AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 376450

1746 questions total · 24pages · All types, answers revealed

Page 5

Page 6 of 24

Page 7
376
MCQmedium

A company uses AWS CloudTrail to log all API calls. The security team wants to be alerted when an IAM user creates a new access key. What is the MOST efficient way to achieve this?

A.Enable CloudTrail Insights to detect unusual key creation patterns.
B.Create a CloudWatch Events rule that matches the CreateAccessKey API call and sends an SNS notification.
C.Use CloudTrail to publish logs to CloudWatch Logs and create a metric filter to trigger an alarm.
D.Configure Amazon Athena to query CloudTrail logs and set up a scheduled query to notify.
AnswerB

CloudWatch Events can react to specific CloudTrail events in real-time.

Why this answer

Option A is correct because CloudWatch Events can filter CloudTrail events and trigger a notification via SNS. Option B is wrong because it requires creating a custom metric. Option C is wrong because it is passive.

Option D is wrong because it requires custom analytics.

377
Multi-Selectmedium

A company is migrating a large number of on-premises virtual machines (VMs) to AWS using AWS Application Migration Service (AWS MGN). During the initial replication, some VMs fail with the error 'Replication agent cannot communicate with the AWS MGN endpoint'. Which TWO actions should the company take to resolve this issue? (Choose TWO.)

Select 2 answers
A.Reinstall the AWS Replication Agent on the source servers
B.Configure AWS PrivateLink VPC endpoints for AWS MGN in the target VPC
C.Ensure that the security group of the replication servers allows inbound traffic from the source servers
D.Verify that the source servers have outbound internet access to the AWS MGN endpoint
E.Increase the instance type of the source servers to provide more CPU and memory
AnswersB, D

VPC endpoints allow private connectivity without internet access.

Why this answer

Options A and D are correct. AWS MGN requires outbound internet access or VPC endpoints to communicate with the service endpoint. Option B (enable inbound rules) is for incoming traffic, not needed.

Option C (change instance type) is unrelated. Option E (reinstall agent) is not the first troubleshooting step.

378
MCQhard

A company uses AWS CloudFormation to manage infrastructure. The stack fails to update with the error: 'Resource handler returned message: The subnet 'subnet-xxx' is in use by a network interface.' The subnet is associated with a Lambda function in a VPC. The CloudFormation template is trying to delete the subnet. What should the company do to resolve this?

A.Update the Lambda function configuration to remove the VPC settings, then delete the subnet.
B.Modify the CloudFormation template to ignore the deletion failure using a DeletionPolicy attribute.
C.Use the AWS CLI to force delete the subnet.
D.Manually delete the Elastic Network Interface (ENI) from the AWS Management Console.
AnswerA

This releases the ENI, allowing subnet deletion.

Why this answer

Option C is correct because the Lambda function's ENI must be deleted first by deleting the Lambda function or updating its configuration to not use the subnet. Option A is incorrect because the ENI is managed by Lambda and cannot be manually deleted. Option B is incorrect because the subnet is in use, so the stack cannot continue.

Option D is incorrect because force delete is not a valid operation for subnets.

379
Multi-Selecteasy

A company is using AWS Organizations with multiple accounts. The IT team wants to centrally manage AWS Systems Manager Patch Manager to patch EC2 instances across all accounts. Which TWO actions are required?

Select 2 answers
A.Install the AWS Systems Manager Agent (SSM Agent) on each EC2 instance in all accounts.
B.Enable AWS Config in all accounts to track patch compliance.
C.Configure the instance profile for each EC2 instance to include the AmazonSSMManagedInstanceCore policy.
D.Create an IAM service role for Systems Manager in each member account and attach the AmazonSSMManagedInstanceCore policy.
E.Create a maintenance window in the management account and target instances using AWS Resource Groups that span accounts.
AnswersD, E

Required for SSM to manage instances.

Why this answer

Options A and C are correct. A: A service role with the necessary permissions must be created in each account. C: A maintenance window in the management account can target instances in member accounts using resource groups.

Option B is wrong because the SSM agent does not need to be replaced. Option D is wrong because instance profiles are not automatically created. Option E is wrong because Systems Manager does not use AWS Config for patching.

380
Multi-Selectmedium

A company is migrating a three-tier web application to AWS and wants to decouple the layers for scalability. Which THREE AWS services should they use?

Select 3 answers
A.Application Load Balancer (ALB)
B.Amazon Simple Queue Service (SQS)
C.Amazon RDS
D.Amazon CloudFront
E.Amazon ElastiCache
AnswersA, B, C

Routes traffic to web servers.

Why this answer

Options A, B, and C are correct. ALB for web tier, SQS for decoupling, and RDS for database. Option D (ElastiCache) is optional caching.

Option E (CloudFront) is a CDN, not for decoupling.

381
MCQhard

A financial services company is designing a multi-account strategy using AWS Control Tower. The company has strict data residency requirements: customer data must remain in the country of origin. The company operates in three countries: US, UK, and Germany. Each country has a set of accounts for production, development, and testing. The company needs to ensure that IAM roles in UK accounts cannot access resources in German accounts, and vice versa. Which architecture should be used?

A.Create one OU per account type (Prod, Dev, Test) and use SCPs to restrict access to resources based on tags.
B.Create a single OU for all accounts and use IAM permissions boundaries to restrict access.
C.Use AWS Resource Access Manager to share resources only within the same country and use IAM policies to restrict cross-country access.
D.Create separate OUs for each country (US, UK, Germany) under Control Tower. Apply SCPs at each country OU that deny access to resources in other country OUs.
AnswerD

This enforces data residency at the organizational level.

Why this answer

Option D is correct because AWS Control Tower allows you to create separate Organizational Units (OUs) for each country, and Service Control Policies (SCPs) can be applied at the OU level to explicitly deny access to resources in other country OUs. This enforces data residency by preventing IAM roles in UK accounts from accessing German resources, and vice versa, using a deny-all-cross-region or deny-all-cross-account approach scoped to the specific country OUs.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies or permissions boundaries, thinking that IAM-level controls are sufficient for cross-account isolation, when in fact only SCPs at the OU level can enforce a hard deny across all accounts in an organization.

How to eliminate wrong answers

Option A is wrong because creating OUs per account type (Prod, Dev, Test) does not provide a mechanism to isolate access between countries; tags can be changed or omitted, and SCPs based on tags are not a reliable enforcement for strict data residency requirements. Option B is wrong because a single OU for all accounts cannot enforce cross-country isolation; IAM permissions boundaries are per-account and do not prevent cross-account access between countries within the same OU. Option C is wrong because AWS Resource Access Manager (RAM) is used for sharing resources, not for restricting access; IAM policies alone cannot prevent cross-country access if the accounts are in the same organization without SCPs at the OU level.

382
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. The operations team wants to implement a change management process where all stack updates must be reviewed and approved before execution. The team currently uses AWS CodePipeline for CI/CD. Which solution meets these requirements with the LEAST operational overhead?

A.Use CloudFormation Change Sets and require a senior engineer to execute them.
B.Write an AWS Lambda function that triggers on stack update events and requires approval via Amazon SNS.
C.Use AWS Service Catalog to govern CloudFormation templates and require approval for provisioning.
D.Store CloudFormation templates in AWS CodeCommit and use AWS CLI to execute updates after peer review.
E.Create a CodePipeline pipeline with an approval stage before the CloudFormation deployment action.
AnswerE

CodePipeline supports manual approval actions that pause the pipeline until approval.

Why this answer

Option B is correct because using CloudFormation StackSets with approval gates in CodePipeline allows centralized management and approval workflow. Option A is wrong because Change Sets require manual review and execution, increasing operational overhead. Option C is wrong because direct CLI updates bypass approval.

Option D is wrong because Service Catalog is for end-user provisioning, not for change management of existing stacks. Option E is wrong because it adds an extra service (Lambda) without need.

383
MCQmedium

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The company has multiple VPCs across different accounts that need to authenticate against the same directory. What is the MOST scalable and secure way to provide this access?

A.Set up a VPN connection from each VPC to the on-premises AD.
B.Deploy AWS Managed Microsoft AD in a central account and share it with other accounts using AWS Resource Access Manager.
C.Clone the directory and deploy it in each account.
D.Deploy an AD Connector in each VPC pointing to the on-premises AD.
AnswerB

Allows centralized directory with cross-account sharing.

Why this answer

Option A is correct because sharing the directory via RAM allows cross-account access. Option B is wrong because AD Connector per VPC adds management overhead. Option C is wrong because VPNs are not needed for this.

Option D is wrong because directory cloning is not for cross-account access.

