AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 226300

1746 questions total · 24pages · All types, answers revealed

Page 3

Page 4 of 24

Page 5
226
MCQhard

A company is designing a new solution to ingest real-time clickstream data from a website. The data volume varies from 100 to 100,000 events per second. The solution must buffer the data for up to 5 minutes and then deliver it to Amazon S3 for analysis. The company wants to minimize operational overhead and cost. Which service should be used to buffer the data?

A.Amazon Kinesis Data Streams
B.AWS Lambda
C.Amazon Kinesis Data Firehose
D.Amazon SQS
AnswerC

Firehose provides serverless buffering and delivery to S3.

Why this answer

Option D is correct. Amazon Kinesis Data Firehose can buffer incoming data for up to 15 minutes and then deliver it to S3, with no server management. Option A is wrong because Kinesis Data Streams requires managing shards and consumers.

Option B is wrong because SQS is not designed for large-scale streaming. Option C is wrong because Lambda has concurrency limits and is not a buffer.

227
Multi-Selectmedium

A company is building a serverless application using AWS Lambda and Amazon API Gateway. They need to authenticate users. Which TWO services can be used for authentication?

Select 2 answers
A.AWS Security Token Service
B.AWS IAM
C.Amazon SQS
D.Amazon Cognito
E.Amazon CloudFront
AnswersB, D

IAM can authenticate users via API Gateway IAM authorization.

Why this answer

AWS IAM is correct because it can be used to authenticate users by attaching IAM authorization to API Gateway, allowing the API to verify the caller's identity via AWS Signature Version 4 signing. This is commonly used for machine-to-machine or internal service calls where the caller has AWS credentials.

Exam trap

The trap here is that candidates often confuse AWS STS (which issues temporary credentials) with an authentication service, or think SQS or CloudFront can handle authentication, when in fact only IAM and Cognito directly support user authentication for API Gateway in this context.

228
MCQmedium

A solutions architect deployed the above CloudFormation template. However, the Lambda function is not triggered when objects are uploaded to the S3 bucket. What is the most likely cause?

A.The BucketNotification resource depends on MyLambdaFunction, but the notification configuration is incorrect.
B.The Lambda function lacks a resource-based policy that allows S3 to invoke it.
C.The Lambda execution role does not have permission to access S3.
D.The Lambda function code does not read the S3 object content.
AnswerB

Without an 'InvokeFunction' permission for S3, the trigger will fail.

Why this answer

Option D is correct. The Lambda function's resource-based policy must allow S3 to invoke it. The template does not add any resource-based policy.

Option A is wrong because the bucket notification is configured. Option B is wrong because the role allows CloudWatch Logs. Option C is wrong because the Lambda function code does not need to read S3 for the trigger to work.

229
MCQhard

A company has a complex AWS environment with hundreds of accounts. They want to implement a tagging strategy that allows them to track costs by department and project. The tags must be propagated from resources to cost reports automatically. Which approach meets these requirements with minimal ongoing maintenance?

A.Create a CloudFormation template that applies tags to all resources and deploy it via StackSets.
B.Use AWS Organizations tag policies to enforce required tags on resources, and activate cost allocation tags in the management account.
C.Use AWS Config rules to detect untagged resources and trigger a Lambda function to add tags.
D.Use AWS Cost Explorer to filter by resource tags after they are manually applied.
AnswerB

Tag policies enforce tags across accounts, and cost allocation tags are automatically activated.

Why this answer

Option B is correct because AWS Organizations tag policies allow you to define and enforce required tags across all accounts in the organization, ensuring consistent tagging. When you activate cost allocation tags in the management account, these tags are automatically propagated to AWS Cost Explorer and cost reports without any manual intervention or ongoing maintenance, meeting the requirement for minimal ongoing effort.

Exam trap

The trap here is that candidates often confuse reactive remediation (like Config rules with Lambda) with proactive enforcement (like tag policies), and overlook that cost allocation tags must be explicitly activated in the management account to appear in cost reports.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets can only apply tags to resources created by CloudFormation stacks, not to resources created outside of CloudFormation or pre-existing resources, and maintaining templates for hundreds of accounts introduces significant ongoing overhead. Option C is wrong because AWS Config rules with Lambda remediation is a reactive, event-driven approach that adds tags after resource creation, which does not guarantee propagation to cost reports automatically and requires ongoing maintenance of Lambda functions and Config rules. Option D is wrong because Cost Explorer can only filter by tags that are already applied and activated; manually applying tags does not ensure automatic propagation to cost reports and requires manual effort, failing the minimal ongoing maintenance requirement.

230
MCQmedium

A company uses Amazon S3 to store critical data. They need to ensure that data is automatically replicated to another AWS Region for disaster recovery. Which configuration meets this requirement with minimal operational overhead?

A.Enable S3 Versioning on the source bucket.
B.Use S3 Transfer Acceleration to upload objects to both Regions.
C.Configure an S3 Lifecycle policy to transition objects to S3 Glacier.
D.Enable S3 Cross-Region Replication (CRR) on the source bucket.
AnswerD

CRR automatically replicates objects to a destination bucket in a different Region for disaster recovery.

Why this answer

Option D is correct because S3 Cross-Region Replication (CRR) automatically replicates objects to a destination bucket in a different AWS Region, providing disaster recovery with minimal operational overhead. Option A is wrong because S3 Versioning alone does not replicate data. Option B is wrong because S3 Lifecycle policies manage storage tiers, not replication.

Option C is wrong because S3 Transfer Acceleration speeds up uploads but does not replicate data.

231
Multi-Selecthard

A company uses AWS CodePipeline to deploy a serverless application. They want to automatically test the deployment in a staging environment before promoting to production. Which THREE actions should they include in their pipeline? (Choose THREE.)

Select 3 answers
A.A build stage that packages the application using AWS CodeBuild.
B.A manual approval step before deploying to production.
C.A deploy stage that deploys to production after staging tests pass.
D.A test stage that deploys to a staging environment and runs integration tests.
E.A deploy stage that deploys to a canary environment.
AnswersA, C, D

Building is a necessary first step.

Why this answer

A typical deployment pipeline includes: build the application, run automated tests in a staging environment, and then deploy to production after approval. Option A (build) is needed. Option C (test in staging) is needed.

Option D (deploy to production after staging tests pass) is needed. Option B (manual approval to production) is common but not required for automated testing. Option E (deploy to staging) is redundant if already included in test stage.

232
MCQeasy

A company uses a central IT team to manage multiple AWS accounts. The team wants to provide developers with the ability to launch EC2 instances but restrict them to using only specific instance types. How should this be enforced?

A.Create a service control policy in AWS Organizations that restricts instance types for all accounts.
B.Use AWS Config to automatically terminate instances that are not of allowed types.
C.Create an IAM policy that denies ec2:RunInstances unless the instance type matches an allowed list, and attach it to the developers' IAM group.
D.Configure an S3 bucket policy that only allows specific instance types to be used.
AnswerC

IAM policies can restrict RunInstances actions based on instance type.

Why this answer

Option C is correct because an IAM policy with a condition key like ec2:InstanceType can deny or allow ec2:RunInstances based on specific instance types. This policy is attached to the developers' IAM group, ensuring that only permitted instance types can be launched, while still allowing other EC2 actions. This approach directly controls the API call at the IAM level, which is the most precise and scalable method for restricting resource creation across multiple accounts managed by a central IT team.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking SCPs can restrict specific users or groups within an account, when in fact SCPs only set account-wide permission boundaries and require additional IAM policies to enforce fine-grained restrictions.

How to eliminate wrong answers

Option A is wrong because a service control policy (SCP) in AWS Organizations sets permissions boundaries for all accounts in the organization, but it cannot be used to restrict specific IAM users or groups within an account; it only defines the maximum allowed permissions for the entire account, and developers could still launch instances if the account-level permissions are not further restricted. Option B is wrong because AWS Config is a compliance and auditing service that can detect non-compliant instances and trigger remediation (e.g., termination), but it does not prevent the launch in real time; instances could be running and incurring costs before being terminated, and the termination itself might cause data loss or disruption. Option D is wrong because an S3 bucket policy controls access to S3 resources, not EC2 instance launches; it has no effect on the ec2:RunInstances API call and cannot restrict instance types.

233
MCQmedium

A company is migrating a legacy application to AWS. The application requires a static IP address that can be used for whitelisting by third-party partners. The application will be deployed in multiple Availability Zones for high availability. The company wants to use a load balancer to distribute traffic. The solution must provide a single static IP address that does not change even if the underlying instances are replaced. Which combination of services should the company use?

A.Use an Application Load Balancer (ALB) with a static Elastic IP address attached to the ALB.
B.Use AWS Global Accelerator with an ALB as the endpoint.
C.Use Amazon CloudFront with an ALB as the origin.
D.Use a Network Load Balancer (NLB) with Elastic IP addresses assigned to each subnet.
AnswerD

NLBs support static IPs via Elastic IPs.

Why this answer

Option D is correct because a Network Load Balancer (NLB) supports static IP addresses by allowing you to assign Elastic IP addresses to each Availability Zone subnet. This provides a single static IP per AZ that does not change even when backend instances are replaced, meeting the requirement for a fixed whitelisting address across multiple AZs.

Exam trap

The trap here is that candidates often assume an ALB can have a static IP attached because it is a common load balancer, but ALBs are Layer 7 and inherently use dynamic IPs, while only NLBs (Layer 4) support Elastic IP assignment per subnet.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer (ALB) does not support attaching Elastic IP addresses directly; ALBs are assigned dynamic DNS names and cannot provide a static IP. Option B is wrong because AWS Global Accelerator provides static anycast IP addresses but uses an ALB as an endpoint, which still requires the ALB's DNS name and does not give the ALB itself a static IP; the static IPs are at the accelerator level, not the load balancer. Option C is wrong because Amazon CloudFront provides static IP addresses for edge locations, but the origin (ALB) still uses a dynamic DNS name and does not receive a static IP; CloudFront is a CDN, not a load balancer for direct traffic distribution.

