AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 301-375

1746 questions total · 24 pages · All types, answers revealed

Page 5 of 24
301
MCQ · easy

A retail company is migrating its on-premises e-commerce application to AWS. The application currently runs on a single server with a MySQL database. The company wants to minimize operational overhead and improve scalability. Which migration strategy should be used?

A. Re-platform the application to use AWS Elastic Beanstalk and Amazon RDS.
B. Repurchase a new SaaS-based e-commerce solution.
C. Refactor the application as microservices on Amazon ECS with Amazon Aurora Serverless.
D. Rehost the application on Amazon EC2 and use Amazon RDS for MySQL.
Answer: D

Rehosting is quick and reduces operational overhead via RDS.

Why this answer

Option D is correct because lift-and-shift (rehosting) is the fastest way to migrate with minimal changes, reducing operational overhead. Option C is wrong because refactoring takes more time. Option A is wrong because re-platforming still requires modifications.

Option B is wrong because repurchasing would involve changing the application.

302
MCQ · hard

Refer to the exhibit. A solutions architect has attached this IAM policy to an IAM role used by an application. The application is trying to upload an object to the S3 bucket example-bucket with server-side encryption using AWS KMS (SSE-KMS). What will happen?

A. The upload succeeds because the policy allows s3:PutObject for the bucket.
B. The upload fails because the policy requires SSE-S3.
C. The upload fails because the bucket policy does not allow SSE-KMS.
D. The upload succeeds because the condition only applies to encryption at rest.
Answer: B

The condition StringEquals on s3:x-amz-server-side-encryption must be AES256, but the request uses SSE-KMS.

Why this answer

Option B is correct. The policy only allows s3:PutObject when the encryption header is AES256 (SSE-S3). Since the application uses SSE-KMS, the condition is not met, and the request is denied.

Option A is incorrect because the condition explicitly requires AES256. Option C is incorrect because no bucket policy is mentioned, and the IAM policy alone can deny the request. Option D is incorrect because the policy denies the action due to the unmet condition.

303
MCQ · hard

A company runs a stateful application on Amazon EC2 instances in an Auto Scaling group. The application stores data on an Amazon EBS volume attached to each instance. The company wants to implement a patching strategy that minimizes downtime and preserves data. What should a solutions architect do?

A. Use a rolling update with a new Auto Scaling group and delete old instances.
B. Create a new launch template with a patched AMI, then perform a rolling update that detaches and reattaches the existing EBS volumes.
C. Terminate all instances and launch new ones with a patched AMI.
D. Use Systems Manager Patch Manager to apply patches to running instances.
Answer: B

This replaces instances while preserving data by reattaching volumes, minimizing downtime.

Why this answer

Option B is correct because replacing instances with a new launch template and attaching the existing EBS volumes preserves data. Option A is wrong because it causes downtime. Option D is wrong because it does not preserve state.

Option C is wrong because it does not preserve data.

304
MCQ · medium

A company is migrating a monolithic e-commerce application to AWS. The application currently runs on a single on-premises server running Windows Server and SQL Server. The company wants to minimize re-architecting effort and time to migrate. Which migration strategy should the company use?

A. Retire the application and replace it with a SaaS solution
B. Refactor the application to use microservices on Amazon ECS
C. Rehost the application on Amazon EC2 Windows instances with SQL Server
D. Replatform the application to use Amazon RDS for SQL Server
Answer: C

Rehosting moves the application as-is, minimizing effort and time.

Why this answer

Option C is correct: Rehost (lift-and-shift) moves the application as-is to AWS, minimizing changes and time. Option B (Refactor) requires significant re-architecting. Option D (Replatform) involves some optimization but still requires changes.

Option A (Retire) is not applicable because the application is still needed.

305
MCQ · easy

A company is migrating an e-commerce website to AWS. The website has a MySQL database. The company wants to automate the migration of the database schema and data. Which AWS service should they use?

A. AWS Glue
B. AWS Database Migration Service (DMS)
C. AWS Data Pipeline
D. AWS Schema Conversion Tool (SCT)
Answer: B

Migrates data and can use SCT for schema conversion.

Why this answer

Option B (AWS Database Migration Service) is correct because it automates data migration and can convert the schema using SCT. Option D (SCT) converts only the schema. Option C (Data Pipeline) is for data processing.

Option A (Glue) is for ETL.

306
MCQ · easy

A company uses AWS Organizations and wants to allow a development account to assume a role in the production account for deployment purposes. Which component is necessary for this cross-account access?

A. A VPC peering connection between the accounts
B. An IAM role in the production account with a trust policy allowing the development account
C. A service control policy (SCP) that permits AssumeRole
D. An AWS Config rule to validate the role
Answer: B

Trust policies enable cross-account role assumption.

Why this answer

Cross-account IAM access requires a role in the target (production) account with a trust policy that explicitly lists the source (development) account as a trusted principal. The development account then uses the STS AssumeRole API to obtain temporary credentials for that role. Without this trust policy, the role cannot be assumed from another account.

Exam trap

The trap here is confusing network connectivity (VPC peering) with IAM authorization, or assuming that an SCP alone can enable cross-account access when SCPs only act as a permission guardrail within an organization.

How to eliminate wrong answers

Option A is wrong because VPC peering connects networks at Layer 3 and does not provide any IAM-based authentication or authorization for cross-account role assumption. Option C is wrong because SCPs can only deny or allow permissions for principals within the same organization; they cannot grant cross-account access or replace the need for a trust policy on the target role. Option D is wrong because AWS Config rules evaluate resource compliance after the fact and do not enable or control the ability to assume a role across accounts.

307
MCQ · medium

A company is using the 7 Rs strategy to migrate a monolithic application to AWS. They want to move the application to the cloud without modifying the code but plan to later refactor parts of it. Which migration strategy should they choose initially?

A. Relocate
B. Refactor
C. Replatform
D. Rehost
Answer: D

Rehost moves the application without code changes, allowing future refactoring.

Why this answer

Option D is correct because Rehost (lift-and-shift) moves the application as-is without code changes. Option C is wrong because Replatform involves minor optimizations. Option B is wrong because Refactor involves code changes.

Option A is wrong because Relocate moves workloads only at the server level.

308
MCQ · medium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and the company has a 1 Gbps AWS Direct Connect connection. They need to minimize downtime. Which approach should the solutions architect recommend?

A. Export the database using Oracle Data Pump and import into RDS
B. Use AWS Snowball Edge to transfer the database files and then restore to RDS
C. Use AWS Schema Conversion Tool to convert the schema and AWS DMS for data migration without CDC
D. Use AWS DMS with full load followed by ongoing replication using change data capture (CDC)
Answer: D

Correct: DMS with CDC minimizes downtime by replicating changes continuously.

Why this answer

AWS Database Migration Service (DMS) with change data capture (CDC) allows continuous replication and minimal downtime. Export/import would cause downtime. AWS Schema Conversion Tool (SCT) is for schema conversion, not data migration.

Snowball is for offline data transfer and would delay the process.

309
MCQ · hard

A company is migrating a 5 TB Microsoft SQL Server database to Amazon RDS for SQL Server. The migration must have minimal downtime. The team uses AWS DMS with ongoing replication. During the full load, the task fails with an error indicating that the source server's transaction log is full. What should the team do to resolve this issue?

A. Stop the DMS task, take a native backup of the source, restore it to RDS, and then start DMS with ongoing replication.
B. Increase the source server's transaction log size and set the log retention to a higher value.
C. Pause the DMS task, create a larger source instance, and restart the task.
D. Switch the DMS task to use batch-optimized apply mode.
Answer: B

This gives DMS more time to capture changes without filling the log.

Why this answer

Option B is correct because the error indicates the source transaction log is full during the full load phase of AWS DMS. Increasing the transaction log size and setting a higher log retention value prevents the log from filling up while DMS reads it for ongoing replication. This allows the full load to complete without interruption, addressing the root cause directly.

Exam trap

The trap here is that candidates may confuse the transaction log full error with a performance issue, leading them to choose options like resizing the instance or changing apply mode, rather than addressing the log space directly.

How to eliminate wrong answers

Option A is wrong because taking a native backup and restoring to RDS bypasses DMS's ongoing replication setup, requiring manual configuration and potentially causing data loss or inconsistency; it also does not resolve the transaction log issue on the source. Option C is wrong because pausing the task and resizing the source instance does not address the transaction log being full; it only changes compute resources, not log management. Option D is wrong because batch-optimized apply mode affects how DMS applies changes to the target, not how it reads the source transaction log; it does not prevent the log from filling up.

310
Multi-Select · medium

A company is running a web application on EC2 instances in an Auto Scaling group behind an ALB. The application uses an Amazon RDS for MySQL database. Recently, the application has become slow, and the operations team identifies that the database is the bottleneck due to a high number of read queries. Which TWO actions should a solutions architect take to improve read performance? (Choose two.)

Select 2 answers
A. Enable Multi-AZ for the RDS instance.
B. Implement DynamoDB Accelerator (DAX) in front of the database.
C. Scale up the RDS instance to a larger instance type.
D. Add an Amazon RDS Read Replica in the same AWS Region.
E. Implement an Amazon ElastiCache for Redis cluster to cache frequent queries.
Answers: D, E

Read Replicas can handle read queries, reducing load on the primary.

Why this answer

Option D is correct because adding an Amazon RDS Read Replica offloads read traffic from the primary MySQL database, allowing read queries to be served by the replica and reducing load on the source instance. This directly addresses the high number of read queries causing the bottleneck, as read replicas are designed for read-heavy workloads and can be promoted to a standalone instance if needed.

Exam trap

The trap here is that candidates often confuse Multi-AZ with read replicas, assuming the standby instance can serve reads, when in fact Multi-AZ only provides failover and the standby is not accessible for read operations.

311
MCQ · medium

A company is designing a disaster recovery solution for a web application hosted on AWS. The primary site is in us-east-1 and the DR site is in us-west-2. The application uses an Amazon RDS for MySQL database. They need to recover the database with a Recovery Point Objective (RPO) of 5 seconds and a Recovery Time Objective (RTO) of 1 hour. Which solution meets these requirements?

A. Use RDS Multi-AZ in us-east-1 and failover to DR site.
B. Use AWS DMS with ongoing replication to an RDS instance in us-west-2.
C. Use RDS Cross-Region Read Replica and promote it.
D. Use Amazon Aurora Global Database.
Answer: D

Aurora Global Database provides cross-region replication with low RPO and fast failover.

Why this answer

Option D is correct because Aurora Global Database provides replication with an RPO of 1 second and failover in minutes. Option A is incorrect because RDS Multi-AZ is for high availability within a Region, not cross-Region DR. Option C is incorrect because an RDS Cross-Region Read Replica has an RPO of seconds but failover is manual.

Option B is incorrect because DMS with ongoing replication has a higher RTO.

312
MCQ · easy

A company runs a static website on Amazon S3 with a custom domain using Amazon Route 53. The website content is updated frequently by multiple developers. The company wants to implement a workflow where updates are automatically tested and deployed. They have existing CI/CD tools that integrate with AWS CodeCommit. The Solutions Architect needs to design a deployment pipeline that rebuilds the website only when changes are pushed to the main branch, and then invalidates the Amazon CloudFront cache if a CloudFront distribution is used. Which solution meets these requirements with the least operational overhead?

A. Use AWS CloudFormation with a custom resource that triggers a build on CodeCommit push.
B. Configure an S3 event notification to invoke an AWS Lambda function that builds and deploys the website.
C. Use AWS CodePipeline with a source stage tied to CodeCommit, a build stage using AWS CodeBuild, and a deploy stage that syncs the S3 bucket and invalidates CloudFront.
D. Use AWS Lambda@Edge to generate the website on the fly and cache at CloudFront.
Answer: C

Fully managed CI/CD pipeline.

Why this answer

Option C is correct because AWS CodePipeline integrated with CodeBuild and CodeCommit provides a fully managed CI/CD service. Option D is wrong because Lambda@Edge is for edge computing, not deployment. Option B is wrong because S3 triggers are for event notifications, not full CI/CD.

Option A is wrong because CloudFormation is for infrastructure, not a deployment pipeline.

313
MCQ · hard

A company is migrating a legacy monolithic application to AWS. The application has tightly coupled components and high latency between them. The company wants to modernize the application into a microservices architecture. Which migration strategy should the company use?

A. Repurchase
B. Rehost
C. Refactor / Re-architect
D. Replatform
Answer: C

This strategy changes the application architecture to microservices.

Why this answer

Option C is correct because the refactor/re-architect strategy involves re-architecting the application into microservices. Option B is wrong because rehost (lift-and-shift) does not modernize. Option D is wrong because replatform (lift-tinker-and-shift) makes minor optimizations but does not change the architecture.

Option A is wrong because repurchase involves buying a new product, not re-architecting.

314
MCQ · hard

A financial services company is designing a multi-tier application that must achieve a Recovery Time Objective (RTO) of 1 hour and a Recovery Point Objective (RPO) of 15 minutes for a database tier. The application uses Amazon RDS for MySQL with Multi-AZ deployment. Which disaster recovery strategy meets these requirements at the LOWEST cost?

A. Deploy the RDS instance in Multi-AZ configuration and take frequent snapshots to another Region.
B. Use AWS Database Migration Service (DMS) for continuous replication to an RDS instance in another Region.
C. Use Amazon Aurora Global Database, which provides global replication with typical RPO of 1 second.
D. Create a cross-Region read replica of the RDS MySQL instance in another Region. In a disaster, promote the read replica to a standalone instance.
Answer: D

Cross-Region read replicas provide asynchronous replication with low RPO, and promotion takes minutes, meeting RTO at lower cost than other solutions.

Why this answer

Option D is correct because RDS Cross-Region Read Replicas provide asynchronous replication with RPO in seconds, and can be promoted to master in minutes, meeting RTO. Option A is wrong because Multi-AZ only protects against AZ failure, not Region failure. Option B is wrong because a manual snapshot and restore would take longer than 1 hour RTO.

Option C is wrong because Aurora Global Database is more expensive than RDS read replicas.

315
MCQ · medium

A solutions architect is troubleshooting an EC2 instance that is not sending metrics to CloudWatch. The instance is running and has internet connectivity. Based on the exhibit, what is the MOST likely reason?

A. The instance does not have an IAM role that allows sending metrics to CloudWatch.
B. The instance's security group is blocking outbound traffic to CloudWatch endpoints.
C. The instance is in the wrong AWS region for CloudWatch.
D. The CloudWatch agent is not installed or running on the instance.
Answer: D

The monitoring state is 'disabled', indicating detailed monitoring is off, but even with basic monitoring, the CloudWatch agent is needed for system-level metrics.

Why this answer

The exhibit shows that monitoring is disabled. Detailed monitoring is required for EC2 metrics at 1-minute frequency, but basic monitoring (5-minute) is enabled by default. However, if the CloudWatch agent is not installed, custom metrics won't be sent.

The most likely reason is that the CloudWatch agent is not installed or configured. Option A (no IAM role) is possible but not shown. Option B (security group) is not shown.

Option C (wrong Region) is unlikely.

316
MCQ · medium

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

A. The condition uses 'BoolIfExists' instead of 'Bool' which causes the policy to fail when the key is present.
B. The role requires MFA, but the user's MFA device is not configured correctly.
C. The user is not passing the MFA serial number and token code in the assume-role API call.
D. The principal is set to the root account, which does not allow IAM users to assume the role.
Answer: C

Even if MFA is enabled, the user must provide serial number and token code in the STS AssumeRole call.

Why this answer

Option C is correct because the IAM role trust policy includes a condition that checks for the presence of both `aws:MultiFactorAuthPresent` and `aws:MultiFactorAuthAge`. Even though the user has MFA enabled and is passing the MFA token, the `aws:MultiFactorAuthSerialNumber` and `aws:MultiFactorAuthTokenCode` parameters must be explicitly included in the `sts:AssumeRole` API call. Without these, the condition evaluates to false, resulting in an 'AccessDenied' error.

Exam trap

The trap here is that candidates often assume that simply having MFA enabled and passing the token in the session is sufficient, but the `sts:AssumeRole` API call requires the MFA serial number and token code to be explicitly provided as parameters, which is a common oversight in programmatic role assumption scenarios.

How to eliminate wrong answers

Option A is wrong because `BoolIfExists` is a valid condition operator that returns true if the key exists and matches the value, or if the key is absent (missing). In this case, the condition uses `BoolIfExists` correctly to allow the role to be assumed when MFA is present; the failure is not due to the operator choice. Option B is wrong because the user has MFA enabled and is passing the MFA token, so the MFA device is configured correctly; the issue is that the MFA serial number and token code are not being passed in the API call.

Option D is wrong because setting the principal to the root account (the account ID) allows any IAM user in that account to assume the role, provided they meet the conditions; the root principal does not inherently block IAM users.

317
MCQ · medium

A Solutions Architect runs the above command for an EC2 instance that is part of an Auto Scaling group. The instance is in a private subnet and should only receive traffic from an Application Load Balancer. However, the instance is accessible from the internet. Based on the output, what is the most likely reason?

A. The subnet's route table has a route to an internet gateway.
B. The instance has an Elastic IP address attached.
C. The instance has a public IP address assigned.
D. The security group attached to the instance allows inbound traffic from 0.0.0.0/0.
Answer: D

The security group 'sg-web-app' might have an inbound rule allowing all traffic, making the instance accessible even in a private subnet if there is a NAT gateway or if the instance has a public IP.

Why this answer

Option D is correct. The output shows the instance has a security group 'sg-web-app' attached to its network interface. If that security group allows inbound traffic from 0.0.0.0/0, the instance would be accessible from the internet.

The subnet being private does not matter if a security group allows public access. Option C is wrong because the instance is in a private subnet, so it should not have a public IP. Option A is wrong because the output does not show a route table.

Option B is wrong because the instance does not have a public IP attached; it's in a private subnet.

318
MCQ · easy

A company has an S3 bucket that stores sensitive data. The company wants to ensure that all objects uploaded to the bucket are encrypted at rest. Which solution should the solutions architect recommend?

A. Use a bucket policy to deny uploads that do not include the x-amz-server-side-encryption header.
B. Create an AWS Lambda function that encrypts objects after they are uploaded.
C. Configure an S3 Access Point with a policy that requires encryption.
D. Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
Answer: D

Default encryption automatically encrypts all objects at rest.

Why this answer

Option D is correct because S3 default encryption ensures that all objects are encrypted at rest using SSE-S3 or SSE-KMS, regardless of whether the upload request specifies encryption. Option A is wrong because bucket policies cannot enforce encryption; they can deny uploads without encryption headers but are not the simplest method. Option C is wrong because S3 Access Points are used for managing access, not encryption.

Option B, while valid, is more complex than simply enabling default encryption.

319
MCQ · easy

A company is using AWS CloudFormation to manage infrastructure. They want to ensure that any changes to a production stack are reviewed and approved before being applied. What is the BEST way to achieve this?

A. Enable termination protection on the stack.
B. Use AWS CodePipeline to automatically deploy changes.
C. Use Change Sets and require manual approval to execute them.
D. Use stack policies to prevent updates.
Answer: C

Change Sets show the impact of changes and can be executed after review.

Why this answer

Option C is correct because Change Sets allow you to review changes before executing them. Option B is wrong because it deploys changes automatically; Options A and D are not related to reviewing changes.

320
MCQ · easy

A DevOps engineer notices that an EC2 instance's CPU utilization is consistently above 90%. They need to optimize costs without affecting performance. What should they do?

A. Add more EC2 instances behind a load balancer.
B. Rightsize the instance to a larger instance type.
C. Purchase a Reserved Instance for the current instance type.
D. Terminate the instance and launch a new one of the same type.
Answer: B

A larger instance provides more CPU capacity, improving performance.

Why this answer

Option B is correct because rightsizing the instance to a larger type can provide more CPU capacity, potentially reducing contention and allowing the same workload to run efficiently. Option C is wrong because buying Reserved Instances locks in cost but does not solve performance. Option D is wrong because terminating and recreating does not change the instance type.

Option A is wrong because adding more instances may increase cost unnecessarily.

321
MCQ · medium

Refer to the exhibit. A company has a trust policy on an IAM role in account 222222222222. The trust policy allows the root user of account 111111111111 to assume the role. However, a user in account 111111111111 is unable to assume the role. What is the most likely cause?

A. A service control policy in account 222222222222 is denying the sts:AssumeRole action
B. The role is not in the same region as the user
C. The trust policy only allows the root user, not individual users
D. The trust policy is malformed
Answer: C

The principal is the root user ARN; individual users need a separate ARN or permissions.

Why this answer

Option C is correct because the trust policy allows the root user but not individual users. To allow a user to assume the role, the trust policy must specify the user's ARN, or the user must have explicit permission in their account to assume the role (via an IAM policy). Option D is wrong because the policy is valid.

Option B is wrong because IAM roles are global, not regional. Option A is wrong because an SCP in the role's account could deny the action, but the trust policy itself is the issue here.

322
Multi-Select · medium

A company is designing a new solution to store and analyze log files from multiple sources. The solution must provide near real-time analytics and the ability to query the logs using SQL. Which TWO AWS services should be used together to meet these requirements? (Choose two.)

Select 2 answers
A. Amazon CloudWatch Logs
B. Amazon Athena
C. Amazon ElastiCache
D. Amazon Redshift
E. Amazon Kinesis Data Firehose
Answers: B, E

Athena can query data in S3 using standard SQL.

Why this answer

Options B and E are correct. Amazon Kinesis Data Firehose can ingest log data in near real time and load it into Amazon S3. Amazon Athena can then query the data in S3 using SQL.

Option A is wrong because CloudWatch Logs is for monitoring, not analytics. Option D is wrong because Redshift is for data warehousing, not near real-time analytics. Option C is wrong because ElastiCache is a cache.

323
MCQ · medium

A company is designing a microservices architecture on AWS ECS with Fargate. Each service needs to store and retrieve session state. The solution must be highly available and low latency. Which AWS service should be used for session state storage?

A. Amazon ElastiCache for Redis
B. Amazon RDS for MySQL
C. Amazon S3
D. Amazon DynamoDB
Answer: A

ElastiCache for Redis is an in-memory cache with sub-millisecond latency, ideal for session state.

Why this answer

Amazon ElastiCache for Redis is the correct choice because it provides an in-memory data store with sub-millisecond latency, ideal for session state storage in a microservices architecture. Redis supports data structures like hashes and strings that map directly to session data patterns, and its replication and cluster modes ensure high availability across multiple Availability Zones. Fargate tasks can connect to ElastiCache via private subnets, maintaining low latency without the overhead of disk-based I/O.

Exam trap

The trap here is that candidates often choose DynamoDB because it is a managed, highly available database with low latency, but they overlook that session state is ephemeral and best served by an in-memory cache like Redis, which offers lower latency, automatic TTL expiration, and lower cost for transient data patterns.

How to eliminate wrong answers

Option B (Amazon RDS for MySQL) is wrong because relational databases introduce unnecessary latency and overhead for session state, which is ephemeral and requires fast reads/writes; RDS is optimized for persistent, ACID-compliant transactional data, not high-throughput key-value access. Option C (Amazon S3) is wrong because S3 is an object store with eventual consistency (unless using S3 Select or additional features) and higher latency (tens to hundreds of milliseconds), making it unsuitable for real-time session retrieval. Option D (Amazon DynamoDB) is wrong because while DynamoDB offers single-digit millisecond latency and is highly available, it is a NoSQL database with disk-based storage and higher per-request cost compared to an in-memory cache like Redis; for session state, which is transient and benefits from TTL-based expiration, Redis's in-memory model is more cost-effective and performant.

324
MCQ · easy

A company has a legacy application that runs on Windows Server 2008 R2 on-premises. The application is no longer supported by the vendor, but the company still needs to run it for compliance reasons. They are migrating to AWS and want to minimize changes. What should the solutions architect recommend?

A. Refactor the application to run on a supported Windows Server version
B. Upgrade to Windows Server 2019 and use AWS License Manager
C. Replace the application with a SaaS alternative
D. Use an Amazon EC2 instance with a Windows Server 2008 R2 BYOL AMI
Answer: D

Correct: Allows the legacy OS to run as-is, minimizing changes.

Why this answer

Using a Windows Server 2008 R2 BYOL AMI allows the company to run the legacy OS without changes. AWS does not provide mainstream support for 2008 R2, but BYOL allows it. Refactoring or replacing the application would require changes.

Upgrading the OS might break the application.

325
Multi-Select · easy

Which TWO AWS services can be used together to automate the discovery and migration of on-premises servers to AWS? (Choose two.)

Select 2 answers
A. AWS DataSync
B. AWS Database Migration Service (DMS)
C. AWS Server Migration Service (SMS)
D. AWS Application Migration Service (MGN)
E. AWS Application Discovery Service
Answers: D, E

MGN automates server migration.

Why this answer

AWS MGN automates server migration. AWS Application Discovery Service helps discover on-premises server inventory. AWS DMS is for databases.

AWS SMS is deprecated. AWS DataSync is for file/object storage.

326
MCQ · easy

A company wants to design a serverless event-driven architecture where multiple downstream services need to process events from a single source. Events must be reliably delivered and each downstream service must process every event independently. Which AWS service should be used as the event router?

A. AWS Step Functions
B. Amazon Kinesis Data Streams
C. Amazon Simple Queue Service (SQS)
D. Amazon EventBridge
Answer: D

Amazon EventBridge allows you to create rules that send events to multiple targets (e.g., Lambda, SQS, SNS, Step Functions) simultaneously, enabling independent processing.

Why this answer

Option D is correct because Amazon EventBridge can route events to multiple targets (e.g., Lambda, SQS, SNS) based on rules, and each target receives the event independently. Option C is wrong because Amazon SQS is a queue, not a router; it delivers each message to a single consumer. Option A is wrong because AWS Step Functions is for orchestrating workflows, not for broadcasting events.

Option B is wrong because Amazon Kinesis Data Streams is for real-time streaming, but each shard is processed by a single consumer; broadcasting requires multiple consumer applications.

327
Multi-Select · easy

Which TWO AWS services can be used to automate the enforcement of compliance policies across multiple AWS accounts? (Choose TWO.)

Select 2 answers
A. AWS CloudTrail
B. AWS Organizations SCPs
C. AWS CloudFormation StackSets
D. Amazon VPC Flow Logs
E. AWS Config rules
Answers: B, E

SCPs can deny or allow actions across accounts.

Why this answer

AWS Config rules (option E) and SCPs (option B) can enforce compliance. Option A is wrong because CloudTrail is a logging service. Option C is wrong because CloudFormation StackSets deploy resources but do not enforce policies.

Option D is wrong because VPC Flow Logs are for network logging.

328
MCQmedium

A company is migrating an on-premises Hadoop cluster to Amazon EMR. The cluster processes large datasets that are stored on HDFS. The company wants to minimize migration effort and cost. Which storage option should the company use with Amazon EMR?

A.Amazon EBS volumes attached to the core nodes
B.Amazon S3 with EMRFS
C.Amazon FSx for HDFS
D.Amazon Elastic File System (EFS)
AnswerB

EMRFS allows EMR to use S3 as a drop-in replacement for HDFS.

Why this answer

Option B is correct because Amazon S3 is the recommended storage for EMR, providing durability and scalability with no HDFS cluster to manage. Option A is wrong because EBS volumes can be used but require provisioning and management. Option C is wrong because Amazon FSx for HDFS is for workloads that require HDFS compatibility, but S3 is simpler and more cost-effective.

Option D is wrong because Amazon EFS is a file system that is not optimized for Hadoop workloads.

329
MCQeasy

A company is using AWS CloudFormation to manage infrastructure. The stack creation fails with the error "Resource handler returned message: 'User: arn:aws:sts::123456789012:assumed-role/Admin/MySession is not authorized to perform: ec2:RunInstances'". What is the MOST likely cause?

A.The IAM role used by CloudFormation does not have ec2:RunInstances permission.
B.The region specified in the template is disabled.
C.The CloudFormation template has a syntax error.
D.The AWS account is not subscribed to EC2 service.
AnswerA

The error clearly states the role is not authorized.

Why this answer

Option A is correct because the IAM role assumed by CloudFormation lacks the necessary permission. Option D is wrong because the error is about the user/role's authorization, not the AWS account. Option C is wrong because the error message does not indicate a template syntax problem.

Option B is wrong because the error does not concern the Region specified in the template.

330
MCQmedium

A company is building a data lake on Amazon S3 using Parquet files. The data will be queried by multiple teams using Amazon Athena. The security team requires that access to sensitive columns (e.g., PII) be restricted based on the user's role. Which solution provides column-level access control with the LEAST administrative overhead?

A.Use AWS Lake Formation to define column-level permissions in the Data Catalog.
B.Create separate S3 buckets for sensitive and non-sensitive data and apply bucket policies to restrict access.
C.Load the data into Amazon Redshift and use Redshift Spectrum to query S3, then apply column-level security through Redshift.
D.Use IAM policies with condition keys to restrict access based on the Athena workgroup.
AnswerA

Lake Formation integrates with Athena and allows fine-grained column-level access control with minimal effort.

Why this answer

Option A is correct because Lake Formation allows column-level permissions via the Data Catalog. Option B is wrong because S3 bucket policies operate at the object level, not the column level. Option D is wrong because IAM policies can restrict actions but not columns.

Option C is wrong because Redshift Spectrum queries S3 through Redshift but adds complexity.

331
MCQeasy

A company is designing a new application that requires secure storage of secrets such as database passwords and API keys. The application runs on Amazon EC2 instances. The company wants to centralize secret management and automatically rotate secrets. Which AWS service should be used?

A.AWS Key Management Service (KMS)
B.AWS CloudHSM
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Secrets Manager provides secret storage with automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed for storing and rotating secrets centrally. Option C: Systems Manager Parameter Store can store secrets but does not natively rotate them. Option A: KMS is for encryption keys, not secret storage.

Option B: CloudHSM is for hardware security modules.

332
MCQmedium

An administrator attached the above IAM policy to a group of developers. A developer tries to launch a t3.medium EC2 instance and receives an 'AccessDenied' error. What is the MOST likely reason?

A.The policy denies all instance types except t3.micro and t3.small.
B.The policy has a syntax error that causes all actions to be denied.
C.The policy does not explicitly allow ec2:RunInstances.
D.The policy requires a specific Amazon Machine Image (AMI) that the developer is not using.
AnswerA

The condition denies if the instance type is not in the list.

Why this answer

Option A is correct because the policy denies ec2:RunInstances for instance types that are not t3.micro or t3.small. Since t3.medium is not in the allowed list, the action is denied. Option C is wrong because the policy does allow the action for the permitted instance types.

Option D is wrong because the condition is on the instance type, not the AMI. Option B is wrong because the denial comes from the explicit deny with the instance-type condition, not from a syntax error; an explicit deny overrides any allow.

333
MCQhard

A company has a multi-account setup with AWS Organizations. The security team wants to enforce that all IAM users must have MFA enabled. Which approach is most effective?

A.Use AWS Config rules to detect users without MFA and send alerts.
B.Use AWS CloudTrail to monitor and disable users without MFA.
C.Set an IAM password policy that requires MFA for all users.
D.Apply an SCP that denies all actions if the principal does not have MFA.
AnswerD

Forces MFA for all API calls.

Why this answer

Option D is correct because Service Control Policies (SCPs) in AWS Organizations can enforce preventive security controls across all accounts in the organization. By denying all actions when a principal does not have MFA, the SCP effectively blocks any API call from IAM users or roles that haven't authenticated with MFA, ensuring compliance at the organizational level regardless of individual account configurations.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config alerts) with preventive controls (like SCPs), or mistakenly think IAM password policies can enforce MFA, when in fact password policies only govern password characteristics, not multi-factor authentication.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are detective, not preventive; they can detect users without MFA and send alerts, but they cannot enforce MFA or block actions. Option B is wrong because AWS CloudTrail is a logging service that records API calls; it cannot disable users or enforce MFA, and monitoring alone does not prevent non-compliant actions. Option C is wrong because an IAM password policy cannot require MFA for all users; password policies control password complexity, rotation, and reuse, but MFA enforcement must be done via IAM policies or SCPs, not password policies.

334
MCQmedium

A company has a centralized security account and wants to enable AWS Config in all accounts. They want to centrally manage Config rules and view compliance. What should they do?

A.Apply an SCP to enable AWS Config in all accounts.
B.Use CloudFormation StackSets to deploy Config rules, then view in each account.
C.Enable AWS Config in the security account only and use cross-account roles.
D.Enable AWS Config in each account and use an aggregator in the security account.
AnswerD

Aggregator collects compliance data from multiple accounts.

Why this answer

The AWS Config aggregator allows viewing compliance from multiple accounts. Option A is wrong because SCPs cannot enable Config. Option B is wrong because CloudFormation StackSets deploy per account, and viewing in each account does not aggregate compliance.

Option C is wrong because enabling Config only in the security account does not record the resources in the other accounts.

335
MCQeasy

A company is designing a new application that will run on AWS. The application needs to store and retrieve user session data with low latency. The session data is small (less than 1 KB per user) and must be highly available. The company expects up to 10 million active users per day. Which AWS service should be used as the session store?

A.Amazon DynamoDB
B.Amazon S3
C.Amazon RDS for MySQL
D.Amazon ElastiCache for Redis
AnswerD

Redis is an in-memory store ideal for session data with low latency and high throughput.

Why this answer

Option D is correct because Amazon ElastiCache for Redis is designed for low-latency session storage and can scale to millions of users. Option A: DynamoDB is good for persistence but has higher latency than an in-memory store. Option C: RDS is relational and slower for session data.

Option B: S3 has high latency for small, frequent reads/writes.

336
MCQhard

A company has a centralized AWS account for security tools and multiple member accounts. They want to use AWS GuardDuty to detect threats across all accounts. They have enabled GuardDuty in the management account and invited all member accounts. GuardDuty is set to send findings to a central S3 bucket in the security account. However, findings from member accounts are not appearing in the central S3 bucket. The security account has a bucket policy that allows the GuardDuty service principal to write findings. What is the most likely cause?

A.The GuardDuty detector in the management account is not configured to publish findings to S3.
B.GuardDuty cannot send findings from member accounts to a central S3 bucket; it only supports CloudWatch Events.
C.The S3 bucket policy does not grant the GuardDuty service principal from member accounts write access.
D.Each member account must individually configure the S3 bucket as a publishing destination for its own findings.
AnswerD

Each account must set up its own publishing destination.

Why this answer

Option D is correct because for GuardDuty to send findings to a central S3 bucket, each member account must configure the publishing destination as well. Simply enabling GuardDuty in the management account does not automatically forward findings from member accounts to a central bucket. Option C is wrong because the bucket policy is already in place.

Option B is wrong because GuardDuty supports cross-account publishing. Option A is wrong because the scenario states that the management account is already set to send findings to the bucket.

337
Multi-Selectmedium

A company is planning to migrate its on-premises Oracle database to Amazon RDS for Oracle using AWS DMS. The database is 5 TB in size with continuous changes. Which TWO steps should the company take to minimize downtime during the migration?

Select 2 answers
A.Set up ongoing replication using change data capture (CDC) from the start.
B.Enable Multi-AZ on the target RDS instance during migration.
C.Use AWS Direct Connect to establish a dedicated network connection.
D.Use a large DMS replication instance to improve throughput.
E.Perform a full load migration first, then apply CDC after the cutover window.
AnswersA, D

CDC minimizes downtime by replicating changes continuously.

Why this answer

Option D is correct because using a large replication instance for DMS improves throughput. Option A is correct because setting up ongoing replication with CDC reduces downtime. Option E is wrong because CDC should run continuously after the full load, not be deferred until after the cutover window.

Option C is wrong because Direct Connect is not required. Option B is wrong because Multi-AZ is for high availability, not migration speed.

338
MCQmedium

A company has a CI/CD pipeline that builds and deploys a containerized application to Amazon ECS Fargate. The pipeline uses AWS CodeBuild to run tests and build Docker images. Recently, the pipeline has been failing intermittently with the error 'CannotPullContainerError: Error response from daemon: manifest for <image> not found'. The image is stored in Amazon ECR. The team suspects the issue is related to image tag inconsistency. The pipeline tags images with the commit hash. Which change will prevent this error?

A.Store the Docker image in Amazon S3 instead of ECR.
B.Ensure the pipeline builds and pushes the image with a unique tag, such as the commit hash, and uses that tag in the ECS task definition.
C.Use the 'latest' tag for all images.
D.Retry the failed pipeline step after a delay.
AnswerB

Unique tags prevent collisions and ensure the correct image is used.

Why this answer

Ensuring that the image tag is unique and not reused prevents stale image references. Using the commit hash ensures uniqueness.

339
MCQeasy

A company wants to implement a single sign-on (SSO) solution for its employees to access multiple AWS accounts and business applications. The company uses Microsoft Active Directory on-premises. Which AWS service should be used to integrate with the existing directory?

A.Amazon Cognito user pools
B.AWS Organizations
C.AWS Identity and Access Management (IAM)
D.AWS IAM Identity Center (AWS SSO) with an AWS Managed Microsoft AD directory
AnswerD

Integrates with on-premises AD via AD Connector or managed AD.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) can be integrated with an AWS Managed Microsoft AD directory to provide a single sign-on experience across multiple AWS accounts and business applications. This integration allows users to authenticate using their existing on-premises Active Directory credentials via AD Connector or a two-way forest trust, enabling seamless access to the AWS Management Console, command-line interface, and supported SAML 2.0 applications.

Exam trap

The trap here is that candidates often confuse AWS IAM Identity Center with AWS IAM, assuming IAM alone can provide SSO across multiple accounts, but IAM is account-scoped and lacks the centralized application portal and cross-account federation capabilities that IAM Identity Center provides.

How to eliminate wrong answers

Option A is wrong because Amazon Cognito user pools are designed for customer-facing identity and access management, not for integrating with an existing on-premises Microsoft Active Directory for employee SSO across multiple AWS accounts. Option B is wrong because AWS Organizations is a service for centrally managing and governing multiple AWS accounts, not for providing identity federation or SSO capabilities. Option C is wrong because AWS IAM is used for managing permissions for individual AWS users and roles, but it does not natively support SSO integration with on-premises Active Directory or provide a centralized portal for accessing multiple AWS accounts and business applications.

340
MCQeasy

A company wants to centrally manage backups for Amazon EBS volumes across multiple AWS accounts. They need a solution that can automatically back up volumes based on tags, retain backups according to a policy, and send notifications on failures. Which AWS service should they use?

A.AWS CloudFormation StackSets
B.Amazon RDS automated backups
C.AWS Backup
D.Amazon S3 lifecycle policies
AnswerC

AWS Backup provides centralized backup management across accounts.

Why this answer

AWS Backup is the correct service because it provides a centralized, policy-based backup solution for Amazon EBS volumes across multiple AWS accounts. It supports tag-based backup policies, retention rules, and integrates with Amazon CloudWatch Events and Amazon SNS to send notifications on failures, meeting all the stated requirements.

Exam trap

The trap here is that candidates might confuse AWS Backup with native snapshot management or assume that a service like CloudFormation StackSets can handle backup automation, but only AWS Backup provides the centralized, policy-driven, cross-account backup management with notification capabilities required by the scenario.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets is used to deploy infrastructure as code across multiple accounts and regions, not for managing backups or retention policies. Option B is wrong because Amazon RDS automated backups are specific to RDS databases and cannot back up EBS volumes or operate across multiple accounts. Option D is wrong because Amazon S3 lifecycle policies manage the transition and expiration of objects within S3 buckets, not the backup of EBS volumes.

341
MCQeasy

A company is designing a new static website hosted on Amazon S3. The website must be served over HTTPS with a custom domain name. Which AWS service should be used to achieve this?

A.Amazon Route 53 with alias record
B.Amazon CloudFront with SSL certificate
C.Amazon S3 static website hosting with bucket policy
D.Elastic Load Balancer with SSL termination
AnswerB

CloudFront can be configured with a custom SSL certificate and domain to serve HTTPS.

Why this answer

Option B is correct because CloudFront can be configured with a custom SSL certificate and domain. Option C is wrong because S3 static website hosting does not natively support HTTPS with custom domains. Option D is wrong because ELB is for dynamic content.

Option A is wrong because Route 53 is DNS, not content delivery.

342
MCQmedium

A company runs a critical application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic to the application be encrypted in transit and that the load balancer use a certificate from AWS Certificate Manager (ACM). The application currently uses HTTP. What should the company do to meet the security requirement?

A.Replace the ALB with a Network Load Balancer and associate an ACM certificate with it.
B.Change the ALB listener to TCP and use a self-signed certificate on the EC2 instances.
C.Place a CloudFront distribution in front of the ALB and configure HTTPS between viewers and CloudFront.
D.Add an HTTPS listener to the ALB using an ACM certificate, and configure the HTTP listener to redirect to HTTPS.
AnswerD

This provides encryption and uses ACM for certificate management.

Why this answer

Option D is correct because creating an HTTPS listener with an ACM certificate and redirecting HTTP to HTTPS ensures encryption in transit. Option C is wrong because CloudFront adds complexity and cost. Option B is wrong because a TCP listener does not terminate TLS.

Option A is wrong because an ACM certificate cannot be associated with a TCP listener.

343
MCQeasy

A Solutions Architect is reviewing an Amazon S3 bucket policy that grants access to users from another AWS account. The policy uses the Principal element with "AWS": "arn:aws:iam::123456789012:root". The users in the other account are unable to access the bucket. What is the most likely cause?

A.The policy must specify the IAM user ARN, not the root user ARN.
B.The bucket policy must also include a VPC endpoint condition.
C.Cross-account access is not supported with bucket policies.
D.The bucket policy must use the CanonicalUser ID instead of the account ID.
AnswerA

The root user ARN does not cover IAM users in that account.

Why this answer

Option A is correct because the root user ARN does not grant access to individual IAM users; the policy must allow the entire account or specific user ARNs. Option C is wrong because a bucket policy can refer to another account. Option B is wrong because S3 does not require VPC endpoints for cross-account access.

Option D is wrong because the bucket policy can use IAM user ARNs.

344
MCQhard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application is deployed across multiple Availability Zones. Recently, deployments have been failing because new tasks cannot register with the Application Load Balancer (ALB) target group. The health checks are failing. What is the MOST likely cause?

A.The security group for the tasks does not allow inbound traffic from the ALB on the health check port.
B.The ECS service is configured with a desired count of zero.
C.The task definition specifies an invalid container image.
D.The ECS cluster has insufficient capacity.
AnswerA

Health checks fail if traffic is blocked.

Why this answer

Option A is correct because if the security group for the tasks does not allow inbound traffic from the ALB on the health check port, health checks fail. Options B, C, and D do not directly cause health check failures.

345
MCQmedium

A company is building a new data lake on AWS to store and analyze petabytes of data from various sources. The data includes structured (CSV, Parquet), semi-structured (JSON), and unstructured (images, videos) files. The company needs a cost-effective storage solution that allows running SQL queries directly on the data without loading it into a database. Data is accessed infrequently but must be available within minutes. Which solution should a Solutions Architect recommend?

A.Store data in Amazon S3 Glacier Deep Archive for cost savings, and use Athena for queries.
B.Store data in Amazon Redshift, use Redshift Spectrum to query data in S3.
C.Store data in Amazon S3 using lifecycle policies to transition infrequent data to S3 Standard-IA. Use Amazon Athena for SQL queries.
D.Store data in Amazon EBS volumes attached to an EC2 instance running a SQL engine.
AnswerC

S3 is cost-effective object storage; Athena is serverless and queries data directly in S3.

Why this answer

Option C is correct because S3 is the best storage for a data lake, and Athena allows serverless SQL queries directly on S3 data. Option B is wrong because Redshift is for data warehousing, not a data lake; data must be loaded. Option A is wrong because Glacier Deep Archive is for archival, not for querying.

Option D is wrong because EBS is block storage for EC2, not designed for data lakes.

346
MCQeasy

A company is building a new web application that will be accessed by users globally. They want to minimize latency and protect against DDoS attacks. Which AWS service should they use as the entry point?

A.Elastic Load Balancing
B.AWS Global Accelerator
C.Amazon CloudFront
D.Amazon Route 53
AnswerC

CloudFront provides edge caching, low latency, and integrated DDoS protection.

Why this answer

Amazon CloudFront is correct because it is a global content delivery network (CDN) that caches content at edge locations close to users, reducing latency for static and dynamic content. It also provides built-in DDoS protection through AWS Shield Standard and can integrate with AWS WAF for additional layer 7 filtering, making it the ideal entry point for a globally accessed web application requiring both low latency and DDoS mitigation.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with CloudFront because both improve latency globally, but Global Accelerator does not cache content or provide application-layer DDoS protection, making it unsuitable as the primary entry point for a web application requiring both features.

How to eliminate wrong answers

Option A is wrong because Elastic Load Balancing distributes traffic only within a single AWS Region and does not provide global edge caching or native DDoS protection at the application layer; it relies on other services for global latency reduction. Option B is wrong because AWS Global Accelerator improves latency by routing traffic over the AWS global network to the optimal regional endpoint, but it does not cache content or provide application-layer DDoS protection; it focuses on TCP/UDP traffic optimization and uses static anycast IPs. Option D is wrong because Amazon Route 53 is a DNS service that resolves domain names to IP addresses and can perform health checks and routing policies, but it does not cache content or provide DDoS mitigation beyond basic DNS-level protection; it is not an entry point for application traffic.

347
MCQmedium

Refer to the exhibit. A solutions architect is reviewing an IAM trust policy for a Lambda function's execution role. The function needs to access an S3 bucket in the same account. The trust policy is as shown. What is missing for the Lambda function to successfully assume the role?

A.An IAM policy must be attached to the role granting permissions to the S3 bucket
B.A service control policy must allow Lambda to assume roles
C.The S3 bucket must have a resource-based policy allowing the Lambda function
D.The trust policy must specify the Lambda function name
AnswerA

The trust policy allows Lambda to assume the role, but the role itself needs an IAM policy to grant S3 access.

Why this answer

Option A is correct because the IAM trust policy only allows the Lambda service to assume the role, but it does not grant any permissions to access the S3 bucket. For the Lambda function to successfully read or write objects in the S3 bucket, an IAM permissions policy (e.g., s3:GetObject, s3:PutObject) must be attached to the role. Without this policy, the role has no effective permissions to perform actions on the bucket, even though the trust policy allows the role to be assumed.

Exam trap

The trap here is that candidates often confuse the trust policy (which controls who can assume the role) with the permissions policy (which controls what actions the role can perform), leading them to think the trust policy alone is sufficient for accessing resources.

How to eliminate wrong answers

Option B is wrong because service control policies (SCPs) are used in AWS Organizations to restrict permissions for accounts, not to allow Lambda to assume roles; SCPs can only deny or allow permissions, but they do not grant the ability to assume roles—that is handled by IAM trust policies. Option C is wrong because the S3 bucket resource-based policy is not required when the Lambda function and the bucket are in the same account; in the same account, IAM roles alone can grant access without needing a bucket policy. Option D is wrong because the trust policy does not need to specify the Lambda function name; it only needs to specify the AWS service principal (lambda.amazonaws.com) to allow the Lambda service to assume the role on behalf of any function in the account.

348
MCQhard

A company is migrating a legacy Oracle database to Amazon Aurora PostgreSQL. The migration must be completed with minimal downtime and minimal manual effort. Which AWS service should be used?

A.AWS DataSync
B.AWS DMS with ongoing replication
C.AWS Snowball Edge
D.AWS Schema Conversion Tool (SCT)
AnswerB

DMS can migrate from Oracle to PostgreSQL with minimal downtime via ongoing replication.

Why this answer

Option B (AWS DMS with ongoing replication) is correct because DMS supports Oracle to PostgreSQL migration with ongoing replication for minimal downtime. Option D (SCT) is used for schema conversion, not data migration. Option C (Snowball Edge) is for large offline data transfer.

Option A (DataSync) is for file data, not databases.

349
Multi-Selecteasy

A company uses Amazon CloudFront to distribute content globally. The company wants to restrict access to content based on geographic location. Which TWO actions can the company take?

Select 3 answers
A.Configure an S3 bucket policy to deny access from specific IP ranges.
B.Use CloudFront geo-restriction to allow or block countries.
C.Associate an AWS WAF web ACL with the CloudFront distribution and use a geo match condition.
D.Use CloudFront geographic restriction.
E.Use Lambda@Edge to check the request's country and return a 403.
AnswersB, C, D

Directly restricts access by country.

Why this answer

Option B is correct because CloudFront geo-restriction allows allowing or blocking countries. Option D is correct because the geographic restriction feature is built in. Option C is correct because AWS WAF can block based on country using geo match conditions.

Option A is incorrect because S3 bucket policies do not support geographic restrictions. Option E is incorrect because Lambda@Edge can be used but is more complex.

350
MCQeasy

A startup runs its application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer to distribute traffic. During a recent marketing campaign, the application experienced high latency and some requests returned 503 errors. The team suspects that the tasks are hitting resource limits. The team wants to automatically scale the tasks based on CPU utilization. Which solution should the team implement?

A.Configure Application Auto Scaling for the ECS service with a target tracking scaling policy based on average CPU utilization.
B.Create a CloudWatch alarm that triggers a Lambda function to stop idle tasks.
C.Create an Auto Scaling group for the ECS cluster and configure it to scale based on CPU utilization.
D.Use AWS Lambda to periodically check CPU utilization and update the desired count of the ECS service.
AnswerA

Target tracking automatically adjusts the desired count to maintain a target CPU utilization.

Why this answer

Option A (Application Auto Scaling with target tracking) is the correct approach for ECS services. Option C (Auto Scaling group) is for EC2 capacity, not Fargate tasks. Option B (CloudWatch alarm to stop idle tasks) is not scaling.

Option D (Lambda to update the desired count) is less efficient.

351
Multi-Selecteasy

A company is designing a new application on AWS that will store sensitive user data. The application must comply with data residency requirements, meaning data must remain within a specific geographic region. Which TWO architectural decisions should a Solutions Architect make to ensure compliance?

Select 2 answers
A.Deploy all resources in a single AWS region that meets the data residency requirement.
B.Use S3 bucket policies to deny access if the request comes from outside the required region.
C.Use Amazon CloudFront to serve content from edge locations.
D.Use AWS Key Management Service (KMS) with customer managed keys.
E.Enable cross-Region replication for data stored in Amazon S3.
AnswersA, B

Deploying in a single region ensures data is stored and processed within that region.

Why this answer

Option B is correct because S3 bucket policies can restrict access to requests from specific Regions. Option A is correct because selecting a single Region for deployment ensures data stays in that Region. Option C is wrong because CloudFront caches data globally, which may violate data residency.

Option E is wrong because cross-Region replication moves data to another Region. Option D is wrong because KMS keys are Region-specific but do not prevent data movement.

352
MCQhard

A global company uses AWS Organizations with hundreds of accounts. The networking team needs to allow VPCs in different accounts to communicate privately using AWS Transit Gateway. The company wants to centralize management while allowing individual account owners to create and attach VPCs. Which solution meets these requirements?

A.Create a VPN connection from each VPC to a central network appliance.
B.Use AWS PrivateLink to connect each VPC to a central VPC endpoint service.
C.Create a Transit Gateway in the networking account and share it with other accounts using AWS Resource Access Manager.
D.Create VPC peering connections between each VPC and a central VPC.
AnswerC

Allows centralized management and self-service attachment via RAM.

Why this answer

Option C is correct because it allows centralized management with self-service attachment via AWS Resource Access Manager. Option A is wrong because per-VPC VPNs do not scale. Option D is wrong because VPC peering does not scale to hundreds of accounts.

Option B is wrong because PrivateLink endpoints are for services, not VPC-to-VPC connectivity.

353
MCQhard

A company is migrating a stateful firewall appliance to AWS. The appliance currently inspects traffic between multiple on-premises segments. In AWS, the company wants to deploy the appliance in a VPC to inspect traffic between subnets. Which architecture should the company use to ensure that the appliance can inspect all traffic?

A.Deploy the appliance behind an Application Load Balancer and configure the VPC route tables.
B.Deploy the appliance behind a Gateway Load Balancer in an inspection VPC and use a Transit Gateway to route traffic through it.
C.Deploy the appliance behind a Network Load Balancer and configure the VPC route tables to send traffic to the NLB.
D.Use VPC Gateway Endpoints to route traffic through the appliance.
AnswerB

GWLB is designed for transparent inspection of network traffic.

Why this answer

Option B is correct because a Gateway Load Balancer fronts the appliance fleet in a dedicated inspection VPC and forwards packets to the appliances transparently (GENEVE encapsulation, so the appliance sees the original source and destination), while Transit Gateway route tables steer traffic between subnets and VPCs through the GWLB endpoint and back. Option C is wrong because an NLB balances flows to listener ports on targets that are the traffic's destination; it cannot transparently insert an appliance into the path of all traffic. Option A is wrong because an ALB only handles HTTP/HTTPS.

Option D is wrong because gateway endpoints provide private access to S3 and DynamoDB; they do not steer traffic through an appliance.

354
MCQeasy

A company has a single AWS account that hosts multiple applications for different business units. Each business unit wants to have its own set of IAM users and permissions. The company wants to minimize administrative overhead while maintaining separation. They are considering using AWS Organizations with multiple accounts. However, the CFO is concerned about increased costs due to separate accounts. What is the best solution to address the business units' needs while managing costs?

A.Create an Organizational Unit for each business unit within the existing account.
B.Use IAM policies with conditions based on resource tags to restrict access within the single account.
C.Create a separate AWS account for each business unit and use consolidated billing to manage costs.
D.Use Service Control Policies to restrict each business unit's access to specific services.
AnswerB

Allows logical separation without additional accounts.

Why this answer

Option B is correct because attribute-based access control (IAM conditions on aws:ResourceTag and aws:PrincipalTag keys) gives each business unit logical separation inside the single account without creating more accounts. The caveat a practitioner should add: tag-based separation is only as strong as the tags, so the same policies must also stop users from changing the tags the conditions depend on (for example, deny ec2:CreateTags and ec2:DeleteTags outside the principal's own business unit). Option C is wrong because, although separate accounts are the stronger isolation boundary, it does not address the CFO's cost concern as the question frames it. Option A is wrong because organizational units exist in AWS Organizations, not inside an account, and do not manage IAM users.

Option D is wrong because SCPs are account-level guardrails and cannot distinguish between users inside one account.

355
MCQhard

A company uses this CloudFormation template to manage an S3 bucket. They notice that old object versions are not being deleted after 30 days. What is the most likely reason?

A.The bucket contains delete markers that are not being expired.
B.The bucket has a bucket policy that prevents deletion.
C.Versioning is not enabled on the bucket.
D.The lifecycle rule is disabled.
AnswerA

Lifecycle does not automatically delete delete markers; need ExpiredObjectDeleteMarker.

Why this answer

Option A is correct. NoncurrentVersionExpirationInDays only removes versions that have been noncurrent for more than the configured number of days. When an object in a versioning-enabled bucket is deleted, the current version becomes a delete marker; once its older versions expire, the delete marker is left behind as the only version of the key (an "expired object delete marker"). Lifecycle never removes a delete marker through the noncurrent-version rule, so the key keeps showing a version and looks as if cleanup is not happening. Adding ExpiredObjectDeleteMarker: true to the rule fixes it. Option D is wrong because the rule is enabled. Option C is wrong because versioning is enabled.

Option B is wrong because a bucket policy governs API callers; it does not affect lifecycle actions that S3 performs itself.

356
MCQeasy

A company wants to migrate its on-premises virtualized workloads to AWS using the VMware Cloud on AWS service. The company currently uses VMware vSphere for virtualization. What is the primary benefit of using VMware Cloud on AWS for this migration?

A.It allows the company to continue using existing VMware management tools and processes
B.It provides better application performance compared to running on AWS native compute
C.It reduces the total cost of ownership by eliminating the need for any hardware maintenance
D.It eliminates the need to refactor applications for the cloud
AnswerA

Correct. VMware Cloud on AWS provides a consistent VMware environment.

Why this answer

VMware Cloud on AWS allows organizations to use the same VMware tools and processes, minimizing the learning curve and operational changes. It does not automatically reduce costs, nor does it provide better performance or eliminate the need to refactor applications.

357
MCQhard

A company uses AWS Organizations and has a requirement that all API calls to AWS services must be logged and monitored. The security team wants to create a central CloudWatch dashboard that shows API activity across all accounts. Which solution should be implemented with the least operational overhead?

A.Use Amazon EventBridge to capture API calls from all accounts and route them to a central CloudWatch Logs group.
B.Enable CloudTrail in each account and configure the trail to send logs to a CloudWatch Logs group in that account. Then create a cross-account CloudWatch dashboard.
C.Use CloudWatch cross-account observability to aggregate logs from all accounts into a single monitoring account.
D.Enable an organization trail in CloudTrail in the management account to deliver logs to a central S3 bucket. Use Amazon CloudWatch Logs to process the logs and create a metric filter, then build a dashboard.
AnswerD

Organization trail centralizes logs, and CloudWatch Logs can create metrics and dashboards.

Why this answer

Option D is correct because an organization trail created from the management account (or a delegated administrator account) covers every account in the organization, including accounts added later, and delivers all logs to one central S3 bucket with no per-account configuration. The same trail can also deliver to a CloudWatch Logs log group in the management account; metric filters on that log group (CloudWatch Logs does not read from the S3 bucket) turn API activity into metrics that a central dashboard can chart, which satisfies the requirement with the least operational overhead.

Exam trap

The trap here is that candidates often assume cross-account observability (Option C) is the simplest solution for central monitoring, but it does not natively aggregate CloudTrail logs and requires additional configuration, whereas an organization trail provides automatic, centralized logging with minimal overhead.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge captures events from AWS services but does not natively capture all API calls; CloudTrail is the service designed to log API activity, and EventBridge would require custom rules and additional infrastructure to route logs centrally. Option B is wrong because enabling CloudTrail in each account individually and sending logs to separate CloudWatch Logs groups creates significant operational overhead (managing trails per account) and cross-account dashboards require complex IAM permissions and log group sharing, which is not the simplest approach. Option C is wrong because CloudWatch cross-account observability is designed for monitoring metrics, logs, and traces across accounts but does not directly aggregate CloudTrail logs; it would still require each account to send logs to a central monitoring account, adding overhead compared to a single organization trail.
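As an added example, not part of the question set, the block below runs locally the aggregation a CloudWatch Logs metric filter would perform on organization-trail records: a per-account count of API calls (the number behind the dashboard) and a detection of CloudTrail configuration changes, the event set the CIS AWS Foundations "CloudTrail configuration changes" filter uses. The record fields follow the CloudTrail record format, but the log file itself is constructed: every account ID, ARN, IP address and timestamp is made up.

```python
import json
from collections import Counter

# Added example. Constructed sample of what an organization trail delivers: one
# JSON document per log file with a "Records" array. All identifiers are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "us-east-1",
     "recipientAccountId": "222222222222", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/AppRole/app"}},
    {"eventTime": "2024-05-01T10:00:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "recipientAccountId": "222222222222", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/AppRole/app"}},
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "recipientAccountId": "333333333333", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::333333333333:user/ops"}},
    {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "recipientAccountId": "333333333333", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::333333333333:user/ops"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
]})

# The event names the CIS "CloudTrail configuration changes" metric filter watches.
TRAIL_CONFIG_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                       "StartLogging", "StopLogging"}


def load_records(log_file_text):
    return json.loads(log_file_text)["Records"]


def api_calls_per_account(log_file_text):
    """Equivalent of a metric filter that emits 1 per record, with
    recipientAccountId as the dimension the dashboard groups on."""
    return Counter(r["recipientAccountId"] for r in load_records(log_file_text))


def trail_config_changes(log_file_text):
    """Equivalent of the filter pattern
    { ($.eventSource = cloudtrail.amazonaws.com) && (($.eventName = StopLogging) || ...) }.

    Denied attempts are kept on purpose: CloudTrail records the call with an
    errorCode, and a denied StopLogging from a member account is still worth an
    alarm, because someone tried to switch off logging.
    """
    return [
        (r["recipientAccountId"], r["eventName"], r["userIdentity"]["arn"], r.get("errorCode"))
        for r in load_records(log_file_text)
        if r["eventSource"] == "cloudtrail.amazonaws.com"
        and r["eventName"] in TRAIL_CONFIG_EVENTS
    ]


if __name__ == "__main__":
    print(dict(api_calls_per_account(SAMPLE_LOG_FILE)))
    for hit in trail_config_changes(SAMPLE_LOG_FILE):
        print(hit)
```

In the real deployment the organization trail writes these records to the log group, the metric filter pattern shown in the docstring produces the metric, and an alarm on that metric is what turns a StopLogging attempt into a page rather than a dashboard line.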

358
Multi-Selectmedium

A company is migrating a web application to AWS and wants to use a multi-tier architecture with an Auto Scaling group of EC2 instances behind an Application Load Balancer. The company needs to store session state for the application. Which TWO approaches should the company use to store session state in a scalable and highly available manner? (Choose TWO.)

Select 2 answers
A.Use Amazon DynamoDB with on-demand capacity.
B.Use an EC2 instance store for each instance.
C.Use Amazon EBS snapshots shared across instances.
D.Use Amazon ElastiCache for Redis with replication.
E.Use Amazon RDS for MySQL with Multi-AZ.
AnswersA, D

DynamoDB is a fully managed NoSQL database with high availability.

Why this answer

Options A and D are correct because ElastiCache for Redis with replication and DynamoDB are both highly available, scalable stores that any instance behind the load balancer can read and write. Option C is wrong because EBS snapshots are backups, not a shared live store, and an EBS volume is tied to one instance. Option B is wrong because instance store is ephemeral and local to each instance.

Option E is wrong because RDS for MySQL is not optimized for the high-frequency, low-latency key-value access pattern of session state.

359
Multi-Selectmedium

A company is migrating a legacy application to AWS. The application currently runs on a single on-premises server with a local MySQL database. The company wants to minimize changes and reduce operational overhead. Which TWO strategies should the solutions architect recommend? (Select TWO.)

Select 2 answers
A.Refactor the application to use microservices
B.Retire the application
C.Replatform the database to Amazon RDS for MySQL
D.Rehost the application on Amazon EC2
E.Repurchase a SaaS alternative
AnswersC, D

Correct: Reduces operational overhead with managed database.

Why this answer

Rehost (lift-and-shift) minimizes changes by moving the application as-is. Replatforming the database to RDS reduces operational overhead by offloading database management. Retire is not applicable.

Refactor would require changes. Repurchase involves buying new software.

360
MCQhard

Refer to the exhibit. A company has the above AWS Organization with a management account (111111111111) and a production account (222222222222). The security administrator in the management account creates an SCP that denies s3:DeleteBucket. The SCP is attached to the root. The production account's administrator tries to delete an S3 bucket and fails. What is the MOST likely reason?

A.The production account's IAM policy denies s3:DeleteBucket.
B.The SCP only applies to the management account.
C.The SCP applies to the production account because it is attached to the root.
D.The production account is the management account.
AnswerC

SCPs at the root apply to all member accounts.

Why this answer

Option C is correct because an SCP attached to the organization root applies to every account beneath it, including the production member account, and an SCP Deny cannot be overridden by any IAM permission inside that account. Option A is wrong because an identity-based deny in the production account is not the most likely cause when an organization-wide SCP deny is already in place. Option B is wrong because SCPs do not affect the management account but do affect all member accounts.

Option D is wrong because the production account (222222222222) is a member account, not the management account (111111111111).

361
MCQmedium

A CloudFormation stack is created using the template above. The stack creation fails with the error: 'The following resource(s) failed to create: [EC2Instance]'. Logs show: 'AMI 'ami-0abcdef1234567890' does not exist.' What is the most likely cause?

A.The AMI ID is not available in the region where the stack is being deployed.
B.The SQS queue name 'my-queue' is already in use.
C.The AMI ID is invalid because it contains letters.
D.The instance type t2.micro is not supported in the region.
AnswerA

AMI IDs are region-specific; hardcoding can cause cross-region failures.

Why this answer

Option A is correct because AMI IDs are region-specific. The template hardcodes an AMI ID that exists in one region, and the stack is being created in another where it does not. The usual fix is to resolve the AMI per region instead of hardcoding it, for example with a Mappings section keyed on AWS::Region or with a parameter of type AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> that reads the current image ID from Systems Manager Parameter Store. Option C is incorrect because AMI IDs are alphanumeric ("ami-" followed by hex digits), so the ID is syntactically valid.

Option D is incorrect because the error names the AMI, not the instance type. Option B is incorrect because the failure is reported for EC2Instance, not the queue.

362
MCQhard

A company has a data pipeline that uses AWS Glue to process large datasets in Amazon S3. The pipeline runs daily and takes over 12 hours to complete. The company wants to reduce the processing time. Which approach would be MOST effective?

A.Increase the Glue job timeout setting to 24 hours.
B.Enable S3 Transfer Acceleration on the source bucket.
C.Increase the number of DPUs allocated to the Glue job.
D.Convert the input data from CSV to Parquet format.
AnswerC

More DPUs provide more parallelism and reduce runtime.

Why this answer

Option C is correct because increasing the number of DPUs (data processing units) allocated to the Glue job adds workers, so a parallelizable job finishes sooner. Option D is wrong because converting to Parquet is good practice and reduces I/O, but it does not shorten a job that is CPU-bound. Option A is wrong because a longer timeout only lets the job run longer; it does nothing to speed it up.

Option B is wrong because S3 Transfer Acceleration speeds up uploads from distant clients, not Glue reads.

363
MCQhard

A global company uses AWS Organizations with multiple organizational units (OUs) for different business units. The networking team wants to ensure that all VPCs across all accounts can communicate through a central transit gateway. However, the security team requires that specific accounts cannot access each other's resources. Which combination of actions should the company take to meet these requirements?

A.Create a central transit gateway with a single route table. Use VPC endpoints to control traffic between VPCs.
B.Create VPC peering connections between all VPCs and use route tables to control access.
C.Create a central transit gateway with separate route tables for each VPC attachment. Use network ACLs in each VPC to restrict traffic between specific VPCs.
D.Create a central transit gateway with a single route table. Use security groups in each VPC to restrict traffic.
AnswerC

Separate route tables allow granular routing, and network ACLs can filter traffic at the subnet level.

Why this answer

Option C is correct because Transit Gateway route tables can be associated per attachment, so the networking team controls centrally which VPC CIDRs each attachment can reach, and network ACLs at the subnet level in each VPC block the specific CIDRs that must not talk to each other. Option A is wrong because VPC endpoints are for reaching AWS services privately, not for controlling VPC-to-VPC traffic. Option D is wrong because a single route table gives every attachment a route to every other VPC, and security groups do not control routing and are managed by each account rather than centrally.

Option B is wrong because VPC peering is not transitive and provides no central management.

364
MCQhard

A company is migrating a stateful application that maintains session state in memory on a single server. The migration target is a highly available architecture on AWS. Which design should be used to preserve session state without modifying the application?

A.Use Amazon DynamoDB to store session state.
B.Use an Application Load Balancer with sticky sessions.
C.Use a Network Load Balancer with cross-zone load balancing.
D.Use Amazon ElastiCache to store session state externally.
AnswerB

No code changes; session affinity preserves state.

Why this answer

Using an Application Load Balancer with sticky sessions (session affinity) ensures that requests from one user are sent to the same target, preserving in-memory session state without code changes. The trade-off to note is that this only preserves state while that one instance is alive; a scale-in or instance failure still loses those sessions. Option D is wrong because ElastiCache would require application code changes to store and retrieve sessions externally. Option A is wrong because DynamoDB similarly requires code changes.

Option C is wrong because a Network Load Balancer offers only source-IP affinity, not application-layer sticky sessions, which fails for clients behind a shared NAT.

365
MCQeasy

A company uses AWS CloudFormation to manage its infrastructure. The operations team reports that stack updates often fail because of resource conflicts. The team wants to improve the reliability of updates without manual intervention. Which solution provides the MOST automated recovery from update failures?

A.Use CloudFormation change sets to review and approve all changes before update.
B.Write a custom AWS Lambda function that reverts changes when a stack update fails.
C.Apply a stack policy to prevent updates to critical resources.
D.Use the default CloudFormation rollback behavior that automatically reverts changes on failure.
AnswerD

CloudFormation automatically rolls back failed stack updates by default.

Why this answer

Option D is correct because CloudFormation's built-in rollback behavior automatically reverts all changes made during a failed stack update, restoring the stack to its last known stable state without requiring any custom code or manual intervention. This provides the most automated recovery mechanism as it is natively integrated into the CloudFormation service and requires no additional infrastructure or scripting.

Exam trap

The trap here is that candidates may overthink the solution and choose a custom Lambda function (Option B) thinking it provides more control, when in fact CloudFormation's native rollback is the most automated and reliable approach, and custom solutions often introduce additional failure points.

How to eliminate wrong answers

Option A is wrong because change sets are a review and approval mechanism that helps prevent errors before an update is executed, but they do not provide any automated recovery after a failure occurs. Option B is wrong because writing a custom Lambda function to revert changes introduces unnecessary complexity, potential for errors, and is not as reliable or automated as CloudFormation's native rollback, which handles state management and resource dependencies correctly. Option C is wrong because stack policies only prevent updates to specific critical resources during a stack update, but they do not provide any recovery mechanism if the update fails due to conflicts elsewhere.

366
MCQhard

A company is migrating a legacy on-premises application to AWS. The application uses a monolithic architecture and a MySQL database. The company wants to refactor the application into microservices and use a NoSQL database for better scalability. The new application will be deployed on Amazon EKS. The database must be highly available and support automatic scaling. Which database service should the company use?

A.Amazon Aurora Serverless
B.Amazon DynamoDB
C.Amazon DocumentDB (with MongoDB compatibility)
D.Amazon RDS for MySQL with Multi-AZ deployment
AnswerB

DynamoDB is a fully managed NoSQL database with high availability and auto scaling.

Why this answer

Option B is correct because Amazon DynamoDB is a NoSQL database that is replicated across Availability Zones and supports automatic scaling (on-demand capacity or auto scaling on provisioned capacity). Option D is wrong because RDS for MySQL is relational, not NoSQL. Option A is wrong because Aurora is relational.

Option C is wrong because DocumentDB, although NoSQL and MongoDB-compatible, runs on provisioned instances; DynamoDB is fully managed and serverless, which fits the auto scaling requirement better.

367
MCQeasy

A company is migrating a legacy application to AWS. The application uses a proprietary binary protocol that is not HTTP-based. The application currently runs on a single server and communicates with clients over TCP port 4444. The company wants to use AWS Elastic Load Balancing to distribute traffic across multiple EC2 instances for high availability. Which load balancer type should the company use?

A.AWS Global Accelerator
B.Classic Load Balancer (CLB)
C.Network Load Balancer (NLB)
D.Application Load Balancer (ALB)
AnswerC

NLB supports TCP at Layer 4 and can handle proprietary protocols.

Why this answer

Option C is correct because a Network Load Balancer operates at Layer 4, forwards TCP traffic on any port (here 4444) without interpreting it, and can therefore front a proprietary protocol. Option D is wrong because an Application Load Balancer only supports HTTP/HTTPS (and gRPC over HTTP/2). Option B is wrong because the Classic Load Balancer is legacy and not recommended for new applications; it supports TCP but lacks the NLB's features and performance.

Option A is wrong because AWS Global Accelerator provides anycast entry points but does not replace a load balancer; it sits in front of an ALB or NLB.

368
Multi-Selectmedium

A company is designing a new application that will run on Amazon EC2 instances. The application needs to access an Amazon S3 bucket to read and write objects. The company wants to ensure that the EC2 instances can access the S3 bucket without storing AWS credentials on the instances. Which TWO steps should the company take?

Select 2 answers
A.Attach the IAM role to the EC2 instance profile.
B.Store the AWS access key and secret access key in a configuration file on the instance.
C.Create an S3 bucket policy that allows access from the EC2 instance's IP address.
D.Configure the EC2 security group to allow outbound traffic to S3.
E.Create an IAM role with a policy that grants the required S3 permissions.
AnswersA, E

Attaching the role to the instance profile allows the instance to assume the role.

Why this answer

Options A and E are correct. Create an IAM role whose policy grants only the S3 actions the application needs on the specific bucket (and prefix, where possible), then attach it to the instance through an instance profile; the instance obtains short-lived credentials for the role from the instance metadata service, so nothing is stored on disk. The check a practitioner adds: require IMDSv2 (HttpTokens=required on the instance or launch template) so that a server-side request forgery in the application cannot fetch the role credentials from the metadata endpoint. Option B is wrong because long-lived access keys on the instance can be copied and used from anywhere.

Option C is wrong because a bucket policy is not needed when the role grants access, and instance IP addresses change. Option D is wrong because security groups control network reachability, not authorization; they are not a credential mechanism.

369
MCQmedium

A media company is designing a video transcoding pipeline. They receive raw video files in Amazon S3, which need to be transcoded into multiple formats. The pipeline must handle sporadic bursts of uploads and complete processing within 30 minutes for each video. The cost should be minimized. Which design should they use?

A.Use AWS Lambda with layers containing FFmpeg to transcode videos.
B.Use Amazon S3 event notifications to trigger an AWS Elemental MediaConvert job.
C.Provision a cluster of EC2 instances running FFmpeg, with Auto Scaling based on SQS queue depth.
D.Use Amazon Elastic Transcoder, which is fully managed and triggers from S3 events.
AnswerB

MediaConvert is serverless, scales automatically, and is cost-effective for sporadic jobs.

Why this answer

Option B is correct because AWS Elemental MediaConvert is a serverless transcoding service: an S3 event notification can start a job for each upload, jobs run in parallel during bursts, and there is no cost while idle. Option C is wrong because an EC2 fleet with Auto Scaling requires management and keeps a minimum of instances running even when there is nothing to transcode. Option D is wrong because Elastic Transcoder is being deprecated and has fewer features than MediaConvert.

Option A is wrong because Lambda has a 15-minute timeout and limited CPU and storage, which makes it unsuitable for transcoding full videos.

370
MCQmedium

A company is designing a new microservices application using Amazon ECS with Fargate. The services need to communicate securely within the VPC. Which approach should be used for service discovery?

A.Amazon Route 53 private hosted zones with health checks
B.AWS Cloud Map
C.VPC peering connections between services
D.Application Load Balancer with path-based routing
AnswerB

Managed service discovery for microservices.

Why this answer

Option B is correct because AWS Cloud Map is a fully managed service discovery service that integrates with ECS, registering and deregistering task IP addresses automatically as tasks start and stop. Option D (ALB with path-based routing) is for load balancing, not discovery. Option A (Route 53 private hosted zones) can be used but requires the records to be managed manually.

Option C (VPC peering) is for connecting VPCs, not service discovery.

371
MCQhard

A company is migrating a legacy monolithic application to a microservices architecture on AWS. They want to use an event-driven design where services react to state changes. Which AWS service should they use to capture, store, and replay events?

A.Amazon SNS
B.Amazon Kinesis Data Streams
C.Amazon EventBridge
D.Amazon SQS
AnswerC

EventBridge supports event archiving and replay.

Why this answer

Option C is correct because Amazon EventBridge captures events from services, can archive them, and can replay an archive to an event bus later. Option D (SQS) is a queue; messages are consumed and deleted, not stored for replay. Option A (SNS) is pub/sub with no storage or replay.

Option B (Kinesis Data Streams) can re-read a stream within its retention window, but it is built for streaming data, not for capturing and replaying application events.

372
MCQeasy

A startup is building a web application on AWS that requires a relational database. They expect unpredictable traffic patterns and want to minimize costs while ensuring high availability. Which database solution should they choose?

A.Amazon Redshift with concurrency scaling
B.Amazon Aurora Serverless (MySQL-compatible)
C.Amazon RDS for MySQL with Single-AZ deployment
D.Amazon DynamoDB with on-demand capacity
AnswerB

Aurora Serverless provides auto-scaling and high availability, cost-effective for unpredictable traffic.

Why this answer

Option B is correct because Aurora Serverless automatically scales capacity with demand and provides high availability through its Multi-AZ storage layer. Option D is wrong because DynamoDB is NoSQL, not relational. Option C is wrong because an RDS Single-AZ deployment lacks high availability.

Option A is wrong because Redshift is a data warehouse, not a transactional database.

373
MCQmedium

Refer to the exhibit. A company has this IAM policy attached to a group. A user in the group tries to terminate an EC2 instance in us-east-1 with the tag 'Environment: staging'. What happens?

A.The instance is terminated because the policy allows TerminateInstances.
B.The termination is denied because the condition requires the 'Environment' tag to be 'production'.
C.The termination is denied because the Resource is not the instance's ARN.
D.The instance is terminated because the condition is not evaluated.
AnswerB

The condition StringEquals requires the tag value to be 'production'.

Why this answer

The TerminateInstances statement carries a StringEquals condition on the Environment tag that requires the value 'production'. The instance is tagged 'staging', so the condition fails, the Allow does not apply, and the request is implicitly denied. Options A, C, and D are incorrect: the Allow is conditional (A), the denial comes from the tag condition, not from the Resource element (C), and a condition is always evaluated when it is present (D).
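The following is an added example, not part of the question set, that models the three evaluation rules used by questions 354, 360 and 373 above: an identity policy whose Allow is conditional on a tag (373), attribute-based access control where the resource tag must equal the principal's tag (354), and an SCP Deny that binds member accounts but not the management account (360). The `Request` type, the `evaluate_request` function and all policies, ARNs and tags are constructed for the example; it is a deliberately small model, not the real IAM engine, and only StringEquals/StringNotEquals conditions, Action/Resource wildcards and `${...}` policy variables are implemented.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Added example: a small model of IAM policy evaluation. Not the real IAM
# engine; constructed policies and tags throughout.


@dataclass
class Request:
    action: str
    resource: str
    context: dict = field(default_factory=dict)   # condition keys, e.g. aws:ResourceTag/Environment


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, context):
    """Expand policy variables such as ${aws:PrincipalTag/BusinessUnit}."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), ""), value)


def _conditions_hold(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = [_substitute(v, context) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def _statement_matches(stmt, req):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    if not any(fnmatch.fnmatchcase(req.action, a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(req.resource, r) for r in resources):
        return False
    return _conditions_hold(stmt.get("Condition", {}), req.context)


def _evaluate(policies, req):
    """Explicit Deny wins; otherwise an Allow is needed; otherwise implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, req):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def evaluate_request(req, identity_policies, scps=(), management_account=False):
    # SCPs bound every member account but never the management account.
    if scps and not management_account and _evaluate(scps, req) != "Allow":
        return "Deny"
    return _evaluate(identity_policies, req)


# --- constructed policies ---------------------------------------------------
FULL_AWS_ACCESS = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
ADMIN = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
DENY_DELETE_BUCKET_SCP = {"Statement": {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}}
ABAC_BY_BUSINESS_UNIT = {"Statement": {
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/BusinessUnit": "${aws:PrincipalTag/BusinessUnit}"}}}}
TERMINATE_PROD_ONLY = {"Statement": {
    "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "production"}}}}

INSTANCE_ARN = "arn:aws:ec2:us-east-1:111111111111:instance/i-0example"


def abac_decision(principal_bu, resource_bu):
    """Question 354: a principal may act only on resources tagged with its own unit."""
    req = Request("ec2:StartInstances", INSTANCE_ARN,
                  {"aws:PrincipalTag/BusinessUnit": principal_bu,
                   "aws:ResourceTag/BusinessUnit": resource_bu})
    return evaluate_request(req, [ABAC_BY_BUSINESS_UNIT])


def delete_bucket_decision(management_account):
    """Question 360: an admin tries s3:DeleteBucket under a root-level SCP deny."""
    req = Request("s3:DeleteBucket", "arn:aws:s3:::example-bucket")
    return evaluate_request(req, [ADMIN], scps=[FULL_AWS_ACCESS, DENY_DELETE_BUCKET_SCP],
                            management_account=management_account)


def terminate_decision(environment_tag):
    """Question 373: the Allow applies only when the Environment tag is production."""
    req = Request("ec2:TerminateInstances", INSTANCE_ARN,
                  {"aws:ResourceTag/Environment": environment_tag})
    return evaluate_request(req, [TERMINATE_PROD_ONLY])


if __name__ == "__main__":
    print(abac_decision("finance", "finance"), abac_decision("finance", "hr"))   # Allow Deny
    print(delete_bucket_decision(False), delete_bucket_decision(True))           # Deny Allow
    print(terminate_decision("staging"), terminate_decision("production"))       # Deny Allow
```

Two details carried over from the real evaluation logic are worth noticing: the SCP list includes the default FullAWSAccess allow, because an SCP Deny alone with no Allow would be an implicit deny of everything, and the management-account case skips SCP evaluation entirely, which is why the page's answer to question 360 hinges on 222222222222 being a member account.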

374
MCQmedium

A company is using AWS CloudFormation to manage its infrastructure. They have a production stack that creates an Amazon RDS DB instance. The company wants to update the DB instance class to a larger size with minimal downtime. Which approach should they use?

A.Modify the DBInstanceClass property in the CloudFormation template and use an UpdatePolicy of AutoScalingReplacingUpdate.
B.Create a new CloudFormation stack with the new DB instance class and delete the old stack.
C.Edit the CloudFormation template to change the DBInstanceClass and update the stack directly.
D.Use AWS OpsWorks to manage the DB instance and apply the change.
AnswerA

This allows CloudFormation to create a new DB instance and switch over with minimal downtime.

Why this answer

Option A is correct because changing the DBInstanceClass property in the template and updating the stack lets CloudFormation apply the class change for you rather than recreating the stack. A caveat before relying on the UpdatePolicy detail: the UpdatePolicy attribute (AutoScalingReplacingUpdate and its siblings) is defined for Auto Scaling groups and a few other resource types, not for AWS::RDS::DBInstance; for an RDS instance a DBInstanceClass change is applied in place as a modification with some interruption, and a Multi-AZ deployment keeps that short by failing over to the already-resized standby. Option C is wrong because changing the template and updating the stack without planning for that interruption may cause unexpected downtime. Option B is wrong because creating a new stack and deleting the old one means a full data migration, which is not minimal downtime.

Option D is wrong because AWS OpsWorks is a configuration management service and does not manage RDS instance sizing for a CloudFormation stack.

375
MCQeasy

A company is migrating to AWS and wants to use AWS CloudFormation to manage infrastructure as code. The DevOps team needs to ensure that stack updates are reviewed and approved before execution. Which feature should they use?

A.AWS CloudFormation Drift Detection
B.AWS CloudFormation StackSets
C.AWS CloudFormation Change Sets
D.AWS CloudFormation Nested Stacks
AnswerC

Change Sets provide a preview of changes before execution.

Why this answer

Option C is correct because a change set shows which resources an update would add, modify, or replace before anything is executed, so the team can review it and execute it only once approved. Option B is wrong because StackSets deploy stacks across multiple accounts and regions. Option A is wrong because drift detection reports differences between the live resources and the template; it does not review pending changes.

Option D is wrong because nested stacks are for reusing templates, not for review.