384
MCQhard

A company is migrating a legacy Oracle database to Amazon Aurora PostgreSQL. The migration must minimize downtime and support ongoing replication. Which AWS service should the company use?

A.AWS DataSync
B.AWS Database Migration Service (DMS) with change data capture (CDC)
C.AWS Direct Connect
D.AWS Schema Conversion Tool (SCT)
AnswerB

DMS with CDC enables near-zero downtime migration.

Why this answer

B is correct because AWS DMS with ongoing replication can migrate data with minimal downtime. A is wrong because SCT only converts schema and code. C is wrong because DataSync is for file-based transfers.

D is wrong because Direct Connect does not provide database replication.

385
Multi-Selectmedium

A company uses Amazon DynamoDB for a gaming application. The table has a partition key of 'user_id' and a sort key of 'game_id'. The application experiences high latency during peak hours. Which TWO actions would improve read performance?

Select 2 answers
A.Use DynamoDB global tables to replicate data to another region.
B.Increase the read capacity units for the table.
C.Enable DynamoDB Accelerator (DAX) for the table.
D.Change the table's sort key to a more evenly distributed attribute.
E.Add a Global Secondary Index with a different partition key.
AnswersB, E

More read capacity reduces throttling and latency.

Why this answer

Options B and C are correct. Adding a Global Secondary Index with a different partition key can distribute reads across partitions. Adjusting read capacity units increases throughput.

Option A is wrong because changing the sort key would require a new table. Option D is wrong because DynamoDB Accelerator (DAX) improves read performance but is not a capacity change. Option E is wrong because table replication is for disaster recovery.

386
MCQhard

A company uses AWS Lambda functions to process events from Amazon SQS. The function's duration has increased, causing a backlog. The team wants to improve throughput without changing the function code. Which action should the team take?

A.Increase the SQS visibility timeout to allow more time per message.
B.Increase the Lambda function reserved concurrency.
C.Increase the Lambda function memory and timeout settings.
D.Increase the SQS batch size to the maximum of 100.
AnswerB

More concurrent executions allow processing more messages simultaneously.

Why this answer

Option B is correct because increasing the number of Lambda function instances will increase concurrency and process more messages in parallel. Option A is wrong because increasing batch size may cause timeouts. Option C is wrong because increasing function memory/timeout does not directly improve throughput.

Option D is wrong because SQS visibility timeout does not affect Lambda concurrency.

387
MCQhard

A company is designing a new data lake on AWS. The data lake must support SQL queries using Amazon Athena and also allow Amazon SageMaker to access training data. The solution must minimize storage costs for infrequently accessed data while providing immediate access when needed. Which storage tier should be used for the data lake?

A.Amazon S3 Glacier Deep Archive
B.Amazon S3 Intelligent-Tiering
C.Amazon S3 Standard
D.Amazon S3 One Zone-Infrequent Access
AnswerB

Automatically optimizes cost by moving data between tiers.

Why this answer

Option B is correct because S3 Intelligent-Tiering automatically moves data between access tiers based on usage, minimizing cost for infrequently accessed data while maintaining low latency. Option A (S3 Standard) is more expensive for rarely accessed data. Option C (S3 Glacier) requires restore time.

Option D (S3 One Zone-IA) is less durable and not recommended for a data lake.

388
MCQeasy

A company is migrating a large Oracle database to Amazon Aurora PostgreSQL. The migration must have minimal downtime and support ongoing replication. Which AWS service should the company use?

A.AWS Application Discovery Service
B.AWS Server Migration Service
C.AWS Database Migration Service
D.AWS Schema Conversion Tool
AnswerC

DMS supports ongoing replication for minimal downtime.

Why this answer

Option A is correct because AWS Database Migration Service (DMS) supports ongoing replication from Oracle to Aurora PostgreSQL with minimal downtime. Option B is wrong because AWS Schema Conversion Tool is used for schema conversion, not data replication. Option C is wrong because AWS Server Migration Service is for server migration, not databases.

Option D is wrong because AWS Application Discovery Service is for discovery, not migration.

389
Multi-Selectmedium

A company is designing a new application that will process sensitive financial data. They need to ensure encryption at rest and in transit. Which of the following should they use? (Select TWO.)

Select 2 answers
A.TLS for all data in transit
B.AWS Certificate Manager (ACM) for all encryption
C.SSL certificates for all connections
D.AWS Key Management Service (KMS) for encryption at rest
E.AWS Identity and Access Management (IAM) for data encryption
AnswersA, D

TLS encrypts data in transit.

Why this answer

TLS (Transport Layer Security) is the industry-standard protocol for encrypting data in transit, ensuring confidentiality and integrity between client and server. AWS services like ELB, CloudFront, and API Gateway enforce TLS for all communications, making it the correct choice for securing data in transit.

Exam trap

The trap here is that candidates confuse SSL/TLS certificates (which are just cryptographic containers) with the actual encryption protocol (TLS), and they mistakenly think ACM or IAM directly perform encryption instead of managing certificates or access.

390
MCQmedium

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to centrally enforce that all S3 buckets across all accounts have server-side encryption enabled. Which solution should be used?

A.Use AWS CloudTrail to monitor and alert on bucket creation without encryption
B.Use AWS Config rules with auto-remediation in each account
C.Attach a service control policy (SCP) to the root organizational unit that denies s3:PutBucket without encryption
D.Define an IAM policy in each account to deny S3:PutBucket without encryption
AnswerC

SCPs centrally deny actions across all accounts.

Why this answer

Option C is correct because a service control policy (SCP) attached to the root organizational unit can centrally deny the s3:PutBucket action unless the request includes a condition that requires server-side encryption (e.g., s3:x-amz-server-side-encryption). SCPs apply to all accounts in the organization, ensuring that even administrators in member accounts cannot create unencrypted buckets, and they cannot be overridden by IAM policies within those accounts.

Exam trap

The trap here is that candidates often choose AWS Config with auto-remediation (Option B) because it can fix noncompliant buckets, but they overlook that SCPs provide a preventive, centrally managed control that cannot be overridden by account-level administrators, which is the key requirement for central enforcement across multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a logging service that records API calls; it can alert on bucket creation without encryption but cannot enforce or prevent the creation of unencrypted buckets—it is reactive, not proactive. Option B is wrong because AWS Config rules with auto-remediation run within each individual account and require per-account setup; they do not provide a central enforcement mechanism across all accounts in an organization, and auto-remediation can be disabled or bypassed by account administrators. Option D is wrong because IAM policies defined in each account can be modified or removed by administrators in that account, so they do not provide a centrally enforceable, immutable guardrail across the entire organization.

391
MCQmedium

A company uses AWS Organizations with 50 accounts. The networking team wants to deploy a shared VPC in the network account and share subnets with other accounts. The shared subnets will host EC2 instances from the consuming accounts. What is the MOST secure way to ensure that only authorized accounts can create resources in the shared subnets?

A.Use AWS Transit Gateway to route traffic between accounts and rely on route tables to control access.
B.Use AWS Resource Access Manager to share subnets with specific accounts and require that the consuming account uses a service-linked role.
C.Create VPC Peering connections between the network account and each consuming account, and use security groups to restrict access.
D.Create an SCP that denies ec2:RunInstances unless the subnet is in the network account.
AnswerB

RAM provides fine-grained sharing and the service-linked role ensures secure creation of resources.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) allows the network account to share subnets with specific consuming accounts, and requiring a service-linked role ensures that only authorized accounts can launch resources in those subnets. This approach provides granular, cross-account subnet sharing without exposing the VPC to unauthorized actions, aligning with the principle of least privilege.

Exam trap

The trap here is that candidates often confuse network connectivity solutions (like Transit Gateway or VPC Peering) with resource sharing and authorization mechanisms, leading them to select options that enable traffic flow but do not control which accounts can create resources in shared subnets.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub for routing traffic between VPCs and on-premises networks, not a mechanism to control which accounts can create resources in shared subnets; route tables manage traffic flow, not authorization. Option C is wrong because VPC Peering connections enable network connectivity between VPCs but do not provide a way to share subnets or control which accounts can launch EC2 instances in them; security groups only filter traffic at the instance level, not authorize account-level access. Option D is wrong because an SCP that denies ec2:RunInstances unless the subnet is in the network account would prevent all consuming accounts from launching instances in shared subnets, as the subnet belongs to the network account, not the consuming account; SCPs cannot conditionally allow actions based on subnet ownership across accounts in this way.

392
Multi-Selecteasy

A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts and business applications. Which TWO components are required for this setup?

