AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 1651-1725

1746 questions total · 24 pages · All types, answers revealed

Page 23 of 24
1651
MCQeasy

A company is using Amazon S3 to store critical data. The security team requires that all data at rest be encrypted using AWS KMS with automatic rotation of the customer master key (CMK) every year. What should a solutions architect do to meet this requirement?

A.Use SSE-S3 (Amazon S3-managed keys) and rely on S3's automatic key rotation.
B.Enable S3 default encryption with AWS KMS and enable automatic rotation of the KMS key.
C.Use SSE-C (customer-provided keys) and manage key rotation manually.
D.Use client-side encryption with a KMS CMK and upload the encrypted data.
Answer: B

S3 default encryption with SSE-KMS encrypts every new object under the chosen KMS key; enabling automatic rotation on that key rotates its backing material on a yearly schedule by default.

Why this answer

Option B is correct because S3 default encryption with an AWS KMS key (the former "customer master key", now simply called a KMS key) plus automatic key rotation meets both parts of the requirement. Option A is wrong because SSE-S3 uses keys that Amazon S3 manages, not AWS KMS, and gives you no control over rotation. Option C is wrong because SSE-C uses keys you supply with every request; KMS is not involved. Option D is wrong because client-side encryption is a separate, application-managed scheme: it does not configure S3 encryption at rest and requires every client to hold KMS permissions.

Two practical caveats: rotation must be enabled explicitly on a customer managed key (AWS managed keys such as aws/s3 rotate on their own), and rotation never re-encrypts existing objects. KMS keeps every earlier version of the key material, so data keys wrapped before the rotation still decrypt.

1652
MCQhard

A company uses an AWS CodePipeline to deploy a serverless application. The pipeline includes a build stage that runs on AWS CodeBuild and a deploy stage that updates an AWS Lambda function. The company wants to add a manual approval step before the deploy stage. What is the most efficient way to implement this?

A.Add an AWS Lambda function that sends an email for approval.
B.Use an AWS CloudFormation stack with a wait condition.
C.Configure an Amazon SNS topic to notify approvers.
D.Add a manual approval action in the CodePipeline stage before deploy.
Answer: D

CodePipeline has a built-in Manual approval action; placing it in a stage before the deploy stage holds the pipeline until an authorised IAM principal approves or rejects.

Why this answer

Option D is correct because the approval action is native to CodePipeline: it pauses execution, can optionally publish to an SNS topic to alert approvers, and records who approved and when. Option A is wrong because a Lambda function that emails approvers still needs something to hold the pipeline, so it re-implements what the approval action already provides. Option B is wrong because a CloudFormation wait condition is a stack-creation primitive, not a pipeline gate, and adds a stack to maintain. Option C is wrong because an SNS notification on its own only tells approvers that a release is pending; it cannot stop the deploy stage from running.

1653
MCQmedium

A company is planning to migrate a large-scale Hadoop cluster to Amazon EMR. The cluster currently processes batch jobs using a mix of MapReduce and Spark. The company wants to minimize changes to the existing code and operational processes. Which migration approach should the architect recommend?

A.Refactor all jobs to use only Apache Spark on Amazon EMR
B.Retire the cluster and use Amazon Athena for ad-hoc queries
C.Replatform the data processing to use Amazon Redshift Spectrum
D.Rehost the cluster on Amazon EMR using the same MapReduce and Spark configurations
Answer: D

This preserves existing code and processes, minimizing changes.

Why this answer

Rehosting the Hadoop cluster on Amazon EMR with the same configuration allows the existing MapReduce and Spark code to run with minimal changes. Refactoring to use only Spark would require code changes. Replatforming to Amazon Redshift would change the architecture.

Retiring and using Athena would require significant changes to data storage and queries.

1654
MCQmedium

A company is implementing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS and that access must be logged. The data lake has millions of objects, and the security team wants to detect any changes to bucket policies or encryption settings. Which combination of services should be used?

A.Amazon CloudWatch Events and Amazon S3 event notifications
B.Amazon CloudWatch Logs and VPC Flow Logs
C.AWS Config and AWS CloudTrail
D.AWS CloudTrail for management events and Amazon S3 server access logs
Answer: D

CloudTrail records the S3 management API calls (PutBucketPolicy, PutBucketEncryption and so on); S3 server access logs record each object request.

Why this answer

Option D is correct because CloudTrail management events capture the bucket-level configuration changes the security team wants to detect, while S3 server access logs provide the per-request access record. Option A is wrong because CloudWatch Events and S3 event notifications can trigger on activity but do not keep a searchable history of who changed what. Option B is wrong because CloudWatch Logs and VPC Flow Logs record neither S3 configuration changes nor object access. Option C is wrong in the key's reasoning because AWS Config records configuration state rather than access; in practice Config rules plus CloudTrail (with S3 data events enabled for object-level logging) is also a sound design, but the key treats server access logs as the access-logging component.

1655
MCQmedium

A company is designing a new microservices architecture on AWS. Each service must be independently deployable and scale based on demand. The company wants to minimize operational overhead for container orchestration. Which AWS service should the company use?

A.Amazon Elastic Kubernetes Service (EKS)
B.Amazon EC2 with Auto Scaling
C.Amazon Elastic Container Service (ECS) with AWS Fargate
D.AWS Lambda
Answer: C

ECS on Fargate runs containers without any cluster nodes to provision, patch or scale, so orchestration overhead is minimal.

Why this answer

Option C is correct because ECS with Fargate is a fully managed orchestration and compute combination: each service scales independently and AWS runs the underlying hosts. Option A is wrong because, although AWS operates the EKS control plane, the company still owns Kubernetes version upgrades, add-ons and (unless it also uses Fargate) node groups, which is more operational work than ECS on Fargate. Option B is wrong because EC2 with Auto Scaling provides no container orchestration at all and leaves instance management to the company. Option D is wrong because Lambda runs functions, not long-running container services, and the question asks for container orchestration.

1656
Multi-Selectmedium

A company is migrating a critical application to AWS and must ensure high availability across multiple Availability Zones. Which TWO AWS services can be used to distribute traffic across instances in multiple AZs?

Select 2 answers
A.Amazon CloudFront
B.AWS Global Accelerator
C.Application Load Balancer (ALB)
D.Amazon Route 53
E.Network Load Balancer (NLB)
Answers: C, E

ALB and NLB both distribute traffic across targets registered in multiple AZs.

Why this answer

Options C and E are correct. An Application Load Balancer (layer 7) and a Network Load Balancer (layer 4) both spread traffic across targets in every AZ enabled on the load balancer. Option A (CloudFront) is a CDN that caches and forwards to an origin; it is not a regional load balancer. Option B (Global Accelerator) routes through edge locations to regional endpoints such as an ALB or NLB, so it sits in front of a load balancer rather than replacing one. Option D (Route 53) is DNS; its routing policies steer clients to endpoints but it does not balance connections across instances in AZs.

1657
Multi-Selecthard

A company is designing a new serverless application using AWS Lambda. The application must be invoked by an Amazon S3 bucket event. The company wants to ensure that the Lambda function has the necessary permissions to be invoked. Which THREE steps are required?

Select 3 answers
A.Add a resource-based policy to the Lambda function that grants S3 permission to invoke it.
B.Configure an S3 bucket notification event to send events to the Lambda function.
C.Attach an IAM role to the S3 bucket that allows it to invoke Lambda functions.
D.Create an event source mapping in Lambda for the S3 bucket.
E.Create an IAM role for the Lambda function with permissions to read from the S3 bucket.
Answers: A, B, E

A resource-based policy (function policy) allows the S3 service principal to invoke the function; the bucket notification sends the events; the execution role lets the function read the object.

Why this answer

Options A, B and E are correct. The function policy grants lambda:InvokeFunction to s3.amazonaws.com, scoped with aws:SourceArn (and aws:SourceAccount) so that only the intended bucket can trigger the function. The bucket notification configuration is what actually sends s3:ObjectCreated events to the function. The execution role with s3:GetObject on the bucket is what the function needs to read the object it was told about. Option C is wrong because S3 buckets do not carry IAM roles; S3 invokes Lambda as a service principal, authorised by the function policy. Option D is wrong because event source mappings are for sources that Lambda polls (SQS, Kinesis, DynamoDB Streams); S3 pushes events asynchronously and needs no mapping.

1658
MCQhard

A company has a web application behind an Application Load Balancer that uses sticky sessions. The application is deployed on EC2 instances in an Auto Scaling group. During a deployment, the team notices that users are experiencing errors after new instances are launched. What is the MOST likely cause?

A.The target group's deregistration delay is too short.
B.The stickiness duration is set too long, causing requests to be routed to terminated instances.
C.The Auto Scaling group's scale-in policy is terminating instances with active sessions.
D.The ALB health check is not configured for the new instances.
Answer: C

Stickiness ties each user's session to one instance, and the session state lives only there. When a deployment or scale-in terminates that instance, the user's next request lands on a new instance that has no session, so the user sees errors. The fix is to externalise session state (ElastiCache or DynamoDB) rather than to tune the load balancer.

Why this answer

Option C is correct because terminating instances that hold active in-memory sessions is what breaks users; the newly launched instances cannot recover state that existed only on the old ones. Option A is wrong because the deregistration delay only lets in-flight requests finish; it cannot move session data to another instance. Option B is wrong because the ALB stops routing to a deregistered target regardless of the stickiness duration; sessions are lost because the state was never shared, not because requests reach dead instances. Option D is wrong because a missing health check would keep unhealthy instances in rotation, which is a different failure mode from losing sessions after new launches.

1659
Multi-Selectmedium

A company is designing a new application on AWS that requires a highly available and scalable web tier. The web servers must be stateless and scale automatically based on CPU utilization. Which TWO actions should the company take to meet these requirements?

Select 2 answers
A.Configure an Auto Scaling group with a launch template that includes a user data script to bootstrap the web server
B.Attach the Auto Scaling group to an Application Load Balancer
C.Configure lifecycle hooks in the Auto Scaling group to drain connections
D.Use a single large EC2 instance (e.g., c5n.18xlarge) to handle all traffic
E.Use a Network Load Balancer to distribute traffic to web servers
Answers: A, B

Auto Scaling group provides automatic scaling and high availability.

Why this answer

Option A is correct because a launch template with user data allows the Auto Scaling group to bootstrap web server software automatically when new instances launch, ensuring they are stateless and ready to serve traffic. Option B is correct because attaching an Application Load Balancer (ALB) distributes incoming traffic across the Auto Scaling group's instances, enabling horizontal scaling and high availability. Together, these actions support stateless web servers that scale based on CPU utilization via Auto Scaling policies.

Exam trap

The trap here is that candidates may treat lifecycle hooks (Option C) as necessary for scaling or connection draining, when in fact draining is handled by the target group's deregistration delay, and lifecycle hooks are an optional feature for custom workflows such as patching or log collection before an instance is terminated.

1660
MCQmedium

A company attaches the above SCP to the root organizational unit. The development team in a member account wants to launch an EC2 instance in the ap-southeast-1 region. What will happen?

A.The EC2 instance launch will be denied only if there is an explicit allow for us-east-1 and eu-west-1.
B.The EC2 instance launch will succeed because SCPs only restrict permissions, not deny.
C.The EC2 instance launch will be denied because the SCP denies actions in regions not listed.
D.The EC2 instance launch will succeed if the developer has IAM permissions to launch in ap-southeast-1.
Answer: C

The SCP explicitly denies ec2:* when aws:RequestedRegion is not one of the listed regions, so an ap-southeast-1 launch fails regardless of the developer's IAM permissions.

Why this answer

Option C is correct. The SCP denies EC2 actions in every region except us-east-1 and eu-west-1; ap-southeast-1 is not in the allowed list, so the RunInstances call is denied. Option A is wrong because a Deny statement takes effect on its own; it does not depend on an Allow existing for the other regions. Option B is wrong because SCPs can carry explicit Deny statements and they bound the permissions of every IAM principal in the member accounts, including the account root user. Option D is wrong because an IAM Allow in the member account cannot override an SCP Deny: effective permissions are the intersection of the SCP and the identity policy, and an explicit deny anywhere wins.

1661
MCQeasy

A company has an AWS Organization with a management account and several member accounts. The management account hosts a central S3 bucket that stores CloudTrail logs from all accounts. The company wants to ensure that only the management account can delete objects from this bucket. Which policy should be applied to the bucket?

A.An SCP that denies s3:DeleteObject for all member accounts.
B.An SCP that denies s3:DeleteObject for all accounts except the management account.
C.A bucket policy that allows s3:DeleteObject only for the organizational unit containing the management account.
D.A bucket policy that denies s3:DeleteObject unless the request is from the management account's root user.
Answer: D

A bucket policy with an explicit Deny on s3:DeleteObject, conditioned so that it does not apply to the management account, restricts deletion to that account regardless of what the callers' own policies allow.

Why this answer

Option D is correct because the bucket policy is the resource-side control: a Deny on s3:DeleteObject with a StringNotEquals condition on the calling account (aws:PrincipalAccount) blocks every other principal, inside or outside the organisation, while the management account keeps whatever delete permissions its own IAM policies grant. In practice you would condition on the management account ID rather than only its root user, so that administrators assuming roles in that account can also delete. Option A is wrong because an SCP denying s3:DeleteObject in member accounts would block those principals from deleting objects in every bucket, not just this one, and does nothing about principals outside the organisation. Option B is wrong because SCPs are permission bounds on principals in member accounts, not resource policies: they cannot protect the bucket from principals outside the organisation, and the management account is never subject to SCPs. Option C is wrong because the management account sits at the organisation root, not in an OU, and an Allow statement alone does not remove deletion rights granted elsewhere; only an explicit Deny does.

1662
MCQeasy

A company is migrating to AWS and plans to use a multi-account strategy. The management account will be used solely for administrative purposes. Which best practice should be followed when setting up AWS Organizations?

A.Enable all AWS services in the management account to centrally manage them.
B.Use the management account as the payer account and also host production workloads.
C.Restrict access to the management account and use it only for organization management tasks.
D.Use the management account for development environments to avoid creating additional accounts.
Answer: C

Keeping the management account free of workloads minimises the attack surface of the account that controls billing, SCPs and every member account.

Why this answer

Option C is correct because the management account has powers that no member account can restrict (SCPs do not apply to it), so access to it should be tightly limited and it should do nothing but organisation management. Option A is wrong because enabling every service, or running anything, in the management account widens the blast radius of a compromise. Option B is wrong in its second half: the management account is the payer account by definition, but hosting production workloads there is exactly what the best practice forbids. Option D is wrong because development environments belong in their own member accounts.

1663
MCQhard

A solutions architect is designing a new serverless application using AWS Lambda to process orders from an API Gateway endpoint and store them in DynamoDB. The architect creates the IAM role shown in the exhibit. When testing, the Lambda function fails to write to DynamoDB with an AccessDeniedException. What is the MOST likely cause?

A.The Lambda function does not have permission to create log groups.
B.The Lambda function is not in the same VPC as DynamoDB.
C.The DynamoDB table 'Orders' does not exist.
D.The IAM role lacks a trust policy that allows Lambda to assume it.
Answer: D

The exhibit shows only permissions policies; the trust policy that lets the Lambda service assume the role is missing.

Why this answer

The IAM role shown in the exhibit includes a permissions policy that grants DynamoDB write access, but it is missing a trust policy that allows the Lambda service principal (lambda.amazonaws.com) to assume the role. Without this trust relationship, Lambda cannot obtain temporary credentials for the function, so the write to DynamoDB is rejected.

In practice Lambda validates the trust relationship when you create or update the function and rejects a role it cannot assume, so a runtime AccessDeniedException on PutItem usually points at the permissions policy instead (missing dynamodb:PutItem, or a Resource ARN that does not match the table). The key's intended answer is still D; checking the role's AssumeRolePolicyDocument first and then the attached permissions is the quickest way to tell the two apart.

Exam trap

The trap here is that candidates often focus on the permissions policy (e.g., DynamoDB actions) and overlook the trust policy, assuming any IAM role can be used by Lambda, but AWS requires an explicit trust relationship for service-to-service role assumption.

How to eliminate wrong answers

Option A is wrong because missing CloudWatch Logs permissions (logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents, which the AWSLambdaBasicExecutionRole managed policy grants) cause log delivery to fail, not an AccessDeniedException on a DynamoDB write. Option B is wrong because Lambda functions do not need to be in the same VPC as DynamoDB; DynamoDB is a fully managed service reachable over its public endpoint or a VPC gateway endpoint, and VPC placement does not affect IAM authorization. Option C is wrong because if the table 'Orders' did not exist, the error would be a ResourceNotFoundException, not an AccessDeniedException.
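Questions 1657 and 1663 both turn on a policy whose Principal is an AWS service: the function policy that lets S3 invoke a Lambda, and the trust policy that lets Lambda assume its execution role. The checker below is an added example, not code from this page or from AWS; it treats both documents the same way and diagnoses the two classic failures (no trust policy at all, and a permissions policy that does not cover the call). All account IDs, ARNs and names are constructed.

```python
import fnmatch

# Constructed account, table, bucket and function identifiers for this example.
ACCOUNT = "111111111111"
ORDERS_TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Orders"
UPLOAD_BUCKET_ARN = "arn:aws:s3:::orders-uploads"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:process-upload"

# Trust policy (question 1663): lets the Lambda service assume the role.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: what the function may do once it holds the role.
ORDERS_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
        "Resource": ORDERS_TABLE_ARN,
    }],
}

# Function policy (question 1657): lets S3 invoke the function, but only for one
# bucket in this account. Without the conditions any bucket anywhere could be
# pointed at the function (the confused-deputy problem).
S3_INVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT},
            "ArnLike": {"aws:SourceArn": UPLOAD_BUCKET_ARN},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, fold_case=False):
    """IAM wildcard matching; actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def service_may(policy, service, action, source_arn=None, source_account=None):
    """True if an Allow statement grants `action` to the AWS service principal and
    its aws:SourceArn / aws:SourceAccount conditions (if present) are satisfied.
    Works unchanged for a role trust policy and for a Lambda function policy."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        if not _any_match(stmt["Action"], action, fold_case=True):
            continue
        cond = stmt.get("Condition", {})
        want_arn = cond.get("ArnLike", {}).get("aws:SourceArn")
        if want_arn and not (source_arn and _any_match(want_arn, source_arn)):
            continue
        want_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if want_account and source_account not in _as_list(want_account):
            continue
        return True
    return False


def role_diagnosis(trust_policy, permissions_policies, action, resource):
    """Why an execution role does or does not work for one API call."""
    if not trust_policy or not service_may(trust_policy, "lambda.amazonaws.com", "sts:AssumeRole"):
        return "missing-trust"            # Lambda cannot assume the role at all
    for policy in permissions_policies:
        for stmt in policy["Statement"]:
            if (stmt["Effect"] == "Allow"
                    and _any_match(stmt["Action"], action, fold_case=True)
                    and _any_match(stmt.get("Resource", "*"), resource)):
                return "ok"
    return "missing-permission"          # assumed fine, but this call is not granted


if __name__ == "__main__":
    print(role_diagnosis(LAMBDA_TRUST_POLICY, [ORDERS_WRITE_POLICY], "dynamodb:PutItem", ORDERS_TABLE_ARN))
    print(role_diagnosis(None, [ORDERS_WRITE_POLICY], "dynamodb:PutItem", ORDERS_TABLE_ARN))
    print(service_may(S3_INVOKE_POLICY, "s3.amazonaws.com", "lambda:InvokeFunction",
                      "arn:aws:s3:::someone-elses-bucket", "999999999999"))
```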

1664
MCQeasy

A company uses AWS Lambda functions to process messages from an Amazon SQS queue. The Lambda function is CPU-bound and takes close to the 15-minute timeout. The operations team notices that the function sometimes times out during peak hours. What is the SIMPLEST way to improve the function's performance?

A.Increase the reserved concurrency of the Lambda function.
B.Increase the batch size in the SQS event source mapping.
C.Use a Lambda function URL instead of SQS invocation.
D.Increase the memory (and CPU) allocation for the Lambda function.
E.Migrate the Lambda function to run on Amazon ECS with Fargate using a larger task size.
Answer: D

Lambda allocates CPU in proportion to configured memory, so raising memory gives a CPU-bound function more compute per invocation.

Why this answer

Option D is correct because memory is the single setting that controls CPU share on Lambda; a function near the 15-minute limit for CPU reasons finishes sooner with more memory and needs no code change. Option A is wrong because reserved concurrency controls how many invocations can run in parallel, not how fast each one runs. Option B is wrong because a larger batch gives each invocation more messages to process, which makes timeouts more likely. Option C is wrong because a function URL changes how the function is invoked, not the CPU it gets, and would drop the SQS integration. Option E is wrong because moving to Fargate would work but is a migration, not the simplest change.

1665
MCQeasy

A company is migrating an on-premises Oracle database to Amazon Aurora PostgreSQL. They need to minimize downtime and ensure data integrity. Which AWS service should they use for the migration?

A.AWS Schema Conversion Tool (SCT)
B.AWS Database Migration Service (DMS)
C.AWS DataSync
D.AWS Snowball Edge
Answer: B

DMS performs the full load and then ongoing change data capture, so the cutover downtime is minimal.

Why this answer

AWS DMS supports homogeneous and heterogeneous migrations with continuous replication; for Oracle to Aurora PostgreSQL it is used together with SCT, which converts the schema and code objects first. Option A is wrong because SCT only converts the schema; it does not move the data. Option C is wrong because DataSync transfers files and object storage, not databases. Option D is wrong because Snowball Edge is for bulk offline transfer, not database replication with minimal downtime.

1666
MCQeasy

A company has a multi-account AWS environment with a centralized network account that hosts a transit gateway. The company wants to share the transit gateway with multiple member accounts. Which AWS service should be used to share the transit gateway?

A.AWS Resource Access Manager (RAM)
B.AWS PrivateLink
C.VPC peering connection
D.AWS Direct Connect
Answer: A

RAM enables sharing of transit gateways across accounts.

Why this answer

AWS Resource Access Manager (RAM) enables you to share a transit gateway owned by a central network account with other AWS accounts in your organization. This eliminates the need to create separate transit gateway attachments or VPC peering connections, simplifying network architecture and reducing operational overhead.

Exam trap

The trap here is that candidates often confuse VPC peering (which is point-to-point and non-transitive) with transit gateway sharing via RAM, which provides transitive routing and centralized management across multiple accounts.

How to eliminate wrong answers

Option B is wrong because AWS PrivateLink is used to expose services privately within a VPC via interface endpoints, not for sharing transit gateways across accounts. Option C is wrong because VPC peering connects individual VPCs directly but does not provide a centralized hub-and-spoke model or support transitive routing between multiple VPCs and accounts. Option D is wrong because AWS Direct Connect establishes dedicated network connections from on-premises to AWS, not for sharing transit gateways between accounts.

1667
MCQeasy

A company wants to provide its developers with access to a shared development environment in AWS. The developers are in different AWS accounts, and they need to assume an IAM role in the development account. What is the secure way to allow cross-account access?

A.Use a service control policy to allow access from other accounts
B.Create IAM users in the development account for each developer
C.Share the access keys of an IAM user in the development account
D.Create an IAM role in the development account with a trust policy that allows the developers' accounts to assume it
Answer: D

A cross-account IAM role with a trust policy is the AWS best practice: developers obtain temporary credentials through sts:AssumeRole and nothing long-lived is shared.

Why this answer

Option D is correct because the standard pattern is a role in the development account whose trust policy names the developers' accounts (or specific roles in them) as principals; the developers then need sts:AssumeRole permission on that role in their own accounts. Option A is wrong because SCPs only restrict permissions; they never grant access. Option B is wrong because per-developer IAM users in the development account duplicate identities and leave long-lived credentials to manage. Option C is wrong because sharing one user's access keys is a credential-sharing anti-pattern with no individual accountability and no easy revocation.

1668
MCQeasy

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by business unit. Each business unit has its own AWS account. The team needs a solution that allows them to generate cost reports filtered by business unit without additional overhead. Which action should be taken?

A.Use Cost Explorer to filter by linked account, which automatically groups by business unit.
B.Use AWS Budgets to create budgets per account and manually aggregate.
C.Apply tags to resources and enable cost allocation tags in Billing and Cost Management.
D.Create a separate payer account for each business unit.
Answer: C

Correct: Tagging enables filtering by business unit.

Why this answer

Option C is correct because applying tags to resources and enabling cost allocation tags in AWS Billing and Cost Management allows the finance team to categorize costs by business unit without additional overhead. Each business unit's AWS account can have resources tagged with a key like 'BusinessUnit', and once cost allocation tags are activated, Cost Explorer and cost reports can filter and group by these tags, providing automated cost tracking across accounts in AWS Organizations.

Exam trap

The trap here is that candidates may think filtering by linked account in Cost Explorer is sufficient, but they overlook that without tags or a structured account naming convention, linking accounts to business units requires manual effort, which violates the 'without additional overhead' requirement.

How to eliminate wrong answers

Option A is wrong because Cost Explorer can filter by linked account, but it does not automatically group by business unit unless accounts are tagged or organized in a way that maps to business units; filtering by linked account alone requires manual mapping of account IDs to business units, which adds overhead. Option B is wrong because AWS Budgets is a budgeting tool, not a cost reporting and aggregation tool; manually aggregating budgets per account introduces significant overhead and does not provide a scalable, automated solution for generating cost reports filtered by business unit. Option D is wrong because creating a separate payer account for each business unit defeats the purpose of consolidated billing and increases management complexity, as AWS Organizations is designed to consolidate multiple accounts under a single payer for centralized billing and cost management.

1669
MCQmedium

A company uses AWS Organizations with consolidated billing. The finance team needs to track costs by department, which are tagged with 'department' tags. However, some resources are not tagged. The team wants to ensure that all new resources are tagged, and existing untagged resources are identified. What should they do?

A.Use a service control policy (SCP) to deny resource creation without the 'department' tag, and use AWS Config rules to detect untagged resources.
B.Use AWS Config rules to enforce tagging on existing resources and automatically tag them.
C.Use AWS Cost Explorer to report on untagged resources.
D.Create an IAM policy that requires tagging for all actions and attach it to all users.
Answer: A

An SCP can deny the create actions unless the request carries the required tag (aws:RequestTag/department), while the AWS Config managed required-tags rule finds existing resources that lack it.

Why this answer

Option A is correct because an SCP enforces the tag at creation time across the whole organisation, and an AWS Config rule reports the resources that are already untagged. Note that aws:RequestTag only works for APIs that support tagging on create; services that tag in a separate call need a different control. Option B is wrong because Config rules evaluate and report; they do not add tags on their own and cannot prevent creation. Option C is wrong because Cost Explorer can filter by tag but neither enforces nor flags tagging. Option D is wrong because an IAM policy would have to be attached to every principal in every account and cannot bind the root user, whereas one SCP covers them all.

1670
Multi-Selecthard

A company is designing a new multi-tier web application on AWS. The application uses an Auto Scaling group of EC2 instances for the web tier and an Amazon RDS for PostgreSQL DB instance for the database. To improve security, the company wants to ensure that the web tier instances can connect to the database only through a specific port and that the database is not accessible from the internet. Which steps should the company take? (Choose THREE.)

Select 3 answers
A.Launch the database instance in a public subnet.
B.Configure the database security group to allow inbound traffic on port 5432 from the web tier security group.
C.Store database credentials in AWS Systems Manager Parameter Store.
D.Launch the web tier instances in a private subnet.
E.Set the 'Publicly accessible' option of the RDS instance to 'No'.
Answers: B, D, E

Security group rules restrict database traffic to the web tier, and keeping the instance private removes the public endpoint.

Why this answer

Options B, D and E are correct. A database security group that allows inbound TCP 5432 only from the web tier security group (B) limits who can reach the database and on which port. Launching the web tier in private subnets behind a load balancer (D) keeps the instances themselves off the internet. Setting 'Publicly accessible' to 'No' (E) means the RDS instance gets no public IP and is reachable only inside the VPC. Option A is wrong because a public subnet would expose the database; it belongs in private subnets as well. Option C is wrong because Parameter Store is about credential storage, not network reachability.

1671
MCQhard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to securely access an Amazon S3 bucket. The company wants to follow the principle of least privilege. What should a solutions architect recommend?

A.Define an IAM task role with S3 access policies and reference it in the ECS task definition.
B.Attach an IAM role to the underlying EC2 instance.
C.Assign an IAM role to the ECS service using the ECS service-linked role.
D.Store AWS credentials in the container environment variables.
Answer: A

The task role grants permissions to the container application.

Why this answer

Option A is correct because an IAM task role is the recommended mechanism for granting least-privilege permissions to ECS tasks using the Fargate launch type. The task role is defined in the ECS task definition and assumed by the container runtime, allowing the application to securely access the S3 bucket without embedding credentials. This approach follows AWS best practices by scoping permissions to the specific task rather than the underlying infrastructure.

Exam trap

The trap here is that candidates may confuse the ECS service-linked role (used for ECS service management) with the IAM task role (used for granting permissions to the containerized application), or incorrectly assume that Fargate tasks require an underlying EC2 instance role.

How to eliminate wrong answers

Option B is wrong because Fargate does not expose underlying EC2 instances; the infrastructure is fully managed by AWS, so attaching an IAM role to an EC2 instance is irrelevant, and on the EC2 launch type it would grant the instance role's permissions to every task on that host, which violates least privilege. Option C is wrong because the ECS service-linked role (AWSServiceRoleForECS) is used by the ECS service itself to manage resources, not by the containers to access S3; assigning it to the service does not grant permissions to the application code. Option D is wrong because storing AWS credentials in container environment variables is insecure, violates the principle of least privilege, and is unnecessary when the task role provides short-lived credentials through the container credentials endpoint that the agent refreshes automatically.

1672
MCQmedium

A company is running a stateful web application on Amazon EC2 instances in an Auto Scaling group. The instances store session data in an Amazon ElastiCache for Redis cluster. The company wants to improve the application's fault tolerance and ensure that session data is not lost if an Availability Zone fails. What should the solutions architect do?

A.Enable Cluster Mode on the ElastiCache for Redis cluster and configure Multi-AZ.
B.Configure the ElastiCache for Redis cluster to have multiple read replicas in the same region.
C.Increase the instance size of the EC2 instances to handle more load.
D.Migrate from ElastiCache for Redis to ElastiCache for Memcached.
Answer: A

Multi-AZ with automatic failover keeps a replica in another AZ and promotes it when the primary's AZ fails; cluster mode adds sharding on top of that.

Why this answer

Option A is correct because a Redis replication group with Multi-AZ enabled places replicas in different AZs and fails over automatically, so session data survives an AZ failure. Multi-AZ is the essential piece; cluster mode spreads the data across shards, each with its own replicas. Option B is wrong because read replicas alone do not guarantee cross-AZ placement or automatic promotion; without Multi-AZ a primary failure needs manual intervention. Option C is wrong because larger EC2 instances do nothing for the cache's availability. Option D is wrong because Memcached has no replication; losing a node loses its data.

1673
Multi-Selecthard

A company is modernizing a monolithic application into microservices on AWS. The application currently uses a single SQL database. Which THREE AWS services can help decouple the data layer and enable event-driven communication between microservices?

Select 3 answers
A.Amazon Simple Notification Service (SNS)
B.Amazon RDS
C.Amazon Simple Queue Service (SQS)
D.Amazon ElastiCache
E.Amazon EventBridge
Answers: A, C, E

SQS, SNS and EventBridge all let producers and consumers communicate without calling each other directly.

Why this answer

Amazon SQS provides message queuing for async communication. Amazon SNS enables pub/sub messaging. Amazon EventBridge provides event bus for decoupled communication.

Amazon RDS is a relational database, not for decoupling. Amazon ElastiCache is caching.

1674
MCQeasy

A company runs a batch processing job on Amazon EC2 instances that are part of an Auto Scaling group. The job runs every night and takes approximately 2 hours. The instances are launched using a launch template with a Spot Instance request. Recently, the job has been failing because Spot Instances are being reclaimed before the job completes. The company wants a cost-effective solution that ensures the job completes reliably. The job can handle interruptions by checkpointing. Which solution should the company implement?

A.Increase the instance size to complete the job faster.
B.Use a mixed instances policy with a percentage of On-Demand Instances as a fallback.
C.Switch to On-Demand Instances only.
D.Use Reserved Instances for the batch job.
Answer: B

A mixed instances policy balances cost and reliability: Spot capacity does most of the work, On-Demand instances keep the job moving when Spot is reclaimed, and checkpointing handles the interruptions.

Why this answer

Option B is correct because the Auto Scaling group can mix Spot and On-Demand capacity, and the job already tolerates interruption: the two-minute Spot interruption notice gives it time to write a checkpoint, and an On-Demand fallback guarantees enough capacity to finish. Option A is wrong because a larger instance still runs on Spot and can be reclaimed at any time. Option C is wrong because moving entirely to On-Demand gives up the savings the company wants. Option D is wrong because Reserved Instances are a billing commitment for steady-state use and do not fit a two-hour nightly job.

1675
Multi-Selecthard

A multinational corporation is using AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization have server-side encryption enabled, and any new bucket created without encryption must be automatically remediated. Which TWO steps should the team take to achieve this? (Choose two.)

Select 2 answers
A.Use an IAM policy to deny s3:PutBucketEncryption without encryption settings
B.Use AWS Trusted Advisor to check bucket encryption and send alerts
C.Use a CloudWatch Events rule to trigger a Lambda function that enables encryption on any new bucket
D.Use an SCP to deny PutBucketEncryption without encryption settings
E.Use AWS Config with a managed rule to detect non-compliant buckets and an auto-remediation action
Answers: C, D

The EventBridge rule remediates each new bucket as soon as it is created; the SCP stops anyone in the organisation from weakening the encryption setting afterwards.

Why this answer

Option C is correct because a CloudWatch Events rule (now Amazon EventBridge) can match the CreateBucket API call recorded by CloudTrail and trigger an AWS Lambda function that enables server-side encryption on the new bucket. This gives real-time, event-driven remediation without manual intervention. Option D is correct in the key's reasoning because an SCP denying s3:PutBucketEncryption unless the request carries the required settings binds every principal in every member account, which an IAM policy cannot do. Option A is wrong because an IAM policy has to be attached in each account and does not bind the root user. Option B is wrong because Trusted Advisor reports and alerts; it does not remediate. Option E, an AWS Config managed rule for bucket encryption with an SSM Automation remediation, is the common managed alternative and would also meet the requirement; the key prefers the event-driven pair.

Since January 2023 S3 applies SSE-S3 to every new object by default, so the practical job of this control is enforcing SSE-KMS with a specific key rather than turning encryption on at all.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, thinking an IAM deny policy can enforce encryption organization-wide, but SCPs are the correct tool for account-level restrictions in AWS Organizations, while IAM policies are user/role-specific and cannot prevent actions by the root user or service-linked roles.
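The event-driven remediation in option C, written out as an added example (not code from this page or from AWS). It shows the EventBridge rule pattern for CloudTrail's CreateBucket event, a small matcher that applies EventBridge's exact-match semantics, and the Lambda handler that sets SSE-KMS as the bucket default. The S3 client is injected so the handler can be exercised offline with the fake client included here; in Lambda you would pass boto3.client("s3"). The KMS key ARN, bucket name and sample event are constructed.

```python
# Constructed KMS key for the default encryption setting.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"

# EventBridge rule pattern: CloudTrail's CreateBucket management event.
CREATE_BUCKET_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com"], "eventName": ["CreateBucket"]},
}


def matches_pattern(event, pattern):
    """EventBridge exact matching: every pattern key must exist in the event; a list
    means 'the value is one of these', a nested dict means 'recurse'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def _default_sse_algorithm(s3, bucket):
    """The bucket's default SSE algorithm, or None when no default is configured.
    boto3 reports 'no configuration' as a ClientError whose code is
    ServerSideEncryptionConfigurationNotFoundError; the fake client below raises the same text."""
    try:
        cfg = s3.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore.exceptions.ClientError in real use
        if "ServerSideEncryptionConfigurationNotFoundError" in str(exc):
            return None
        raise
    rule = cfg["ServerSideEncryptionConfiguration"]["Rules"][0]
    return rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]


def handler(event, context=None, s3=None, kms_key_arn=KMS_KEY_ARN):
    """Lambda entry point. `s3` is injected for offline use; in Lambda it defaults to boto3."""
    if s3 is None:
        import boto3
        s3 = boto3.client("s3")
    if not matches_pattern(event, CREATE_BUCKET_PATTERN):
        return {"action": "ignored"}
    bucket = event["detail"]["requestParameters"]["bucketName"]
    if _default_sse_algorithm(s3, bucket) == "aws:kms":
        return {"bucket": bucket, "action": "already-kms"}
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True,   # S3 Bucket Keys cut KMS request volume on busy buckets
        }]},
    )
    return {"bucket": bucket, "action": "enabled-kms"}


class FakeS3:
    """Stores the encryption configuration per bucket, standing in for boto3 offline."""

    def __init__(self, existing=None):
        self.config = dict(existing or {})

    def get_bucket_encryption(self, Bucket):
        if Bucket not in self.config:
            raise Exception("An error occurred (ServerSideEncryptionConfigurationNotFoundError) "
                            "when calling the GetBucketEncryption operation")
        return {"ServerSideEncryptionConfiguration": self.config[Bucket]}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.config[Bucket] = ServerSideEncryptionConfiguration


# Constructed CloudTrail-via-EventBridge event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "awsRegion": "us-east-1",
        "requestParameters": {"bucketName": "new-data-lake-raw"},
    },
}

if __name__ == "__main__":
    fake = FakeS3()
    print(handler(SAMPLE_EVENT, s3=fake))
    print(handler(SAMPLE_EVENT, s3=fake))
```

The Lambda's execution role needs only s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration on the buckets in scope; pair it with the SCP from option D so that nobody can undo the setting the function just applied.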

1676
Multi-Selecthard

A company is migrating a legacy application to AWS and needs to decouple the application components. The application currently uses a monolithic architecture with direct calls between components. Which AWS services can help decouple the components? (Choose THREE.)

Select 3 answers
A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.AWS Step Functions
D.Amazon Kinesis Data Streams
E.Amazon EventBridge
AnswersA, B, E

SQS provides message queues for asynchronous communication.

Why this answer

Option A (SQS), Option B (SNS), and Option E (EventBridge) are correct because they all enable asynchronous messaging and event-driven decoupling. Option D (Kinesis Data Streams) is for real-time streaming. Option C (Step Functions) is for orchestrating workflows, not primarily decoupling.

1677
Multi-Selecthard

A company is designing a new data lake on Amazon S3. The data must be encrypted at rest using envelope encryption with AWS KMS. The company wants to use an AWS managed key that rotates annually. Which THREE components are required for this design? (Choose THREE.)

Select 3 answers
A.AWS KMS data key
B.AWS KMS customer managed key
C.AWS Certificate Manager
D.AWS CloudHSM
E.Amazon S3 bucket with SSE-KMS enabled
AnswersA, B, E

Used to encrypt the actual data.

Why this answer

KMS key, data key, and S3 are required for envelope encryption.

1678
MCQhard

A company is migrating its on-premises Oracle database to Amazon Aurora PostgreSQL using AWS DMS. The database has several large tables with hundreds of millions of rows. The migration must complete within a 2-hour downtime window. During the full load, DMS is running slowly on large tables. What should the company do to improve performance?

A.Disable foreign key constraints on the target during migration.
B.Use a smaller DMS instance to avoid network bottlenecks.
C.Set the LOB mode to 'Limited LOB mode' with a high max LOB size.
D.Partition the large tables on the source and target, and use multiple DMS tasks.
AnswerD

Parallelism speeds up loading.

Why this answer

Option D is correct because partitioning tables allows parallel loading. Option C is wrong because LOB settings don't affect full load speed. Option A is wrong because disabling foreign keys is not recommended.

Option B is wrong because Aurora is not slower.

1679
MCQeasy

A company wants to automate the deployment of a three-tier web application on AWS. The deployment should include the network, security groups, EC2 instances, and an Application Load Balancer. Which AWS service should they use?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS CodeDeploy
D.AWS OpsWorks
AnswerB

CloudFormation provisions infrastructure as code, including network, EC2, and ALB.

Why this answer

Option B is correct because AWS CloudFormation allows infrastructure as code to deploy all resources. Option A is incorrect because AWS Elastic Beanstalk abstracts infrastructure but doesn't give full control. Option C is incorrect because AWS CodeDeploy deploys application code, not infrastructure.

Option D is incorrect because AWS OpsWorks is configuration management, not infrastructure provisioning.

1680
MCQmedium

A company is designing a new application that will process sensitive financial data. The data must be encrypted at rest and in transit. The application runs on EC2 instances. Which combination of services meets these requirements?

A.Use Amazon S3 with server-side encryption and enforce HTTPS.
B.Use AWS Key Management Service (KMS) to generate keys and enable encryption on EBS volumes.
C.Use AWS Certificate Manager (ACM) to issue TLS certificates and configure the application to use HTTPS.
D.Enable EBS encryption on the volumes and configure the application to use TLS for all network traffic.
AnswerD

EBS encryption provides at-rest encryption; TLS provides in-transit encryption.

Why this answer

Option D is correct because EBS encryption provides at-rest encryption, and TLS provides in-transit encryption. Option A is wrong because S3 is not used for EC2 volumes. Option B is wrong because KMS alone does not encrypt data.

Option C is wrong because ACM manages certificates, not encryption.

1681
MCQmedium

A company is designing a microservices architecture using Amazon ECS with Fargate. Each microservice needs to communicate with others via REST APIs. The company wants to ensure that communication is encrypted in transit and that services can discover each other using DNS names. Which set of actions should the company take?

A.Enable ECS Service Connect on each service, and use the service discovery names provided by Service Connect.
B.Create a namespace in AWS Cloud Map, register each service, and configure service-to-service communication using the namespace.
C.Place a Network Load Balancer in front of each service and use the NLB DNS name for communication.
D.Place an Application Load Balancer in front of each service and use the ALB DNS name for communication.
AnswerA

Service Connect provides DNS and encryption out-of-the-box.

Why this answer

Option A is correct because ECS Service Connect provides DNS-based service discovery and automatic encryption via TLS. Option B uses Cloud Map but does not enforce encryption. Option D uses an ALB, which adds complexity and cost.

Option C uses an NLB unnecessarily.

1682
Multi-Selecthard

A company is using AWS CodePipeline to deploy a web application. The pipeline includes a build stage and a deploy stage. The company wants to add a test stage that runs automated integration tests after the build stage and before the deploy stage. Which THREE actions should the company take? (Choose three.)

Select 3 answers
A.Configure AWS CodeBuild to run the integration tests as part of the test stage.
B.Use AWS CloudFormation to create a test environment.
C.Add a test stage in the CodePipeline between build and deploy.
D.Use an AWS Lambda function to run the integration tests.
E.Set up a manual approval step after the test stage.
AnswersA, C, E

CodeBuild can run test scripts.

Why this answer

Options A, C, and E are correct. Option C: Adding a test stage in CodePipeline. Option A: Using CodeBuild for test execution.

Option E: Adding a manual approval step for safety. Option D is wrong because Lambda is not suitable for running tests directly. Option B is wrong because CloudFormation is for infrastructure, not testing.

1683
MCQmedium

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS keys managed by the security team. What is the MOST scalable and maintainable solution?

A.Apply a service control policy (SCP) at the root OU that denies s3:PutBucketAcl or s3:PutBucketPolicy actions unless encryption is configured.
B.Use AWS Trusted Advisor to check for unencrypted buckets and notify the security team.
C.Use AWS Config rules in each account to detect non-compliant buckets and trigger auto-remediation.
D.Create a CloudFormation StackSet that deploys an S3 bucket policy in every account.
AnswerA

SCPs are scalable and enforce prevention across all accounts.

Why this answer

Option A is correct because an SCP applied at the root OU can deny any S3 PutBucketAcl or PutBucketPolicy action unless the request includes a condition that the bucket encryption uses a KMS key from the security team’s account. This approach is centralized, scales across all accounts automatically, and prevents non-compliant buckets from being created or modified, making it the most scalable and maintainable solution.

Exam trap

The trap here is that candidates often assume AWS Config rules or Trusted Advisor are sufficient for enforcement, but they only detect or remediate after the fact, whereas SCPs provide preventive control at the organizational level, which is the key to scalability and maintainability.

How to eliminate wrong answers

Option B is wrong because Trusted Advisor only provides reactive checks and notifications; it does not enforce encryption or prevent non-compliant buckets from being created. Option C is wrong because AWS Config rules must be deployed in each account individually (or via delegation), and auto-remediation can be complex to maintain across many accounts; it is less scalable and centralized than an SCP. Option D is wrong because a CloudFormation StackSet deploys a bucket policy in each account, but bucket policies cannot enforce encryption on the bucket itself (they control access), and they can be overridden by the account owner; this does not prevent creation of unencrypted buckets.

1684
Multi-Selectmedium

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no account in the 'Production' OU can disable AWS CloudTrail or delete CloudTrail log files. Which two steps should be taken? (Choose TWO.)

Select 2 answers
A.Enable AWS CloudTrail Insights to detect unusual activity.
B.Create an SCP attached to the 'Production' OU that denies CloudTrail and S3 actions related to stopping or deleting trails and logs.
C.Use IAM roles with a permissions boundary that restricts CloudTrail actions.
D.Add an S3 bucket policy on the CloudTrail log bucket that denies s3:DeleteObject for all principals in the 'Production' OU.
AnswersB, D

SCP prevents the actions at the account level.

Why this answer

Option B is correct because Service Control Policies (SCPs) attached to an OU can deny specific AWS actions for all accounts within that OU, including actions like cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the CloudTrail log bucket. This ensures that no account in the 'Production' OU can disable CloudTrail or delete its log files, regardless of IAM permissions within the account. Option D is correct because an S3 bucket policy on the CloudTrail log bucket that explicitly denies s3:DeleteObject for all principals in the 'Production' OU adds a second layer of defense, preventing deletion of log files even if an account gains elevated privileges.

Exam trap

The trap here is that candidates often think IAM permissions boundaries or CloudTrail Insights can enforce preventive controls, but only SCPs and resource-based policies (like S3 bucket policies) can deny actions across all users and roles in an account at the organizational level.

1685
MCQmedium

A company has multiple AWS accounts and wants to centralize operational data such as cost reports, security findings, and resource inventory. The solution should provide a single pane of glass for the operations team. Which AWS service should be used?

A.Use Amazon QuickSight to connect to each account's AWS Cost and Usage Report and AWS Config data.
B.Use AWS Control Tower to set up a landing zone and use the built-in dashboard for operational data.
C.Use AWS Config aggregator to collect resource configurations from all accounts.
D.Use AWS Organizations to create a central management account and use AWS Systems Manager Explorer to aggregate operational data.
AnswerD

Systems Manager Explorer provides a single dashboard for operational data.

Why this answer

Option D is correct because AWS Systems Manager Explorer, when used with AWS Organizations, provides a single-pane-of-glass dashboard that aggregates operational data (e.g., cost reports, security findings, resource inventory) across multiple accounts. The central management account in Organizations enables Explorer to collect and display data from all member accounts without requiring individual connections or manual aggregation.

Exam trap

The trap here is that candidates often confuse AWS Config aggregator (which only handles resource configurations) with a full operational data aggregator, or assume QuickSight can natively aggregate multi-account operational data without custom integration, leading them to overlook Systems Manager Explorer's purpose-built multi-account dashboard capabilities.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a business intelligence service for visualizing data, not a native aggregator for operational data; connecting to each account's Cost and Usage Report and Config data would require complex, custom pipelines and does not provide a built-in single pane of glass for operations. Option B is wrong because AWS Control Tower's built-in dashboard focuses on governance and compliance (e.g., guardrails, account factory status), not on aggregating operational data like cost reports, security findings, and resource inventory across accounts. Option C is wrong because AWS Config aggregator only collects resource configurations and compliance history, not cost reports or security findings, so it fails to meet the requirement for a comprehensive operational data view.

1686
Multi-Selecteasy

Which TWO AWS services can be used to migrate on-premises applications to AWS without modifying the application code?

Select 2 answers
A.AWS DataSync
B.AWS VM Import/Export
C.AWS Application Migration Service (MGN)
D.AWS Database Migration Service (DMS)
E.AWS App2Container
AnswersB, C

Imports VMs as-is.

Why this answer

AWS VM Import/Export allows importing VM images as EC2 instances, preserving the OS and applications. AWS MGN automates lift-and-shift replication. AWS DMS requires some changes for database migration.

AWS DataSync is for data transfer. AWS App2Container requires containerization.

1687
Multi-Selectmedium

A company is designing a disaster recovery architecture for a critical application. The primary region runs on Amazon EC2 with an RDS database. The recovery time objective (RTO) is 15 minutes, and recovery point objective (RPO) is 1 minute. Which TWO steps should be taken to meet these objectives?

Select 2 answers
A.Configure RDS Multi-AZ in the primary region.
B.Deploy an Amazon Aurora Global Database with a secondary region.
C.Pre-warm a standby EC2 instance in the DR region.
D.Take hourly snapshots of RDS and copy them to the DR region.
E.Use Amazon S3 Cross-Region Replication for application data.
AnswersA, B

Multi-AZ provides automatic failover with low RTO.

Why this answer

Options A and B are correct. A Multi-AZ RDS instance with synchronous replication provides an RPO of seconds and can fail over quickly. An Aurora Global Database with a secondary region also provides low RPO and RTO.

Option D is wrong because cross-region snapshot restore takes longer than 15 minutes. Option C is wrong because RTO would be too high. Option E is wrong because RTO includes database failover.

1688
MCQmedium

A company is designing a multi-region active-active application using Amazon DynamoDB. They need to ensure low-latency reads and writes globally. Which DynamoDB feature should they use?

A.Auto Scaling
B.DynamoDB Accelerator (DAX)
C.DynamoDB Streams
D.Global Tables
AnswerD

Global Tables replicate data across regions for low-latency access.

Why this answer

DynamoDB Global Tables provide a fully managed, multi-region, multi-active database. Option B (DAX) is a caching layer, Option A (Auto Scaling) adjusts throughput, and Option C (Streams) captures changes.

1689
Multi-Selecteasy

A company wants to implement a centralized logging solution for multiple AWS accounts. Which TWO services should be used together?

Select 2 answers
A.Amazon S3
B.AWS CloudTrail
C.Amazon RDS
D.Amazon Athena
E.AWS Config
AnswersA, D

S3 is a durable and cost-effective storage for logs.

Why this answer

Amazon S3 serves as a central log repository, and Amazon Athena allows querying logs directly in S3.

1690
MCQeasy

A company has a production AWS account with multiple VPCs connected via a transit gateway. The security team wants to centrally capture all VPC flow logs for analysis in Amazon Athena. What is the MOST cost-effective way to store the flow logs?

A.Publish VPC Flow Logs to an Amazon S3 bucket with S3 Intelligent-Tiering enabled.
B.Publish VPC Flow Logs to both CloudWatch Logs and S3 for redundancy.
C.Use Amazon Kinesis Data Firehose to stream flow logs to an S3 bucket.
D.Publish VPC Flow Logs to Amazon CloudWatch Logs and export them to S3 after 30 days.
AnswerA

S3 is cost-effective for log storage, and Intelligent-Tiering automatically moves data to lower-cost tiers.

Why this answer

Option A is correct because VPC Flow Logs can be published directly to S3, and using S3 Intelligent-Tiering optimizes costs for logs that may be accessed infrequently. Option D is wrong because CloudWatch Logs is more expensive for long-term storage. Option C is wrong because Kinesis Data Firehose adds cost and complexity.

Option B is wrong because it duplicates storage.

1691
MCQeasy

A company uses AWS Organizations with a multi-account strategy. The DevOps team wants to allow developers to launch EC2 instances only in specific Regions and only with approved AMIs. Which AWS service should be used to enforce these controls across all accounts?

A.AWS Config rules with auto-remediation
B.AWS Service Catalog with a portfolio of approved AMIs
C.AWS Identity and Access Management (IAM) policies in each account
D.AWS Organizations Service Control Policies (SCPs)
AnswerD

Correct: SCPs can centrally restrict actions across accounts.

Why this answer

AWS Organizations Service Control Policies (SCPs) are the correct choice because they allow you to centrally define and enforce permission guardrails across all accounts in your organization. SCPs can restrict EC2 actions to specific Regions using the `aws:RequestedRegion` condition key and limit AMI usage by denying launch actions unless the AMI ID matches an approved list, ensuring compliance without requiring per-account configuration.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking that IAM policies in each account can centrally enforce controls, but SCPs are the only mechanism that applies across all accounts in an organization without requiring per-account management.

How to eliminate wrong answers

Option A is wrong because AWS Config rules with auto-remediation are detective and reactive—they can detect non-compliant resources and trigger remediation actions, but they cannot proactively prevent developers from launching EC2 instances in unapproved Regions or with unapproved AMIs at the time of the API call. Option B is wrong because AWS Service Catalog allows you to create a portfolio of approved AMIs that developers can launch, but it does not enforce controls across all accounts; developers could still bypass Service Catalog and launch EC2 directly via the console or CLI if not restricted by other policies. Option C is wrong because IAM policies in each account would require manual duplication and management across every account, leading to inconsistency and administrative overhead, and they cannot be enforced from a central point like SCPs can.

1692
MCQeasy

A company is designing a new web application that will be accessed by users globally. The application uses Amazon CloudFront as a CDN and stores static content in Amazon S3. The dynamic content is served from EC2 instances in a single AWS Region. Which of the following will improve performance for users in distant regions with the LEAST operational effort?

A.Deploy EC2 instances in multiple AWS Regions and use Route 53 latency-based routing.
B.Use AWS Global Accelerator to route traffic to the EC2 instances via the AWS global network.
C.Move the dynamic content to Lambda@Edge functions running at CloudFront edge locations.
D.Add an Amazon ElastiCache cluster in front of the EC2 instances to cache dynamic responses.
AnswerB

Global Accelerator uses the AWS network to route traffic from edge locations to the nearest healthy endpoint, reducing latency and jitter.

Why this answer

Option B is correct because AWS Global Accelerator improves performance by routing traffic over the AWS global network to the optimal endpoint. Option C is wrong because Lambda@Edge runs at edge locations but is for lightweight compute, not for dynamic content hosting. Option A is wrong because multi-Region deployment adds significant operational complexity.

Option D is wrong because ElastiCache caches data but does not reduce network latency for distant users.

1693
MCQeasy

A company has deployed a web application on Amazon ECS with Fargate. The application needs to access an Amazon RDS database. The security team mandates that the database must not be publicly accessible. What is the best way to securely connect the ECS tasks to the RDS database?

A.Use a NAT gateway to route traffic from ECS tasks to RDS.
B.Attach an internet gateway to the VPC and route through it.
C.Enable public accessibility on the RDS instance and restrict access to the ECS task public IP.
D.Place the ECS tasks and RDS instance in the same VPC, and configure security groups to allow traffic on the database port.
AnswerD

This ensures traffic stays within the VPC.

Why this answer

Option D is correct because placing ECS tasks and RDS in the same VPC allows private communication via security groups. Option A is incorrect because a NAT gateway is for outbound internet access. Option C is incorrect because a public endpoint would violate the security requirement.

Option B is incorrect because an internet gateway is not needed for private communication.

1694
Multi-Selecthard

A company runs a critical application on Amazon RDS for MySQL. They want to implement a disaster recovery (DR) strategy across AWS Regions with a Recovery Point Objective (RPO) of 1 second and Recovery Time Objective (RTO) of 1 minute. Which TWO strategies meet these requirements? (Choose TWO.)

Select 2 answers
A.Use Amazon RDS Multi-AZ deployment in the primary Region with a standby in another Region.
B.Take manual snapshots of the RDS instance every hour and copy them to another Region.
C.Use Amazon Aurora Global Database with a primary in one Region and a secondary in another Region.
D.Use AWS Database Migration Service (DMS) for continuous replication to another Region.
E.Configure cross-Region read replicas for RDS MySQL.
AnswersA, C

Multi-AZ with cross-Region standby provides automatic failover with RTO of 1-2 minutes and synchronous replication with RPO of 1 second (for Aurora). Note: For RDS MySQL, cross-Region Multi-AZ is not supported; but Aurora Global Database is the correct service.

Why this answer

Option A is correct because a Global Database with standby in another Region provides near-zero RPO and automatic failover. Option C is correct because a multi-Region Aurora Global Database also meets the RPO and RTO. Option E is wrong because cross-Region read replicas have an RTO > 1 minute (manual promotion).

Option B is wrong because RTO is too long. Option D is wrong because RPO is too high.

1695
MCQhard

A company uses AWS Organizations with a large number of accounts. The networking team wants to centrally manage VPCs and subnets using AWS Resource Access Manager (RAM) and share subnets to member accounts. What must be done in the member accounts to use shared subnets?

A.The member account must create an IAM role to assume for launching resources in the shared subnet.
B.The member account must create a VPC and then associate the shared subnet.
C.The member account must accept the resource share invitation.
D.Nothing, shared subnets are automatically available to all accounts in the organization.
AnswerD

Within an organization, resource shares are automatically accepted.

Why this answer

Option D is correct because shared subnets automatically appear in the member account's VPC console, and they can launch resources without additional configuration. Option C is wrong because no resource share acceptance is needed when sharing within the same organization. Option B is wrong because shared subnets are already in the member account's VPC.

Option A is wrong because no IAM role is needed for subnet sharing.

1696
MCQhard

A company has multiple AWS accounts managed through AWS Organizations. The central IT team wants to allow developers to launch EC2 instances only in specific Regions, but allow full access to all other services. What is the BEST approach?

A.Configure IAM permissions boundaries on all developer roles to restrict EC2 actions to allowed Regions.
B.Apply an SCP that allows EC2 actions only in the allowed Regions.
C.Use AWS Config rules to terminate EC2 instances launched in disallowed Regions.
D.Create a Service Control Policy (SCP) that denies EC2 actions in disallowed Regions.
AnswerB

SCPs deny actions by default, so you must explicitly allow only the desired Regions.

Why this answer

Using an SCP with a Deny effect for EC2 actions outside allowed Regions is the best approach because it prevents the action across all accounts. Option A is wrong because IAM permissions boundaries are per-role. Option B is wrong because it allows EC2 in all Regions.

Option D is wrong because it allows launching in all Regions.
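The three Deny policies discussed in questions 1684, 1691 and 1696 (protecting CloudTrail with an SCP, adding a bucket-policy Deny on the log bucket, and restricting EC2 to approved Regions with `aws:RequestedRegion`), written out as an added example that is not from the question bank or from AWS. The toy evaluator underneath is not an AWS tool; it models only the one outcome these policies are used for, an explicit Deny, and only the Action/Resource/Condition shapes that appear in the three policies. The allowed-Region list, the bucket name and the organization/OU ids are assumptions and placeholders.

```python
"""Added example: how the Deny statements from questions 1684/1691/1696 evaluate.

Toy evaluator (not an AWS tool, not from the question bank). It answers one
question: does some Deny statement match this request? It never answers
"Allow", because SCPs only take permissions away.
"""
import fnmatch
import json

# Assumption: the Regions developers are allowed to use EC2 in.
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]

# Questions 1691/1696: deny every EC2 action outside the approved Regions.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyEc2OutsideApprovedRegions",
        "Effect": "Deny",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}

# Question 1684: nobody in the Production OU can stop logging or delete a trail.
CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectCloudTrail",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
}

# Question 1684: second layer on the log bucket itself. Org path ids are
# placeholders; aws:PrincipalOrgPaths is multivalued, hence ForAnyValue.
LOG_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLogDeletionFromProductionOU",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::example-cloudtrail-logs/*",
        "Condition": {"ForAnyValue:StringLike": {
            "aws:PrincipalOrgPaths": ["o-EXAMPLE/r-EXAMPLE/ou-EXAMPLE-prod/*"]}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _like(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key missing from the request never matches."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")  # e.g. ForAnyValue:StringLike
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            values = _as_list(actual) if set_op == "ForAnyValue" else [actual]
            if base_op == "StringEquals":
                ok = any(v in expected for v in values)
            elif base_op == "StringNotEquals":
                ok = any(v not in expected for v in values)
            elif base_op == "StringLike":
                ok = any(_like(expected, v) for v in values)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def explicit_deny(policy, action, resource, context=None):
    """True if a Deny statement in `policy` matches the request, else False."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _like(_as_list(stmt["Action"]), action):
            continue
        if not _like(_as_list(stmt["Resource"]), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(REGION_SCP, indent=2))
    for region in ["us-east-1", "ap-southeast-2"]:
        denied = explicit_deny(REGION_SCP, "ec2:RunInstances", "*",
                               {"aws:RequestedRegion": region})
        print(f"ec2:RunInstances in {region}: {'DENIED' if denied else 'not denied by SCP'}")
```

Two caveats a reviewer would raise on the real policies: an SCP never affects the organization's management account, and a Region-deny SCP in production normally exempts global services and a break-glass role, which this minimal version omits. The evaluator returning `False` means only that the SCP did not deny the call; an IAM Allow in the account is still required for it to succeed.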

1697
Multi-Selecteasy

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all new accounts created through the organization automatically have a specific AWS Config rule enabled that requires S3 buckets to be encrypted. Which TWO actions should the team take?

Select 2 answers
A.Use AWS CloudFormation StackSets to deploy the Config rule to all accounts.
B.Create a Service Control Policy (SCP) that denies PutBucketEncryption actions.
C.Create a conformance pack in the management account and deploy it to the organization.
D.Create an AWS Config rule in the management account that applies to all accounts via AWS Organizations.
E.Enable AWS Config in every account of the organization.
AnswersC, E

Conformance packs can be deployed to all accounts, including new ones.

Why this answer

Option C and Option E are correct. Option E (Enable AWS Config in all accounts) is necessary for rules to work. Option C (Use a conformance pack deployed to the organization) automatically applies rules to all accounts.

Option B (Service Control Policy) can deny non-encrypted buckets but does not enable the Config rule. Option A (AWS CloudFormation StackSets) can deploy Config rules but requires manual setup per account. Option D (Organization Config rule) is not a feature; Config rules are per account.

1698
MCQmedium

A company is migrating a large-scale batch processing system from on-premises to AWS. The system runs millions of short-lived jobs each day. The company wants to minimize operational overhead and cost. Which AWS compute service should the company use?

A.Amazon EC2 with Spot Fleet
B.Amazon ECS with AWS Fargate
C.AWS Lambda
D.AWS Batch
AnswerD

AWS Batch manages job scheduling, compute provisioning, and can leverage Spot Instances.

Why this answer

Option D is correct because AWS Batch is designed for batch computing, automatically provisions resources based on job volume, and can use Spot Instances for cost savings. Option A is wrong because EC2 with Spot Fleet requires more manual management. Option C is wrong because Lambda has a 15-minute timeout and is not suitable for long-running batch jobs.

Option B is wrong because ECS with Fargate is for containers, but AWS Batch is more specialized for batch workloads.

1699
Multi-Selecteasy

A company is migrating a batch processing workload to AWS. The workload runs on a schedule and processes large files stored on a network file system. The company wants to use serverless services. Which TWO services should the company use? (Choose TWO.)

Select 2 answers
A.Amazon EMR
B.Amazon EC2
C.Amazon S3
D.Amazon EFS
E.AWS Lambda
AnswersC, E

S3 can store large files and trigger Lambda functions.

Why this answer

Options C and E are correct. Option E: AWS Lambda can process events. Option C: Amazon S3 can store files.

Option B is wrong because EC2 is not serverless. Option D is wrong because EFS is not serverless. Option A is wrong because EMR is not serverless.

1700
MCQmedium

A company is designing a new application that will run on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application requires that users' session data be stored durably and with low latency. The session data is accessed frequently but is rarely updated. Which solution is MOST cost-effective?

A.Use ElastiCache for Redis with replication.
B.Store session data in Amazon S3 with reduced redundancy.
C.Use DynamoDB with on-demand capacity.
D.Use ElastiCache for Memcached with multiple nodes.
AnswerA

Redis provides low latency and durability via replication, suitable for session storage.

Why this answer

ElastiCache for Redis is a fast, in-memory data store suitable for session management. It provides low latency and durability via replication, and is more cost-effective than DynamoDB for this use case because DynamoDB is optimized for heavy read/write workloads and has higher cost per request. Option A is correct.

Option D is incorrect because ElastiCache for Memcached is not durable. Option C is incorrect because DynamoDB is over-provisioned for this scenario. Option B is incorrect because S3 is too slow for session data.

1701
MCQmedium

A company is designing a data lake on AWS using Amazon S3 as the storage layer. The data includes sensitive customer information that must be encrypted at rest. The company also needs to regularly rotate the encryption keys. Which solution meets these requirements with the least operational overhead?

A.Use server-side encryption with S3 managed keys (SSE-S3) and enable S3 bucket key rotation.
B.Implement client-side encryption using the AWS Encryption SDK and store keys in AWS Secrets Manager.
C.Use server-side encryption with AWS KMS (SSE-KMS) and enable automatic key rotation in KMS.
D.Use server-side encryption with customer-provided keys (SSE-C) and rotate keys manually.
AnswerC

SSE-KMS with automatic rotation meets encryption and rotation needs with low overhead.

Why this answer

SSE-KMS with automatic key rotation provides encryption at rest with automated key rotation, minimizing operational overhead. Option A (SSE-S3) does not support key rotation. Option B (client-side encryption) requires managing keys.

Option D (SSE-C) requires managing keys.

1702
MCQeasy

A company wants to decouple a frontend API from backend processing to improve scalability and fault tolerance. The frontend sends requests that can be processed asynchronously. Which AWS service should be used to decouple the components?

A.Amazon Simple Notification Service (SNS)
B.Amazon Simple Queue Service (SQS)
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerB

SQS is a message queue that decouples components.

Why this answer

Amazon Simple Queue Service (SQS) is the correct choice because it provides a fully managed message queue that decouples the frontend API from backend processing. The frontend can send requests to an SQS queue, and backend consumers can poll and process messages asynchronously, which improves scalability by buffering traffic spikes and enhances fault tolerance by persisting messages until they are successfully processed.

Exam trap

The trap here is that candidates often confuse SNS (push-based notification) with SQS (pull-based queue) for decoupling, but SNS does not provide the durable, asynchronous message buffer required for decoupling frontend and backend processing.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers (e.g., HTTP endpoints, Lambda, SQS) but does not provide a durable buffer for asynchronous decoupling; it is designed for fan-out notifications, not for queuing where consumers pull messages at their own pace. Option C is wrong because Amazon Kinesis Data Streams is optimized for real-time streaming of large-scale data (e.g., clickstreams, logs) with ordered records and replay capabilities, not for simple request/response decoupling where each message is processed independently by a single consumer. Option D is wrong because AWS Step Functions is a serverless orchestration service for coordinating multiple AWS services into workflows, not a message queue; it does not inherently decouple frontend from backend via asynchronous message buffering.

1703
MCQ · hard

A company is designing a new application that will use Amazon RDS for PostgreSQL. They need to implement read replicas to offload read traffic. However, they are concerned about replication lag affecting read consistency. Which action would minimize replication lag?

A. Increase the allocated storage on the primary instance
B. Use an encrypted connection between the primary and replica
C. Enable Multi-AZ on the primary instance
D. Use instance types with higher network performance
Answer: D

Higher network performance reduces replication lag.

Why this answer

Option D is correct: instance types (such as db.r5.large) with higher network bandwidth reduce replication lag. Option C (Multi-AZ) is for high availability, not read replicas. Option A (increasing storage) does not directly affect lag.

Option B (using an encrypted connection) does not impact lag.

1704
MCQ · hard

A media company runs a video processing pipeline on AWS. Videos are uploaded to an S3 bucket (input-bucket), which triggers an AWS Lambda function that starts an AWS Glue job. The Glue job processes the video metadata and stores results in a DynamoDB table. Then, a second Lambda function triggers an Amazon ECS Fargate task to transcode the video into multiple formats. The transcoded videos are stored in another S3 bucket (output-bucket). Recently, the company started receiving complaints about delays in video availability. The operations team notices that CloudWatch Logs show no errors, but the ECS tasks often take longer than expected. They also see that the DynamoDB table has a high number of throttled write events. The video upload rate has increased by 50% in the last month. The team needs to improve the pipeline's performance and reduce delays. What should they do?

A. Enable DynamoDB auto scaling on the table with a target utilization of 70%.
B. Increase the Lambda function timeout for both functions to 15 minutes.
C. Introduce an Amazon SQS queue between the second Lambda and ECS to buffer requests.
D. Set reserved concurrency on the first Lambda function to 10 to control throttling.
Answer: A

Auto scaling will dynamically adjust write capacity to handle increased traffic, reducing throttling.

Why this answer

Option A is correct. The primary bottleneck is DynamoDB throttling due to the increased write load. Enabling DynamoDB auto scaling adjusts capacity dynamically to handle the increased traffic.

Option B: Increasing the Lambda timeout does not address DynamoDB throttling. Option C: Using SQS between Lambda and ECS helps decouple the stages, but the immediate issue is DynamoDB throttling. Option D: Reserved concurrency limits Lambda concurrency, which may worsen the problem.

1705
Multi-Select · hard

A company has a production AWS account that contains sensitive data. The security team wants to ensure that no one can disable AWS CloudTrail or delete the CloudTrail S3 bucket. Which THREE actions should be taken to protect these resources? (Choose three.)

Select 3 answers
A. Use IAM groups to restrict access to CloudTrail and S3.
B. Enable multi-factor authentication (MFA) delete on the S3 bucket.
C. Configure S3 bucket versioning and enable S3 Object Lock.
D. Attach a service control policy (SCP) to the account that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
E. Store CloudTrail logs in a separate account that only the security team can access.
Answers: B, C, D

MFA delete adds an extra layer of protection to prevent accidental or malicious deletion.

1706
Multi-Select · hard

A company is migrating a data warehouse from on-premises to Amazon Redshift. The source database is Teradata. The company needs to convert the schema and migrate historical data with minimal downtime. Which THREE services should the company use?

Select 3 answers
A. AWS Snowball Edge
B. AWS Data Pipeline
C. Amazon Kinesis Data Analytics
D. AWS Schema Conversion Tool (SCT)
E. AWS Database Migration Service (DMS)
Answers: A, D, E

Snowball Edge can be used to transfer large volumes of data offline.

Why this answer

Options A, D, and E are correct. AWS SCT converts the schema and code. AWS DMS migrates the data with ongoing replication.

AWS Snowball Edge can be used for the large initial data transfer. Option C: Amazon Kinesis Data Analytics is for streaming analytics. Option B: AWS Data Pipeline orchestrates data transfers but does not provide schema conversion or replication.

1707
MCQ · hard

A company uses AWS CodePipeline to deploy a web application to Amazon ECS. The deployment often fails because the ECS service's desired count is not met during the update. The company wants to implement a blue/green deployment with automated rollback on failure. What is the MOST effective approach?

A. Use CodePipeline with a Lambda function to swap target groups and monitor health.
B. Use CodeDeploy with an in-place deployment configuration and a manual approval step.
C. Use CodePipeline with ECS rolling update and CloudWatch alarms to trigger rollback.
D. Use CodePipeline with CodeDeploy to perform a blue/green deployment on ECS and configure automatic rollback.
Answer: D

CodeDeploy natively supports blue/green deployments on ECS with traffic shifting and automatic rollback based on CloudWatch alarms.

Why this answer

Option D is correct because CodeDeploy with ECS blue/green deployment provides built-in traffic shifting and automated rollback. Option A is wrong because it lacks traffic shifting. Option B is wrong because it does not support blue/green.

Option C is wrong because it lacks automated rollback.

1708
MCQ · medium

A company is migrating a stateful web application to AWS. The application uses local storage for user sessions. Which AWS service can help make the application stateless and scalable?

A. Amazon EBS
B. Amazon ElastiCache
C. Amazon RDS
D. Amazon S3
Answer: B

ElastiCache provides fast in-memory session store.

Why this answer

Amazon ElastiCache provides an in-memory cache for session data, making the application stateless. Option D is wrong because S3 is slower for session data. Option A is wrong because EBS does not provide shared storage across instances.

Option C is wrong because RDS is for relational data, not session state.

1709
MCQ · easy

A company is using AWS CloudFormation to deploy infrastructure. The security team requires that all Amazon S3 buckets created by CloudFormation must be encrypted at rest. What should a solutions architect do to enforce this requirement?

A. Enable default encryption on each bucket using SSE-S3.
B. Add an S3 bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header.
C. Require that all buckets use AWS KMS managed keys for encryption.
D. Use a CloudFormation stack policy to prevent modification of bucket encryption settings.
Answer: B

The bucket policy rejects unencrypted uploads.

Why this answer

Option B is correct because an S3 bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header enforces encryption at rest for all objects uploaded to the bucket. This policy condition works regardless of how the bucket is created, including via CloudFormation, and ensures that any PutObject operation without the required encryption header is rejected, meeting the security team's requirement.

Exam trap

The trap here is that candidates often confuse default encryption (which passively encrypts objects but does not enforce encryption) with a bucket policy that actively denies unencrypted uploads, leading them to choose Option A instead of the correct enforcement mechanism.

How to eliminate wrong answers

Option A is wrong because enabling default encryption on each bucket only applies encryption to objects that are uploaded without specifying encryption headers; it does not prevent unencrypted uploads, as a user could still override the default by explicitly omitting encryption headers. Option C is wrong because requiring AWS KMS managed keys is a specific encryption type, not a mechanism to enforce encryption; it does not block unencrypted uploads and may introduce additional cost and complexity without addressing the enforcement requirement. Option D is wrong because a CloudFormation stack policy prevents modifications to stack resources after deployment but does not enforce encryption on S3 buckets; it cannot block unencrypted PutObject requests at the bucket level.

1710
Multi-Select · hard

A company is designing a new containerized application on Amazon EKS. The application must be able to access secrets (e.g., database credentials) securely. The company requires that secrets be automatically rotated and audited. Which THREE actions should the company take to meet these requirements?

Select 3 answers
A. Mount the Secrets Store CSI Driver volume directly to the pod without using ASCP
B. Use IAM roles for service accounts (IRSA) to grant pods access to Secrets Manager
C. Store secrets in AWS Secrets Manager and enable automatic rotation
D. Use the AWS Secrets and Configuration Provider (ASCP) for the Secrets Store CSI Driver to inject secrets into pods
E. Store secrets in Kubernetes Secrets and use a ConfigMap to reference them
Answers: B, C, D

IRSA provides fine-grained permissions for pods.

Why this answer

Option B is correct because IAM Roles for Service Accounts (IRSA) allows pods in Amazon EKS to assume an IAM role with fine-grained permissions, enabling secure access to AWS Secrets Manager without embedding long-term credentials. This approach integrates with AWS IAM to provide temporary credentials via OIDC federation, ensuring that only authorized pods can retrieve secrets.

Exam trap

The trap here is that candidates may think mounting the CSI driver without ASCP (Option A) is sufficient, but ASCP is the critical component that bridges the CSI driver to AWS Secrets Manager, and without it, the driver cannot retrieve secrets from AWS.

1711
Multi-Select · hard

A company has multiple AWS accounts and wants to centralize logging of all API calls. Which TWO services should be used together to achieve this?

Select 2 answers
A. VPC Flow Logs
B. AWS CloudTrail
C. AWS Config
D. Amazon CloudWatch Logs
E. Amazon S3
Answers: B, D

CloudTrail records API calls.

Why this answer

Option B is correct because CloudTrail logs API calls. Option D is correct because CloudWatch Logs can aggregate logs from multiple accounts into a central account. Option E is wrong because S3 is storage, not aggregation.

Option C is wrong because Config records resource changes, not API calls. Option A is wrong because VPC Flow Logs capture network traffic.

1712
MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent 503 errors. The ALB target group health checks are failing. Which step is MOST likely to resolve the issue?

A. Change the health check protocol from HTTP to HTTPS.
B. Use a Network Load Balancer instead of ALB.
C. Increase the number of instances in the target group.
D. Increase the health check timeout and decrease the unhealthy threshold.
Answer: D

Gives instances more time to respond and reduces sensitivity to transient failures.

Why this answer

Option D is correct because increasing the health check timeout prevents false negatives due to transient delays. Option A is wrong because changing the protocol does not address the health check failures. Option C is wrong because adding instances does not reduce the chance of healthy instances being marked unhealthy.

Option B is wrong because switching to a Network Load Balancer does not change the health check behavior.

1713
MCQ · easy

A company wants to assess its on-premises environment for migration to AWS. The company needs to collect utilization data for servers and applications. Which AWS service should the company use?

A. AWS Migration Hub
B. AWS Database Migration Service (DMS)
C. AWS Application Discovery Service
D. AWS Server Migration Service (SMS)
Answer: C

Discovery Service collects data about on-premises servers and applications.

Why this answer

Option C is correct because AWS Application Discovery Service collects server and application utilization data. Option A is wrong because AWS Migration Hub tracks migrations but does not perform discovery. Option D is wrong because AWS Server Migration Service is deprecated.

Option B is wrong because AWS DMS is for databases.

1714
Multi-Select · medium

A company is designing a new batch processing system that processes large files from Amazon S3. The processing is CPU-intensive and can take up to 2 hours per file. The company wants to minimize cost and avoid idle compute capacity. Which THREE components should the architect include? (Choose THREE.)

Select 3 answers
A. EC2 Spot Instances to reduce compute costs.
B. AWS Lambda functions to process each file.
C. AWS Batch with a job queue and compute environment.
D. Amazon S3 Event Notifications to trigger the batch job when a new file is uploaded.
E. Auto Scaling group with scheduled scaling policies.
Answers: A, C, D

Spot Instances are cost-effective for fault-tolerant batch jobs.

Why this answer

AWS Batch (option C) manages job scheduling and scaling. Spot Instances (option A) reduce cost. S3 Event Notifications (option D) trigger jobs when files arrive.

Option E (Auto Scaling with scheduled policies) is less efficient. Option B (Lambda) has a 15-minute limit.

1715
MCQ · easy

A company is using AWS Organizations and wants to allow certain member accounts to create VPCs with specific CIDR ranges. Which mechanism should be used to enforce this restriction?

A. Use AWS Config rules to automatically delete non-compliant VPCs.
B. Use IAM policies with conditions on the ec2:CreateVpc action in each account.
C. Use AWS CloudTrail to monitor VPC creation and alert the security team.
D. Use SCPs with conditions on the ec2:CreateVpc action, specifying allowed CIDR ranges.
Answer: D

SCPs can deny VPC creation if the CIDR does not match allowed ranges.

Why this answer

Option D is correct because SCPs can be attached to OUs or accounts to deny actions that do not meet the conditions. Option B is wrong because IAM policies apply to users/roles within an account and cannot control actions across accounts. Option A is wrong because AWS Config can detect non-compliant VPCs but cannot prevent their creation.

Option C is wrong because CloudTrail logs but does not enforce.

1716
MCQ · medium

A Solutions Architect runs the above AWS CLI command and gets the output shown. The instance is 'running' but the application is not accessible. What should the Solutions Architect check next?

A. Check if the instance is terminated.
B. Check if the instance ID is correct.
C. Check the instance status checks.
D. Check the security group rules for the instance.
Answer: D

Security groups act as a virtual firewall.

Why this answer

Option D is correct because security group rules control inbound traffic. Option A is wrong because the instance is running. Option C is wrong because the status checks show instance health, not network access.

Option B is wrong because the instance ID is correct.

1717
MCQ · easy

A company is migrating a legacy Windows application to AWS. The application requires a shared file system accessible from multiple EC2 instances in the same VPC. Which AWS service should the company use to meet this requirement with minimal application changes?

A. Amazon EBS
B. Amazon S3
C. Amazon FSx for Windows File Server
D. AWS Storage Gateway
Answer: C

Provides a fully managed native Windows file system that is accessible from multiple EC2 instances.

Why this answer

Option C is correct because Amazon FSx for Windows File Server is the managed, natively Windows-compatible shared file system (Amazon EFS is the equivalent shared file system for Linux instances). Option B (Amazon S3) is object storage and not a file system. Option A (Amazon EBS) is block storage and can be attached to only one instance.

Option D (AWS Storage Gateway) is for hybrid storage, not native file sharing.

1718
MCQ · easy

A company stores sensitive data in Amazon S3. They need to ensure that data is encrypted at rest using a key managed by the company's on-premises hardware security module (HSM). Which S3 encryption option should they use?

A. Server-Side Encryption with Customer-Provided Keys (SSE-C).
B. Client-Side Encryption using the company's own encryption library.
C. Server-Side Encryption with AWS KMS (SSE-KMS).
D. Server-Side Encryption with S3-Managed Keys (SSE-S3).
Answer: B

Client-side encryption allows the company to encrypt data with their own key before uploading to S3.

Why this answer

Option B is correct because client-side encryption allows the company to encrypt data before uploading, using their own key from the on-premises HSM. Option D is wrong because SSE-S3 uses AWS-managed keys. Option C is wrong because SSE-KMS uses AWS KMS, not the company's own HSM.

Option A is wrong because SSE-C uses a customer-provided key, but the key must be provided with each request and is not stored in an on-premises HSM.

1719
MCQ · hard

A company is migrating a critical application to AWS using the 7 Rs migration strategy. The application has a monolithic architecture and runs on a single large on-premises server. The business wants to reduce operational overhead but cannot afford any downtime. Which strategy should the solutions architect recommend?

A. Rehost the application using AWS Application Migration Service
B. Retire the application and replace it with a SaaS solution
C. Replatform the application to use AWS managed services
D. Refactor / Re-architect the application into microservices
Answer: A

Correct: Lift-and-shift minimizes changes and downtime.

Why this answer

Rehost (lift-and-shift) moves the application as-is to minimize risk and downtime. Replatforming would require changes that could introduce downtime. Refactor/Re-architect would be too invasive.

Retire is not applicable as the application is critical.

1720
Multi-Select · medium

A company is modernizing a legacy CRM application to a microservices architecture on AWS. They want to use AWS Lambda for compute and Amazon API Gateway for the API layer. Which THREE design patterns should they consider? (Select THREE.)

Select 3 answers
A. Use Amazon ElastiCache for session state management
B. Decompose the monolith into separate Lambda functions for each business capability
C. Use API Gateway to expose each microservice as a REST API
D. Use EC2 Auto Scaling groups for each microservice
E. Use AWS Step Functions to orchestrate multiple Lambda functions
Answers: B, C, E

Each Lambda function becomes a microservice.

Why this answer

The three key patterns for serverless microservices are: decompose the monolith into separate Lambda functions per business capability (B), use API Gateway as the entry point for REST APIs (C), and use AWS Step Functions for orchestration (E). Option D (EC2 Auto Scaling) is not serverless. Option A (ElastiCache) is for caching but is not a core pattern.

1721
MCQ · hard

A company needs to provide temporary credentials for users to access an S3 bucket for exactly 1 hour. The solution must not require any custom code or user management. Which AWS service should be used?

A. Amazon Cognito identity pools
B. An IAM role with a trust policy
C. S3 pre-signed URLs
D. AWS STS
Answer: D

STS generates temporary credentials with a specified duration.

Why this answer

Option D is correct because AWS STS (Security Token Service) issues temporary credentials with a configurable expiration. Option B is wrong because IAM roles are not directly assigned to users. Option A is wrong because Cognito is for user pools.

Option C is wrong because S3 pre-signed URLs are for objects, not bucket-level access.

1722
MCQ · hard

A company is migrating a critical application from on-premises to AWS using a lift-and-shift approach. The application requires consistent low-latency access to an on-premises database. Which network solution should the company implement to meet the latency requirement during the migration?

A. Set up a site-to-site VPN over the internet.
B. Create a VPC peering connection between the on-premises network and AWS VPC.
C. Use AWS Client VPN to connect from the application servers.
D. Establish an AWS Direct Connect connection between the on-premises data center and AWS.
Answer: D

Direct Connect provides consistent low-latency and high-bandwidth connectivity.

Why this answer

D is correct because AWS Direct Connect provides dedicated, consistent low-latency connectivity. A is wrong because a VPN over the internet introduces variability. C is wrong because Client VPN is for individual client connections.

B is wrong because VPC peering is for inter-VPC communication, not on-premises connectivity.

1723
Multi-Select · medium

A company is designing a new system to ingest and process real-time streaming data from thousands of IoT devices. The system must be able to handle variable throughput and provide durable storage for the data. The data will be processed by a Lambda function and then stored in Amazon S3. Which two services should be used together to build this ingestion pipeline?

Select 2 answers
A. AWS Lambda
B. Amazon Kinesis Data Firehose
C. Amazon Simple Queue Service (SQS)
D. Amazon Kinesis Data Streams
E. Amazon Simple Notification Service (SNS)
Answers: A, D

Can process records from Kinesis Data Streams in near real-time.

Why this answer

Amazon Kinesis Data Streams provides durable, scalable ingestion, and AWS Lambda can process the data in real time, so options A and D are correct. Option B is wrong because Kinesis Data Firehose is used for loading data into destinations; although it can invoke Lambda for transformation, Data Streams is the better fit for real-time processing.

Option C is wrong because SQS is for message queues, not streaming. Option E is wrong because SNS is for pub/sub notifications.

1724
MCQ · easy

A company uses AWS CloudFormation to deploy infrastructure. A recent change to a stack failed because an IAM role name already exists. The company wants to avoid this issue in the future. What should a solutions architect do?

A. Enable termination protection on the stack.
B. Use a DeletionPolicy of Retain on the IAM role resource.
C. Create a custom resource with an AWS Lambda function to generate a random role name.
D. Use the Fn::Sub function with a reference to the AWS::StackName in the IAM role name.
Answer: D

This ensures unique role names across stacks.

Why this answer

Option D is correct because using the Fn::Sub function with a reference to AWS::StackName makes the role name unique per stack. Option B is wrong because a DeletionPolicy of Retain on the AWS::IAM::Role resource does not recreate or rename roles. Option A is wrong because EnableTerminationProtection prevents accidental stack deletion but does not help with naming conflicts.

Option C is wrong because a custom resource with a Lambda function is overkill and adds complexity.

1725
MCQ · medium

A company is refactoring a legacy .NET application to run on AWS Lambda. The application currently uses Windows authentication and Active Directory. Which approach should the company use to support authentication in the new architecture?

A. Use Amazon Cognito user pools for authentication.
B. Use AWS Directory Service for Microsoft Active Directory and connect Lambda to the directory via VPC.
C. Use AWS Identity and Access Management (IAM) roles to authenticate users.
D. Use AWS Security Token Service (STS) to issue tokens for authentication.
Answer: B

This enables Kerberos/NTLM authentication within the VPC.

Why this answer

B is correct because AWS Managed Microsoft AD provides Active Directory integration for Lambda via the VPC (or through AD Connector). A is wrong because Cognito is for external identities. C is wrong because IAM is for AWS service access, not Windows authentication.

D is wrong because Security Token Service generates temporary credentials; it does not authenticate users.