234
MCQmedium

A company is using AWS Organizations with a single OU for all production accounts. The security team wants to restrict the use of specific instance types across all accounts in the OU. They create a Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not in the allowed list. However, some accounts still launch disallowed instance types. What is the most likely cause?

A.The SCP only denies future API calls; it does not affect already running instances.
B.The SCP has a delay of up to 24 hours before it takes effect.
C.The SCP is not attached to the management account.
D.The SCP condition is incorrectly formatted; SCPs cannot evaluate instance types.
AnswerA

SCPs are preventive, not detective or corrective.

Why this answer

Option C is correct because SCPs cannot affect resources created before the SCP was applied. Option A is wrong because SCPs do not affect IAM users in the management account unless explicitly applied. Option B is wrong because SCPs take effect within minutes.

Option D is wrong because SCPs can use conditions based on instance type.

235
MCQhard

A company is migrating a large-scale Hadoop cluster to Amazon EMR. The migration plan includes moving data from HDFS to Amazon S3. The company wants to minimize costs and ensure data durability. Which approach should the company use?

A.Set up a VPN connection and use rsync to copy data to S3.
B.Use Apache DistCp to copy data from HDFS to S3.
C.Use AWS Snowball Edge to physically transfer data from the cluster.
D.Use AWS Database Migration Service (DMS) to migrate the data to S3.
AnswerB

DistCp is the standard tool for copying between HDFS and S3.

Why this answer

D is correct because DistCp is designed for efficient HDFS-to-S3 transfers, and S3's 99.999999999% durability meets requirements. A is wrong because Snowball adds latency. B is wrong because it does not address data migration.

C is wrong because AWS DMS is for databases, not file systems.

236
MCQhard

A company has a multi-account AWS organization with hundreds of accounts. The security team wants to ensure that all accounts have AWS Config enabled with a specific set of rules. They also want to automatically remediate non-compliant resources. Which solution is MOST scalable and operationally efficient?

A.Use AWS CloudFormation StackSets to deploy Config rules to all accounts.
B.Use AWS Config rules in each account with AWS Lambda functions for remediation.
C.Use AWS Config conformance packs deployed via AWS Organizations with automatic remediation using Systems Manager Automation.
D.Use an AWS Config aggregator in the management account to view compliance across accounts.
AnswerC

Centralized, scalable, automated.

Why this answer

Option D is correct because AWS Config conformance packs can be deployed at the organization level using AWS Organizations, allowing centralized management of rules and automatic remediation with SSM Automation. Option A is wrong because manual deployment doesn't scale. Option B is wrong because CloudFormation StackSets require per-account management.

Option C is wrong because AWS Config aggregator only aggregates data, doesn't enforce rules.

237
MCQeasy

A company is designing a new application that will store and retrieve large files (up to 5 TB). The files must be accessible via HTTPS and must be durable. Which AWS storage service should be used?

A.Amazon S3
B.Amazon EFS
C.AWS Storage Gateway
D.Amazon EBS
AnswerA

S3 is object storage with HTTPS access and high durability.

Why this answer

Amazon S3 is the correct choice because it supports objects up to 5 TB in size, provides HTTPS access via RESTful API endpoints, and offers 99.999999999% (11 nines) durability by automatically replicating data across multiple Availability Zones. S3 is purpose-built for storing and retrieving large files over the internet with high durability and scalability.

Exam trap

The trap here is that candidates may confuse file storage (EFS) or block storage (EBS) with object storage (S3), overlooking that only S3 provides native HTTPS access and 11 nines durability for large objects without requiring an EC2 instance or additional infrastructure.

How to eliminate wrong answers

Option B (Amazon EFS) is wrong because it is a file-level storage service for Linux workloads, not designed for single objects up to 5 TB (its maximum file size is 52 TB, but it lacks native HTTPS object access and is optimized for shared file systems, not direct HTTP retrieval). Option C (AWS Storage Gateway) is wrong because it is a hybrid storage service that provides on-premises access to AWS storage, not a primary storage service for direct HTTPS access to large files; it adds latency and complexity for a purely cloud-native application. Option D (Amazon EBS) is wrong because it is block-level storage attached to a single EC2 instance, cannot be accessed directly via HTTPS, and has a maximum volume size of 16 TB but requires an EC2 instance to serve files, making it unsuitable for direct object retrieval over the internet.

238
Multi-Selectmedium

A company is using an AWS Lambda function to process files uploaded to an S3 bucket. The function is written in Python and uses the boto3 library to read the files. Recently, some files have been processed multiple times. Which TWO measures should a solutions architect implement to ensure idempotent processing?

Select 2 answers
A.Use a DynamoDB table to store processed file IDs and check for duplicates before processing.
B.Configure the S3 bucket to send events to an SQS queue and use the Lambda function to poll the queue.
C.Increase the Lambda function timeout to 15 minutes.
D.Configure S3 event notifications to filter by prefix and suffix to avoid triggering multiple times.
E.Enable S3 Transfer Acceleration on the bucket.
AnswersA, D

Idempotency key store prevents duplicate processing.

Why this answer

Options B and D are correct. Using a DynamoDB table to track processed file IDs (B) allows the function to skip duplicates. Enabling S3 event notifications with a prefix and suffix filter (D) reduces the chance of multiple events for the same object.

Option A is wrong because increasing Lambda timeout doesn't prevent multiple invocations. Option C is wrong because SQS can help but needs deduplication logic as well. Option E is wrong because S3 Transfer Acceleration is for faster uploads, not idempotency.

239
MCQeasy

A company wants to migrate an on-premises Oracle database to Amazon Aurora PostgreSQL. The migration must have minimal downtime. Which AWS service should be used for the migration?

A.AWS Server Migration Service (SMS)
B.AWS DataSync
C.AWS Database Migration Service (DMS)
D.AWS Snowball
AnswerC

DMS supports continuous replication.

Why this answer

AWS DMS supports ongoing replication to minimize downtime during migration.

240
MCQmedium

A company is designing a disaster recovery solution for a critical application running on EC2 with data in an Amazon RDS MySQL Multi-AZ DB instance. The recovery time objective (RTO) is 15 minutes and recovery point objective (RPO) is 1 hour. Which strategy meets these requirements?

A.Enable Multi-AZ in a different Region.
B.Create a cross-Region read replica of the RDS DB instance.
C.Take daily snapshots of the RDS DB instance and copy them to another Region.
D.Use Amazon S3 cross-Region replication for database backups.
AnswerB

Promoting a read replica can achieve RTO under 15 minutes and RPO under 1 hour.

Why this answer

Option B is correct because a cross-Region read replica of an Amazon RDS MySQL DB instance provides asynchronous replication with a typical replication lag of seconds to minutes, meeting the RPO of 1 hour and RTO of 15 minutes by promoting the replica to a standalone instance in the event of a disaster. This approach minimizes data loss and allows rapid failover without relying on snapshot restoration or backup copying.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which is Region-bound) with cross-Region disaster recovery, or they assume daily snapshots are sufficient for a 1-hour RPO, failing to recognize that snapshot frequency must match the RPO window.

How to eliminate wrong answers

Option A is wrong because Multi-AZ in a different Region is not a supported configuration; Multi-AZ provides high availability within a single Region by synchronously replicating to a standby in a different Availability Zone, not across Regions. Option C is wrong because daily snapshots cannot achieve an RPO of 1 hour; snapshot frequency is at most once every 5 minutes, but daily snapshots would result in up to 24 hours of potential data loss, far exceeding the 1-hour RPO. Option D is wrong because Amazon S3 cross-Region replication is used for S3 objects, not for RDS database backups; RDS automated backups and manual snapshots are stored in S3, but the replication of those backups via S3 CRR does not provide the low RTO or RPO required, as it would still require restoring from a snapshot, which takes longer than 15 minutes.

241
MCQhard

A solutions architect applies the IAM policy shown in the exhibit to an IAM user. The user attempts to upload an object to the S3 bucket 'my-bucket' without specifying the 'x-amz-server-side-encryption' header. What will happen?

A.The upload succeeds because the Allow statement grants the s3:PutObject permission.
B.The upload succeeds because the Deny statement only applies when the header is present but set to a value other than AES256.
C.The upload fails because the Deny statement blocks any PutObject request that does not specify AES256 encryption.
D.The upload fails because the condition is malformed and causes an error.
AnswerC

The Deny statement with StringNotEquals denies if encryption header is not present or not AES256.

Why this answer

Option B is correct. The Deny statement with StringNotEquals will match because the condition s3:x-amz-server-side-encryption is not set (or evaluates to a value not equal to AES256). Since the Deny statement applies, the request is denied.

Option A is wrong because the Allow statement requires the condition to be true; if not specified, the condition is not met. Option C is wrong because the Deny statement explicitly denies if encryption is not AES256. Option D is wrong because the condition is evaluated.

242
MCQmedium

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The application is deployed across multiple Availability Zones. The team notices that during a recent traffic spike, some instances were terminated and replaced, causing a temporary drop in performance. How can the team improve the resilience of the application?

A.Purchase Reserved Instances to ensure capacity.
B.Use lifecycle hooks to wait for instance termination.
C.Increase the instance size to handle more traffic.
D.Configure a warm pool for the Auto Scaling group.
AnswerD

Warm pools keep pre-initialized instances ready to replace terminated ones quickly.

Why this answer

Option B is correct because using a warm pool allows instances to be pre-initialized and ready to serve traffic quickly when scaling out. Option A is wrong because increasing instance size does not address the replacement delay. Option C is wrong because purchasing Reserved Instances does not affect scaling speed.

Option D is wrong because lifecycle hooks can delay termination but do not speed up new instance readiness.

243
MCQeasy

A company is designing a new application that will be deployed on AWS. The application requires a relational database with automatic failover and high availability within a single AWS region. Which database deployment option meets these requirements?

A.Amazon RDS Single-AZ deployment
B.Amazon RDS with Read Replicas
C.Amazon RDS Multi-AZ deployment
D.Amazon RDS cross-region replication
AnswerC

Multi-AZ provides automatic failover and high availability within a region.