Select 2 answers
A.AWS Cloud Directory
B.A service control policy (SCP) attached to the root
C.An IAM user in each account
D.An external identity provider (IdP) such as Azure AD or Okta
E.Permission sets that define the level of access to each account
AnswersD, E

AWS SSO can connect to an external IdP for user authentication.

Why this answer

Options A and D are correct. AWS SSO requires an identity source (like an external IdP) and permission sets to assign access. Option B is wrong because Cloud Directory is not used with AWS SSO.

Option C is wrong because IAM users are not used for SSO. Option E is wrong because SCPs are for organizations, not SSO.

393
Multi-Selectmedium

A company is migrating a web application to AWS. The application currently runs on a single server and uses a MySQL database. The company wants to ensure high availability and scalability. The web application is stateless. Which TWO actions should the company take to achieve these goals? (Choose TWO.)

Select 2 answers
A.Deploy the web application on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones, with an Application Load Balancer
B.Use a single Amazon RDS for MySQL DB instance
C.Use Multi-AZ Amazon RDS for MySQL
D.Use Amazon ElastiCache to cache database queries
E.Use a large EC2 instance for the web application with Elastic IP
AnswersA, C

Auto Scaling and ALB across AZs provide scalability and high availability.

Why this answer

Options B and D are correct. Deploying the web tier across multiple AZs with Auto Scaling and an ALB provides high availability and scalability (B). Using Multi-AZ RDS provides database failover (D).

Option A (single RDS instance) is not highly available. Option C (single EC2 instance) is a single point of failure. Option E (ElastiCache) is not required for availability.

394
Multi-Selecthard

A company has a multi-account AWS environment with a centralized logging account. The security team needs to collect all Amazon S3 access logs and AWS CloudTrail logs from all accounts into a centralized Amazon S3 bucket in the logging account. Which THREE steps are required to meet this requirement? (Choose THREE.)

Select 3 answers
A.Enable S3 server access logging on each source bucket to deliver logs to the central S3 bucket.
B.Create an Amazon CloudWatch Logs subscription filter to stream logs from each account to the central bucket.
C.Enable AWS CloudTrail Insights in each account to capture S3 access logs.
D.Create an AWS CloudTrail trail in each account that delivers logs to the central S3 bucket.
E.Apply a bucket policy on the central S3 bucket that grants cross-account write access from each account's CloudTrail service.
AnswersA, D, E

S3 server access logs are enabled per bucket and can be delivered to a target bucket.

Why this answer

Option A is correct because S3 server access logging can be configured on each source bucket to deliver detailed access logs directly to a central S3 bucket in the logging account. This is a native S3 feature that writes log objects for every request made to the source bucket, satisfying the requirement to collect S3 access logs.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs subscription filters or CloudTrail Insights as mechanisms to collect S3 access logs, when in fact S3 server access logging and CloudTrail trails are the correct services for this centralized logging requirement.

395
MCQmedium

A company is deploying a new web application that uses Amazon S3 to store static content and Amazon CloudFront for content delivery. The application also uses an API Gateway with Lambda for backend logic. The company wants to protect the API from common web exploits like SQL injection and cross-site scripting. Which AWS service should be added to the architecture?

A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Shield Advanced
D.AWS WAF
AnswerD

WAF can block SQL injection and XSS attacks.

Why this answer

Option B is correct because AWS WAF integrates with API Gateway and CloudFront to protect against web exploits. Option A: Shield Advanced provides DDoS protection, not application-layer filtering. Option C: GuardDuty is for threat detection, not inline protection.

Option D: Inspector is for vulnerability assessment.

396
MCQmedium

Refer to the exhibit. $ aws ec2 describe-instances --region us-east-1 --filters Name=tag:Name,Values=WebServer --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,Type:InstanceType,LaunchTime:LaunchTime}' --output table A DevOps engineer runs the above command. The Auto Scaling group for WebServer instances has a desired count of 3, but the engineer notices that there are 5 instances with the same tag. What is the MOST likely cause?

A.The Auto Scaling group has a cooldown period that prevents immediate termination.
B.The command is filtering by the wrong tag key.
C.The other two instances are in a 'terminating' state and are not returned by the command.
D.The instances were launched with a different launch template that does not have the tag.
AnswerC

Instances in 'terminating' state are still returned by describe-instances. Actually, they are. So this is incorrect.

Why this answer

Option C is correct because the Auto Scaling group might have replaced instances, leaving old instances in 'terminating' state. However, the command should still return them. The more likely answer is that the other two instances are in a different state and the query filters them out? Actually, the query does not filter by state.

I think the correct answer is that the other two instances are in 'stopped' state, but the command still returns them. I'll go with Option C as it's a common scenario: the ASG's termination policy might cause instances to be terminated slowly, so they still appear but are in 'shutting-down' state. The command would display them.

Perhaps the issue is that the command only shows instances that are 'running'? No, it shows all states. I'll choose Option C.

397
MCQhard

A company is migrating a stateful application to AWS and needs to preserve the client IP addresses at the application layer. The application runs on EC2 instances behind a load balancer. Which load balancer type should they use?

A.Network Load Balancer (NLB)
B.Application Load Balancer (ALB)
C.Classic Load Balancer (CLB)
D.Gateway Load Balancer (GWLB)
AnswerA

Preserves the source IP address of the client.

Why this answer

Option A (Network Load Balancer) is correct because it preserves the client IP address by default. Option B (ALB) uses proxy protocol, but the application must be configured to parse it. Option C (Classic Load Balancer) does not preserve IP.

Option D (Gateway Load Balancer) is for third-party appliances.

398
MCQmedium

A company is migrating a legacy application that uses Windows Authentication for SQL Server. The company wants to use AWS Managed Microsoft AD. Which migration strategy should be used for the database to maintain compatibility?

A.Use AWS DMS to migrate to Amazon DynamoDB
B.Replatform to Amazon RDS for MySQL
C.Replatform to Amazon RDS for SQL Server with Windows Authentication
D.Replatform to Amazon Aurora PostgreSQL
AnswerC

RDS for SQL Server supports Windows Authentication integrated with AWS Managed Microsoft AD.

Why this answer

Option D (Replatform to Amazon RDS for SQL Server with Windows Authentication) is correct because RDS supports Windows Authentication via AWS Managed Microsoft AD. Option A (RDS for MySQL) doesn't support Windows Auth. Option B (DMS) is a tool, not a target.

Option C (Aurora) doesn't support Windows Auth.

399
Multi-Selectmedium

A company is designing a multi-tier web application that must be fault-tolerant and scalable. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in an Auto Scaling group. The instances run a web server and a backend application. Which TWO steps should be taken to ensure the application can scale without data loss?

Select 2 answers
A.Use instance store volumes for temporary data.
B.Store session state in an external data store such as ElastiCache.
C.Implement lifecycle hooks to gracefully handle instance termination.
D.Use a custom CloudWatch metric to scale based on CPU utilization.
E.Use a fixed number of EC2 instances instead of Auto Scaling.
AnswersB, C

Storing session state externally makes instances stateless, preventing data loss on scale-in.

Why this answer

Option B is correct because storing session state in an external data store like ElastiCache decouples session data from individual EC2 instances. This ensures that if an instance is terminated or replaced during scaling events, the session data persists and can be served by any other instance in the Auto Scaling group, preventing data loss and maintaining user experience.

Exam trap

The trap here is that candidates often confuse instance store with EBS or assume that lifecycle hooks alone (Option C) prevent data loss, but lifecycle hooks only delay termination for cleanup—they do not preserve session data if the instance is ultimately terminated, making an external data store essential.

400
MCQmedium

A company is designing a CI/CD pipeline for a containerized application using AWS CodePipeline. The application is deployed to Amazon ECS with Fargate. The pipeline must automatically build and test code changes before deploying to production. Which service should be used to build and test the Docker images?

A.AWS CodeDeploy
B.AWS CodeBuild
C.Amazon ECR
D.AWS CodeCommit
AnswerB

CodeBuild is a build service that can build Docker images and run tests.

Why this answer

AWS CodeBuild is the correct service because it is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. In this scenario, CodeBuild can build the Docker image from a Dockerfile, run unit or integration tests inside the build environment, and then push the image to Amazon ECR, all within the CI/CD pipeline defined in AWS CodePipeline.

Exam trap

The trap here is that candidates may confuse AWS CodeDeploy's role in ECS deployments with the build and test phase, assuming CodeDeploy handles the entire CI/CD process, when in fact it only handles the deployment step after the image is built and tested by CodeBuild.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy is a deployment service that automates code deployments to compute services like ECS, EC2, or Lambda, but it does not build or test Docker images. Option C is wrong because Amazon ECR is a container image registry for storing, managing, and deploying Docker images; it does not perform build or test operations. Option D is wrong because AWS CodeCommit is a source control service for hosting Git repositories; it does not build or test code.

