AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 151-225

1746 questions total · 24pages · All types, answers revealed

Page 3 of 24
151
MCQ · easy

A company is building a microservices architecture on Amazon ECS with Fargate. Each service must be isolated and communicate only via APIs. The company needs to enforce that services cannot directly access each other's databases. Which approach should be used?

A. Use a single VPC with network ACLs to block database ports between services.
B. Use IAM policies to restrict database access at the API level.
C. Place all services in the same VPC and use security groups to restrict database access.
D. Create a separate VPC for each service and use VPC peering for API communication only.
Answer: D

Separate VPCs provide strong isolation; VPC peering allows controlled API traffic.

Why this answer

Placing each service in its own VPC with VPC peering (Option D) provides network isolation and controlled access. Option A (network ACLs in a single VPC) does not isolate the databases. Option C (security groups in the same VPC) is less granular.

Option B (IAM policies) does not prevent network access.

152
MCQ · medium

A company is designing a multi-region active-active application with a relational database. The application requires strong consistency and read-after-write consistency globally. Which AWS database service should the company choose?

A. Amazon Aurora Global Database
B. Amazon RDS for MySQL with Multi-AZ
C. Amazon DynamoDB Global Tables
D. Amazon ElastiCache for Memcached
Answer: A

Aurora Global Database supports active-active multi-region with low-latency replication and strong consistency.

Why this answer

Amazon Aurora Global Database is designed for multi-region active-active applications requiring strong consistency and read-after-write consistency. It uses a primary region for writes and replicates data to up to five secondary regions with typical latency under one second, while still providing global read-after-write consistency through its storage-based replication layer. This makes it the only AWS relational database service that meets the stated requirements for a multi-region active-active setup with strong consistency.

Exam trap

The trap here is that candidates often confuse DynamoDB Global Tables (NoSQL, eventual consistency) with a relational database that provides strong consistency, or they assume Multi-AZ RDS can be extended to multi-region active-active, when in fact it is single-region only.

How to eliminate wrong answers

Option B is wrong because Amazon RDS for MySQL with Multi-AZ only provides high availability within a single region, not multi-region active-active capability, and it does not offer global read-after-write consistency. Option C is wrong because Amazon DynamoDB Global Tables is a NoSQL database, not a relational database, and while it offers multi-region replication, it provides eventual consistency by default, not strong consistency or read-after-write consistency globally. Option D is wrong because Amazon ElastiCache for Memcached is an in-memory caching service, not a relational database, and it does not provide persistent storage, strong consistency, or multi-region replication.

153
Multi-Select · medium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets are encrypted with AWS KMS and prohibit public access. Which TWO actions should the team take?

Select 2 answers
A. Use AWS Config rules to automatically remediate non-compliant buckets.
B. Enable AWS CloudTrail to monitor and automatically remediate non-compliant buckets.
C. Create an SCP to deny s3:PutObject actions without the x-amz-server-side-encryption header set to aws:kms.
D. Create an S3 bucket policy in each account to enforce encryption and block public access.
E. Create an SCP to deny s3:PutBucketPublicAccessBlock and s3:PutBucketPolicy actions unless encryption is enabled.
Answers: C, E

This SCP enforces KMS encryption for all PutObject requests.

Why this answer

Options C and E are correct. Service control policies (SCPs) can deny actions that do not meet the encryption and public-access conditions. Option D is wrong because bucket policies are resource-level and must be maintained per bucket.

Option B is wrong because CloudTrail cannot enforce anything. Option A is wrong because Config rules only detect, not enforce.

154
MCQ · hard

A company is migrating a data warehouse from on-premises to Amazon Redshift. The current workload runs complex queries that join large tables. The company wants to optimize query performance after migration. Which design should the company implement?

A. Use distribution style AUTO and let Redshift decide
B. Use distribution style EVEN on all tables
C. Use distribution style ALL on all large tables
D. Use distribution style KEY on the join columns of large tables
Answer: D

Co-locates rows from different tables on the same node, avoiding data movement.

Why this answer

Option D is correct because distribution style KEY on the join columns ensures that rows sharing a key are co-located on the same node, minimizing data movement. Option C (ALL) is not suitable for large tables. Option B (EVEN) distributes rows without regard to the join key.

Option A (AUTO) may not choose the optimal distribution.

155
MCQ · easy

A company is migrating a monolithic application to AWS. They want to minimize changes to the application code while taking advantage of AWS managed services. Which migration strategy should they use?

A. Rehost / Lift-and-Shift
B. Repurchase / Drop and Shop
C. Replatform / Lift, Tinker, and Shift
D. Refactor / Re-architect
Answer: A

Moves the application as-is, minimizing code changes.

Why this answer

Option A (Rehost) is correct because it moves the application as-is to AWS, often onto EC2, without code changes. Option D (Refactor) requires code changes. Option C (Replatform) involves some optimizations but still requires changes.

Option B (Repurchase) replaces the application with a SaaS solution.

156
MCQ · hard

A company manages multiple AWS accounts using AWS Organizations. They want to enforce that any EC2 instance launched with a public IP address must have a specific security group attached. What is the MOST effective way to enforce this?

A. Create an IAM policy that requires the security group when launching instances with a public IP.
B. Use AWS Config rules to detect non-compliant instances and automatically terminate them.
C. Use AWS CloudFormation StackSets to deploy a template that only allows instances with the required security group.
D. Apply a service control policy (SCP) that denies ec2:RunInstances when the instance has a public IP and does not include the required security group.
Answer: D

Prevents non-compliant launches.

Why this answer

Service control policies (SCPs) in AWS Organizations allow you to centrally control the maximum available permissions for all accounts in the organization. By crafting an SCP with a condition that denies ec2:RunInstances when the instance has a public IP (using ec2:AssociatePublicIpAddress) and does not include the required security group (using ec2:SecurityGroup), you can proactively prevent non-compliant instances from being launched at the API level, rather than detecting and remediating after the fact.

Exam trap

The trap here is that candidates often choose AWS Config (Option B) because it is a well-known compliance tool, but they overlook that Config is reactive (detect and remediate) rather than proactive (prevent at the API call), which is the key distinction for 'enforce' in this question.

How to eliminate wrong answers

Option A is wrong because IAM policies are attached to users, roles, or groups and cannot enforce conditions based on the instance's runtime configuration (like public IP assignment) at the time of launch across all accounts in an organization; they also cannot prevent launches by users with full admin privileges. Option B is wrong because AWS Config rules are detective, not preventive—they can detect non-compliant instances and trigger auto-remediation (e.g., termination), but this allows a window of non-compliance and potential cost/security exposure before remediation. Option C is wrong because CloudFormation StackSets deploy templates but cannot enforce a blanket policy across all accounts; users with sufficient IAM permissions can still launch instances manually via the console, CLI, or SDK outside of CloudFormation, bypassing the template's constraints.

157
MCQ · medium

A company runs a batch processing application on AWS. The application reads input files from an S3 bucket, processes them on EC2 instances, and writes results to another S3 bucket. The processing job runs once a day and takes approximately 3 hours. The company wants to reduce costs and operational overhead. The Solutions Architect suggests using AWS Lambda for processing, but the processing time per file can exceed the Lambda maximum execution time of 15 minutes. The architect also considers using AWS Batch. The company wants to minimize the need for infrastructure management. Which solution should the Solutions Architect recommend?

A. Provision a fleet of EC2 instances and use Auto Scaling to manage the processing.
B. Use AWS Lambda with a larger memory allocation to increase CPU and reduce processing time.
C. Use AWS Batch with a managed compute environment that uses Spot Instances and a job queue.
D. Use Amazon ECS with Fargate launch type and run the processing as a task.
Answer: C

AWS Batch manages infrastructure and supports long-running jobs.

Why this answer

Option C is correct because AWS Batch manages the compute environment, scales automatically, and handles long-running jobs without managing EC2 instances directly. Option B is wrong because Lambda has a 15-minute limit. Option A is wrong because it requires manual management of EC2 instances.

Option D is wrong because the Fargate launch type for ECS can run long tasks but requires more setup than AWS Batch for batch jobs.

158
Multi-Select · easy

A company is designing a new serverless application using AWS Lambda. The application needs to access an Amazon RDS database. Which THREE steps are required to secure the database access? (Choose THREE.)

Select 3 answers
A. Place the Lambda function in a VPC with access to the RDS instance
B. Enable encryption on the RDS instance
C. Store database credentials in the Lambda function code
D. Assign an IAM role to the Lambda function with permissions to connect to RDS
E. Use a public IP address for the RDS instance
Answers: A, B, D

Lambda in VPC can access RDS.

Why this answer

Option A is correct because placing the Lambda function in the same VPC as the RDS instance allows it to communicate over a private IP address, eliminating exposure to the public internet. This is essential for secure database access, as Lambda functions outside the VPC cannot directly connect to RDS instances that are not publicly accessible.

Exam trap

The trap here is that candidates often confuse IAM roles with direct database authentication, thinking that assigning an IAM role alone is sufficient without also configuring IAM database authentication on the RDS side, or they overlook the necessity of VPC placement for private network connectivity.

159
MCQ · medium

A company runs a stateful web application on EC2 instances in an Auto Scaling group. The application uses a shared file system mounted on each instance. The company wants to minimize downtime during deployments. What should they use?

A. Use an in-place update without any hooks.
B. Use a rolling update with a lifecycle hook to gracefully handle connections and unmount the file system before instance termination.
C. Perform a blue/green deployment.
D. Terminate all instances and launch new ones.
Answer: B

Lifecycle hooks allow graceful shutdown.

Why this answer

Option B is correct because a rolling update with a lifecycle hook allows connections to be drained and the file system unmounted gracefully. Option C (blue/green) is for immutable deployments, which stateful applications may not support. Options A and D do not minimize downtime.

160
MCQ · medium

A company has an AWS Lambda function that processes files uploaded to an S3 bucket. The Lambda function has been running successfully for months. Recently, the company updated the Lambda function code and started seeing occasional throttling errors (HTTP 429) from the Lambda service. The function's reserved concurrency is set to 100. The company is unsure why throttling is occurring only after the code update. What is the MOST likely cause?

A. The Lambda function is writing logs to CloudWatch Logs at a rate that exceeds the CloudWatch throttling limit.
B. The S3 bucket is receiving more uploads than before, causing more Lambda invocations.
C. The updated Lambda function no longer has the required IAM permissions to access S3, causing retries that throttle.
D. The code update increased the execution time of the Lambda function, leading to a higher number of concurrent executions that exceed the account-level concurrency limit.
Answer: D

Longer execution time means more invocations overlap, increasing concurrency and potentially hitting account limits.

Why this answer

Option D is correct because throttling occurs when the function's concurrent invocations exceed the account-level concurrency limit (default 1000). The code update may have increased execution time, causing more concurrent invocations to pile up. Option B is wrong because more S3 events would increase invocations, but the reserved concurrency of 100 might still be within account limits.

Option C is wrong because execution role permission errors do not cause throttling errors. Option A is wrong because CloudWatch Logs throttling would cause log events to be dropped, not Lambda throttling.

161
Multi-Select · easy

A company is hosting a static website on Amazon S3. The website uses JavaScript to make API calls to a backend API hosted on Amazon API Gateway. The company wants to reduce latency for users worldwide. Which combination of AWS services should the solutions architect use? (Choose two.)

Select 2 answers
A. Use CloudFront with API Gateway as an origin.
B. Use AWS Global Accelerator for the S3 website.
C. Use Lambda@Edge to process API calls at the edge.
D. Use Amazon CloudFront for both the S3 website and the API Gateway endpoint.
E. Enable S3 Transfer Acceleration on the bucket.
Answers: A, D

This allows API calls to be served from edge locations.

Why this answer

Options A and D are correct. CloudFront can serve as the CDN for the S3 static website and can also accelerate API calls by using API Gateway as an origin. S3 Transfer Acceleration speeds up uploads to S3, but for API calls CloudFront is better.

Option E is incorrect because S3 Transfer Acceleration is for uploads, not for reducing API-call latency. Option B is incorrect because Global Accelerator improves TCP performance but is not typically used for static websites. Option C is incorrect because Lambda@Edge runs at CloudFront edge locations but does not replace API Gateway.

162
MCQ · medium

Refer to the exhibit. A company is migrating an application to AWS and has attached the IAM policy shown to an IAM role. The application runs on an EC2 instance and needs to upload files to an S3 bucket. However, the uploads are failing with an access denied error. What is the most likely cause?

A. The IAM policy does not allow the s3:PutObject action
B. The IAM policy uses an incorrect resource ARN
C. The IAM policy restricts access based on source IP, but the EC2 instance's public IP is not in the allowed range
D. The S3 bucket policy denies access from the instance
Answer: C

Correct: The IP condition is likely blocking the instance.

Why this answer

The policy restricts the source IP to 203.0.113.0/24, but the public IP of an EC2 instance is dynamic (unless an Elastic IP is used). The aws:SourceIp condition checks the public IP, which for an EC2 instance is the instance's own public IP or the IP of the NAT gateway it egresses through. The instance's private IP is not the source IP.

The condition is too restrictive. Option D is incorrect because the bucket policy is not shown. Option A is incorrect because the action is allowed.

Option B is incorrect because the resource ARN is correct.

163
MCQ · hard

A company has a multi-account AWS environment with over 500 accounts managed through AWS Organizations. The accounts are organized into OUs by business unit. The security team wants to enforce a policy that all S3 buckets must have server-side encryption enabled (SSE-S3 or SSE-KMS). They also want to automatically remediate any existing non-compliant buckets and prevent creation of new non-compliant buckets. Currently, there is no centralized logging or monitoring. The team has tried using AWS Config rules with auto-remediation, but they found that Config rules are not triggered for buckets created before the rule was enabled, and some teams are creating buckets via AWS CloudFormation that bypass the Config rule evaluation. The team needs a solution that covers all buckets, regardless of creation method or time. What should the team do?

A. Use AWS CloudFormation StackSets to deploy a bucket template that enforces encryption across all accounts.
B. Apply an SCP that denies s3:CreateBucket if encryption is not specified, and use AWS Config rules with Lambda auto-remediation to fix existing non-compliant buckets.
C. Use AWS CloudTrail to detect non-compliant bucket creation and send alerts to administrators.
D. Use S3 bucket policies to deny PutObject if encryption is not set.
Answer: B

SCP prevents new non-compliant buckets; Config remediates existing ones.

Why this answer

Option B is correct because an SCP applied at the root or OU level can deny s3:CreateBucket when encryption settings are not specified, preventing creation of non-compliant buckets regardless of the method (console, CLI, CloudFormation). For existing non-compliant buckets, AWS Config rules with Lambda auto-remediation can scan and fix them, and Config rules can be configured to evaluate all existing resources by running a manual or scheduled evaluation after the rule is enabled, addressing the gap where buckets created before the rule was enabled were not evaluated.

Exam trap

The trap here is that candidates often assume AWS Config rules automatically evaluate all existing resources when enabled, but they only evaluate resources on configuration changes after enablement unless a manual or scheduled evaluation is triggered, leading to the misconception that Config alone cannot cover pre-existing buckets.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets can deploy templates but cannot enforce encryption on buckets created outside of CloudFormation, and teams can still create buckets via other methods (console, CLI) that bypass the template. Option C is wrong because CloudTrail only detects and alerts on bucket creation events but does not prevent creation of non-compliant buckets or remediate existing ones, leaving the security gap open. Option D is wrong because S3 bucket policies can deny PutObject without encryption but do not enforce encryption at the bucket level (SSE-S3 or SSE-KMS) during bucket creation, and they cannot prevent creation of buckets without encryption settings.

164
MCQ · easy

A company is migrating a legacy application to AWS. The application runs on a single Windows Server instance and uses a local MySQL database. The company wants to minimize changes to the application code. Which migration strategy should the company use?

A. Rehost the application on Amazon EC2 with MySQL installed on the same instance
B. Retire the application and replace it with a SaaS alternative
C. Refactor the application to use a serverless architecture with AWS Lambda and Amazon DynamoDB
D. Replatform the application by moving the database to Amazon RDS for MySQL
Answer: A

Rehosting moves the application without changes, minimizing risk.

Why this answer

Option A is correct: Rehost (lift-and-shift) moves the application as-is to EC2 with MySQL on the same instance. Option C (Refactor) requires code changes. Option D (Replatform) moves the database to RDS, which may require code changes.

Option B (Retire) is not appropriate.

165
MCQ · easy

A company uses AWS CodePipeline to deploy a web application. They want to automatically roll back the deployment if the new version fails CloudWatch alarm-based health checks. Which feature should they use?

A. AWS Lambda function invoked by CloudWatch Events.
B. Amazon Route 53 health checks with failover routing.
C. AWS CodeBuild with post-build actions.
D. CodeDeploy automatic rollback configuration with CloudWatch alarm.
Answer: D

CodeDeploy supports automatic rollback when a CloudWatch alarm is in ALARM state.

Why this answer

CodeDeploy can be configured to automatically roll back a deployment when a CloudWatch alarm is triggered. This is a native feature, so Option D is correct.

Options A, B, and C are not directly applicable: Lambda can be used but is not the primary feature; Route 53 health checks are not integrated with CodeDeploy; CodeBuild is for building, not deploying.

166
MCQ · easy

A company is designing a new web application that will serve static content (HTML, CSS, JS, images) to users globally. The application must have low latency and high availability. Content changes infrequently, but when updated, the changes must be reflected immediately. Which solution should the architect recommend?

A. Store content in an S3 bucket and use Amazon CloudFront with S3 as origin
B. Store content on an EC2 instance behind an Application Load Balancer and use CloudFront
C. Store content in Amazon ElastiCache for Redis and use CloudFront
D. Store content in an S3 bucket and use S3 Transfer Acceleration
Answer: A

CloudFront provides global edge caching for low latency, and invalidations allow immediate content updates.

Why this answer

Option A is correct because CloudFront can serve static content from an S3 bucket with low latency, and invalidations can be used to update content immediately. Option D is wrong because S3 with Transfer Acceleration does not provide global low-latency delivery of content. Option B is wrong because CloudFront in front of an ALB adds unnecessary complexity and cost for static content.

Option C is wrong because ElastiCache is not designed for serving static files.

167
MCQ · medium

A company is designing a new application that will store sensitive user data in Amazon S3. The data must be encrypted at rest and in transit. The solution must use AWS managed keys and must be compliant with PCI DSS. Which combination of encryption options should be used?

A. SSE-S3 for at-rest encryption and HTTPS for in-transit encryption
B. Client-side encryption for at-rest and HTTPS for in-transit
C. SSE-KMS for at-rest encryption and HTTP for in-transit encryption
D. SSE-C for at-rest encryption and HTTPS for in-transit
Answer: A

SSE-S3 uses AWS managed keys and HTTPS is standard for in-transit.

Why this answer

Option A is correct because SSE-S3 provides server-side encryption at rest using AWS-managed keys (S3-managed keys), which satisfies the requirement for AWS managed keys. HTTPS ensures encryption in transit, and both are compliant with PCI DSS standards for protecting sensitive data.

Exam trap

The trap here is that candidates may confuse SSE-KMS (which also uses AWS managed keys but adds additional control and cost) with SSE-S3, but SSE-S3 is simpler and fully compliant; the key requirement is 'AWS managed keys,' not necessarily KMS, and SSE-S3 meets that without extra overhead.

How to eliminate wrong answers

Option B is wrong because client-side encryption does not use AWS managed keys; it uses keys managed by the client, which violates the requirement for AWS managed keys. Option C is wrong because HTTP does not provide encryption in transit, leaving data vulnerable to interception, and PCI DSS requires encrypted transmission (e.g., HTTPS/TLS). Option D is wrong because SSE-C uses customer-provided keys, not AWS managed keys, failing the requirement for AWS managed keys.

168
Multi-Select · medium

A company has multiple AWS accounts. They want to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should be taken to enforce this across all accounts?

Select 2 answers
A. Use AWS CloudTrail to detect console logins without MFA and send alerts.
B. Attach an SCP that denies all AWS actions if the aws:MultiFactorAuthPresent condition is false.
C. Require each IAM user to have a virtual MFA device assigned.
D. Create an IAM group for users without MFA and deny them console access.
E. Attach an IAM policy to all users that denies console access if MFA is not present.
Answers: B, E

This denies actions when MFA is not used.

Why this answer

Option B is correct because AWS Organizations Service Control Policies (SCPs) can be applied to all accounts in the organization to centrally enforce that any API action is denied unless the request includes MFA. By using the `aws:MultiFactorAuthPresent` condition key set to `false`, the SCP effectively blocks all AWS actions (including console login) for any principal that has not authenticated with MFA. This ensures a blanket, unmodifiable guard across all member accounts, even preventing account administrators from bypassing the requirement.

Exam trap

The trap here is that candidates often confuse detection (CloudTrail) with enforcement (SCP or IAM policy), or they assume that assigning an MFA device is sufficient without a corresponding deny policy, leading them to pick options that only monitor or partially enforce the requirement.
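Three of the questions on this page (153's SSE-KMS header check, 162's aws:SourceIp restriction, and 168's aws:MultiFactorAuthPresent check) all turn on how IAM treats a condition key that is present, absent or mismatched. The Python below is an added example, not part of the original question bank and not AWS code: a deliberately simplified evaluator that models explicit-deny-wins, Allow, and implicit deny for a single policy document, with three constructed policies to run through it. The Sids, the sample request contexts and the CIDR/IP values are assumptions chosen for illustration; the trailing FullAWSAccess Allow mirrors the default SCP that AWS Organizations attaches, so that a request an SCP does not deny evaluates to Allow.

```python
"""Simplified IAM policy evaluator, constructed for illustration (not the AWS engine).

Models enough of IAM evaluation to show how the conditions in questions 153, 162
and 168 decide a request: an explicit Deny wins, otherwise a matching Allow wins,
otherwise the request is implicitly denied. All policies below are constructed.
"""
import copy
import ipaddress
from fnmatch import fnmatchcase
from typing import Any, Dict

FULL_ACCESS = {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}

# Question 153: deny s3:PutObject unless x-amz-server-side-encryption is aws:kms.
# The Null statement is what catches requests that omit the header entirely.
SSE_KMS_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny",
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyNonKmsEncryption", "Effect": "Deny",
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        FULL_ACCESS,
    ],
}

# Question 162: an Allow restricted to a source CIDR (constructed range). A request
# arriving from any other public IP, e.g. a NAT gateway address, is implicitly denied.
SOURCE_IP_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPutFromOfficeRange", "Effect": "Allow",
         "Action": "s3:PutObject", "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

# Question 168: deny everything unless the session carries MFA. BoolIfExists also
# matches when the key is absent (long-term access keys); a plain Bool would not.
MFA_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAllWithoutMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        FULL_ACCESS,
    ],
}
MFA_SCP_PLAIN_BOOL = copy.deepcopy(MFA_SCP)  # weaker variant, kept for comparison
MFA_SCP_PLAIN_BOOL["Statement"][0]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}


def _condition_matches(op: str, key: str, expected: str, ctx: Dict[str, str]) -> bool:
    """Evaluate one condition operator against the request context (IAM subset)."""
    actual = ctx.get(key)  # None: the key is not present in this request
    if op == "Null":
        return (actual is None) == (expected.lower() == "true")
    if op.endswith("IfExists"):
        if actual is None:
            return True  # ...IfExists treats an absent key as satisfied
        op = op[: -len("IfExists")]
    if actual is None:
        return False  # in this model no other operator matches an absent key
    if op == "StringEquals":
        return actual == expected
    if op == "StringNotEquals":
        return actual != expected
    if op == "Bool":
        return actual.lower() == expected.lower()
    if op == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError(f"unsupported operator: {op}")


def _statement_matches(stmt: Dict[str, Any], action: str, ctx: Dict[str, str]) -> bool:
    """True when the action matches the statement and every condition holds."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action.lower(), p.lower()) for p in actions):
        return False
    conditions = stmt.get("Condition", {})
    return all(_condition_matches(op, key, value, ctx)
               for op, pairs in conditions.items() for key, value in pairs.items())


def evaluate(policy: Dict[str, Any], action: str, ctx: Dict[str, str]) -> str:
    """Return 'Deny:<Sid>', 'Allow:<Sid>' or 'ImplicitDeny' for one policy document."""
    matched = [s for s in policy["Statement"] if _statement_matches(s, action, ctx)]
    for s in matched:  # an explicit Deny always wins
        if s["Effect"] == "Deny":
            return f"Deny:{s.get('Sid', '')}"
    for s in matched:
        if s["Effect"] == "Allow":
            return f"Allow:{s.get('Sid', '')}"
    return "ImplicitDeny"


if __name__ == "__main__":
    print(evaluate(SSE_KMS_SCP, "s3:PutObject", {}))
    print(evaluate(SOURCE_IP_POLICY, "s3:PutObject", {"aws:SourceIp": "198.51.100.7"}))
    print(evaluate(MFA_SCP, "ec2:DescribeInstances", {}))
    print(evaluate(MFA_SCP_PLAIN_BOOL, "ec2:DescribeInstances", {}))
```

The comparison between MFA_SCP and MFA_SCP_PLAIN_BOOL is the point of the exam trap above: with BoolIfExists, a request that carries no aws:MultiFactorAuthPresent key at all (long-term access keys) is denied, whereas the plain Bool form lets it through. The model omits Resource matching, NotAction, multivalued keys and cross-policy precedence, so check anything real with the IAM policy simulator.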

169
MCQ · medium

A company is migrating a multi-tier web application to AWS. The application consists of a web tier, an application tier, and a database tier. The company wants to use AWS services to improve scalability and reduce management overhead. The web and application tiers run on Linux. The database is Oracle running on Linux. Which solution meets these requirements with the LEAST operational overhead?

A. Deploy web and application tiers on Amazon EC2 instances in an Auto Scaling group. Migrate the database to an Amazon RDS for Oracle DB instance.
B. Containerize the web and application tiers and deploy them on Amazon ECS with AWS Fargate. Migrate the database to Amazon RDS for Oracle.
C. Deploy the web and application tiers using AWS Elastic Beanstalk with an Auto Scaling group. Migrate the database to Amazon RDS for Oracle.
D. Deploy web and application tiers on Amazon EC2 instances in an Auto Scaling group. Migrate the database to Oracle on Amazon RDS Custom.
Answer: C

Elastic Beanstalk automates capacity provisioning, load balancing, and scaling, reducing operational overhead.

Why this answer

Option C is correct: Elastic Beanstalk manages the web and application tiers automatically, and RDS for Oracle manages the database. Option A (EC2 + Auto Scaling) requires more manual management. Option B (ECS + Fargate) is more complex for a simple migration.

Option D (EC2 + RDS Custom) still requires managing EC2 instances.

170
MCQ · easy

A company wants to implement a centralized logging solution for all AWS accounts in AWS Organizations. The logs include CloudTrail, VPC Flow Logs, and AWS Config configuration items. Which approach provides the MOST scalable and cost-effective solution?

A. Configure each account to deliver logs to a central Amazon S3 bucket in a logging account, and use S3 Lifecycle policies to transition logs to Amazon S3 Glacier.
B. Use Amazon Kinesis Data Firehose in each account to stream logs to a central Amazon S3 bucket.
C. Configure each account to deliver logs to its own S3 bucket and use S3 Replication to copy logs to a central bucket.
D. Send logs to Amazon CloudWatch Logs in each account and use cross-account CloudWatch Logs subscription filters to forward logs to a central account.
Answer: A

S3 is cost-effective for central log storage.

Why this answer

Option A is correct because cross-account delivery to a central S3 bucket with S3 Lifecycle policies minimizes storage costs and centralizes logs. Option D is wrong because CloudWatch Logs in each account requires separate retention and is not as cost-effective for long-term storage. Option B is wrong because Kinesis Data Firehose is more expensive and adds complexity.

Option C is wrong because S3 Replication incurs additional costs.

171
MCQ · hard

A company has an S3 bucket that stores critical data. They need to ensure that all objects are encrypted at rest. The bucket policy currently denies uploads if the x-amz-server-side-encryption header is not set to AES256. However, some objects are still stored with SSE-KMS. How can the company enforce SSE-S3 exclusively?

A. Use S3 Lifecycle policies to transition objects to SSE-S3.
B. Enable default encryption on the bucket with SSE-S3.
C. Update the bucket policy to deny uploads with SSE-KMS.
D. Use S3 Object Lambda to change encryption.
Answer: C

Denying SSE-KMS enforces SSE-S3.

Why this answer

Option C is correct because updating the bucket policy to deny uploads with SSE-KMS (or with no encryption at all) ensures only SSE-S3 is allowed. Option D is incorrect because the bucket policy itself must be updated. Option B is incorrect because default encryption applies to new objects but does not prevent SSE-KMS.

Option A is incorrect because lifecycle rules do not change the encryption of existing objects.

172
MCQ · medium

A company is designing a new application that requires a relational database. The application has variable traffic, with high spikes during business hours and low traffic at night. The company wants to minimize costs while ensuring the database can handle the spikes. Which solution should the architect recommend?

A. Use Amazon RDS with Multi-AZ and read replicas, or Amazon Aurora Serverless
B. Use Amazon RDS with a Single-AZ instance and automatic scaling
C. Use Amazon DynamoDB with on-demand capacity
D. Use Amazon RDS with a Single-AZ instance and a large instance size
Answer: A

Multi-AZ provides high availability, read replicas handle read spikes, and Aurora Serverless automatically scales compute.

Why this answer

Option A is correct because RDS with Multi-AZ and read replicas provides high availability and read scaling, while Aurora Serverless automatically scales compute capacity. Option B is wrong because a single RDS instance is not highly available. Option C is wrong because DynamoDB is NoSQL, not relational.

Option D is wrong because a Single-AZ RDS instance is not highly available and does not handle spikes.

173
Multi-Select · medium

A company wants to implement AWS Organizations with multiple OUs to isolate development, testing, and production workloads. The company needs to ensure that production workloads are not impacted by changes in other OUs. Which TWO practices should the company follow? (Choose two.)

Select 2 answers
A. Allow all users to assume cross-account roles for easier management.
B. Share the same VPC across all OUs to simplify networking.
C. Use separate AWS accounts for each environment to provide strong isolation.
D. Use resource tagging to isolate environments instead of accounts.
E. Apply separate SCPs to each OU to enforce different security policies.
Answers: C, E

Separate accounts provide the best isolation between environments.

174
Multi-Select · medium

A company is building a serverless data processing pipeline using AWS Lambda, Amazon DynamoDB, and Amazon S3. The pipeline processes JSON files uploaded to an S3 bucket, transforms the data, and writes results to DynamoDB. The company wants to ensure the pipeline can handle bursts of traffic without data loss. Which TWO design decisions should the solutions architect make?

Select 2 answers
A. Configure DynamoDB with on-demand capacity mode.
B. Use an Amazon SQS queue to buffer events from S3 before processing by Lambda.
C. Increase the Lambda function timeout to 15 minutes.
D. Use DynamoDB Streams to capture changes and process in batches.
E. Enable S3 Transfer Acceleration on the bucket.
Answers: A, B

On-demand capacity automatically scales to handle bursts without throttling.

Why this answer

Options A and B are correct. Having S3 event notifications publish to an SQS queue that Lambda polls decouples ingestion from processing: if Lambda is throttled or a batch fails, the messages stay in the queue (and can be routed to a dead-letter queue after repeated failures) instead of being lost. Configuring DynamoDB with on-demand capacity absorbs sudden increases in writes without throttling.

Option C is incorrect because a longer function timeout only limits execution time; it does not buffer or retry work. Option D is incorrect because DynamoDB Streams capture changes already written to the table; they do not help get data into it during a burst. Option E is incorrect because S3 Transfer Acceleration speeds up uploads over long distances; it does nothing for downstream burst handling.

175
MCQmedium

A company is using Amazon S3 to store critical data and needs to ensure that objects are automatically deleted after 30 days. The current lifecycle policy is configured to expire objects after 30 days, but objects are not being deleted. What is the most likely cause?

A.The bucket has versioning enabled, and lifecycle rules apply only to current versions.
B.The objects are stored in the S3 Glacier Deep Archive storage class.
C.The bucket has S3 Object Lock enabled with a retention period exceeding 30 days.
D.The IAM role used by S3 Lifecycle lacks the s3:DeleteObject permission.
AnswerC

Object Lock prevents object deletion before retention expires.

Why this answer

Option C is correct because an Object Lock retention period (in governance or compliance mode) or a legal hold prevents the locked object version from being deleted, by a lifecycle rule or by anyone else, until the retention period has passed; an expiration that fires at day 30 against a longer retention simply does nothing. Option A is wrong as stated: in a versioned bucket the Expiration action does apply to current versions, but it only adds a delete marker, and older versions need a separate NoncurrentVersionExpiration action. That leaves noncurrent versions behind; it does not block expiration. Option B is wrong because storage class does not affect expiration; objects in Glacier Deep Archive can still be expired (a transition has a minimum storage duration, an expiration does not).

Option D is wrong because S3 Lifecycle runs as part of the S3 service; there is no IAM role to grant s3:DeleteObject to, and lifecycle actions do not go through an IAM policy check.

176
MCQeasy

A company is migrating a web application to AWS. They want to use the same domain name for both the development and production environments, but route traffic based on the source IP address. Which AWS service can accomplish this?

A.Amazon Route 53 with geolocation routing policy
B.Elastic Load Balancer (ELB)
C.AWS Global Accelerator
D.Amazon CloudFront
AnswerA

Route 53 can route based on the geographic location of the client's IP.

Why this answer

Option A is correct because Route 53's geolocation routing policy answers DNS queries based on the location of the querying resolver's IP (or of the client subnet when the resolver sends EDNS Client Subnet), so the same domain can resolve to the development endpoint for one location and production for another. Route 53 also offers an IP-based routing policy for cases where the rule must be expressed as explicit CIDR blocks rather than locations. Option B is wrong because an ELB distributes traffic among targets behind a single endpoint; it does not pick a destination by client IP. Option C is wrong because Global Accelerator uses anycast IPs and its own traffic dials, not DNS-based routing policies.

Option D is wrong because CloudFront is a CDN in front of an origin, not a DNS-based routing service.

177
MCQhard

An SCP is attached to a production OU. An IAM user in a member account under that OU attempts to launch an m5.large EC2 instance. What happens?

A.The launch succeeds because the condition evaluates to true.
B.The launch succeeds because the SCP only denies StartInstances.
C.The launch fails because the SCP denies the action.
D.The launch succeeds because the SCP allows all instance types except t3.micro.
AnswerC

The condition matches, so the deny is applied.

Why this answer

Option C is correct because the SCP (as described in this explanation) denies ec2:RunInstances when ec2:InstanceType is anything other than t3.micro. The StringNotEquals condition evaluates to true for m5.large, the explicit deny applies, and an explicit deny in an SCP cannot be overridden by any IAM policy in the member account. Option A is wrong because the condition evaluating to true is exactly what triggers the deny.

Option B is wrong because the statement covers RunInstances, not only StartInstances. Option D is wrong because SCPs never grant; the statement is a deny, and other instance types remain launchable only because the default FullAWSAccess SCP still allows them.

178
Multi-Selecteasy

A company uses Amazon S3 to store critical data. They need to ensure that data is encrypted at rest. Which TWO methods can achieve this?

Select 2 answers
A.Enable SSL/TLS for the S3 bucket
B.Configure a bucket policy to enforce encryption
C.Use client-side encryption
D.Use AWS KMS (SSE-KMS)
E.Use S3-Managed Keys (SSE-S3)
AnswersD, E

SSE-KMS uses AWS KMS for encryption.

Why this answer

Options D and E are correct. E: SSE-S3 encrypts every object with keys S3 manages (AES-256) and has been the default for new objects since January 2023. D: SSE-KMS encrypts with a KMS key, which adds key policies, CloudTrail logging of every key use and optional automatic rotation.

Option A is wrong because SSL/TLS protects data in transit, not at rest. Option B is wrong because a bucket policy can require an encryption header but does not itself encrypt anything. Option C does leave ciphertext at rest, but the keys and the encryption step live in the client, so it is not an S3-provided method in the sense the question intends.

179
MCQmedium

A CloudFormation stack update failed with the above error. What is the likely cause?

A.The S3 bucket does not contain the zip file.
B.The IAM role ARN is incorrect.
C.The timeout value is too high.
D.The runtime is no longer supported by AWS Lambda.
AnswerD

Node.js 14.x is deprecated.

Why this answer

Option D is correct because the error message explicitly states that the runtime 'nodejs14.x' is not supported. Lambda first blocks creating functions on a deprecated runtime and later blocks updates to them, so a stack update that touches the function fails until Runtime is moved to a supported Node.js version and the code is retested against it. Option A is wrong because a missing deployment package produces a different error, about the S3 key. Option B is wrong because a bad role ARN would fail role validation, not the runtime check.

Option C is wrong because any timeout inside the 900-second maximum is accepted.

180
Multi-Selectmedium

A company is designing a new application that will use Amazon S3 to store user-uploaded images. The application must enforce that all uploads are encrypted in transit and at rest. Additionally, the bucket must be configured to block all public access. Which TWO actions should be taken to meet these requirements?

Select 2 answers
A.Use server-side encryption with customer-provided keys (SSE-C).
B.Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
C.Use Amazon CloudFront to serve the images and enforce HTTPS.
D.Create a bucket policy that denies uploads without encryption in transit.
E.Configure the S3 Block Public Access settings to block all public access.
AnswersB, E

Default encryption ensures all objects are encrypted at rest automatically.

Why this answer

Option B is correct because S3 default encryption (SSE-S3 or SSE-KMS) ensures every object is encrypted at rest without relying on clients to send encryption headers. Option E is correct because the Block Public Access settings override any bucket policy or ACL that would expose the bucket, which is the public-access control the question asks for. Option A is wrong because SSE-C makes the client supply and safeguard the key on every request, adding operational burden the question does not ask for.

Option C is wrong because putting CloudFront in front of the bucket does not by itself configure the bucket's encryption or public-access settings. Option D describes a valid additional control (a bucket policy deny on aws:SecureTransport is the usual way to force HTTPS), but it is not one of the two bucket configuration actions the key treats as required; in practice you would add it alongside B and E.

181
MCQhard

A company is migrating a legacy Windows-based .NET application to AWS. The application uses a SQL Server database and a proprietary authentication mechanism that relies on Active Directory. The company wants to reduce operational overhead and licensing costs. Which combination of AWS services should the architect recommend for the migration?

A.Migrate the application to Amazon EC2 Linux instances and use Amazon Aurora with PostgreSQL compatibility
B.Migrate the application to Amazon EC2 Windows instances and the database to Amazon RDS for SQL Server
C.Containerize the application on Amazon ECS with Windows containers and use Amazon RDS for SQL Server
D.Migrate the application to AWS Elastic Beanstalk for Windows and the database to Amazon RDS for MySQL
AnswerB

This minimizes changes and reduces database overhead and licensing costs through RDS.

Why this answer

Using EC2 for the application (lift-and-shift) and RDS for SQL Server reduces overhead from database management and licensing. Moving to RDS for MySQL would require code changes for compatibility. Moving to Windows containers would require containerization effort.

Moving to Aurora would not support SQL Server.

182
MCQmedium

A company is using AWS Organizations and wants to allow only specific AWS services to be used in member accounts. The security team needs to block the use of Amazon EC2 and Amazon RDS, but allow all other services. Which SCP configuration should be used?

A.Deny effect with "*" as the action.
B.Deny effect with NotAction set to ec2:* and rds:*.
C.Allow effect with ec2:* and rds:* as the actions.
D.Deny effect with ec2:* and rds:* as the actions.
AnswerD

This denies all EC2 and RDS operations.

Why this answer

Option D is correct because an SCP is a ceiling on what any principal in the affected accounts can do, and an explicit Deny on ec2:* and rds:* removes every EC2 and RDS action from that ceiling. All other services remain usable only because the default FullAWSAccess SCP (Allow *) is still attached; SCPs never grant permissions, so each account's IAM policies still decide what is actually allowed within the ceiling.

Exam trap

The trap here is that candidates confuse NotAction with a targeted deny, mistakenly thinking it blocks only the specified services, when in fact NotAction denies everything except those services.

How to eliminate wrong answers

Option A is wrong because a Deny with '*' as the action would block every AWS service, not just EC2 and RDS. Option B is wrong because NotAction inverts the match: a Deny with NotAction ec2:*, rds:* denies everything except EC2 and RDS, the opposite of the requirement. Option C is wrong because an Allow statement in an SCP only sets the ceiling; it cannot block anything. If such an allow-list SCP replaced FullAWSAccess it would permit only EC2 and RDS, again the opposite of the requirement; attached alongside FullAWSAccess it changes nothing.
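A small evaluator for the SCP semantics in this question and in question 177 (the instance-type condition), added here as an example; it is not AWS code and it models only the fragments of the policy language the two questions need: Deny statements with Action or NotAction, '*' wildcards, and StringEquals/StringNotEquals conditions. The Resource element is ignored (all three policies use "*"), and it assumes the default FullAWSAccess SCP is still attached, so whatever is not explicitly denied stays permitted. The production-OU policy is reconstructed from the explanation of question 177, since the exhibit itself is not reproduced on this page.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys.

    Only StringEquals and StringNotEquals are modelled.  As in IAM, a
    StringNotEquals on a key that is absent from the request evaluates to
    true, and a StringEquals on an absent key evaluates to false.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def scp_denies(policy, action, context=None):
    """True if any Deny statement in the SCP matches this action and context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            hit = _action_matches(_as_list(stmt["Action"]), action)
        else:
            # NotAction inverts the match: the statement applies to every
            # action EXCEPT the ones listed.
            hit = not _action_matches(_as_list(stmt["NotAction"]), action)
        if hit and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Option D of question 182: a targeted deny on the two services.
DENY_EC2_AND_RDS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["ec2:*", "rds:*"], "Resource": "*"}],
}

# Option B of question 182: the NotAction trap, which denies everything else.
NOTACTION_TRAP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "NotAction": ["ec2:*", "rds:*"], "Resource": "*"}],
}

# Question 177's production-OU policy, reconstructed from its explanation
# (assumption: the original document is not shown on the page).
PROD_ONLY_T3_MICRO = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"ec2:InstanceType": "t3.micro"}},
    }],
}

if __name__ == "__main__":
    cases = [
        ("deny ec2/rds", DENY_EC2_AND_RDS, "ec2:RunInstances", {}),
        ("deny ec2/rds", DENY_EC2_AND_RDS, "s3:PutObject", {}),
        ("NotAction trap", NOTACTION_TRAP, "s3:PutObject", {}),
        ("NotAction trap", NOTACTION_TRAP, "ec2:RunInstances", {}),
        ("prod OU", PROD_ONLY_T3_MICRO, "ec2:RunInstances", {"ec2:InstanceType": "m5.large"}),
        ("prod OU", PROD_ONLY_T3_MICRO, "ec2:RunInstances", {"ec2:InstanceType": "t3.micro"}),
    ]
    for name, policy, action, ctx in cases:
        print(f"{name:<15} {action:<20} {str(ctx):<35} denied={scp_denies(policy, action, ctx)}")
```

The NotAction case is the one to look at: the "trap" policy lets ec2:RunInstances through and denies s3:PutObject, which is the exact inverse of what the security team asked for.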

183
MCQhard

A company is modernizing its application by migrating from a monolithic architecture to microservices on Amazon ECS Fargate. The application uses an on-premises Oracle database, which is being migrated to Amazon Aurora PostgreSQL as part of the modernization. The team has refactored the application into several microservices, each with its own database schema in the same Aurora cluster. During load testing, the team notices that one microservice's heavy write operations cause increased latency for other microservices' read queries. The Aurora cluster uses a single writer and multiple readers. The team needs to isolate the write-heavy microservice without changing the application code. What should the solutions architect do?

A.Use Amazon RDS Proxy to manage database connections.
B.Create a separate Aurora cluster for the write-heavy microservice and point the microservice to that cluster.
C.Configure Aurora read replicas to offload read queries from the writer.
D.Increase the instance size of the Aurora writer to handle the write load.
AnswerB

A separate cluster provides complete isolation of write operations.

Why this answer

Using a separate Aurora cluster for the write-heavy microservice physically isolates its writes (its own writer instance and its own storage volume), so they cannot contend with the other microservices' readers. Only that microservice's connection endpoint configuration changes; its code does not. A larger writer instance may help but does not isolate. Read replicas offload reads, but the latency here comes from write pressure on the shared writer and storage, which replicas do not remove. RDS Proxy pools connections; it does not isolate workloads.

184
MCQhard

A company is designing a multi-region disaster recovery solution for a critical application. The application uses Amazon RDS for MySQL with Multi-AZ in the primary region. The recovery point objective (RPO) is 5 seconds, and the recovery time objective (RTO) is 1 minute. Which solution meets these requirements?

A.Create an RDS MySQL cross-region read replica in the secondary region and promote it during a disaster.
B.Take manual snapshots of the RDS instance every 5 seconds and copy them to the secondary region.
C.Use AWS Database Migration Service (DMS) to continuously replicate to a database in the secondary region.
D.Use Amazon Aurora Global Database with a primary instance in the primary region and one secondary in the secondary region.
AnswerD

Aurora Global Database provides low-latency replication and fast failover.

Why this answer

Amazon Aurora Global Database is the only option here that can realistically meet a 5-second RPO and a 1-minute RTO across regions. Its storage-layer replication typically lags under one second, and promoting the secondary cluster (or using managed failover) brings it to a writable state in about a minute. Cross-region read replicas and DMS both rely on logical replication, which lags more and takes longer to promote.

Exam trap

The trap here is that candidates often assume a cross-region read replica (Option A) can meet a 5-second RPO because MySQL replication is 'near real-time,' but in practice, replication lag is unpredictable and often exceeds 5 seconds, especially during peak loads or network issues.

How to eliminate wrong answers

Option A is wrong because an RDS for MySQL cross-region read replica uses asynchronous binlog replication whose lag is routinely several seconds to minutes, so a 5-second RPO cannot be guaranteed, and promotion takes minutes, not one. Option B is wrong because snapshots are nowhere near that granular: automated backups run daily, with transaction logs shipped every five minutes for point-in-time recovery, and copying a snapshot to another region takes minutes to hours, so a 5-second RPO is unattainable. Option C is wrong because DMS continuous replication is logical change-data capture with its own latency, and cutting over to the target (stopping the task, validating consistency, repointing clients) comfortably exceeds one minute.

185
MCQeasy

A company has a management account and several member accounts in AWS Organizations. They want to allow a developer in a member account to create an organization trail. What should they do?

A.Register the member account as a delegated administrator for CloudTrail in AWS Organizations.
B.Create a resource-based policy on the CloudTrail service to allow the member account to create trails.
C.Create an IAM role in the management account and grant the developer permission to assume it.
D.Attach an SCP to the member account that allows CloudTrail actions.
AnswerA

Allows the member account to create organization trails.

Why this answer

Option A is correct because registering a member account as the delegated administrator for CloudTrail lets that account create and manage organization trails (and organization event data stores) on behalf of the organization. Once registered, a principal in that account with cloudtrail:CreateTrail permission can call CreateTrail with IsOrganizationTrail set to true, which otherwise only the management account can do.

Exam trap

The trap here is that candidates often assume creating an IAM role in the management account (Option C) is sufficient, but they miss that organization trails require the member account to be explicitly registered as a delegated administrator in AWS Organizations to bypass the default restriction that only the management account can create organization trails.

How to eliminate wrong answers

Option B is wrong because there is no resource-based policy on the CloudTrail service that could grant CreateTrail to another account; access to the CloudTrail API is controlled by IAM. Option C is wrong because assuming a role in the management account would create the trail from the management account, not from the member account as the question asks, and it hands a developer credentials in the management account, which is exactly what delegated administration is meant to avoid. Option D is wrong because SCPs restrict permissions rather than grant them; an SCP allowing CloudTrail actions gives the developer nothing, and the restriction that only the management account or a delegated administrator can create organization trails is not something an SCP can lift.

186
MCQmedium

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer. The application must handle millions of requests per day. To reduce latency and offload traffic from the EC2 instances, which AWS service should be placed in front of the load balancer?

A.Amazon CloudFront
B.AWS Global Accelerator
C.AWS Shield Advanced
D.AWS WAF
AnswerA

CloudFront caches content at edge locations, reducing latency and offloading EC2 instances.

Why this answer

Option A is correct because CloudFront is a CDN that caches responses at edge locations and terminates client connections close to the user, which cuts latency and keeps cacheable requests off the ALB and the instances. Option B is wrong because Global Accelerator routes over the AWS backbone to the nearest healthy endpoint but does not cache anything. Option C is wrong because Shield Advanced is DDoS protection (and is enabled on the distribution or ALB rather than placed in front of it).

Option D is wrong because WAF filters requests; it does not cache or offload them.

187
MCQhard

A global company with 50 AWS accounts uses AWS Organizations and wants to centralize CloudTrail logs. The security team requires that all accounts send their CloudTrail logs to a central S3 bucket in the audit account. Which combination of steps will ensure this?

A.Use AWS Config to forward logs to a central S3 bucket.
B.Enable CloudTrail in each account and use AWS Organizations to aggregate logs.
C.Create a CloudTrail trail in the audit account that logs all accounts via CloudWatch Logs.
D.Create a CloudTrail trail in the audit account with an S3 bucket, and add a bucket policy that grants cross-account permissions for each member account to deliver logs. Then configure each member account to use the same trail.
AnswerD

This is the standard cross-account CloudTrail setup.

Why this answer

Option D is correct because a single trail in the audit account delivers every account's events to one bucket. The bucket policy must grant s3:GetBucketAcl and s3:PutObject to the cloudtrail.amazonaws.com service principal for the prefixes CloudTrail will write (one per account, or the organization-ID prefix for an organization trail), require the bucket-owner-full-control ACL on delivered objects, and should restrict aws:SourceArn to the trail's ARN so no other trail can write there. In practice this is done as an organization trail: the audit account is registered as the CloudTrail delegated administrator and creates the trail, after which every member account delivers to the central bucket automatically, without per-account trails or manual log forwarding.

Exam trap

The trap here is that candidates often think they need to enable CloudTrail in each account individually (Option B) or use a different service like AWS Config (Option A), when the correct approach is to create a single organization trail in the audit account with cross-account permissions and have member accounts reference that trail.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration auditing service, not a log delivery mechanism; it cannot forward CloudTrail logs to an S3 bucket. Option B is wrong because enabling CloudTrail in each account individually creates separate trails and separate log deliveries, not a single central bucket; AWS Organizations aggregates trails only through an organization trail created from the management account or a CloudTrail delegated administrator. Option C is wrong because CloudTrail cannot log all accounts via CloudWatch Logs; CloudWatch Logs is a destination for a trail's events, not a mechanism for aggregating logs from multiple accounts.

188
MCQeasy

An organization is modernizing a legacy application by breaking it into microservices on AWS. The application processes customer orders and sends notifications. The team wants to decouple the order processing from the notification service to improve scalability. Which AWS service should they use to asynchronously pass messages between the services?

A.Amazon Kinesis Data Streams
B.Amazon EventBridge
C.Amazon Simple Notification Service (Amazon SNS)
D.Amazon Simple Queue Service (Amazon SQS)
AnswerD

SQS provides a durable message queue that decouples the order processing service from the notification service, allowing asynchronous processing.

Why this answer

Amazon SQS is a fully managed message queue service that enables decoupling of application components. SNS is pub/sub; EventBridge is event bus; Kinesis is for real-time streaming. For simple point-to-point async messaging, SQS is the best fit.

189
Multi-Selectmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application experiences high request latency during peak traffic. A solutions architect discovers that the ALB is not distributing traffic evenly across the instances. The instances have different sizes (t3.large and t3.xlarge). Which TWO actions should the solutions architect take to improve load distribution?

Select 2 answers
A.Enable connection draining on the target group.
B.Replace all instances with the same instance type.
C.Change the ALB routing algorithm from round robin to least outstanding requests.
D.Enable sticky sessions (session affinity) on the target group.
E.Increase the deregistration delay (connection draining) on the target group to 300 seconds.
AnswersA, C

Connection draining ensures in-flight requests complete before an instance is deregistered, improving reliability during scaling events.

Why this answer

Options A and C are correct. Switching the target group's routing algorithm to least outstanding requests (LOR) sends each new request to the target with the fewest in-flight requests, so the larger t3.xlarge instances naturally take more traffic than the t3.large ones, instead of round robin giving every instance the same share regardless of capacity. Enabling connection draining (the deregistration delay on the target group) lets in-flight requests finish before an instance is removed, so scale-in events do not add errors on top of the latency problem.

Option D is wrong because sticky sessions pin clients to instances and make the imbalance worse. Option E is wrong because raising the deregistration delay to 300 seconds (the default) only changes how long draining waits; it does not change distribution. Option B is wrong because replacing the instances is an expensive way to work around what the LOR algorithm already handles.

190
MCQhard

A healthcare company is storing sensitive patient data in Amazon S3. The compliance team requires that all data be encrypted at rest and that the encryption keys be rotated every 90 days. Additionally, the company must maintain an audit trail of all key usage. Which solution meets these requirements with the LEAST operational overhead?

A.Use S3 server-side encryption with customer-provided keys (SSE-C) and implement a Lambda function to rotate keys every 90 days.
B.Use S3 server-side encryption with S3-managed keys (SSE-S3) and enable S3 server access logs.
C.Use S3 server-side encryption with AWS KMS-managed keys (SSE-KMS) and enable automatic key rotation every 90 days. Enable AWS CloudTrail for KMS key usage logging.
D.Use client-side encryption with the AWS Encryption SDK and store the keys in AWS Secrets Manager with automatic rotation.
AnswerC

SSE-KMS with a customer managed KMS key supports automatic rotation on a configurable period (90 to 2,560 days; 365 days by default), and every use of the key is recorded in CloudTrail with the S3 object ARN in the encryption context, with no code to run or maintain.

Why this answer

Option C is correct because KMS automatic rotation, set to a 90-day period on the customer managed key, meets the rotation requirement without any code, and CloudTrail records every Encrypt, Decrypt and GenerateDataKey call against the key, giving the audit trail. Keys in custom key stores do not support automatic rotation, so the key must be a standard KMS key. Option B is wrong because SSE-S3 gives no control over, or visibility into, key rotation. Option A is wrong because SSE-C puts key storage, distribution and rotation entirely on the company, and a Lambda rotation job would have to re-encrypt every object.

Option D is wrong because client-side encryption moves the encryption and key handling into the application, the opposite of least operational overhead, and rotating a secret in Secrets Manager does not re-encrypt data already written.
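The audit side of this answer, as an added example rather than anything from the page or from AWS: CloudTrail records every KMS call, and the script below summarises key use per key and caller from a handful of constructed CloudTrail records, then flags successful use by callers outside an expected allow-list and any denied attempts. The record fields follow the CloudTrail format (eventSource, eventName, errorCode, userIdentity.arn, resources, requestParameters.encryptionContext); the key ARN, account ID, bucket name and principal ARNs are made up.

```python
import json
from collections import Counter, defaultdict

# All identifiers below are made up for the example.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/PatientApiRole/"


def _rec(time, name, principal, s3_arn, error=None):
    """Build one CloudTrail record in the shape S3 SSE-KMS calls to KMS produce."""
    rec = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": principal},
           "requestParameters": {"encryptionContext": {"aws:s3:arn": s3_arn}},
           "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed log file: two normal calls by the application role, one decrypt by
# an IAM user who should never touch patient data, one denied cross-account
# attempt, and one non-KMS event that the functions must ignore.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-05-01T10:00:01Z", "GenerateDataKey", APP_ROLE + "i-0a1b2c",
         "arn:aws:s3:::patient-records/p1.json"),
    _rec("2024-05-01T10:02:14Z", "Decrypt", APP_ROLE + "i-0a1b2c",
         "arn:aws:s3:::patient-records/p1.json"),
    _rec("2024-05-01T11:30:09Z", "Decrypt", "arn:aws:iam::111122223333:user/contractor",
         "arn:aws:s3:::patient-records/p2.json"),
    _rec("2024-05-01T12:00:00Z", "Decrypt", "arn:aws:sts::999988887777:assumed-role/Unknown/x",
         "arn:aws:s3:::patient-records/p1.json", error="AccessDenied"),
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": APP_ROLE + "i-0a1b2c"}},
]})


def kms_events(trail_json):
    """Yield only the KMS events from a CloudTrail log file."""
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") == "kms.amazonaws.com":
            yield rec


def summarize_key_usage(trail_json):
    """Return {key_arn: Counter({(principal_arn, eventName): count})} for successful calls."""
    usage = defaultdict(Counter)
    for rec in kms_events(trail_json):
        if rec.get("errorCode"):
            continue
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage[res["ARN"]][(rec["userIdentity"]["arn"], rec["eventName"])] += 1
    return dict(usage)


def find_anomalies(trail_json, allowed_prefixes):
    """Flag key use by principals outside the allow-list, plus every denied attempt.

    allowed_prefixes are ARN prefixes, because assumed-role session names vary.
    """
    findings = []
    for rec in kms_events(trail_json):
        principal = rec["userIdentity"]["arn"]
        obj = rec.get("requestParameters", {}).get("encryptionContext", {}).get("aws:s3:arn")
        if rec.get("errorCode"):
            findings.append(("denied", rec["eventTime"], principal, rec["eventName"], obj))
        elif not any(principal.startswith(p) for p in allowed_prefixes):
            findings.append(("unexpected-caller", rec["eventTime"], principal, rec["eventName"], obj))
    return findings


if __name__ == "__main__":
    for key, counts in summarize_key_usage(SAMPLE_TRAIL).items():
        print(key)
        for (who, what), n in sorted(counts.items()):
            print(f"  {n:3d}  {what:<16} {who}")
    for finding in find_anomalies(SAMPLE_TRAIL, [APP_ROLE]):
        print("FINDING", *finding)
```

The encryption context is what ties a KMS event back to the object: for SSE-KMS, S3 always passes the object ARN as aws:s3:arn, so a Decrypt with an unexpected caller can be traced to the exact record that was read.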

191
MCQmedium

A company has multiple AWS accounts managed via AWS Control Tower. The DevOps team wants to deploy a shared CI/CD pipeline that can deploy applications across all accounts. The pipeline must use the same source repository and artifact store. What is the MOST secure and scalable approach?

A.Deploy the pipeline in a central DevOps account. Use cross-account IAM roles to deploy to target accounts.
B.Create a separate pipeline in each account using the same source repository.
C.Use AWS CodePipeline with cross-account actions by assuming IAM roles in each target account.
AnswerA

Central pipeline with cross-account roles provides centralized control and secure access.

Why this answer

Option A is correct because deploying the pipeline in a central DevOps account and using cross-account IAM roles to deploy to target accounts follows the principle of least privilege and centralizes management. This approach avoids duplicating resources, ensures a single source of truth for the source repository and artifact store, and scales easily as new accounts are added via AWS Control Tower. Cross-account IAM roles allow the pipeline to assume a role in each target account with scoped permissions, eliminating the need for long-term credentials.

Exam trap

The trap here is that candidates may confuse 'cross-account actions' (Option C) with the central DevOps account pattern (Option A), not realizing that Option A explicitly describes the recommended architecture for AWS Control Tower environments, while Option C is a generic feature that could be implemented without a dedicated central account, which is less secure and scalable.

How to eliminate wrong answers

Option B is wrong because creating a separate pipeline in each account duplicates infrastructure, increases management overhead, and does not use a shared artifact store or source repository consistently, leading to potential drift and inconsistency. Option C is wrong because while it mentions cross-account actions, it is essentially the same as Option A but less specific about the central account pattern; however, the question asks for the MOST secure and scalable approach, and Option A explicitly describes the best practice of a central DevOps account with cross-account IAM roles, which is more aligned with AWS Control Tower's multi-account governance model than simply using cross-account actions in CodePipeline without a dedicated central account.

192
MCQhard

A company is migrating a legacy application that uses a proprietary binary protocol over TCP. They want to modernize to a containerized microservices architecture on Amazon EKS. The protocol must be preserved for backward compatibility. Which approach should they take?

A.Use Amazon API Gateway to expose the legacy service as a REST API
B.Deploy a sidecar proxy container in the same pod to translate the protocol
C.Refactor the legacy application to use HTTP
D.Use a Network Load Balancer to route TCP traffic to the legacy container
AnswerB

The sidecar can translate the proprietary protocol to HTTP for internal communication.

Why this answer

A sidecar proxy in the same pod can terminate the proprietary TCP protocol on the pod's loopback interface and translate it to HTTP (or gRPC) for the other microservices, so the legacy binary stays untouched and still speaks its original protocol to existing clients. Option D (Network Load Balancer) passes TCP through and preserves the protocol, but it does not translate anything, so the other microservices would still have to speak the proprietary protocol. Option A (API Gateway) expects HTTP or WebSocket clients and cannot front a raw binary protocol.

Option C (refactoring to HTTP) breaks the backward compatibility the requirement demands, and is the riskiest and slowest path.

193
Multi-Selecteasy

A company is migrating a large number of on-premises virtual machines to AWS. The company wants to automate the migration process and reduce manual effort. Which TWO AWS services can be used together to achieve this goal? (Choose TWO.)

Select 2 answers
A.AWS Database Migration Service (DMS)
B.AWS CloudFormation
C.AWS Application Migration Service (MGN)
D.AWS DataSync
E.AWS Schema Conversion Tool (SCT)
AnswersB, C

MGN replicates and cuts over the servers; CloudFormation automates the infrastructure they land in.

Why this answer

B and C are correct because AWS Application Migration Service (MGN) continuously replicates the source servers and automates the test and cutover launches, while CloudFormation automates provisioning of the VPCs, subnets, security groups and other infrastructure the migrated servers need. A is wrong because DMS migrates databases, not virtual machines. E is wrong because SCT converts database schemas between engines.

D is wrong because DataSync moves files and objects; it does not migrate servers.

194
MCQmedium

A company is using AWS Organizations and wants to centralize the management of Amazon EC2 instance security groups. The security team needs to enforce that certain ports are not open to the internet across all accounts. The company currently uses AWS Firewall Manager. Which approach should the security team use to enforce this policy?

A.Use AWS Config rules to detect non-compliant security groups and trigger a Lambda function to remediate.
B.Use AWS Firewall Manager to create a security group policy that defines rules, and apply it across all accounts. Firewall Manager will automatically create and manage security groups.
C.Use AWS Firewall Manager to audit security groups against a baseline policy and generate reports.
D.Use an SCP to deny ec2:AuthorizeSecurityGroupIngress for ports that should not be open.
AnswerB

Firewall Manager can enforce security group rules centrally.

Why this answer

AWS Firewall Manager can centrally create, apply and manage security group policies across all accounts in an organization. Two policy types apply here: a common security group policy replicates a primary security group from the Firewall Manager administrator account into every in-scope account and associates it with the specified resources, and a content audit security group policy with auto-remediation enabled removes rules that violate the baseline, such as inbound rules that open the listed ports to 0.0.0.0/0 or ::/0. Either way Firewall Manager enforces the policy continuously rather than merely detecting or reporting violations.

Exam trap

The trap here is that candidates often confuse AWS Firewall Manager's audit-only mode (which generates reports) with its enforcement mode (which automatically creates and manages security groups), leading them to choose the reporting option instead of the correct enforcement option.

How to eliminate wrong answers

Option A is wrong because AWS Config rules with Lambda remediation are reactive: they detect a non-compliant security group after it exists and then try to fix it, leaving a window in which the port is open, and the Lambda function and its permissions must be built and maintained in every account. Option C is wrong because an audit-only policy provides visibility but does not change or remove the offending rules. Option D is wrong because an SCP can only condition on keys the API exposes, and ec2:AuthorizeSecurityGroupIngress has no condition key for the port range or CIDR in the request, so an SCP can deny the whole action or nothing; it cannot block opening one specific port to the internet.

195
Multi-Selectmedium

A company is designing a new application that will use Amazon S3 to store sensitive customer data. The data must be encrypted at rest and in transit. The company also needs to ensure that only authorized users can access the data. Which three steps should the company take? (Choose THREE.)

Select 3 answers
A.Enable S3 default encryption with SSE-KMS.
B.Use client-side encryption with a customer key.
C.Use bucket policies to restrict access based on IAM roles.
D.Configure the bucket policy to deny requests that do not use HTTPS.
E.Make the bucket publicly accessible for ease of access.
AnswersA, C, D

Encrypts data at rest with KMS-managed keys.

Why this answer

Enforce encryption in transit (HTTPS) via bucket policy. Enable S3 default encryption with SSE-KMS. Use bucket policies to restrict access to authorized principals.

Option E (public access) is wrong because it exposes the data to everyone. Option B (client-side encryption) is not required once SSE-KMS and HTTPS are enforced; it would add key handling to every client.
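The bucket policy and Block Public Access settings that this question and question 180 describe, as an added example in Python (not the page's own material and not AWS code). build_bucket_policy returns the policy document with two explicit denies, any request over plain HTTP and any PutObject that does not ask for SSE-KMS, with an optional third deny that pins uploads to one key; block_public_access_config returns the four Block Public Access flags; and check_policy is a small linter that walks a policy document (for instance one fetched with get-bucket-policy) and reports whether each control is actually present. The bucket name and key ARN are made up. One caveat: with default encryption set to SSE-KMS the header deny is belt and braces, and it will reject uploads from clients that rely on the bucket default instead of sending x-amz-server-side-encryption themselves.

```python
import json


def build_bucket_policy(bucket, kms_key_arn=None):
    """Bucket policy denying plaintext transport and uploads that skip SSE-KMS.

    Grants for the authorised roles are added as separate Allow statements
    (or via IAM); the explicit denies here win over any of them.
    """
    arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # StringNotEquals also matches when the header is absent, so an
        # upload with no encryption header is denied as well.
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]
    if kms_key_arn:
        # Optionally pin uploads to one specific key rather than any KMS key.
        statements.append(
            {"Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}})
    return {"Version": "2012-10-17", "Statement": statements}


def block_public_access_config():
    """All four Block Public Access flags; any bucket policy or ACL that would
    make the bucket public is ignored or rejected while these are set."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Lint a bucket policy for the two controls, returning a dict of booleans."""
    tls = encrypt = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        cond = stmt.get("Condition", {})
        secure = cond.get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() == "false" and any(a in ("s3:*", "*") for a in actions):
            tls = True
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sse in ("aws:kms", "AES256") and "s3:PutObject" in actions:
            encrypt = True
    return {"denies_plaintext_transport": tls, "denies_unencrypted_put": encrypt}


# A policy with only a grant and no denies, to show what the linter reports.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/UploadRole"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::patient-uploads-example/*"}]}

if __name__ == "__main__":
    policy = build_bucket_policy("patient-uploads-example")
    print(json.dumps(policy, indent=2))
    print("hardened:", check_policy(policy))
    print("weak:    ", check_policy(WEAK_POLICY))
    print("block public access:", block_public_access_config())
```

Running the linter against the policy you actually retrieve from the bucket, rather than the one you meant to deploy, is the useful habit here; the weak policy above is the shape most "we thought it was enforced" findings take.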

196
MCQmedium

A company is modernizing its infrastructure by moving from EC2 instances to a serverless architecture using AWS Lambda. The application processes images uploaded to Amazon S3. The current EC2-based solution uses a third-party image processing library that is not supported in Lambda's runtime environment. What is the best approach to migrate to serverless while using the same library?

A.Package the library as a Lambda layer and reference it in the function.
B.Use AWS Fargate to run the image processing library in a container.
C.Rewrite the image processing code to use AWS Rekognition.
D.Use AWS App Runner to deploy the existing application as-is.
AnswerA

Lambda layers allow inclusion of custom libraries, enabling use of the third-party library without code changes.

Why this answer

Lambda lets you bring the library either bundled in the deployment package or as a layer shared across functions, so the function code itself is unchanged. The library must be built for Lambda's Amazon Linux environment and CPU architecture and fit within the 250 MB unzipped limit; if it needs more than that, or OS packages, the next step is packaging the function as a container image (up to 10 GB), which is still Lambda. Fargate runs containers but brings back task definitions and long-running compute to manage.

Using a different library (Rekognition) would require rewriting the processing code. App Runner is for containerized web applications, not event-driven image processing from S3.

197
MCQeasy

A company's IT team uses AWS CloudFormation to deploy infrastructure. They want to enforce tagging standards across all stacks. Which approach should they use?

A.Create an IAM policy that requires tags on all resources and attach it to all IAM users.
B.Configure CloudFormation to reject any stack that does not include tags.
C.Define stack-level tags in CloudFormation templates and use an SCP to deny creation of stacks without required tags.
D.Use AWS Config to detect resources without tags and automatically remediate using Systems Manager Automation.
AnswerC

SCPs can enforce that all stacks have required tags, and stack-level tags propagate to resources.

Why this answer

Using CloudFormation stack-level tags with a service control policy (SCP) that requires tags is the correct approach. Option B is incorrect because IAM policies can enforce tags on resources created by CloudFormation. Option C is incorrect because AWS Config can detect but not enforce.

Option B is incorrect because CloudFormation does not natively enforce tag propagation without additional mechanisms.

198
MCQeasy

A company is migrating a monolithic application to AWS and wants to adopt a microservices architecture. The application currently runs on a single server and uses a shared MySQL database. Which AWS service can help the company decouple the microservices and enable asynchronous communication?

A.Amazon API Gateway
B.AWS Step Functions
C.Elastic Load Balancing
D.Amazon Simple Queue Service (SQS)
AnswerD

SQS provides a fully managed message queue for decoupling microservices.

Why this answer

Option D is correct because Amazon SQS is a message queue service that enables asynchronous communication between microservices. Option A is incorrect because API Gateway is for synchronous RESTful APIs. Option C is incorrect because ELB distributes traffic; it is not a messaging service.

Option B is incorrect because AWS Step Functions orchestrates workflows; it does not queue messages.

199
MCQhard

Refer to the exhibit. A solutions architect runs the AWS CLI command and receives the output shown. The instance was stopped 2 hours ago. The company wants to minimize costs. What should the architect do next?

A.Keep the instance stopped; only storage costs apply.
B.Terminate the instance to avoid any further charges.
C.Start the instance to verify it works.
D.Hibernate the instance to save memory state.
AnswerA

Stopped instances incur only EBS storage costs.

Why this answer

A stopped instance incurs charges for attached EBS volumes, but not for the instance itself. Option B is wrong because termination would delete the instance. Option D is wrong because hibernation is not possible from the stopped state.

Option C is wrong because starting the instance incurs costs.

200
MCQhard

A company has a monolithic application running on a single EC2 instance. The application experiences performance issues during peak hours. The company decides to migrate to a microservices architecture using AWS Lambda and Amazon API Gateway. The migration must be done incrementally without downtime. What strategy should the company use?

A.Deploy all microservices in a new VPC and cut over DNS after testing.
B.Create a new version of the monolith that calls Lambda functions as backend.
C.Use AWS CodeDeploy to perform a blue/green deployment of the monolith to Lambda.
D.Use the strangler fig pattern: implement API Gateway to route traffic to new Lambda functions for specific endpoints while keeping the monolith for others.
AnswerD

Allows incremental migration without downtime.

Why this answer

Option D is correct because the strangler fig pattern allows incremental replacement of functionality by routing specific requests to new microservices via API Gateway while keeping the monolithic application for the rest; the pattern does not require database changes initially. Option A is incorrect because a full migration at once risks downtime.

Option C is incorrect because a deployment pipeline is not a migration strategy.

201
MCQmedium

A company wants to centralize access control for multiple AWS accounts using AWS Organizations. They need to allow developers in a specific account to launch EC2 instances only in certain regions. What is the most scalable solution?

A.Create an IAM role in each account with a policy to deny non-compliant regions.
B.Use AWS Config rules to detect and terminate instances in non-compliant regions.
C.Use an SCP attached to the organizational unit to deny EC2 actions in non-compliant regions.
D.Create an IAM policy in each account to deny non-compliant regions.
AnswerC

SCPs provide centralized policy enforcement across accounts in an organization.

Why this answer

Option C is correct because SCPs allow you to centrally control the maximum available permissions for all accounts in an organization, enabling region restrictions at the organizational level. Option D is wrong because IAM policies in individual accounts are harder to manage across many accounts. Option B is wrong because AWS Config does not enforce policies; it only checks compliance.

Option A is wrong because Service Control Policies (SCPs) are the correct mechanism for this, not IAM roles.

202
MCQeasy

A company uses AWS Organizations and wants to centrally manage backups for EC2 instances across multiple accounts. They want to create a backup plan that backs up all EC2 instances tagged with Backup=Weekly. The backup must be stored in a central backup vault in the management account. Which solution meets these requirements?

A.Create a backup plan in each account targeting the tagged instances and store backups in the management account's vault using cross-account backup.
B.Use AWS CloudFormation StackSets to deploy a backup plan to each account.
C.Use AWS Backup with a backup policy in AWS Organizations to centrally manage backups across accounts.
D.Use Amazon Data Lifecycle Manager to create cross-account snapshot copies for tagged instances.
AnswerC

Backup policies can target resources by tags across accounts.

Why this answer

Option C is correct because AWS Backup can be configured across accounts using backup policies in AWS Organizations, which apply a backup plan to resources in member accounts based on tags. Option A is wrong because AWS Backup does not have a central vault concept without cross-account backup policies. Option D is wrong because Data Lifecycle Manager is for EBS snapshots, not centralized backup management.

Option B is wrong because CloudFormation StackSets do not manage backups dynamically based on tags.

203
MCQmedium

A company is running a batch processing job on an EC2 instance that processes data from an S3 bucket and writes results to another S3 bucket. The job runs once per hour and takes about 20 minutes. The company wants to optimize costs by only paying for compute time when the job is running. Which solution is MOST cost-effective?

A.Convert the batch job into an AWS Lambda function.
B.Purchase a Reserved Instance for the EC2 instance to reduce hourly cost.
C.Use a t3.micro instance and keep it running 24/7 since it's low cost.
D.Use AWS Batch with spot instances to run the job only when needed.
AnswerD

Pay only for compute time, spot reduces cost.

Why this answer

Option D is correct because AWS Batch automatically provisions and terminates EC2 instances based on the job queue, and can use Spot Instances for cost savings. Option B is wrong because Reserved Instances require a 1-year commitment. Option C is wrong because keeping the instance running incurs costs even when idle.

Option A is wrong because Lambda has a 15-minute timeout limit.

204
MCQmedium

A company uses AWS Control Tower to manage a multi-account environment. They want to ensure that all accounts are enrolled in AWS Shield Advanced for DDoS protection. What is the MOST efficient way to achieve this?

A.Use AWS Control Tower Account Factory Customization to deploy a CloudFormation template that enables Shield Advanced.
B.Manually enable Shield Advanced in each account after creation.
C.Use AWS Config to detect accounts without Shield Advanced and send notifications.
D.Use AWS Organizations to create an SCP that requires Shield Advanced.
AnswerA

This automates the setup for all new and existing accounts.

Why this answer

AWS Control Tower Account Factory Customization (AFC) allows you to automatically apply AWS CloudFormation templates to accounts as they are created or updated in the landing zone. By deploying a CloudFormation template that subscribes each account to AWS Shield Advanced, you ensure consistent, automated DDoS protection across all accounts without manual intervention. This is the most efficient method because it integrates directly with the account provisioning lifecycle.

Exam trap

The trap here is that candidates often confuse SCPs with proactive resource provisioning, assuming an SCP can enable a service, when in reality SCPs only control permissions and cannot perform actions like subscribing to Shield Advanced.

How to eliminate wrong answers

Option B is wrong because manually enabling Shield Advanced in each account after creation is inefficient, error-prone, and does not scale in a multi-account environment. Option C is wrong because AWS Config can only detect non-compliance and send notifications; it cannot automatically enable Shield Advanced, so it requires additional manual or automated remediation steps, making it less efficient than a proactive deployment. Option D is wrong because AWS Organizations Service Control Policies (SCPs) can only restrict permissions (e.g., deny disabling Shield Advanced) but cannot enable a service or perform actions like subscribing to Shield Advanced; SCPs are not capable of provisioning resources.

205
MCQmedium

A company is designing a highly available application on AWS that uses an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application requires that the client's IP address be preserved in the application logs. The company also needs to perform SSL termination at the load balancer. How should the company configure the ALB to meet these requirements?

A.Use TCP listener on port 443 and forward to instances on port 80. Enable proxy protocol v2.
B.Use TCP listener on port 443 and forward to instances on port 443. Install SSL certificate on instances.
C.Use HTTPS listener on port 443, provide the SSL certificate, and forward to instances on port 443. Disable proxy protocol.
D.Use HTTPS listener on port 443, provide the SSL certificate, and forward to instances on port 80. Enable X-Forwarded-For header.
AnswerD

ALB terminates SSL and passes client IP via X-Forwarded-For.

Why this answer

Option D is correct because an ALB with SSL termination and the X-Forwarded-For header preserves the client IP. Option B terminates SSL on the instances, which adds overhead. Option A is a Network Load Balancer configuration, which does not support HTTP features.

206
Multi-Selecthard

A company runs a critical application on Amazon ECS with Fargate launch type. The application needs to be highly available across multiple Availability Zones. The company wants to implement blue/green deployments to minimize downtime. Which THREE steps should the solutions architect take?

Select 3 answers
A.Store the application artifacts in Amazon ECR and use an ECS service with a single task definition.
B.Use a Network Load Balancer to route traffic to the ECS service.
C.Create two separate ECS task definitions for the blue and green environments.
D.Use AWS CodeDeploy with a blue/green deployment configuration.
E.Configure an Application Load Balancer with a target group for each task set.
AnswersC, D, E

Separate task definitions allow updating one while the other serves traffic.

Why this answer

Options C, D, and E are correct. CodeDeploy with a blue/green deployment configuration automates traffic shifting. An Application Load Balancer with a target group per task set routes traffic.

Separate task definitions for the blue and green environments allow updates without downtime. Option A is wrong because storing artifacts in ECR concerns images, not deployment. Option B is wrong because an NLB does not support blue/green deployments with CodeDeploy for ECS.

207
Multi-Selecteasy

A company is designing a new database solution for a global e-commerce application. The database must support high read and write throughput with single-digit millisecond latency. The company expects traffic spikes during peak hours. Which TWO AWS services should the company consider?

Select 2 answers
A.Amazon DocumentDB (with MongoDB compatibility)
B.Amazon ElastiCache
C.Amazon DynamoDB
D.Amazon Aurora
E.Amazon RDS for MySQL
AnswersB, C

ElastiCache (Redis or Memcached) provides in-memory caching for low latency.

Why this answer

Options B and C are correct. DynamoDB provides a low-latency, high-throughput NoSQL database. ElastiCache provides in-memory caching for low latency.

Option D is wrong because Aurora is relational and may not match DynamoDB's throughput for simple key-value access. Option A is wrong because DocumentDB is for document workloads. Option E is wrong because RDS is relational and less scalable.

208
MCQeasy

A company is migrating a legacy monolithic application to AWS. The application currently runs on a single Windows Server with IIS and SQL Server. The company wants to adopt a microservices architecture on AWS using containers. The development team has containerized the application into several Docker containers. The company needs a solution that minimizes operational overhead for managing the container orchestration and scaling, and also integrates with AWS services like IAM, CloudWatch, and VPC. Which AWS service should the company use to run the containers?

A.Amazon ECS with the Fargate launch type.
B.Amazon EKS with managed node groups.
C.AWS Elastic Beanstalk with a Docker platform.
D.Amazon EC2 instances with Docker installed, managed by an Auto Scaling group.
AnswerA

Fargate is serverless, reducing operational overhead, and integrates well with AWS services.

Why this answer

Option A is correct because Amazon ECS with the Fargate launch type provides serverless container orchestration, integrates with AWS services, and minimizes operational overhead. Option D is wrong because running containers on EC2 requires managing the underlying instances. Option C is wrong because AWS Elastic Beanstalk supports Docker but is better suited to single-container deployments and provides less control for microservices.

Option B is wrong because Amazon EKS requires managing the Kubernetes control plane, which has operational overhead.

209
MCQeasy

A company has a monolithic application running on a single Amazon EC2 instance. The application stores data on an instance store volume. The company wants to improve availability and disaster recovery with minimal architectural changes. What is the MOST cost-effective solution?

A.Replace the instance store volume with an Amazon EBS volume, create an AMI, and use Auto Scaling with an Application Load Balancer.
B.Attach an Amazon EBS volume and configure the application to write to it, then take periodic EBS snapshots.
C.Use AWS Backup to schedule backups of the instance and restore to a new instance if needed.
D.Create an AMI from the instance and launch a second instance in a different Availability Zone behind an Application Load Balancer.
AnswerA

EBS provides persistent storage, and Auto Scaling with ALB improves availability and disaster recovery.

Why this answer

Instance store volumes are ephemeral: their data is lost when the instance is stopped or terminated, and EBS snapshots cannot back them up. The data therefore has to move to persistent EBS storage before any AMI-based recovery can work. Option A does exactly this: it replaces the instance store volume with an EBS volume, creates an AMI, and uses Auto Scaling with an Application Load Balancer, which improves availability and disaster recovery with minimal architectural change.

Option D keeps the instance store, which is not persistent. Option B adds cost without solving availability. Option C is wrong because EBS snapshots cannot back up instance store.

So the correct answer is A.

210
MCQmedium

A company is migrating a critical application to AWS and needs to ensure that the migration has minimal downtime. The application uses a SQL Server database. The company wants to use AWS Database Migration Service (DMS) for the migration. What should the company do to minimize downtime during the database migration?

A.Use DMS with validation enabled and then truncate the target before cutover.
B.Use DMS with ongoing replication (change data capture) to keep the target database synchronized, then perform a brief cutover.
C.Use DMS with full load only and schedule the migration during a maintenance window.
D.Perform a full load migration using DMS and then manually copy any remaining data.
AnswerB

Ongoing replication minimizes downtime by continuously syncing changes.

Why this answer

Option B is correct because using change data capture (CDC) with DMS allows ongoing replication from the source to the target, so when you cut over only a brief pause is needed. Option C is incorrect because a full load only captures a snapshot, requiring downtime for the final sync. Option D is incorrect because it also describes a full load.

Option A is incorrect because validation does not help minimize downtime.

211
MCQhard

A company is migrating a large-scale .NET application to AWS. The application uses Windows authentication and requires Active Directory integration. The company wants to reduce operational overhead. Which migration approach should they use?

A.Rehost on EC2 with on-premises AD via VPN
B.Rehost on EC2 with AWS Managed Microsoft AD
C.Replatform to use Amazon Cognito for authentication
D.Replatform to AWS Elastic Beanstalk with Amazon Lightsail
AnswerB

Reduces overhead by outsourcing AD management to AWS.

Why this answer

Option B (rehost on EC2 with AWS Managed Microsoft AD) is correct because it provides Active Directory without managing domain controllers. Option A (rehost with on-premises AD via VPN) doesn't reduce overhead. Option C (Cognito) is for web identity, not AD.

Option D (Elastic Beanstalk with Lightsail) has limited AD support.

212
MCQhard

A company is designing a new application that will store sensitive data in Amazon S3. The data must be encrypted at rest using a key that is rotated every 90 days. The company wants to use AWS managed services to minimize operational overhead. Which encryption solution should they choose?

A.SSE-C
B.SSE-S3
C.Client-side encryption with AWS KMS
D.SSE-KMS with automatic rotation
AnswerB

SSE-S3 automatically rotates keys every 90 days with no customer management.

Why this answer

Option B is correct because SSE-S3 uses S3-managed keys that are automatically rotated. Option D is wrong because SSE-KMS requires customer management of key rotation, though it can be automatic with KMS. Option A is wrong because SSE-C requires the customer to manage the keys.

Option C is wrong because client-side encryption adds operational overhead.

213
MCQhard

A company is migrating a legacy .NET application to AWS. The application uses Windows authentication and connects to an on-premises SQL Server database. The company wants to minimize code changes. Which migration strategy is most appropriate?

A.Replatform the application to use Amazon Aurora PostgreSQL with AWS DMS.
B.Refactor the application into microservices using AWS Lambda and Amazon DynamoDB.
C.Rehost the application on EC2 Windows instances and use Amazon RDS for SQL Server.
D.Re-platform the application to run on Amazon Linux and use Amazon RDS for MySQL.
AnswerC

Rehosting minimizes code changes and supports Windows authentication.

Why this answer

Option C is correct because rehosting on EC2 Windows with RDS for SQL Server minimizes changes and supports Windows authentication. Option D is wrong because re-platforming to Linux may break .NET dependencies. Option B is wrong because refactoring to serverless requires significant code changes.

Option A is wrong because moving to Aurora PostgreSQL requires code changes.

214
MCQmedium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. They notice that during a failover, the application experiences a brief outage but then recovers. They want to minimize the failover time. Which action will most effectively reduce the failover time?

A.Disable Multi-AZ to avoid failover altogether.
B.Create a read replica and promote it during failover.
C.Enable Amazon RDS Proxy.
D.Increase the DB instance size to improve performance.
AnswerC

RDS Proxy maintains connections across failovers, reducing downtime.

Why this answer

Option C is correct because enabling Amazon RDS Proxy provides connection pooling and reduces failover time by keeping connections alive. Option B is wrong because read replicas are for read scaling, not for reducing failover time. Option D is wrong because increasing the instance size doesn't directly affect failover time.

Option A is wrong because disabling Multi-AZ increases downtime.

215
MCQeasy

A company is using AWS CloudFormation to manage infrastructure. The security team requires that all CloudFormation stacks include a specific tag (CostCenter). The company wants to enforce this tag automatically. Which method should be used to enforce the tag?

A.Use AWS Service Catalog to enforce mandatory tags on all provisioned products.
B.Use an AWS Config rule to check for the tag and a custom IAM policy to deny stack creation without the tag.
C.Create an AWS Lambda function that checks for the tag and sends alerts.
D.Use AWS Resource Groups to tag resources after stack creation.
AnswerB

Config can detect and IAM policy can prevent non-compliant stack creation.

Why this answer

Option B is correct because an AWS Config rule combined with an IAM policy that denies non-compliant stacks is the most automated enforcement method. Option A is wrong because AWS Service Catalog does not enforce tags on existing stacks. Option C is wrong because Lambda can remediate but not prevent non-compliant stacks.

Option D is wrong because tagging at the resource level is not automated enforcement.

216
MCQmedium

A Solutions Architect runs the AWS CLI command shown in the exhibit. Which statement accurately describes the output?

A.The command lists all instances regardless of state.
B.The command lists instances in JSON format.
C.The command lists only running instances.
D.The command fails because --query is used incorrectly.
AnswerA

The command returns all instances with their state.

Why this answer

The command uses the --query parameter to filter output and --output table. The query extracts InstanceId and State.Name, and the table format shows the results. The command does not filter by state; it returns all instances regardless of state.

217
MCQeasy

A company has multiple AWS accounts managed through AWS Organizations. The security team requires that all VPC flow logs be enabled in every account and region. What is the MOST efficient way to enforce this requirement?

A.Apply a service control policy (SCP) that requires all VPCs to have flow logs enabled.
B.Use AWS CloudFormation StackSets to deploy a stack that enables VPC Flow Logs in every account and region.
C.Create an AWS Config rule in each account to check for flow logs and trigger an auto-remediation action.
D.Use AWS Service Catalog to create a VPC product that includes flow logs, and require accounts to use it.
AnswerB

StackSets can deploy stacks across accounts and regions from a single admin account.

Why this answer

AWS CloudFormation StackSets allows you to deploy a single CloudFormation template across multiple accounts and regions in a single operation, making it the most efficient way to enforce VPC Flow Logs across all accounts and regions. This approach ensures consistent configuration without requiring manual per-account or per-region setup, and it integrates with AWS Organizations for automated deployment to new accounts.

Exam trap

The trap here is that candidates often confuse SCPs with resource policies, thinking they can enforce resource configurations, but SCPs only control IAM permissions and cannot directly enable features like VPC Flow Logs.

How to eliminate wrong answers

Option A is wrong because SCPs cannot enforce resource configurations like enabling VPC Flow Logs; they only restrict permissions (e.g., deny actions) and cannot create or modify resources. Option C is wrong because while an AWS Config rule can detect non-compliant VPCs and trigger auto-remediation, it is reactive and requires each account to have the rule deployed, making it less efficient than a proactive, centralized deployment. Option D is wrong because AWS Service Catalog provides a pre-approved product template but does not enforce its use; accounts can still create VPCs without flow logs, so it does not guarantee compliance.

218
MCQeasy

A company is using Amazon DynamoDB as the primary database for a web application. The application experiences occasional throttling on writes. The company wants to implement a solution that automatically increases write capacity during traffic spikes. Which solution should they use?

A.Switch to DynamoDB On-Demand capacity mode.
B.Implement DynamoDB Accelerator (DAX) for caching.
C.Use DynamoDB Global Tables to distribute writes.
D.Enable DynamoDB Auto Scaling for write capacity.
AnswerD

Auto Scaling adjusts capacity based on actual utilization.

Why this answer

Option D is correct because DynamoDB Auto Scaling automatically adjusts write capacity based on utilization. Option C is wrong because Global Tables do not address throttling. Option B is wrong because DAX is a cache, not a scaling solution.

Option A is wrong because On-Demand mode is not automatic scaling based on traffic patterns.

219
Multi-Selectmedium

A company is migrating a legacy application to Amazon ECS. The application has a stateful component that stores data on the local filesystem. Which TWO storage options can be used to persist data beyond the lifecycle of the container?

Select 2 answers
A.Amazon EBS
B.Amazon ECS Fargate ephemeral storage
C.Amazon ECR
D.Amazon S3
E.Amazon EFS
AnswersA, E

EBS volumes can be attached to EC2 instances for persistent block storage.

Why this answer

Options A and E are correct. EFS provides persistent shared file storage, and EBS volumes can be attached to EC2 instances running ECS tasks. Option B is wrong because Fargate ephemeral storage is not persistent.

Option D is wrong because S3 is object storage, not a file system. Option C is wrong because ECR is a container registry.

220
MCQhard

An e-commerce company runs a customer-facing application on AWS. The application architecture includes an Application Load Balancer (ALB), EC2 instances in an Auto Scaling group, and an Amazon RDS for MySQL Multi-AZ DB instance. The application uses a custom web server that stores session data in a local file system. During peak traffic, users experience session timeouts and errors. The operations team observes that the Auto Scaling group launches new instances and terminates old ones frequently. The team wants to improve the user experience and ensure session persistence. The Solutions Architect proposes to modify the application to store session data in an external store. However, due to a legacy code dependency, the application cannot be modified in the short term. Which solution should the Solutions Architect implement to resolve the session persistence issue without modifying the application?

A.Replace the local file system storage with an Amazon ElastiCache for Redis cluster that is external to the instances.
B.Enable sticky sessions (session affinity) on the ALB and configure the Auto Scaling group to use a lifecycle hook to drain connections before instance termination.
C.Store session data in Amazon DynamoDB and configure the application to use the DynamoDB session handler.
D.Configure the Auto Scaling group to scale down based on memory utilization rather than CPU, to reduce termination frequency.
AnswerB

Sticky sessions route user to same instance; lifecycle hook ensures sessions complete before termination.

Why this answer

Option B is correct because enabling sticky sessions on the ALB ensures that a user's requests are always routed to the same instance, preserving the local session files. Option A is wrong because ElastiCache still requires application code changes to use it. Option C is wrong because DynamoDB also requires code changes.

Option D is wrong because scaling down based on memory does not prevent session loss; it may cause more terminations.

221
Multi-Selectmedium

A company is using AWS Organizations with a centralized logging account. They want to collect VPC Flow Logs from all member accounts into a single S3 bucket in the logging account. Which TWO steps are required to achieve this?

Select 2 answers
A.Create a bucket policy in the logging account that grants the member accounts permission to write flow logs.
B.Attach an SCP to the logging account that allows PutObject to the bucket.
C.Configure the bucket policy to include a condition that the principal is the VPC Flow Logs service.
D.Use AWS Resource Access Manager (RAM) to share the bucket with member accounts.
E.Attach an SCP to the member accounts that allows them to create flow logs.
AnswersA, C

Bucket policy allows cross-account writes.

Why this answer

Options A and C are correct. Option A: VPC Flow Logs can be published to a central bucket using a bucket policy that allows the member accounts to write. Option C: the bucket policy must grant s3:PutObject permissions to the member accounts' VPC Flow Logs service.

Option B is wrong because bucket policies cannot be applied via SCP. Option E is wrong because SCPs cannot be attached to resources. Option D is wrong because sharing the bucket via RAM is not needed; a bucket policy suffices.

222
Multi-Selectmedium

An e-commerce company runs its application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon Aurora MySQL DB cluster with one writer and two reader instances. During a sales event, the database CPU utilization is high, and read replicas show high replica lag. The company needs to improve the read scalability and reduce replica lag. Which THREE actions should the company take? (Choose THREE.)

Select 3 answers
A.Add more reader instances to the cluster to distribute the read traffic.
B.Enable Multi-AZ for the cluster to improve read availability.
C.Increase the instance size of the writer instance to improve write throughput.
D.Increase the instance size of the reader instances to larger instance types.
E.Enable Aurora Auto Scaling for the reader instances.
AnswersA, D, E

More readers improve read scalability.

Why this answer

Adding more reader instances (Option A) distributes the read workload across additional nodes, reducing the load on each reader and helping to lower replica lag. Aurora Auto Scaling (Option E) automatically adjusts the number of reader instances based on metrics like CPU utilization or replica lag, providing dynamic scaling during traffic spikes. Increasing the instance size of reader instances (Option D) provides more CPU and memory resources to each reader, enabling them to process more read queries and apply changes from the writer faster, which directly reduces replica lag.

Exam trap

The trap here is that candidates may confuse Multi-AZ with read scaling, but Multi-AZ in Aurora is for high availability only and does not distribute read traffic, while the real solutions involve adding more readers, scaling readers up, or using Auto Scaling to handle variable load.

223
Multi-Selecthard

A company is using AWS CodePipeline to automate deployments. The pipeline includes a build stage that compiles code and runs tests. The build stage fails intermittently due to network timeouts when downloading dependencies. Which THREE actions could improve the reliability of the build stage?

Select 3 answers
A.Increase the build timeout to allow more time for downloads.
B.Use CodeBuild local cache to store dependencies across builds.
C.Run the CodeBuild project in a VPC with a NAT gateway to ensure consistent outbound connectivity.
D.Store dependencies in an S3 bucket and configure the build to use cached dependencies.
E.Use a larger compute type for CodeBuild to improve network speed.
AnswersB, C, D

Local cache reduces download frequency.

Why this answer

Options B, C, and D are correct: caching dependencies in S3, running the build in a VPC with a NAT gateway for consistent networking, and using CodeBuild local caching all reduce failures. Option A is wrong because increasing the timeout only delays the failure. Option E is wrong because a larger compute type may not fix network timeouts.

224
MCQ (hard)

A company is deploying a serverless application using AWS Lambda. The application processes high-resolution images and stores them in Amazon S3. The processing time for each image is variable, but some images require more than 15 minutes to process. Lambda has a maximum execution time of 15 minutes. How can the company process these long-running image transformations?

A. Use AWS Step Functions to chain multiple Lambda functions, each processing a part of the image.
B. Use AWS Batch to run the image processing as a job on EC2 or Fargate.
C. Use Amazon SQS to queue the images and have Lambda poll the queue; the Lambda function can process one image per invocation.
D. Increase the Lambda timeout to 20 minutes.
Answer: B

AWS Batch can run jobs with longer execution times and can scale based on demand.

Why this answer

Using AWS Step Functions to orchestrate Lambda functions does not remove the 15-minute limit on each individual function. Splitting the work into parallel Lambda functions that each finish in under 15 minutes can handle larger images if the work is parallelizable, but if processing a single image inherently takes more than 15 minutes, a different compute service such as AWS Batch is required.

Option B is correct. Option A is wrong because Lambda still has the 15-minute limit. Option C is wrong because SQS doesn't extend Lambda execution time.

Option D is wrong because Step Functions cannot extend Lambda timeout.

225
MCQ (easy)

A company is migrating a legacy on-premises application to AWS. The application currently runs on a Windows Server with a SQL Server database. The company wants to minimize changes to the application code. Which migration strategy should the company use?

A. Rehost (lift-and-shift)
B. Refactor / re-architect
C. Replatform (lift-and-resize)
D. Rebuild
Answer: A

Correct. Rehosting moves the application to AWS with minimal changes.

Why this answer

Rehosting (lift-and-shift) involves moving the application as-is to AWS, minimizing code changes. Replatforming (lift-and-resize) may involve some changes, but rehosting requires the least modification. Refactoring and rebuilding involve significant changes.