Why this answer

Option C is correct because RDS Multi-AZ provides automatic failover and high availability within a region. Option A is wrong because Single-AZ does not provide failover. Option B is wrong because Read Replicas are for read scaling, not failover.

Option D is wrong because cross-region replication is for disaster recovery, not primary failover.

244
MCQmedium

A company uses AWS Lambda to process events from an Amazon SQS queue. The Lambda function is invoked with a batch size of 10. Recently, the function started failing with timeout errors when processing large batches. Which solution would improve the reliability of event processing without losing messages?

A.Increase the SQS queue visibility timeout to match the function timeout.
B.Increase the Lambda function reserved concurrency to handle more invocations.
C.Increase the Lambda function timeout to the maximum 15 minutes.
D.Reduce the batch size to a smaller value, such as 5.
AnswerD

Smaller batches reduce processing time per invocation.

Why this answer

Option C is correct because reducing the batch size decreases the processing time per invocation, reducing the chance of timeout. Option A is wrong because increasing the timeout may not help if the issue is total processing time. Option B is wrong because increasing reserved concurrency does not help with timeout.

Option D is wrong because SQS queues do not send batches to Lambda as SQS batch size; the Lambda batch size is the relevant parameter.

245
Multi-Selectmedium

A company is designing a real-time analytics platform that ingests data from thousands of IoT devices. The platform must process and store high-velocity data with low latency. Which TWO AWS services should be used together to meet these requirements? (Choose TWO.)

Select 2 answers
A.AWS Lambda
B.Amazon Kinesis Data Streams
C.Amazon Kinesis Data Analytics
D.Amazon S3
E.Amazon SQS
AnswersB, C

Ingests large amounts of data from IoT devices in real time.

Why this answer

Amazon Kinesis Data Streams ingests high-velocity streaming data. Amazon Kinesis Data Analytics performs real-time analytics on the stream. Option B (Lambda) can be used but not as the primary analytics engine.

Option C (S3) is for storage, not real-time. Option D (DynamoDB) is for low-latency queries but not for stream analytics. Option E (SQS) is for message queuing, not real-time analytics.

246
MCQmedium

Refer to the exhibit. A solutions architect is designing a new application that requires three EC2 instances running in different Availability Zones in us-east-1. The architect runs the AWS CLI command shown and sees three instances running in three AZs. However, the application is not highly available because if one AZ fails, the application loses one-third of its capacity. The architect needs to ensure that the application can survive the loss of an entire AZ without manual intervention. What should the architect do?

A.Create a launch configuration and manually associate it with the instances.
B.Create an Auto Scaling group with a minimum size of 2 and a maximum size of 6, spread across three AZs.
C.Use EC2 Auto Recovery to automatically recover instances in case of failure.
D.Manually launch additional instances in other AZs.
AnswerB

Auto Scaling automatically replaces failed instances.

Why this answer

Option C is correct. An Auto Scaling group across three AZs with minimum 2 instances ensures that if one AZ fails, the instances in the other two AZs continue running, and Auto Scaling will launch new instances in the remaining AZs to maintain the desired count. Option A is wrong because it does not automatically replace failed instances.

Option B is wrong because a launch configuration is not enough; you need an Auto Scaling group. Option D is wrong because spreading across two AZs only protects against one AZ failure partially.

247
MCQeasy

A company wants to provide temporary access to an S3 bucket for external partners. The access must be time-limited and restricted to specific objects. Which AWS service or feature should they use?

A.S3 bucket policies
B.CloudFront signed URLs
C.Presigned URLs
D.IAM roles
AnswerC

Presigned URLs grant time-limited access to specific objects.

Why this answer

Option A is correct because presigned URLs provide temporary, limited access to specific S3 objects. Option B (bucket policies) are not time-limited. Option C (IAM roles) require AWS credentials.

Option D (CloudFront signed URLs) are for content delivery, not direct S3 access.

248
MCQhard

A company is migrating a legacy on-premises application to AWS. The application uses a proprietary database that runs on a single Windows server. The company wants to minimize downtime and avoid re-architecting the database. Which migration strategy should the solutions architect recommend?

A.Retire the application and replace it with a SaaS solution
B.Rehost using AWS Application Migration Service (CloudEndure)
C.Re-architect the application to use Amazon DynamoDB
D.Replatform by migrating the database to Amazon RDS for SQL Server
AnswerB

Correct: Allows lift-and-shift with minimal downtime and no changes to the database.

Why this answer

Rehost (lift-and-shift) is the best option because it moves the application without changes, minimizing downtime and avoiding re-architecture. Replatforming would require some changes, and re-architecting would involve significant rework. Retire is not applicable.

249
MCQmedium

A company is designing a new microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other using REST APIs. The company wants to implement a service mesh to handle traffic routing, observability, and security. Which AWS service should the company use?

A.Elastic Load Balancing for internal network load balancers.
B.AWS App Mesh.
C.AWS Cloud Map for service discovery.
D.Amazon API Gateway with VPC linking.
AnswerB

App Mesh provides service mesh capabilities for ECS.

Why this answer

AWS App Mesh is a service mesh that provides traffic management, observability, and security for microservices. Option C is correct. Option A is wrong because API Gateway is for external APIs.

Option B is wrong because Cloud Map is for service discovery. Option D is wrong because ELB is a load balancer, not a service mesh.

250
MCQmedium

A company is migrating a stateful application to AWS. The application uses local storage for temporary data that must survive instance restarts but not region failures. Which storage solution should the company use?

A.Amazon EBS
B.Instance Store
C.Amazon S3
D.Amazon EFS
AnswerB

Ephemeral storage that persists across reboots.

Why this answer

Option C is correct because Instance Store provides ephemeral storage that persists across reboots but not stops. Option A (EBS) survives stops. Option B (EFS) is network file system.

Option D (S3) is object storage.

251
Multi-Selecthard

Which THREE factors should be considered when designing a global application that requires low-latency access to static content and dynamic API responses?

Select 3 answers
A.Use VPC peering between all Regions to reduce latency.
B.Use Amazon CloudFront with multiple origins for static and dynamic content.
C.Use AWS Direct Connect for global connectivity.
D.Deploy application in multiple AWS Regions and use Route 53 latency-based routing.
E.Use AWS Global Accelerator for dynamic content.
AnswersB, D, E

CloudFront caches static content at edge and forwards dynamic requests.

Why this answer

Options A, C, and D are correct. Amazon CloudFront provides edge caching for static content and can route dynamic requests to the nearest origin. AWS Global Accelerator improves performance for dynamic content via anycast IP.

Multi-Region deployment with Route 53 latency routing reduces latency. Option B is incorrect because Direct Connect is for dedicated private connectivity, not global optimization. Option E is incorrect because VPC peering does not provide global edge caching.

252
MCQhard

A company is migrating a mission-critical application to AWS. The application requires a fixed IP address for whitelisting by external partners. The company plans to use an Application Load Balancer (ALB) to distribute traffic. However, ALB does not support static IP addresses. How can the company meet the requirement for static IP addresses while using the ALB?

A.Replace the ALB with a Network Load Balancer (NLB) that has Elastic IP addresses
B.Use AWS Global Accelerator with the ALB as an endpoint
C.Use Amazon Route 53 with a failover routing policy
D.Assign Elastic IP addresses to the ALB
AnswerB

Global Accelerator provides static IP addresses and routes traffic to the ALB.

Why this answer

Option C is correct: Using AWS Global Accelerator provides static anycast IP addresses and directs traffic to the ALB. Option A (NLB) would require a separate NLB, adding complexity. Option B (Elastic IP on ALB) is not possible.

Option D (Route 53) does not provide static IP addresses for whitelisting.

253
Multi-Selecthard

A company has a fleet of EC2 instances that process data from an SQS queue. The instances are part of an Auto Scaling group. The team notices that the queue depth is growing, but the Auto Scaling group is not scaling out quickly enough. Which THREE actions should the team take to improve the scaling responsiveness? (Choose three.)

Select 3 answers
A.Use a custom CloudWatch metric for the SQS queue depth to drive scaling.
B.Decrease the AWS CloudWatch metric warm-up time.
C.Reduce the Auto Scaling group cooldown period.
D.Use a step scaling policy instead of a simple scaling policy.
E.Increase the instance size in the launch template.
AnswersA, C, D

Custom metrics can trigger scaling based on actual queue length.

Why this answer

Options B, D, and E are correct. Option B: Using a custom metric based on queue depth allows scaling on actual workload. Option D: Reducing the cooldown period allows faster scaling actions.

Option E: Using a step scaling policy provides more aggressive scaling when queue depth is high. Option A is wrong because increasing instance size does not improve scaling speed. Option C is wrong because decreasing the warm-up time for the metric is not a standard Auto Scaling feature.

254
MCQhard

A company is designing a serverless data processing pipeline that uses AWS Lambda to process messages from Amazon SQS. Each message requires 5 minutes of processing time. The company expects a steady state of 1,000 messages per second. What is the MOST scalable and cost-effective design?

A.Deploy an Amazon ECS service with Fargate that polls the SQS queue. Use an SQS queue with long polling and auto scaling based on queue depth.
B.Use an SQS queue and a Lambda function that processes messages in batches. Set the Lambda function timeout to 15 minutes and use reserved concurrency.
C.Use an Amazon MQ broker with ActiveMQ and configure a Lambda function to consume messages from a queue.
D.Configure an SQS queue with a Lambda trigger. Set the Lambda function timeout to 5 minutes and the batch size to 1.
AnswerA

ECS can scale to thousands of tasks, each handling one message for 5 minutes, cost-effective and scalable.

Why this answer

Option B is correct because Lambda has a 15-minute timeout and can scale concurrency, but to handle 1,000 msg/s with 5 min processing, you need enough concurrency. However, Lambda concurrency per account has limits; the better approach is to use a Lambda function that reads from SQS in batches and processes each message, but the function timeout must be at least 5 min per invocation. Option A is wrong because Lambda can't run for 5 minutes (timeout is 15 min, so it's possible, but the question implies 5 min per message, so batch size of 1 is fine).