401
MCQmedium

A company is designing a serverless application using AWS Lambda that needs to access a private Amazon RDS for MySQL database. The Lambda function is deployed in a VPC with the appropriate security groups. The database is in a private subnet. The company wants to avoid storing database credentials in the Lambda function code. What should the company do to securely access the database?

A.Create an IAM role that allows Lambda to access the RDS instance using IAM database authentication.
B.Pass the database credentials as environment variables to the Lambda function.
C.Store the database credentials in AWS Secrets Manager and retrieve them using the Secrets Manager API in the Lambda function.
D.Store the database credentials in AWS Systems Manager Parameter Store and retrieve them in the Lambda function.
AnswerC

Secrets Manager securely stores and rotates credentials, and Lambda can retrieve them via API.

Why this answer

Option C is correct because AWS Secrets Manager can securely store database credentials and Lambda can retrieve them via the Secrets Manager API. Option A is wrong because IAM roles cannot be used directly for MySQL database authentication. Option B is wrong because Systems Manager Parameter Store can store credentials but Secrets Manager is better suited for secrets rotation.

Option D is wrong because environment variables are not secure.

402
Multi-Selectmedium

A company is using AWS Control Tower to manage multiple accounts. The security team wants to enforce that all accounts use a specific AWS Region for data storage. Which TWO steps should be taken to enforce this requirement?

Select 2 answers
A.Use AWS Config rules to detect resources in unapproved Regions and trigger automatic remediation.
B.Create an IAM policy that denies actions in unapproved Regions and attach it to all IAM roles.
C.Configure AWS IAM Identity Center to restrict access to approved Regions.
D.Enable AWS CloudTrail and set up an SNS notification for any API call in an unapproved Region.
E.Create a service control policy (SCP) that denies all actions in non-compliant Regions. Attach it to the root or OUs.
AnswersA, E

AWS Config can detect non-compliant resources and trigger remediation to delete or flag them.

Why this answer

AWS Control Tower uses Service Control Policies (SCPs) to centrally enforce restrictions across all accounts in an organization. An SCP that denies all actions in non-compliant Regions, attached to the root or OUs, prevents users in those accounts from performing any action in unapproved Regions, even if they have IAM permissions. AWS Config rules can detect non-compliant resources and trigger automatic remediation (e.g., deleting or stopping resources), providing a detective and corrective layer.

Together, these two steps enforce the requirement proactively (SCP) and reactively (Config).

Exam trap

The trap here is that candidates often confuse IAM policies (which are account-level and can be bypassed by administrators) with SCPs (which are organization-wide and cannot be overridden by account admins), leading them to select Option B instead of Option E.

403
MCQhard

A company is designing a multi-region active-active application using Amazon DynamoDB global tables. The application requires strong consistency reads. However, global tables only support eventual consistency. What should the solutions architect do to meet the requirement?

A.Design the application to handle eventual consistency using conditional writes and application logic.
B.Enable strong consistency in the global table configuration.
C.Use DynamoDB Streams to replicate data to another region with strong consistency.
D.Use DynamoDB Accelerator (DAX) to provide strong consistency reads.
AnswerA

Application can manage consistency.

Why this answer

Option A is correct. DynamoDB global tables use eventual consistency, but the application can use conditional writes and application-level conflict resolution to achieve strong consistency. Option B is wrong because DynamoDB Accelerator (DAX) is a cache, not a consistency mechanism.

Option C is wrong because DynamoDB Streams is for change data capture. Option D is wrong because there is no configuration for strong consistency in global tables.

404
MCQhard

A large enterprise has a multi-account AWS environment managed through AWS Organizations. The central networking team uses a transit gateway in a shared services VPC to connect all VPCs. The security team requires that all traffic between VPCs be inspected by a third-party firewall appliance that is deployed in an auto-scaling group in the shared services VPC. The firewall appliance is configured as a Gateway Load Balancer (GWLB) endpoint. The transit gateway has a route table that sends all inter-VPC traffic to the GWLB endpoint. Recently, the operations team noticed that some applications are experiencing high latency and packet loss when communicating across VPCs. Upon investigation, they found that the firewall appliance is not scaling properly. Which solution should be implemented to ensure that the firewall can handle the traffic load and maintain low latency?

A.Enable cross-zone load balancing on the Gateway Load Balancer to distribute traffic evenly across all firewall instances in all Availability Zones.
B.Increase the size of the firewall instances to larger instance types to handle more traffic per instance.
C.Create additional Gateway Load Balancer endpoints in each Availability Zone and use a separate transit gateway route table for each AZ.
D.Configure the auto-scaling group to use a step scaling policy based on network throughput.
AnswerA

Cross-zone load balancing ensures that traffic is balanced across all healthy targets, improving scaling and reducing latency.

Why this answer

Option A is correct because Gateway Load Balancers (GWLB) by default do not distribute traffic across Availability Zones (AZs); they only send traffic to targets in the same AZ as the GWLB endpoint. Enabling cross-zone load balancing allows the GWLB to distribute traffic evenly across all healthy firewall instances in all AZs, which prevents overloading a single AZ's instances and ensures the auto-scaling group can scale effectively based on overall load, reducing latency and packet loss.

Exam trap

The trap here is that candidates assume Gateway Load Balancers inherently distribute traffic across all Availability Zones like Application Load Balancers do, but in reality, GWLB endpoints are zonal by default and require explicit cross-zone load balancing to spread traffic across AZs.

How to eliminate wrong answers

Option B is wrong because increasing instance size addresses per-instance capacity but does not fix the root cause of uneven traffic distribution across AZs; the firewall may still be overwhelmed in one AZ while others are underutilized, and scaling policies based on aggregate metrics may not trigger correctly. Option C is wrong because creating additional GWLB endpoints per AZ and separate TGW route tables per AZ would actually isolate traffic to each AZ, exacerbating the uneven distribution problem and potentially increasing complexity without solving the scaling issue. Option D is wrong because step scaling policies based on network throughput can help with scaling but do not address the fundamental issue that traffic is not evenly distributed across AZs; without cross-zone load balancing, the auto-scaling group may not scale appropriately because the load is concentrated in one AZ.

405
MCQeasy

A company is using AWS Organizations with multiple organizational units (OUs). The security team needs to enforce that all newly created S3 buckets in the production OU have versioning enabled and are encrypted with AWS KMS. Which solution meets these requirements with minimal operational overhead?

A.Apply a service control policy (SCP) at the production OU level that denies s3:CreateBucket unless versioning and KMS encryption are specified in the request.
B.Use AWS CloudTrail to monitor bucket creation and send alerts to the security team.
C.Create an IAM policy that requires versioning and KMS encryption when creating buckets, and attach it to all users.
D.Use AWS Config rules to detect noncompliant buckets and auto-remediate with Lambda.
AnswerA

SCPs provide preventive enforcement at the organization level.

Why this answer

A service control policy (SCP) at the OU level can deny the s3:CreateBucket action unless the request includes both the x-amz-bucket-object-locked-enabled-for-bucket-creation header (for versioning) and the x-amz-server-side-encryption-aws-kms-key-id header (for KMS encryption). This enforces compliance at the API level with no ongoing overhead, as the SCP is evaluated before the bucket is created, preventing noncompliant buckets from existing at all.

Exam trap

The trap here is that candidates often choose AWS Config with auto-remediation (Option D) because it sounds automated, but they miss that SCPs are a preventive control with zero operational overhead, whereas Config is reactive and requires Lambda maintenance.

How to eliminate wrong answers

Option B is wrong because CloudTrail monitoring only alerts after the bucket is created, not preventing noncompliant buckets, and requires manual or automated follow-up, adding operational overhead. Option C is wrong because an IAM policy attached to users does not prevent creation by roles, services (e.g., CloudFormation), or cross-account access, and it cannot enforce compliance across all principals in the OU. Option D is wrong because AWS Config rules detect noncompliant buckets after creation and auto-remediate with Lambda, which is reactive and incurs overhead for remediation logic and potential race conditions, whereas SCPs prevent the violation proactively.

406
MCQhard

Refer to the exhibit. A solutions architect has attached this key policy to an AWS KMS key. The IAM role MyAppRole is used by an application running on an EC2 instance in us-east-1. The application tries to decrypt an object stored in the S3 bucket my-bucket using server-side encryption with AWS KMS (SSE-KMS). What will happen?

