS CloudTrail to enable Config and deploy rules whenever a new account is created.
D.Create an SCP to deny disabling AWS Config, and use an AWS Config conformance pack in a delegated admin account to enforce rules across the organization.
AnswerD

SCP enforces Config enablement; conformance pack enforces rules automatically on new accounts.

Why this answer

Option D is correct because using an SCP in the root OU to prevent disabling Config, combined with AWS Config conformance packs in a delegated administrator account, ensures accounts are created with Config enabled and rules enforced without manual intervention. Option A is wrong because it requires manual setup per account. Option B is wrong because CloudFormation StackSets require manual stack instance updates.

Option C is wrong because Lambda functions triggered by account creation can be delayed and may not cover all cases.

1650
MCQeasy

A company is migrating its on-premises file server to AWS. The file server contains 50 TB of data stored on a Windows Server with NTFS permissions. The company needs to maintain the folder structure and permissions after migration. The migration must be completed within one week. The company has a 100 Mbps internet connection. Which approach should the solutions architect recommend?

A.Use AWS Storage Gateway File Gateway to cache data on-premises and sync to S3.
B.Use AWS Snowball Edge to transfer data to an S3 bucket, then use AWS DataSync to copy to Amazon FSx for Windows File Server.
C.Use AWS DataSync to transfer data directly to Amazon EFS over the internet.
D.Use AWS CLI to copy data directly to an S3 bucket, then mount S3 as a file system.
AnswerB

Offline transfer bypasses bandwidth; FSx preserves Windows permissions.

Why this answer

Given the data size and limited bandwidth, network transfer would take over 46 days. Using AWS Snowball Edge allows offline transfer of data to AWS, and then using AWS DataSync to copy to Amazon FSx for Windows File Server preserves permissions and structure. Option C is wrong because network transfer is too slow.

Option A is wrong because Storage Gateway File Gateway requires network transfer for initial seeding. Option D is wrong because S3 does not support NTFS ACLs natively.