Actually, Lambda max execution is 15 min, so 5 min is fine. The main issue is that Lambda concurrency default is 1,000, and with 1,000 msg/s, each message takes 5 min, you'd need 300,000 concurrent executions, which exceeds default limits. So the best design is to use an Amazon ECS service with auto scaling.

Option B is correct.

255
MCQeasy

A company has an Amazon S3 bucket that stores sensitive data. They want to ensure that all objects in the bucket are encrypted at rest. What should they do?

A.Use AWS CloudTrail to monitor for unencrypted objects.
B.Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
C.Enable S3 Versioning to protect objects.
D.Create a bucket policy that denies PutObject if the object is not encrypted.
AnswerB

Default encryption automatically encrypts all new objects.

Why this answer

Option B is correct because enabling default encryption on the bucket ensures all new objects are encrypted. Option A is wrong because bucket policy can be circumvented. Option C is wrong because CloudTrail only logs.

Option D is wrong because versioning does not enforce encryption.

256
MCQhard

A financial services company is designing a new system on AWS to process real-time stock trades. The system must handle up to 10,000 trades per second with end-to-end latency under 500 milliseconds. Trades are ingested via REST API, validated, enriched with market data, and stored in a database for regulatory compliance. The architecture must be highly available across three Availability Zones. The company wants to use AWS managed services to minimize operational overhead. Which solution should a Solutions Architect recommend?

A.Use Network Load Balancer to distribute trade requests to a fleet of EC2 instances running a custom Java application. The application processes trades and writes to Amazon RDS for MySQL with Multi-AZ.
B.Use Amazon API Gateway to ingest trades, publish to an SNS topic, subscribe an SQS queue and a Lambda function. Lambda validates and enriches, then stores in DynamoDB.
C.Use Amazon API Gateway to ingest trades, send to an SQS FIFO queue for ordered processing, trigger an AWS Lambda function for validation and enrichment, and store in DynamoDB.
D.Use Amazon API Gateway to ingest trades, send to Amazon Kinesis Data Streams for buffering, use AWS Lambda to process in parallel, and store results in DynamoDB with on-demand capacity.
AnswerD

Kinesis can handle high throughput, Lambda scales automatically, DynamoDB provides low-latency storage.

Why this answer

Option C is correct because it uses API Gateway for ingestion, Kinesis Data Streams for buffering, Lambda for processing (scale to handle 10k tps), and DynamoDB for low-latency storage. Option A is wrong because SQS does not guarantee ordering for high throughput FIFO queues (limited to 300 tps). Option B is wrong because EC2 instances introduce management overhead and may not scale as quickly.

Option D is wrong because SNS does not provide a persistent buffer; messages can be lost if subscriber is unavailable.

257
MCQhard

A company uses AWS CodePipeline to deploy a microservices application to Amazon ECS Fargate. The pipeline includes stages for source, build, and deploy. The deploy stage uses an ECS service with a blue/green deployment configuration. After a recent update, the deployment fails with the error: 'The service cannot be deployed because the target group is not in a healthy state.' The target group health checks are configured with path '/health', interval 30 seconds, unhealthy threshold 2. The application health endpoint returns 200 OK. What should the company do to resolve this issue?

A.Redeploy the previous version of the application that passed health checks.
B.Modify the target group health check to use path '/' instead of '/health'.
C.Create a new target group with the correct health check path and update the ECS service.
D.SSH into the Fargate container and restart the application.
AnswerB

A common path ensures both blue and green targets pass health checks during the transition.

Why this answer

Option B is correct because the CodePipeline deploy action uses CodeDeploy for blue/green deployments. The error indicates that the original target group (blue) is not healthy, possibly because the health check path is not valid for the original application version. Adjusting the health check to a common path like '/' allows both versions to pass.

Option A is incorrect because Fargate does not allow SSH. Option C is incorrect because redeploying the same version won't fix the underlying health check issue. Option D is incorrect because a new target group does not address the root cause.

258
Multi-Selecthard

A company is designing a hybrid cloud solution that extends its on-premises data center to AWS. The company has a 10 Gbps AWS Direct Connect connection and needs to securely connect multiple VPCs and on-premises networks with transitive routing. The solution must be highly available and use AWS managed services. Which TWO components should the company include in the design? (Choose TWO.)

Select 2 answers
A.AWS Global Accelerator endpoints in each VPC.
B.AWS Transit Gateway with attachments for each VPC and the Direct Connect Gateway.
C.AWS Site-to-Site VPN connections from on-premises to each VPC.
D.VPC peering between each VPC and the on-premises network.
E.AWS Direct Connect Gateway attached to the Transit Gateway.
AnswersB, E

Transit Gateway enables transitive routing and central management.

Why this answer

AWS Transit Gateway provides transitive routing between VPCs and on-premises networks. Direct Connect Gateway allows association of multiple VPCs via Transit Gateway. Option A and Option C are correct.

Option B is wrong because VPN CloudHub does not integrate with Transit Gateway. Option D is wrong because VPC peering does not support transitive routing. Option E is wrong because AWS Global Accelerator is not for network connectivity.

259
Multi-Selecthard

A company is migrating a stateful application that uses local disks for caching to AWS. The application requires high-performance, low-latency storage that can be attached to a single EC2 instance. Which THREE AWS services or features should the company consider for the cache storage?

Select 3 answers
A.Amazon EBS io2 Block Express
B.Amazon EFS
C.Instance store
D.Local NVMe instance store
E.Amazon S3
AnswersA, C, D

io2 Block Express provides high-performance persistent block storage for a single instance.

Why this answer

Option A (Instance store), Option C (EBS io2 Block Express), and Option E (Local NVMe instance store) are correct. Instance store provides high-performance local storage but ephemeral. EBS io2 Block Express provides high-performance persistent block storage.

Local NVMe instance store is high-performance and local. Option B (EFS) is shared file system. Option D (S3) is object storage.

260
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application experiences sudden traffic spikes. What is the most effective way to ensure the application can handle the spikes without manual intervention?

A.Use a target tracking scaling policy based on average CPU utilization.
B.Increase the instance size to handle more load per instance.
C.Manually increase the desired capacity when traffic spikes.
D.Use scheduled scaling to add instances at expected peak times.
AnswerA

Target tracking automatically adjusts capacity to maintain a target metric, handling spikes.

Why this answer

Option D is correct because a target tracking scaling policy based on CPU utilization automatically adjusts capacity in response to demand. Option A is wrong because scheduled scaling works for predictable patterns, not sudden spikes. Option B is wrong because a larger instance size may not handle spikes if only a few instances.

Option C is wrong because manual scaling is not automated.

261
MCQeasy

A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by department. Each department has its own AWS account. Which feature should be used to map costs to departments?

A.Use cost allocation tags to tag resources with a department tag.
B.Use Amazon CloudWatch custom metrics to record department IDs.
C.Use service control policies (SCPs) to restrict costs per account.
D.Use AWS Budgets to create budgets per department.
AnswerA

Tags can be activated in AWS Cost Explorer to group costs.

Why this answer

Option C is correct because cost allocation tags are the standard method. Option A is wrong because CloudWatch is for monitoring, not cost tracking. Option B is wrong because SCPs are for permissions.

Option D is wrong because Budgets can alert but not map costs.

262
MCQmedium

Refer to the exhibit. A company creates this CloudFormation stack. After 30 days, what happens to objects with the prefix 'logs/'?

A.They are deleted because of the lifecycle rule.
B.They remain in Standard storage because versioning is enabled.
C.They are deleted after 30 days because no expiration is defined.
D.They are moved to the GLACIER storage class.
AnswerD

The transition rule moves objects to GLACIER after 30 days.

Why this answer

The lifecycle rule transitions objects with prefix 'logs/' to GLACIER after 30 days. Option A is wrong because the rule is enabled. Option B is wrong because versioning is enabled but doesn't affect the transition.

Option D is wrong because the transition is triggered after 30 days.

263
Multi-Selectmedium

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all objects are encrypted at rest. The company currently uses server-side encryption with S3 managed keys (SSE-S3). The team wants to enforce encryption using a customer-managed key (CMK) from AWS KMS. Which TWO actions should the team take?

Select 2 answers
A.Configure a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not set to 'aws:kms'.
B.Enable AWS CloudTrail to audit all PutObject requests.
C.Enable default encryption on the bucket with AWS KMS (SSE-KMS) as the encryption type.
D.Configure a bucket policy that allows PutObject only if the object is encrypted.
E.Disable SSE-S3 on the bucket so that only SSE-KMS can be used.
AnswersA, C

This policy blocks uploads that do not use SSE-KMS.

Why this answer

Option A and Option C are correct. Option A (S3 Bucket Policy denying PutObject without the correct encryption header) enforces encryption at upload time. Option C (Default encryption with SSE-KMS) ensures that objects uploaded without encryption headers are encrypted with KMS.

Option B (Bucket policy allowing any encryption) does not enforce KMS. Option D (Disable SSE-S3) is not possible; you cannot disable SSE-S3, you can only set default encryption. Option E (CloudTrail logging) does not enforce encryption.

264
MCQeasy

A company uses Amazon S3 to store sensitive data. The security team requires that all objects be encrypted at rest. The company currently uses server-side encryption with S3-managed keys (SSE-S3). The security team wants to ensure that only authorized users can access the decryption keys. What should the company do?

A.Configure an S3 bucket policy to allow only specific IAM roles to put objects.
B.Continue using SSE-S3 and enable S3 Block Public Access.
C.Use client-side encryption with an AWS KMS key.
D.Change the default encryption to server-side encryption with AWS KMS (SSE-KMS) and apply IAM policies to control key usage.
AnswerD

SSE-KMS allows key management and access control via IAM.

Why this answer

Option C is correct because SSE-KMS provides centralized key management and access control. Option A is wrong because SSE-S3 keys are managed by AWS, not the customer. Option B is wrong because client-side encryption does not use S3 server-side encryption.

Option D is wrong because bucket policies control access to objects, not encryption keys.