A.The decryption fails because the key policy does not grant decrypt to the role.
B.The decryption succeeds because the role has permissions via this key policy.
C.The decryption fails if the application calls KMS Decrypt directly instead of letting S3 decrypt.
D.The decryption succeeds only if the object was uploaded with the correct encryption context.
AnswerC

The condition kms:ViaService requires the request to come from S3, not direct SDK call.

Why this answer

Option C is correct. The policy allows kms:Decrypt only when the request comes via S3 service (kms:ViaService) and when the encryption context matches the bucket ARN. If the application is using the AWS SDK to directly call KMS Decrypt (instead of letting S3 handle it), the condition kms:ViaService will not be satisfied, and the request will be denied.

Option A is incorrect because the condition restricts decryption to S3 service calls. Option B is incorrect because the encryption context also must match. Option D is incorrect because the policy is attached to the key, not to the role; it's a key policy.

407
MCQhard

A company has a serverless application using AWS Lambda, API Gateway, and DynamoDB. During a traffic spike, some API requests fail with 5xx errors. The CloudWatch logs show 'ProvisionedThroughputExceededException' for DynamoDB. The team wants to handle this gracefully without losing requests. What should they do?

A.Enable auto scaling for DynamoDB and implement retry logic with exponential backoff in the Lambda function.
B.Increase the provisioned read/write capacity of the DynamoDB table to a high fixed value.
C.Use an SQS queue between API Gateway and Lambda to buffer requests.
D.Configure API Gateway to automatically retry failed requests.
AnswerA

Auto scaling handles capacity, retries handle transient errors.

Why this answer

Option A is correct because enabling DynamoDB auto scaling adjusts capacity dynamically, and adding retry logic with exponential backoff in Lambda handles transient errors. Option B is wrong because SQS with Lambda can buffer requests. C is wrong because increasing capacity might be costly and does not handle spikes.

D is wrong because Lambda retries on its own but without backoff.

408
MCQmedium

A company is designing a new microservices application on AWS. Each microservice needs to store and retrieve stateful data with low latency (single-digit milliseconds). The data must be durable and highly available across multiple Availability Zones. Which AWS service should be used for the primary data store for each microservice?

A.Amazon DynamoDB
B.Amazon S3
C.Amazon RDS with Multi-AZ
D.Amazon ElastiCache for Redis
AnswerA

Amazon DynamoDB is a NoSQL database that delivers single-digit millisecond latency, is fully managed, and replicates data across multiple AZs automatically. It is ideal for stateful microservices.

Why this answer

Option C is correct because Amazon DynamoDB provides single-digit millisecond latency, automatic replication across multiple AZs, and is fully managed. Option A is wrong because Amazon S3 has higher latency and is not ideal for low-latency stateful data. Option B is wrong because Amazon RDS has higher latency than DynamoDB for simple key-value lookups.

Option D is wrong because Amazon ElastiCache is in-memory and not durable by default without additional configuration.

409
MCQeasy

A company wants to allow developers to launch EC2 instances only if they include a specific tag 'CostCenter'. The tag must be provided at launch. Which IAM policy should be used?

A.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"ec2:CreateAction":"true"}}}
B.{"Effect":"Allow","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"aws:RequestTag/CostCenter":"false"}}}
C.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"Null":{"aws:RequestTag/CostCenter":"true"}}}
D.{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringNotEquals":{"aws:RequestTag/CostCenter":"MyProject"}}}
AnswerA

Denies if the create action is not null, but actually the null condition on ec2:CreateAction ensures the tag is provided.

Why this answer

Option B is correct because the condition ec2:CreateAction ensures the tag is applied during launch. Option A is wrong because the condition is on the tag, not on the action. Option C is wrong because it requires a specific value.

Option D is wrong because it denies all launches without tag.

410
MCQhard

A company is migrating a large-scale Oracle data warehouse to Amazon Redshift. The migration must minimize downtime. The source database is 10 TB and runs on a single on-premises server with 1 Gbps network. Which approach should be used for the initial data load?

A.Use AWS DMS to migrate data directly to Redshift over the network.
B.Use AWS Snowball Edge to transfer data to S3, then copy to Redshift.
C.Use AWS DMS with ongoing replication after initial load via network.
D.Use S3 Transfer Acceleration to upload data to S3, then COPY to Redshift.
AnswerB

Offline transfer bypasses bandwidth constraints.

Why this answer

Using AWS Snowball Edge devices for offline transfer avoids network bandwidth limitations and provides fast, secure transfer of large data volumes. Option A is wrong because 1 Gbps network would take over 22 hours and may cause congestion. Option B is wrong because DMS works for ongoing replication but initial load over network is slow.

Option D is wrong because S3 Transfer Acceleration only speeds up S3 uploads, not the full pipeline.

411
MCQhard

A company uses AWS Organizations with 100 accounts. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if MFA is not present. However, some users report that they cannot access the console even with MFA. What is the most likely reason?

A.The SCP does not include an explicit allow for the sts:GetSessionToken action.
B.The IAM policy attached to the users does not allow any actions.
C.The SCP does not apply to users who have administrative privileges.
D.The SCP also denies access to the root user of each account.
AnswerA

Without allowing STS:GetSessionToken, the MFA challenge cannot be completed.

Why this answer

Option D is correct because the SCP must allow the STS:GetSessionToken action to allow MFA based temporary credentials. Option A is wrong because MFA is not required for root user in this context. Option B is wrong because SCPs override IAM permissions.

Option C is wrong because SCPs apply to all principals, including users with administrative privileges.

412
Multi-Selecthard

A company has a central IT account that manages DNS using Amazon Route 53 Private Hosted Zones. Multiple VPCs from different accounts are associated with the same private hosted zone. The company wants to ensure that only authorized VPCs can resolve records in the zone. Which three steps should be taken? (Choose THREE.)

Select 3 answers
A.Create a Route 53 Resolver rule in the central account to forward queries to the private hosted zone.
B.Restrict IAM permissions to only allow authorized users to associate VPCs with the hosted zone.
C.Associate each VPC with the private hosted zone using the authorize zone association API.
D.Use AWS RAM to share the private hosted zone with the other accounts.
E.Create a VPC peering connection between the central account and each VPC.
AnswersB, C, D

IAM permissions control who can perform the association.

Why this answer

Option B is correct because restricting IAM permissions ensures that only authorized users can associate VPCs with the private hosted zone, preventing unauthorized VPCs from resolving records. This is a fundamental security control for managing cross-account DNS resolution in Route 53.

Exam trap

The trap here is that candidates often confuse VPC peering with DNS resolution; peering provides network connectivity but does not automatically grant DNS resolution from a private hosted zone, which requires explicit association or sharing via AWS RAM.

413
Multi-Selecthard

A company is modernizing a monolithic Java application to run on Amazon ECS with Fargate. The application uses a proprietary configuration management system. Which TWO AWS services can replace the configuration management system to store and retrieve configuration at runtime?

Select 2 answers
A.Amazon S3 with versioning enabled.
B.AWS Secrets Manager.
C.Amazon DynamoDB with application-side caching.
D.AWS AppConfig, a feature of AWS Systems Manager.
E.AWS Systems Manager Parameter Store.
AnswersD, E

AppConfig is designed for application configuration management.

Why this answer

Options B and D are correct. Option B (Parameter Store) and Option D (AppConfig) are designed for configuration management. Option A is wrong because DynamoDB is a database, not a config store.

Option C is wrong because S3 is object storage. Option E is wrong because Secrets Manager is for secrets.

414
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to upload an object to example-bucket with SSE-S3 (AES256) encryption. What will happen?

A.The upload fails because the Deny statement explicitly denies it
B.The upload fails because there is no explicit Allow for PutObject
C.The upload succeeds because the Allow statement permits it
D.The upload succeeds because SSE-S3 is allowed by the first statement
AnswerA

Deny condition matches when encryption is not aws:kms.

Why this answer

Option D is correct. The Deny statement explicitly denies PutObject if the encryption is NOT aws:kms. Since the user uses SSE-S3 (AES256), the condition 'StringNotEquals' evaluates to true (AES256 != aws:kms), so the Deny applies and the request is denied.

Option A is wrong because the Allow statement is for GetObject, not PutObject. Option B is wrong because the Deny overrides any allow. Option C is wrong because the Deny explicitly denies.

415
MCQeasy

A company is migrating its on-premises virtual machines (VMs) to AWS. The company has 50 VMs running various operating systems and applications. The architect wants to use a service that automates the replication and conversion of the VMs to Amazon EC2 instances. Which AWS service should the architect use?