265
MCQmedium

A social media startup uses AWS Lambda functions to process user-uploaded images. The Lambda function resizes images and stores them in Amazon S3. The function uses the S3 SDK to put objects. Recently, the team noticed that the function sometimes fails with 'Timeout' errors for large images. The Lambda function has a timeout of 5 seconds and 256 MB of memory. The team wants to improve the solution to handle larger images reliably and cost-effectively. Which solution should the team implement?

A.Migrate the image processing to a dedicated Amazon EC2 instance with an EBS volume.
B.Increase the Lambda function's timeout to 15 minutes and allocate more memory (e.g., 1024 MB).
C.Use Amazon API Gateway with a larger payload limit to offload the image processing.
D.Use AWS Elastic Transcoder to resize images instead of Lambda.
AnswerB

More memory and timeout allow processing larger images within Lambda limits.

Why this answer

Option C (increase memory and timeout) directly addresses the issue of processing large images. Option A (Elastic Transcoder) is for video. Option B (EC2 with EBS) is overkill and not serverless.

Option D (API Gateway with larger payload) does not solve the Lambda processing limit.

266
MCQmedium

Refer to the exhibit. This bucket policy is applied to a central logging bucket in account 111111111111. Account 222222222222 wants to deliver CloudTrail logs to this bucket. However, log delivery fails. What is the MOST likely cause?

A.The resource ARN is incorrect.
B.The principal should be the CloudTrail service principal, not the root account of 111111111111.
C.The bucket policy requires the x-amz-acl header, which CloudTrail does not set.
D.The bucket policy does not allow s3:PutObject for the account 222222222222.
AnswerB

CloudTrail uses a service principal to write logs across accounts.

Why this answer

Option D is correct because CloudTrail uses a service principal, not the root account. Option A is wrong because the policy allows PutObject. Option B is wrong because CloudTrail delivers logs with bucket-owner-full-control.

Option C is wrong because the resource is correct.

267
MCQhard

A company is migrating a legacy application to AWS using the rehost (lift-and-shift) strategy. The application uses a proprietary database that is not supported by Amazon RDS. The company wants to automate the migration of multiple servers and minimize downtime. Which AWS service should be used to automate the server migration?

A.AWS CloudFormation to recreate the server configuration.
B.AWS Application Migration Service (AWS MGN).
C.AWS Server Migration Service (SMS).
D.AWS Database Migration Service (AWS DMS) for the database and manual server migration.
AnswerB

Automates lift-and-shift with continuous replication and minimal downtime.

Why this answer

Option B is correct because AWS Application Migration Service (MGN) automates lift-and-shift with minimal downtime. Option A is wrong because AWS CloudFormation is for infrastructure provisioning, not migration. Option C is wrong because AWS DMS is for databases, not servers.

Option D is wrong because AWS Server Migration Service (SMS) is older and less automated compared to MGN.

268
Multi-Selectmedium

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all objects uploaded to specific S3 buckets are encrypted at rest. Which TWO actions should they take? (Choose 2)

Select 2 answers
A.Use a bucket policy that denies PutObject without the x-amz-server-side-encryption header.
B.Configure default encryption on the S3 buckets to use SSE-S3 or SSE-KMS.
C.Enable S3 Cross-Region Replication.
D.Enable S3 Versioning on the buckets.
E.Enable S3 Server Access Logs.
AnswersA, B

Denies uploads without encryption.

Why this answer

Options B and D are correct. B enforces encryption at upload time, and D provides server-side encryption. A does not enforce encryption, C is about access logging, and E is about replication.

269
MCQeasy

A company is designing a new application that will process sensitive financial transactions. The application must be deployed in a VPC with no public internet access. The application needs to send logs to Amazon CloudWatch Logs and store files in Amazon S3. Which set of actions should be taken to meet these requirements without allowing internet access?

A.Create a Gateway VPC endpoint for S3 and an Interface VPC endpoint for CloudWatch Logs
B.Place the application behind a public Application Load Balancer
C.Set up a NAT gateway in a public subnet and route traffic through it
D.Use AWS PrivateLink to connect to CloudWatch Logs and S3
AnswerA

Gateway endpoints for S3 and Interface endpoints for CloudWatch Logs provide private connectivity within the VPC, no internet required.

Why this answer

Option A is correct because VPC endpoints (Gateway for S3 and Interface for CloudWatch Logs) allow private connectivity to AWS services without internet access. Option B is wrong because a NAT gateway provides outbound internet access, which is not allowed. Option C is wrong because a public ALB would expose the application to the internet.

Option D is wrong because AWS PrivateLink is used for services in other accounts, not for CloudWatch Logs; the correct endpoint is Interface endpoint.

270
MCQhard

A company is migrating its on-premises data center to AWS. The company has over 200 applications, each with varying dependencies. The migration team wants to use AWS Migration Hub to track the migration progress. Which approach should the team take to ensure successful tracking and minimize manual effort?

A.Use Amazon CloudWatch dashboards to monitor the health of on-premises servers.
B.Use AWS Systems Manager to automate the migration of each application.
C.Use AWS Application Discovery Service to discover dependencies and then use AWS Migration Hub to track the migration of each application.
D.Manually create a spreadsheet of all applications and their dependencies, and update it weekly.
AnswerC

Application Discovery Service automates discovery, and Migration Hub provides a central tracking dashboard.

Why this answer

Option D is correct because using AWS Application Discovery Service to collect data about on-premises servers and their dependencies helps create a migration plan, and Migration Hub can then track progress across multiple tools. Option A is incorrect because manual tagging is error-prone and not automated. Option B is incorrect because CloudWatch is for monitoring, not tracking migration progress.

Option C is incorrect because Systems Manager is for management, not specifically for migration tracking.

271
MCQhard

A company runs a real-time analytics platform on Amazon Kinesis Data Streams with multiple consumers. The stream is provisioned with 10 shards. One consumer is falling behind, causing data latency. The consumer reads data using the Kinesis Client Library (KCL). Which action will improve the consumer's processing throughput?

A.Decrease the batch size in the KCL configuration.
B.Increase the number of shards in the Kinesis stream.
C.Increase the Kinesis stream's retention period to 7 days.
D.Increase the number of EC2 instances running the consumer application.
AnswerD

More workers allow parallel processing of shards.

Why this answer

Option B is correct because KCL distributes shard processing across workers; adding more workers allows parallel processing. Option A is wrong because it does not reduce per-shard load. Option C is wrong because it does not help shard distribution.

Option D is wrong because it may increase shard count but still requires more workers.

272
MCQmedium

A company is designing a cross-account backup strategy using AWS Backup. They have a central backup account that needs to manage backups for multiple member accounts. What is the minimal set of permissions required?

A.Create an IAM role in each member account that trusts the backup account and allows backup and restore actions.
B.Create a customer managed key in the backup account and share it with member accounts.
C.Grant the backup account full S3 access to member account buckets.
D.Enable AWS Config in member accounts to track backup compliance.
AnswerA

Cross-account role assumption is the standard pattern.

Why this answer

Option A is correct because AWS Backup requires cross-account role assumption and specific backup permissions. Option B is wrong because KMS permissions are needed only if using custom keys. Option C is wrong because S3 permissions are not required for backup.

Option D is wrong because Config permissions are not needed.

273
MCQmedium

A company is migrating a critical application to AWS. The application requires a relational database with high availability and automated failover. The company wants to use a fully managed database service. Which AWS service should the architect choose?

A.Amazon RDS Multi-AZ
B.Amazon ElastiCache
C.Amazon DynamoDB
D.Amazon RDS Single-AZ
AnswerA

RDS Multi-AZ provides high availability with automatic failover.

Why this answer

Amazon RDS Multi-AZ provides high availability with automated failover. Amazon Aurora is also fully managed and provides high availability, but the question asks for a relational database service; both RDS and Aurora are valid, but RDS Multi-AZ is a direct fit for the requirement. DynamoDB is NoSQL.

RDS Single-AZ does not provide failover. ElastiCache is for caching.

274
MCQmedium

A multinational company operates a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all Amazon S3 buckets are encrypted at rest using AWS KMS customer managed keys (CMKs) and that no bucket policies allow anonymous access. What is the MOST efficient way to achieve this across all accounts?

A.Create IAM roles in each account that deny non-encrypted S3 operations and attach to all users.
B.Create AWS Organizations service control policies (SCPs) that deny PutBucketPolicy with anonymous effects and PutObject without encryption.
C.Use S3 bucket policies with Deny statements for anonymous access and missing encryption.
D.Deploy AWS Config rules to detect unencrypted buckets and anonymous access, with auto-remediation using Lambda.
AnswerB

SCPs centrally enforce restrictions across all accounts, covering all users including root.

Why this answer

Option C is correct because SCPs can centrally deny actions across all accounts in an organization, enforcing encryption and blocking anonymous access without requiring changes to each account. Option A (IAM roles) requires per-account setup and cannot prevent root user actions. Option B (bucket policies) must be applied per bucket.

Option D (AWS Config rules) can detect violations but not prevent them proactively.

275
MCQeasy

A company uses Amazon RDS for MySQL with Multi-AZ. The operations team notices that during a failover, the application experiences errors for about 2 minutes. The application uses a JDBC connection pool. Which solution should the team implement to reduce the failover impact?

A.Use Amazon CloudWatch Events to trigger a Lambda function that restarts the application.
B.Use Amazon RDS Proxy to manage database connections.
C.Configure the JDBC connection string with a timeout and implement automatic retry logic.
D.Increase the TTL for the RDS DNS record to 60 seconds.
AnswerC

Retry logic allows the application to reconnect after failover.

Why this answer

Option C is correct because using a custom JDBC URL with a timeout and retry logic allows the application to reconnect after failover. Option A is wrong because RDS proxy does not eliminate the need for application retry logic. Option B is wrong because increasing the TTL does not affect the connection timeout.

Option D is wrong because a Lambda function does not directly improve failover recovery.

276
MCQeasy

A startup is building a serverless application using AWS Lambda. They need to securely store and retrieve database credentials without hardcoding them in the function code. Which AWS service should they use?

A.Amazon DynamoDB
B.AWS Secrets Manager
C.AWS Identity and Access Management (IAM)
D.AWS Systems Manager Parameter Store
AnswerB

Secrets Manager is the best choice for managing secrets with automatic rotation.

Why this answer

AWS Secrets Manager is designed to securely store secrets like database credentials and rotate them automatically. Lambda can retrieve them at runtime using the Secrets Manager API.

277
MCQmedium

A company is migrating a legacy application that uses a third-party identity provider (IdP) for authentication. The application currently uses SAML 2.0. The company wants to use AWS IAM Identity Center for centralized access management. What is the best approach to integrate the IdP with AWS?

A.Use AWS Directory Service for Microsoft Active Directory to synchronize with the IdP
B.Create IAM users for each employee and assign groups and permissions
C.Configure IAM Identity Center to use the existing IdP as the identity source via SAML 2.0 federation
D.Use Amazon Cognito user pools with the IdP as a SAML identity provider
AnswerC

IAM Identity Center supports SAML 2.0 federation with external IdPs.

Why this answer

Option A is correct because AWS IAM Identity Center supports SAML 2.0 federation with external IdPs. Option B is wrong because creating IAM users duplicates identities. Option C is wrong because Cognito is for customer-facing apps, not corporate SSO.

Option D is wrong because Directory Service is for Active Directory, not generic SAML.

278
MCQmedium

A company is designing a new serverless data processing pipeline. The pipeline uses AWS Lambda to process records from an Amazon Kinesis Data Stream. The company wants to ensure that failed records are automatically retried and sent to a dead-letter queue after three failed attempts. Which configuration should the company use?

A.Configure the Kinesis stream to send failed records to an SQS standard queue.
B.Configure an on-failure destination on the Kinesis event source mapping to send records to an SQS queue.
C.Configure the Lambda function's dead-letter queue property with an SQS queue.
D.Configure a Lambda destination on the function to send events to an SQS queue.
AnswerB

The event source mapping for Kinesis supports an on-failure destination for DLQ.

Why this answer

Option B is correct because Kinesis Data Streams as a Lambda event source supports on-failure destinations for DLQ. Option A is wrong because Lambda destinations are for async invocations, not streams. Option C is wrong because DLQ is not a property of Lambda function configuration.

Option D is wrong because SQS standard queue does not support retry settings like Lambda.

279
MCQhard

A large e-commerce company uses a multi-account AWS Organizations setup with a central logging account. The company has enabled AWS CloudTrail in all accounts and configured it to deliver logs to a centralized Amazon S3 bucket in the logging account. Recently, the security team noticed that some log files are missing for a period of 2 hours. The CloudTrail console shows that trails are still enabled and delivering to the bucket, but no new log files were created during that time. The team verified that there were API calls made during that period. Which action is most likely to resolve the issue and prevent recurrence?

A.Review the SCPs attached to the organization root; there might be a policy that denies CloudTrail actions.
B.Check the S3 bucket policy in the logging account to ensure it grants the required permissions to the CloudTrail service principal from all accounts.
C.Ensure that the KMS key used for encryption is accessible by the CloudTrail service.
D.Enable AWS Config to monitor CloudTrail delivery status and automatically restart the trail if logs are missing.
AnswerB

If the bucket policy inadvertently denies access, CloudTrail cannot write logs.

Why this answer

The most likely cause is that the S3 bucket policy in the central logging account does not grant the necessary permissions for CloudTrail from all accounts to write log files. Even though trails are enabled and appear to be delivering, a missing or misconfigured bucket policy can silently drop log deliveries when the CloudTrail service principal (cloudtrail.amazonaws.com) attempts to write objects. The security team verified API calls occurred, so the issue is at the delivery destination, not the trail configuration itself.

Exam trap

The trap here is that candidates assume missing logs are always due to trail misconfiguration or KMS issues, but the real cause is often a missing or overly restrictive S3 bucket policy that silently blocks CloudTrail writes without generating an obvious error in the CloudTrail console.

How to eliminate wrong answers

Option A is wrong because SCPs deny actions at the account level, but CloudTrail trails are still enabled and delivering; if an SCP denied CloudTrail actions, the trail would fail to start or stop logging entirely, not selectively miss logs for a 2-hour window. Option C is wrong because if the KMS key were inaccessible, CloudTrail would log a failure event and typically stop delivering all logs until the issue is resolved, not just miss a 2-hour period while continuing to deliver before and after. Option D is wrong because AWS Config can monitor delivery status but cannot automatically restart a trail; it only provides compliance checks and notifications, and the trail is already enabled and delivering—restarting it would not fix a missing bucket policy permission.

280
MCQeasy

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that no one can disable AWS CloudTrail or delete CloudTrail log files across any account. What is the most effective way to enforce this?

A.Use an SCP to require that CloudTrail is enabled.
B.Use IAM policies in each account to deny the same actions.
C.Use AWS Config rules to detect and remediate changes.
D.Attach an SCP to the root OU that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject actions for the CloudTrail S3 bucket.
AnswerD

SCPs can deny these sensitive actions across all accounts.

Why this answer

Option D is correct because Service Control Policies (SCPs) in AWS Organizations can be attached to the root organizational unit (OU) to centrally deny specific actions across all accounts, including the management account. By denying `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, and `s3:DeleteObject` on the CloudTrail S3 bucket, the security team ensures that no principal in any account can disable CloudTrail or delete log files, regardless of their IAM permissions. SCPs are the only mechanism that can enforce such guardrails across all accounts in an organization without requiring per-account configuration.

Exam trap

The trap here is that candidates often choose Option A (SCP to require CloudTrail) because they confuse 'requiring' a service with 'preventing its disablement,' but SCPs cannot enforce that a service is running—they can only deny API actions, making Option D the only effective preventive control.

How to eliminate wrong answers

Option A is wrong because an SCP that 'requires' CloudTrail to be enabled does not prevent disabling or deleting it after it is enabled; SCPs can only deny actions, not enforce a state or configuration. Option B is wrong because IAM policies in each account can be overridden by a user with sufficient privileges (e.g., an account admin) and do not provide a centralized, unchangeable guardrail across all accounts. Option C is wrong because AWS Config rules can detect and trigger remediation (e.g., via Lambda), but they are reactive and can be bypassed if the rule or remediation role is modified or if the change occurs faster than the remediation cycle; they do not prevent the action from happening in the first place.

281
Multi-Selectmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The application experiences a sudden spike in traffic. The operations team notices that the Auto Scaling group is not scaling out quickly enough. Which TWO actions should the team take to improve the scaling responsiveness?

Select 2 answers
A.Increase the instance size to handle more traffic per instance.
B.Switch from a step scaling policy to a target tracking scaling policy based on CPU utilization.
C.Increase the health check grace period for the Auto Scaling group.
D.Decrease the cooldown period for the Auto Scaling group.
E.Decrease the minimum number of instances in the Auto Scaling group.
AnswersB, D

Target tracking provides more responsive scaling than step scaling.

Why this answer

Options A and C are correct. A buffer-based scaling policy (target tracking) is more responsive than step scaling. Decreasing the cooldown period allows faster scaling out.

B is wrong because increasing instance size does not improve scaling responsiveness. D is wrong because decreasing minimum size could worsen performance. E is wrong because increasing cooldown slows down scaling.

282
MCQhard

A company uses Amazon API Gateway with a Lambda authorizer to control access to its APIs. Recently, some requests are returning 401 Unauthorized errors even though the tokens are valid. The Lambda authorizer logs show that the function is invoked and returns an IAM policy. What is the MOST likely cause?

A.The Lambda function is returning a malformed IAM policy.
B.The token has expired.
C.The Lambda authorizer is not being invoked due to throttling.
D.The authorizer result is cached, and a previous invalid token caused a deny policy to be cached.
AnswerD

Cached deny responses cause subsequent valid tokens to be rejected.

Why this answer

Option B is correct because API Gateway caches authorizer responses; if the cache is enabled and the token is cached with a deny, subsequent requests with the same token will fail. Option A is wrong because the authorizer is being invoked. Option C is wrong because token expiration would cause a different error.

Option D is wrong because the Lambda function returns a policy.

283
MCQeasy

A company is using Amazon ECS with Fargate launch type for a microservices application. The application experiences intermittent latency spikes. CloudWatch metrics show high CPU utilization but no obvious pattern. What should the company do to identify the cause?

A.Increase the CPU and memory for all ECS tasks.
B.Enable AWS X-Ray tracing on the ECS tasks to trace requests across microservices.
C.Set up CloudWatch Synthetics canaries to monitor the endpoints.
D.Use CloudWatch Logs Insights to analyze application logs for errors.
AnswerB

Identifies latency sources.

Why this answer

Option A is correct because AWS X-Ray provides distributed tracing to pinpoint performance bottlenecks. Option B is wrong because CloudWatch Logs Insights is for querying logs, not tracing. Option C is wrong because increasing task size is a reactive fix.

Option D is wrong because CloudWatch Synthetics monitors endpoints, not internal traces.

284
MCQmedium

A company is migrating a large-scale e-commerce platform from on-premises to AWS. The migration plan includes rehosting the application servers and replatforming the database to Amazon Aurora. The company needs to ensure minimal downtime during the cutover. Which strategy should the company use for the database migration?

A.Use AWS DMS with a full load and ongoing replication to keep the target synchronized
B.Use AWS DMS with a full load only, then cut over
C.Use an application-level dual-write to both databases during the cutover
D.Take a snapshot of the on-premises database and restore it to Amazon Aurora
AnswerA

Correct. Ongoing replication reduces downtime during cutover.

Why this answer

AWS Database Migration Service (DMS) with ongoing replication allows continuous data sync, enabling a cutover with minimal downtime. Using a snapshot backup requires downtime for restoration. AWS DMS with full load only does not keep the target up-to-date.

Using an application-level dual-write is complex and error-prone.

285
MCQhard

A company has an IAM policy attached to a user as shown in the exhibit. The user is trying to stop an EC2 instance in the us-west-2 region. What will happen?