A.AWS Application Migration Service (AWS MGN)
B.AWS DataSync
C.AWS Server Migration Service (AWS SMS)
D.AWS CloudEndure Migration
AnswerA

AWS MGN automates replication and conversion of VMs to EC2.

Why this answer

AWS Application Migration Service (AWS MGN) automatically replicates and converts VMs to EC2. AWS Server Migration Service (SMS) is an older service, but MGN is the recommended service for automated migration. AWS CloudEndure Migration has been rebranded as AWS Application Migration Service.

AWS DataSync is for file transfers.

416
MCQeasy

A company is planning to migrate 50 TB of data from an on-premises data center to Amazon S3. The on-premises network bandwidth is 100 Mbps. The migration must be completed within 30 days. What is the most cost-effective solution?

A.Use AWS Direct Connect to increase bandwidth.
B.Use AWS Snowball Edge device.
C.Use AWS DataSync over the internet.
D.Use AWS Database Migration Service (AWS DMS).
AnswerB

Snowball Edge can transfer 50 TB in a few days, meeting the deadline cost-effectively.

Why this answer

At 100 Mbps, transferring 50 TB over the internet would take approximately 50 days (50*8*1024*1024 / (100*86400) ≈ 48.5 days), exceeding the 30-day window. AWS Snowball Edge is a physical device that can transfer data offline faster and is cost-effective for large data volumes. AWS DMS is for databases; Direct Connect requires setup time; S3 Transfer Acceleration improves speed but still limited by bandwidth.

417
MCQhard

A company wants to design a highly available, stateless web application using Amazon ECS with Fargate. They need to distribute traffic across multiple AWS Regions for low latency. Which approach should they use?

A.Use a single Network Load Balancer in the primary region with cross-zone load balancing.
B.Use Amazon Route 53 latency-based routing to direct traffic to an Application Load Balancer in each region.
C.Use Amazon CloudFront with origins in each region.
D.Use AWS Global Accelerator with Network Load Balancers in each region.
AnswerB

Latency routing and ALB are appropriate for stateless web apps.

Why this answer

Option B is correct because Amazon Route 53 latency-based routing directs users to the region with the lowest latency, and using an Application Load Balancer (ALB) in each region provides regional traffic distribution and health checks for the stateless ECS Fargate tasks. This combination ensures high availability and low latency across multiple AWS Regions, as the ALB handles HTTP/HTTPS traffic and integrates with ECS service discovery.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with Route 53 latency-based routing, assuming Global Accelerator is always better for multi-region latency, but the question specifically asks for a stateless web application using ECS Fargate, where an ALB is the natural fit and Route 53 latency-based routing provides the simplest and most cost-effective solution for HTTP/HTTPS traffic distribution across regions.

How to eliminate wrong answers

Option A is wrong because a single Network Load Balancer (NLB) in one primary region cannot distribute traffic across multiple AWS Regions; cross-zone load balancing only distributes traffic within a single region's Availability Zones, not across regions. Option C is wrong because Amazon CloudFront with origins in each region is a content delivery network (CDN) optimized for caching static content, not for routing dynamic, stateless web application traffic with low latency across regions; it adds unnecessary caching complexity and does not provide regional load balancing for dynamic requests. Option D is wrong because AWS Global Accelerator uses Anycast IPs to route traffic to the nearest regional endpoint, but it requires Network Load Balancers or Elastic IPs as endpoints, not Application Load Balancers, and while it improves latency, it does not natively support latency-based routing to multiple regions as precisely as Route 53 latency-based routing; additionally, Global Accelerator is better suited for TCP/UDP traffic and non-HTTP protocols, whereas the question specifies a stateless web application (HTTP/HTTPS) where ALB is more appropriate.

418
MCQeasy

A startup is launching a new multi-account AWS environment using AWS Organizations. They want to ensure that only the central security team has access to the root user of each member account. Additionally, they want to enable multi-factor authentication (MFA) for the root user of each account. The security team has access to the management account. What is the MOST secure and efficient way to meet these requirements?

A.Use AWS Organizations to create a new IAM user in each member account with full permissions, and disable the root user.
B.Capture the root user email addresses and passwords in a secure password manager and share them with the security team.
C.Use the management account to assume an IAM role in each member account that has permissions to reset the root user password and enable MFA. Then, rotate the root user password and enable MFA.
D.Use AWS Single Sign-On (SSO) to grant the security team access to the root user credentials for each account.
AnswerC

This allows central management without sharing credentials.

Why this answer

Option B is correct because AWS Organizations allows you to create an IAM role in each member account that can be assumed from the management account. The root user password can be reset and MFA can be enabled by assuming the role with appropriate permissions. Option A is incorrect because you cannot use AWS Organizations to manage root user credentials directly.

Option C is incorrect because AWS Single Sign-On (now IAM Identity Center) does not manage root users. Option D is inefficient and insecure as it requires sharing root credentials.

419
Multi-Selecthard

A company is performing a server migration to AWS using AWS Server Migration Service (SMS). The company needs to automate the replication of servers and track the migration status. Which THREE components are required for this solution? (Choose three.)

Select 3 answers
A.AWS SMS connector installed on the on-premises hypervisor
B.AWS Schema Conversion Tool
C.AWS Migration Hub
D.AWS Database Migration Service
E.AWS CloudFormation
AnswersA, C, E

Facilitates replication to AWS.

Why this answer

Options A, C, and D are correct. SMS connector is installed on-premises. AWS Migration Hub tracks status.

AWS CloudFormation can automate infrastructure. Option B (AWS DMS) is for databases. Option E (AWS SCT) is for schema conversion.

420
MCQeasy

A company needs to design a new solution for storing and retrieving user-uploaded images. The images are accessed frequently for the first 30 days and then rarely accessed after that. The company wants to minimize storage costs while maintaining low-latency access for frequently accessed images. Which storage strategy should be used?

A.Store images in Amazon EBS volumes attached to a web server.
B.Store images in Amazon S3 Standard and use lifecycle policies to transition to S3 Standard-IA after 30 days.
C.Store all images in Amazon S3 Glacier Flexible Retrieval.
D.Store all images in Amazon S3 Standard.
AnswerB

Lifecycle policies automate cost optimization while keeping low-latency access during frequent access period.

Why this answer

Amazon S3 Standard provides low-latency access for frequently accessed images, and S3 lifecycle policies allow automatic transition to S3 Standard-Infrequent Access (Standard-IA) after 30 days, reducing storage costs while maintaining rapid access for the initial period. This strategy directly meets the requirement of minimizing costs without sacrificing performance for the first 30 days.

Exam trap

The trap here is that candidates may choose Option D (all S3 Standard) because it guarantees low-latency access, overlooking the cost savings of transitioning to Standard-IA for data that becomes rarely accessed after 30 days.

How to eliminate wrong answers

Option A is wrong because Amazon EBS volumes are block-level storage attached to a single EC2 instance, not designed for storing and retrieving user-uploaded images at scale, and they incur costs even when not accessed, lacking lifecycle management for infrequent access. Option C is wrong because Amazon S3 Glacier Flexible Retrieval has retrieval times of minutes to hours, which does not provide low-latency access for frequently accessed images during the first 30 days. Option D is wrong because storing all images in Amazon S3 Standard incurs higher storage costs for data that becomes rarely accessed after 30 days, failing to minimize storage costs as required.

421
MCQeasy

A startup is building a serverless application using AWS Lambda for business logic and Amazon DynamoDB for data storage. The application must process a high volume of writes to a single DynamoDB table. The development team is concerned about throttling due to hot partitions. Which design should the team implement to avoid throttling?

A.Enable DynamoDB Accelerator (DAX) to cache write operations.
B.Use a composite primary key with a partition key that has high cardinality, such as a user ID.
C.Use a global secondary index (GSI) as the primary index for writes.
D.Add a local secondary index (LSI) to the table.
AnswerB

High cardinality partition keys distribute writes evenly across partitions.

Why this answer

Using a composite key with a partition key that has high cardinality, such as a user ID, distributes writes evenly across partitions. Option B (LSI) doesn't help with write distribution. Option C (DAX) is a cache, not a solution for hot partitions.

Option D (GSI) is for querying, not for write distribution.

422
MCQmedium

A company is migrating a monolithic application to microservices on Amazon ECS with Fargate. The application currently uses a central MySQL database. The architects plan to refactor the database into separate RDS instances per microservice. Which strategy will ensure data consistency across services with minimal application changes?

A.Enable the STRICT_TRANS_TABLES SQL mode on all RDS instances to enforce data integrity.
B.Implement a saga pattern using choreography, where each service publishes events and reacts to events from other services.
C.Configure RDS read replicas for each service to ensure eventually consistent reads.
D.Use distributed transactions with a two-phase commit protocol across RDS instances.
AnswerB

The saga pattern with choreography maintains data consistency across microservices without tight coupling, and can be implemented with minimal changes using event-driven communication.

Why this answer

Option A is correct because the Saga pattern with choreography coordinates transactions across services without a central coordinator. Option B is wrong because two-phase commit (XA) is not natively supported by RDS and adds complexity. Option C is wrong because eventually consistent reads do not guarantee consistency.

Option D is wrong because STRICT_TRANS_TABLES is a SQL mode, not a consistency solution.

423
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. The Auto Scaling group has a minimum of 2 and maximum of 10 instances. CloudWatch metrics show that CPU utilization rarely exceeds 30%. What is the MOST likely cause of the 503 errors?

A.The ALB connection draining is enabled with a very short timeout, causing in-flight connections to be dropped.
B.The EC2 instances are running out of memory.
C.The Auto Scaling group launch configuration uses an AMI that is not compatible with the instance type.
D.The ALB health check is misconfigured, causing healthy instances to be marked unhealthy.
AnswerA

Connection draining with a short timeout can cause 503 errors when the ALB stops sending traffic to an instance before in-flight requests complete.

Why this answer

The 503 errors are likely due to the ALB connection draining setting. If connection draining is enabled and the drain timeout is too short, in-flight requests may be terminated, causing 503 errors. Low CPU utilization suggests the instances are not overloaded.

424
Multi-Selectmedium

A company has a web application running on EC2 instances in an Auto Scaling group. The application experiences unpredictable traffic spikes. The company wants to ensure that the application can scale out quickly and scale in to reduce costs. Which TWO actions should the solutions architect recommend?

Select 2 answers
A.Configure a lifecycle hook to delay instance termination during scale-in.
B.Manually increase the desired capacity during peak times.
C.Create a target tracking scaling policy based on Average CPU Utilization.
D.Create a simple scaling policy with a step adjustment to add instances when CPU exceeds 80%.
E.Use a scheduled scaling policy to add instances during expected peak hours.
AnswersC, D

Target tracking dynamically adjusts capacity to maintain a target metric.

Why this answer

Options B and C are correct. A target tracking scaling policy based on a metric like CPU utilization automatically adjusts capacity. A simple scaling policy with a step adjustment allows rapid scaling out.

Option A is wrong because scheduled scaling is for predictable patterns. Option D is wrong because manual scaling is not automated. Option E is wrong because a lifecycle hook delays scale-in, increasing costs.

425
Multi-Selectmedium

A company is designing a multi-account architecture using AWS Organizations. The company wants to enforce that all Amazon S3 buckets across all accounts must have server-side encryption (SSE) enabled. Which TWO actions should be taken to enforce this requirement?

Select 2 answers
A.Create a service control policy (SCP) that denies s3:PutBucket* actions unless encryption is specified.
B.Set the default encryption on each bucket to disable encryption.
C.Enable AWS CloudTrail to log all S3 API calls and trigger a Lambda function to remediate.
D.Create an IAM policy with a global condition for SSE and attach it to all users and roles.
E.Use AWS Config rules to detect S3 buckets without encryption and automatically remediate.
AnswersA, E

SCPs can deny actions that do not meet conditions, such as requiring encryption.

Why this answer

Option A is correct because a service control policy (SCP) can be applied at the AWS Organizations root, OU, or account level to deny S3 bucket operations that do not include encryption. By using a condition key like `s3:x-amz-server-side-encryption` in the SCP, you can enforce that any `s3:PutBucket*` action must specify encryption, preventing the creation or modification of buckets without SSE. This provides a preventive, centralized control that cannot be overridden by account administrators.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules with auto-remediation) with preventive controls (like SCPs), but the question specifically asks to 'enforce' the requirement, which demands a preventive approach that blocks non-compliant actions before they occur.

426
MCQmedium

A financial services company is designing a new application that processes sensitive transactions. The application runs on Amazon ECS with Fargate. The compliance team requires that all data in transit between the application and the database must be encrypted. The database is an Amazon RDS for PostgreSQL instance. The application connects to the database using a connection string that includes the database endpoint. The security team has enabled encryption in transit on the RDS instance using a certificate. The application is currently failing to connect to the database with an error related to SSL/TLS. The development team verified that the connection string includes the sslmode=require parameter. What is the most likely cause of the connection failure?

A.The RDS instance is using a public certificate that is not trusted by the application.
B.The security group for the RDS instance does not allow inbound traffic on port 443.
C.The Fargate task does not have the necessary SSL libraries installed.
D.The RDS DB parameter group does not have the 'rds.force_ssl' parameter set to 1.
AnswerD

The rds.force_ssl parameter must be set to enforce SSL connections.

Why this answer

Option C is correct. By default, TLS is not enforced on RDS; you must set the rds.force_ssl parameter to 1. Option A is wrong because Fargate containers can use SSL.

Option B is wrong because security groups don't block SSL/TLS. Option D is wrong because the parameter group is correctly assigned.

427
MCQeasy

A company uses AWS Organizations with a management account and several member accounts. The security team needs to centrally manage IAM users and roles across all accounts. Which AWS service should the company use?

A.AWS Directory Service for Microsoft Active Directory.
B.AWS Identity and Access Management (IAM) in the management account.
C.AWS IAM Identity Center (AWS SSO).
D.Amazon Cognito user pools.
AnswerC

Provides centralized access management across accounts.

Why this answer

Option C is correct because AWS IAM Identity Center (successor to AWS SSO) allows centralized management of user access across multiple accounts. Option A is wrong because IAM is per account. Option B is wrong because Cognito is for customer-facing identities.

Option D is wrong because Directory Service is not for managing IAM identities.

428
MCQhard

A media company uses AWS CloudFront to distribute video content. They notice that some users in Europe experience high latency. CloudFront metrics show low cache hit ratios for European edge locations. The origin is an S3 bucket in us-east-1. What is the MOST effective optimization?

A.Increase the default TTL for objects in CloudFront.
B.Add additional cache behaviors for different file types.
C.Add a second origin in eu-west-1 and configure origin groups with failover.
D.Enable S3 Transfer Acceleration on the bucket.
AnswerC

A geographically close origin improves cache fill latency and overall performance.

Why this answer

Option C is correct because creating an additional CloudFront distribution with an origin in Europe or using a multi-region origin setup reduces latency for European users. Option A is wrong because S3 Transfer Acceleration improves uploads, not downloads. Option B is wrong because increasing TTL would reduce origin load but not latency for uncached objects.

Option D is wrong because adding more cache behaviors doesn't help with geographic latency.

429
MCQmedium

A company is migrating a legacy on-premises .NET application to AWS. The application uses a SQL Server database and requires full control over the operating system for compliance. Which migration strategy should the solutions architect recommend to minimize rework while meeting compliance requirements?

A.Rehost the application on EC2 instances and use RDS Custom for SQL Server.
B.Replace the database with Amazon DynamoDB and refactor the application.
C.Replatform the application to use RDS for SQL Server and deploy the application on EC2 instances.
D.Refactor the application to run on Amazon ECS using Docker containers.
AnswerA

Minimal changes, OS-level control via RDS Custom meets compliance.

Why this answer

Rehosting (lift-and-shift) with EC2 and RDS Custom for SQL Server allows the company to move the application and database with minimal changes while retaining OS-level control for compliance. Option A is wrong because RDS does not provide OS access. Option B is wrong because ECS requires containerization which adds rework.

Option D is wrong because DynamoDB is NoSQL and would require significant application changes.

430
MCQmedium

A company runs a production application on EC2 instances behind an Application Load Balancer. After a recent deployment, users report intermittent 503 errors. The CloudWatch metrics show that the ALB's 'TargetResponseTime' is within normal range, but 'RequestCount' has increased by 50%. There are no changes to the security groups. What is the MOST likely cause of the 503 errors?

A.The ALB's idle timeout is set too low.
B.The security group for the ALB does not allow inbound traffic on the listener port.
C.The ALB's target group health check settings are misconfigured.
D.The deployment removed the health check path from the application.
AnswerD

If the health check path is removed, health checks fail, causing targets to be marked unhealthy, and ALB returns 503.

Why this answer

Option A is correct because an increase in request count without a corresponding increase in target capacity can cause the ALB to return 503 errors when all targets are unhealthy or overloaded. Option B is incorrect because security groups were not changed. Option C is incorrect because if the health check path was removed, health checks would fail consistently, not intermittently.

Option D is incorrect because a missing security group rule would block traffic entirely, not cause intermittent errors.