A.The user cannot stop the instance because the condition checks the request region.
B.The user cannot stop the instance because the second statement denies all actions in regions other than us-east-1.
C.The user can stop the instance because the first statement allows it.
D.The user can stop the instance because the condition applies only to the Deny statement, but the Allow statement is unconditional.
AnswerB

The deny statement with condition StringNotEquals us-east-1 denies the action in us-west-2.

Why this answer

Option C is correct. The first statement allows DescribeInstances, StartInstances, StopInstances. The second statement denies all actions if the requested region is not us-east-1.

Since us-west-2 is not us-east-1, the deny applies, and the user cannot stop the instance. Option A is wrong because the deny overrides the allow. Option B is wrong because the user cannot stop the instance.

Option D is wrong because the action is explicitly denied.

286
MCQmedium

A company is designing a new microservices architecture on AWS. They need a solution for service discovery that allows services to register themselves and discover other services dynamically. The solution must be highly available and integrated with AWS-native services. Which AWS service should they use?

A.Amazon ECS Service Discovery
B.Application Load Balancer (ALB)
C.AWS Cloud Map
D.Amazon Route 53 private hosted zones
AnswerC

Cloud Map is a service discovery service that allows resources to register and discover each other, with health checks.

Why this answer

AWS Cloud Map is the correct choice because it is a fully managed service discovery service that allows microservices to register themselves dynamically and discover other services via DNS or HTTP API calls. It integrates natively with AWS services like Amazon ECS, Amazon EKS, and AWS Lambda, and provides high availability through automatic health checking and resource synchronization across AWS Regions.

Exam trap

The trap here is that candidates often confuse Amazon ECS Service Discovery (Option A) as a separate service, when it is actually a feature of AWS Cloud Map, leading them to overlook Cloud Map as the correct, standalone service for dynamic service discovery.

How to eliminate wrong answers

Option A is wrong because Amazon ECS Service Discovery is not a standalone service; it is a feature of AWS Cloud Map that is exposed through Amazon ECS, and it lacks the broader API-based discovery and health-check integration that Cloud Map provides. Option B is wrong because an Application Load Balancer (ALB) is a Layer 7 load balancer that distributes traffic to targets, not a service registry for dynamic service-to-service discovery; it does not support service registration or DNS-based discovery for internal microservices. Option D is wrong because Amazon Route 53 private hosted zones provide DNS resolution within a VPC but do not support dynamic service registration, health checking, or API-based discovery; they are a static DNS solution, not a service discovery registry.

287
MCQmedium

A company is migrating a critical application to AWS and needs to ensure business continuity. The application must be able to fail over to a different AWS Region with a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 1 minute. Which strategy should the company use?

A.Warm standby in another Region
B.Multi-Region active-active deployment with synchronous replication
C.Pilot light in another Region
D.Backup and restore to another Region
AnswerB

Provides low RTO and RPO.

Why this answer

Option B is correct because an active-active multi-Region architecture with data replication can achieve RPO of 1 minute and RTO of 15 minutes. Option A (backup restore) has higher RTO/RPO. Option C (pilot light) has longer RTO.

Option D (warm standby) may have longer RTO.

288
MCQmedium

A company is migrating a legacy on-premises .NET application to AWS. The application uses Windows Authentication and relies on Active Directory. The company wants to minimize code changes. Which solution should the architect recommend?

A.Use AWS Systems Manager to store credentials and inject them at runtime.
B.Migrate the application to Amazon WorkDocs and configure single sign-on.
C.Use Amazon Cognito user pools for authentication.
D.Deploy the application on Amazon EC2 instances joined to an AWS Managed Microsoft AD directory.
AnswerD

EC2 instances joined to Managed AD can use Windows Authentication with minimal changes.

Why this answer

Option B is correct because it allows the application to use Windows Authentication with minimal code changes by joining EC2 instances to a Managed AD domain. Option A is wrong because Cognito is for external user pools, not Windows Auth. Option C is wrong because WorkDocs is for document sharing.

Option D is wrong because SSM does not provide AD authentication.

289
MCQeasy

A company wants to store application logs in a centralized location for analysis. The logs are generated by EC2 instances in an Auto Scaling group. The solution must be cost-effective and support real-time analysis. Which service should be used to collect and analyze the logs?

A.Amazon S3
B.Amazon Kinesis Data Firehose
C.Amazon Elasticsearch Service
D.Amazon CloudWatch Logs
AnswerD

CloudWatch Logs provides real-time log collection and analysis.

Why this answer

Amazon CloudWatch Logs is the correct choice because it natively integrates with EC2 instances via the CloudWatch Logs agent to collect, monitor, and analyze log data in real time. It provides a centralized log storage with built-in metric filters and subscription filters for real-time analysis, making it cost-effective for logs generated by Auto Scaling groups without requiring additional infrastructure.

Exam trap

The trap here is that candidates often confuse 'real-time analysis' with needing a dedicated analytics service like Amazon Elasticsearch Service, overlooking that CloudWatch Logs provides built-in real-time monitoring and filtering capabilities without additional cost or complexity.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service that does not support real-time analysis; it is typically used for archival or batch processing, not for streaming log collection and live querying. Option B is wrong because Amazon Kinesis Data Firehose is a streaming data delivery service that requires additional downstream services (like Amazon Elasticsearch Service or S3) for analysis and storage, adding complexity and cost for a simple log collection use case. Option C is wrong because Amazon Elasticsearch Service (now Amazon OpenSearch Service) is a search and analytics engine that can ingest logs but requires separate log collection agents and additional configuration for real-time analysis, making it less cost-effective and more complex than CloudWatch Logs for this scenario.

290
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer. The application stores session state in an Amazon ElastiCache Redis cluster. During a traffic spike, the Redis cluster's CPU utilization reaches 90%, causing increased latency. The company wants to reduce the load on Redis without changing the application code. Which solution should the company implement?

A.Enable cluster mode on the ElastiCache Redis cluster to distribute data across multiple shards.
B.Use Amazon ElastiCache Global Datastore to distribute traffic across regions.
C.Add read replicas to the Redis cluster to offload read traffic.
D.Upgrade to a larger Redis node type with more vCPUs.
AnswerA

Cluster mode partitions data across shards, reducing CPU utilization per shard.

Why this answer

Option A is correct because enabling ElastiCache for Redis cluster mode allows data to be distributed across multiple shards, reducing CPU load per node. Option B is wrong because read replicas are for read-heavy workloads, not for reducing CPU load on the primary. Option C is wrong because a larger node type may help but is less cost-effective than sharding.

Option D is wrong because ElastiCache does not support Lambda extensions.

291
MCQmedium

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all new member accounts automatically have a specific AWS Config rule enabled. Which solution should be used?

A.Use AWS CloudFormation StackSets in each account.
B.Create an AWS Lambda function in the management account to enable Config rules.
C.Use an SCP to require Config recording.
D.Deploy an AWS Config conformance pack across accounts using AWS Organizations.
AnswerD

Conformance packs can be deployed to all accounts and regions via a single API call.

Why this answer

AWS Config conformance packs are collections of AWS Config rules and remediation actions that can be deployed across multiple accounts and Regions using AWS Organizations. By deploying a conformance pack from the management account, you ensure that all existing and new member accounts automatically inherit the specified Config rules, as the conformance pack is applied at the organization level and propagates to new accounts as they are created.

Exam trap

The trap here is that candidates often confuse SCPs with direct resource configuration, thinking they can enforce Config rules via permission boundaries, but SCPs only control API calls and cannot enable services or rules themselves.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets require manual setup or automation to target new accounts; they do not automatically apply to new member accounts unless you update the stack set instances or use automatic deployment, which is not a native feature of StackSets alone. Option B is wrong because creating an AWS Lambda function in the management account to enable Config rules would require custom code to detect new accounts and apply rules, and it does not leverage AWS Organizations' native integration for automatic propagation. Option C is wrong because Service Control Policies (SCPs) are used to restrict permissions and cannot directly enable AWS Config rules or recording; they only control what actions are allowed or denied.

292
Multi-Selecteasy

A company is designing a new application that will run on Amazon EC2 instances. The application writes logs to local disk, and the logs must be aggregated centrally for analysis. The company wants a solution that requires minimal configuration and can handle high log volume. Which TWO AWS services should the company use?

Select 2 answers
A.Amazon S3
B.AWS Lambda
C.Amazon Kinesis Data Firehose
D.Amazon CloudWatch Logs
E.Amazon CloudWatch Logs Insights
AnswersD, E

CloudWatch Logs can collect logs from EC2 instances using the CloudWatch agent.

Why this answer

Option A is correct because CloudWatch Logs can collect logs from EC2 instances via the CloudWatch agent. Option C is correct because CloudWatch Logs Insights allows querying and analyzing logs. Option B is wrong because S3 is for log storage, not analysis.

Option D is wrong because Kinesis Data Firehose is for streaming data, not for EC2 log collection. Option E is wrong because Lambda is not used for log analysis.

293
MCQmedium

A company is migrating a large .NET application to AWS. The application uses Windows authentication and integrates with Active Directory. The company wants to minimize operational overhead for the directory service. The on-premises Active Directory is already synchronized to AWS using AWS Directory Service for Microsoft Active Directory. During migration, the application fails to authenticate users. The security team confirms that the on-premises AD and AWS Managed AD are in sync. The application is running on EC2 instances that are joined to the AWS Managed AD domain. The application logs show authentication errors. What is the most likely cause of the authentication failure?

A.The application requires NTLM authentication, which is disabled by default.
B.The security group does not allow traffic on port 389 (LDAP).
C.The EC2 instances cannot resolve the domain controller DNS name.
D.The application is using a service account that is not in the AWS Managed AD.
AnswerD

Common cause: service account not migrated or created.

Why this answer

When using AWS Managed AD, the EC2 instances need to be joined to the domain. However, the application's service account or configuration must be properly set up. The most common issue is that the application is using the wrong domain credentials or the service account does not have the necessary permissions.

Option A is wrong because if instances are domain-joined, they can resolve DNS. Option B is wrong because the firewall rules are for network access, not authentication. Option D is wrong because NTLM is enabled by default.

294
Multi-Selecthard

A company uses AWS Organizations to manage multiple accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted at rest. Currently, some buckets are not encrypted. Which THREE steps should the team take to enforce encryption? (Select THREE.)

Select 3 answers
A.Apply an S3 bucket policy on each bucket that denies PutObject without encryption.
B.Create an SCP that denies PutBucketAcl or PutBucketPolicy actions if the bucket does not have encryption enabled.
C.Use AWS CloudTrail to monitor S3 API calls and alert on unencrypted bucket creation.
D.Enable AWS Config managed rule s3-bucket-server-side-encryption-enabled to detect non-compliant buckets.
E.Enable default encryption on all S3 buckets using the AWS S3 console or API.
AnswersB, D, E

SCPs can restrict actions that create unencrypted buckets.

Why this answer

Option A is correct because a service control policy can prevent creating unencrypted buckets. Option C is correct because AWS Config rules can detect non-compliant buckets. Option D is correct because S3 default encryption ensures new objects are encrypted.

Option B is wrong because S3 bucket policies enforce encryption at upload time, not after creation. Option E is wrong because CloudTrail logs events but does not enforce encryption.

295
MCQeasy

A company runs a containerized microservices application on Amazon ECS with Fargate launch type. The application consists of a frontend service and a backend service. The backend service is CPU-intensive and experiences high load during business hours. The operations team observes that the frontend service sometimes returns 503 errors during peak load. The team has already configured an ECS service auto scaling policy for the backend service based on average CPU utilization with a target value of 70%. The backend service is currently running 4 tasks, and the frontend is running 2 tasks. The errors seem to correlate with the backend scaling up. Which solution should the team implement to improve the application's performance and reduce errors?

A.Update the backend service auto scaling policy to use a combination of CPU and memory utilization metrics with a step scaling policy, and increase the cooldown period to allow tasks to stabilize before additional scaling actions.
B.Reduce the target CPU utilization for the backend auto scaling policy from 70% to 50% to trigger scaling earlier and keep CPU lower.
C.Change the backend service from Fargate to EC2 launch type and use larger instance types to provide more CPU capacity.
D.Increase the desired count of the frontend service to 4 tasks to handle more requests and reduce the load on the backend service.
AnswerA

Multiple metrics and step scaling with proper cooldown prevent premature scaling and handle spikes better.

Why this answer

Option A is correct because the 503 errors during backend scale-up are likely caused by the backend tasks not being fully ready to handle traffic immediately after launch. By using a combination of CPU and memory utilization metrics with a step scaling policy, the team can make scaling decisions more responsive to actual load patterns. Increasing the cooldown period prevents additional scaling actions from being triggered prematurely, giving new tasks time to stabilize and reducing the window where the backend is overwhelmed, which in turn reduces frontend timeouts.

Exam trap

The trap here is that candidates often assume the solution is to scale earlier (Option B) or add more frontend capacity (Option D), when the real issue is the instability during the scaling event itself, which is addressed by stabilizing the scaling process with step policies and cooldowns.

How to eliminate wrong answers

Option B is wrong because simply reducing the target CPU utilization to 50% would cause the backend to scale up even more aggressively, potentially increasing the frequency of 503 errors during the scaling event itself, without addressing the root cause of instability during scale-up. Option C is wrong because switching to EC2 launch type and larger instances does not solve the transient overload during scaling; it only changes the underlying compute platform, and the same scaling instability would persist. Option D is wrong because increasing the frontend desired count does not reduce the load on the backend; it would only distribute incoming requests across more frontend tasks, but the backend would still be the bottleneck and could continue to return errors when it cannot keep up.

296
MCQmedium

A company has multiple AWS accounts managed under AWS Organizations. The security team wants to enforce that all new S3 buckets created in any account are automatically tagged with the cost center and environment (e.g., dev, prod). Which solution should the team implement?

A.Use AWS CloudFormation StackSets to deploy a bucket template with tags.
B.Use IAM policies in each account to require tags on bucket creation.
C.Use a Service Control Policy (SCP) in AWS Organizations that denies s3:CreateBucket if the request does not include the required tags.
D.Use AWS Config rules to automatically tag buckets after creation.
AnswerC

SCPs prevent the action at the account level.

Why this answer

Option C is correct because a Service Control Policy (SCP) in AWS Organizations can centrally deny the s3:CreateBucket action if the request does not include the required tags (cost center and environment). SCPs apply to all accounts in the organization, enforcing the tagging requirement at the API level before the bucket is created, which is the most effective preventive control.

Exam trap

The trap here is that candidates often choose a reactive solution like AWS Config (Option D) because it can tag buckets, but they miss that the question requires enforcement at creation time, which only a preventive control like an SCP can achieve.

How to eliminate wrong answers

Option A is wrong because CloudFormation StackSets can deploy a bucket template with tags, but they do not enforce tagging on buckets created outside of that template (e.g., via the console, CLI, or SDK). Option B is wrong because IAM policies in each account can require tags, but they are not centrally managed and can be overridden by account administrators; also, IAM policies cannot enforce tags on the s3:CreateBucket action because the condition key for tags (aws:RequestTag) is not evaluated for all services in the same way. Option D is wrong because AWS Config rules can detect and tag buckets after creation (reactive), but they do not prevent untagged buckets from being created, which violates the security team's requirement to enforce tagging automatically at creation time.

297
MCQmedium

A migration engineer is using AWS Application Migration Service (MGN) to migrate a Windows server from on-premises. The engineer runs the command above and sees the source server is in the "READY_FOR_TEST" state. What should the engineer do next?

A.Launch a test instance to validate the migration
B.Perform the cutover to the AWS environment
C.Modify the source server's recommended instance type to a smaller size
D.Resume data replication from the source server
AnswerA

Correct. Testing is the standard next step after initial replication.

Why this answer

The READY_FOR_TEST state indicates the initial replication is complete and a test instance can be launched. The next step is to launch a test instance to validate the migration. Cutting over immediately without testing is risky.

Resuming data replication is for troubleshooting. Checking the recommended instance type is optional but not the next required step.

298
MCQmedium

A company is designing a new application on AWS that requires a relational database with read replicas across multiple AWS Regions. The database must have automated failover and a recovery point objective (RPO) of less than 5 seconds. Which database solution should the company choose?

A.Amazon Aurora Global Database
B.Amazon RDS for MySQL with Multi-AZ and cross-Region read replicas
C.Amazon RDS for PostgreSQL with cross-Region read replicas and Multi-AZ
D.Amazon DynamoDB Global Tables
AnswerA

Aurora Global Database provides RPO of 1 second and automated failover across Regions.

Why this answer

Amazon Aurora Global Database is the correct choice because it is designed for cross-Region replication with a typical RPO of less than 1 second and automated failover from the primary Region to a secondary Region in under 1 minute. This meets the requirement for a relational database with read replicas across multiple Regions and an RPO of less than 5 seconds, as Aurora Global Database uses a dedicated, fast replication channel that minimizes lag.

Exam trap

The trap here is that candidates often confuse Multi-AZ failover (which is Region-bound) with cross-Region failover, or they assume that RDS cross-Region read replicas can achieve the same low RPO as Aurora Global Database, but RDS cross-Region replication is asynchronous and cannot guarantee sub-5-second RPO.

How to eliminate wrong answers

Option B is wrong because Amazon RDS for MySQL with Multi-AZ and cross-Region read replicas uses asynchronous replication for cross-Region replicas, which can introduce replication lag exceeding 5 seconds, and Multi-AZ only provides automated failover within a single Region, not across Regions. Option C is wrong because Amazon RDS for PostgreSQL with cross-Region read replicas and Multi-AZ also relies on asynchronous replication for cross-Region copies, which cannot guarantee an RPO of less than 5 seconds, and Multi-AZ failover is limited to the same Region. Option D is wrong because Amazon DynamoDB Global Tables is a NoSQL database, not a relational database, and the question explicitly requires a relational database solution.

299
MCQmedium

A company is using AWS CodePipeline to automate deployments of a web application. The deployment to an Amazon ECS cluster often fails during the 'Deploy' stage due to insufficient capacity in the target group. The operations team wants to improve the pipeline to automatically handle such failures without manual intervention. Which solution is MOST operationally efficient?

A.Use Amazon CloudWatch Alarms to trigger an AWS Lambda function that restarts the pipeline.
B.Modify the CodeBuild project to run integration tests after deployment.
C.Add a manual approval step before the deploy stage to verify capacity.
D.Configure the ECS service to automatically scale down the desired count on deployment failure.
E.Add a retry action in the CodePipeline stage for the ECS deployment.
AnswerE

Correct because CodePipeline supports retry actions that automatically retry the stage on failure, reducing operational overhead.

Why this answer

Option C is correct because configuring CodePipeline with a manual approval action that retries on failure would require manual intervention, which is not operationally efficient. Option A is correct because adding a retry action in the pipeline stage automatically retries the deployment on failure. Option B is wrong because scaling down the ECS service would reduce capacity, making the problem worse.

Option D is wrong because modifying the CodeBuild project to run smoke tests does not address capacity failures. Option E is wrong because using CloudWatch Alarms to trigger a Lambda function adds complexity and latency compared to a built-in retry mechanism.

300
MCQmedium

An ALB is configured with a target group for HTTP:80. The health check returns a 302 redirect. What is the most likely cause of the unhealthy instances?

A.The application is returning a 500 Internal Server Error.
B.The application is taking too long to respond.
C.The security group is blocking health check traffic.
D.The application is redirecting health checks to another URL.
AnswerD

A 302 redirect suggests the application is redirecting the health check request.

Why this answer

Option C is correct because a 302 redirect indicates the application is redirecting health checks, which is not expected. Option A is wrong because 302 is not a timeout. Option B is wrong because 302 is not a 4xx error.

Option D is wrong because 302 is a redirect, not a 5xx.

Page 3

Page 4 of 24

Page 5