431
MCQeasy

A company runs a web application on AWS Elastic Beanstalk. The application experiences periodic traffic spikes that cause the environment to scale out. However, the scaling is slow, leading to increased latency during spikes. The operations team wants to improve the responsiveness of the Auto Scaling group. The application is stateless and runs on a single instance type. What should a solutions architect recommend?

A.Configure the Auto Scaling group to use multiple instance types.
B.Use scheduled scaling to add capacity before expected spikes.
C.Decrease the Auto Scaling group's cooldown period.
D.Change the instance type to a larger size.
AnswerC

Shorter cooldown allows more frequent scaling decisions, improving responsiveness.

Why this answer

Option A is correct because increasing the cooldown period makes the Auto Scaling group more conservative, but that would slow scaling. Actually, decreasing the cooldown allows faster scaling. The question asks for improved responsiveness; Option A (decreasing cooldown) is the correct answer.

Option B is wrong because a larger instance type may not help if the issue is scaling speed. Option C is wrong because multiple instance types add complexity and might not speed up scaling. Option D is wrong because scheduled scaling is proactive but does not respond to unexpected spikes.

432
MCQhard

A company is migrating a legacy .NET application to AWS. The application uses Windows authentication and integrates with on-premises Active Directory. The company wants to use AWS Managed Microsoft AD to reduce administrative overhead. However, after migration, the application fails to authenticate users. What is the most likely cause?

A.The security group for the application servers does not allow inbound traffic on port 389.
B.AWS Managed Microsoft AD does not support LDAP queries.
C.The application is not configured to use the correct DNS servers for the AWS Managed Microsoft AD domain.
D.The application is using NTLM authentication, which is not supported by AWS Managed Microsoft AD without a trust relationship.
AnswerD

NTLM requires a trust, and without it, authentication fails.

Why this answer

Option D is correct because the application likely uses NTLM or Kerberos authentication, which requires proper trust relationships between the AWS Managed Microsoft AD and the on-premises AD. Option A is wrong because security groups do not affect authentication protocols. Option B is wrong because AWS Managed Microsoft AD supports LDAP.

Option C is wrong because DNS resolution is not the root cause.

433
Multi-Selectmedium

A company is designing a new solution to store and analyze large volumes of IoT sensor data. The data is time-series and must be retained for 90 days. The company needs to run complex SQL queries on the data and expects low latency for the most recent 7 days of data. Which TWO solutions meet these requirements? (Choose TWO.)

Select 2 answers
A.Use Amazon Kinesis Data Analytics to analyze data in real-time and store results in S3.
B.Use Amazon RDS for PostgreSQL with TimescaleDB extension.
C.Use Amazon Redshift with automated snapshot retention of 90 days.
D.Use Amazon Timestream for storing time-series data and run SQL queries.
E.Use Amazon DynamoDB with TTL to expire data after 90 days and use PartiQL for queries.
AnswersA, D

Kinesis Data Analytics can run SQL on streaming data and store results.

Why this answer

Amazon Timestream is a time-series database that supports SQL queries and automatically tiers data. Amazon Kinesis Data Analytics + S3 can also provide SQL querying on streaming data stored in S3. Option A and Option D are correct.

Option B is wrong because DynamoDB TTL is not for complex SQL. Option C is wrong because RDS is not optimized for time-series scale. Option E is wrong because Redshift is not low-latency for recent data without streaming.

434
Multi-Selecteasy

A company is designing a new static website hosted on Amazon S3. They want to use Amazon CloudFront as a content delivery network (CDN) to serve the website globally with low latency. The website content must be encrypted in transit. Which configurations should they use? (Choose TWO.)

Select 2 answers
A.Enable default encryption on the S3 bucket using AES-256.
B.Enable S3 Transfer Acceleration on the bucket.
C.Configure the S3 bucket policy to deny requests that do not use HTTPS.
D.Configure CloudFront to require HTTPS for viewer requests.
E.Use CloudFront signed URLs to restrict access.
AnswersC, D

This ensures CloudFront uses HTTPS to fetch objects from S3.

Why this answer

Options A and C are correct. Configuring CloudFront to require HTTPS (A) ensures encryption in transit between viewers and CloudFront. Configuring S3 bucket to only allow HTTPS (C) ensures encryption between CloudFront and S3.

Option B is wrong because S3 Transfer Acceleration is for speed, not encryption. Option D is wrong because S3 default encryption is for at-rest, not in transit. Option E is wrong because CloudFront signed URLs are for access control, not encryption.

435
MCQmedium

A company is migrating a large on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and has a 24/7 uptime requirement. The company plans to use AWS Database Migration Service (AWS DMS) for continuous replication with minimal downtime. The source database is Oracle 11g running on Linux. During the full load phase, AWS DMS reports high latency and the replication slows down significantly. The source database CPU utilization is at 100% during the migration. The company needs to minimize the impact on production workload. What should the company do to improve the migration performance and reduce impact on the source database?

A.Use AWS DMS change data capture (CDC) only, without full load, to reduce the load
B.Increase the size of the DMS replication instance to handle more load
C.Reduce the number of parallel load threads in the DMS task to decrease source CPU usage
D.Set up an Oracle read replica and use it as the source for AWS DMS
AnswerD

A read replica offloads the migration workload from the primary database, reducing CPU impact.

Why this answer

Option D is correct: Using a read replica as the source for DMS offloads the load from the primary database. Option A (increase DMS instance size) may not help if the source is bottlenecked. Option B (reduce parallel load threads) would slow down migration.

Option C (use change data capture only) still requires initial load.

436
MCQmedium

Refer to the exhibit. An S3 bucket policy is shown. A user from IP 10.0.0.5 makes a GET request over HTTPS. Will the request succeed?

A.Yes, because the request matches the Allow condition and the Deny condition does not apply.
B.No, because the Deny statement explicitly denies all actions.
C.Yes, because the IP address is within the allowed range.
D.No, because the Deny statement overrides the Allow statement.
AnswerA

HTTPS satisfies SecureTransport true, so Deny is not triggered.

Why this answer

Option A is correct. The first statement allows GET from the specified IP range. The second statement denies all actions if not using HTTPS.

Since the request uses HTTPS (SecureTransport true), the Deny condition does not apply, so the Allow takes effect.

437
MCQmedium

A company is migrating data to Amazon S3 and requires that all objects uploaded to the bucket 'my-bucket' are encrypted with SSE-S3. The above IAM policy is attached to an IAM user. An application using the user's credentials attempts to upload an object without specifying the x-amz-server-side-encryption header. What will happen?

A.The upload succeeds because the Allow statement grants permission.
B.The upload fails because the bucket policy overrides the IAM policy.
C.The upload fails because the Deny statement denies the request when encryption is not AES256.
D.The upload succeeds because the object is encrypted with the default SSE-S3.
AnswerC

The Deny statement explicitly denies PutObject if encryption is not AES256, and without the header, it is considered not AES256.

Why this answer

Option D is correct. The Allow statement grants permission only if encryption is AES256. The Deny statement denies if encryption is not AES256.

Since no encryption header is specified, the condition in the Deny statement evaluates to true (StringNotEquals), and the request is denied. Option A is wrong because the Deny statement explicitly denies. Option B is wrong because AES256 is required.

Option C is wrong because the bucket policy does not override the IAM policy; both are evaluated.

438
Multi-Selectmedium

A company uses AWS Organizations with consolidated billing. The company wants to share a centrally managed Amazon VPC subnet across multiple accounts using AWS Resource Access Manager (RAM). Which THREE resources can be shared via RAM? (Choose THREE.)

Select 3 answers
A.License configurations
B.Subnets
C.Transit gateways
D.VPC peering connections
E.Security groups
AnswersA, B, C

License Manager configurations can be shared via RAM.

Why this answer

Option A is correct because AWS License Manager configurations can be shared across accounts using AWS Resource Access Manager (RAM), enabling centralized management of software licenses. This allows organizations to enforce license usage limits and rules consistently across multiple accounts in an AWS Organization.

Exam trap

The trap here is that candidates often assume VPC peering connections can be shared via RAM because they are a networking construct, but RAM only supports sharing of resources that can be centrally managed and attached to multiple accounts, not point-to-point connections like VPC peering.

439
MCQhard

A company is migrating a large-scale batch processing workload from on-premises to AWS. The workload runs on a schedule and processes data files from an FTP server. The company wants to use AWS services that are serverless and event-driven to reduce operational overhead. The data files will be uploaded to an Amazon S3 bucket. Which solution meets these requirements?

A.Use Amazon S3 Event Notifications to invoke an AWS Batch job that processes the file
B.Use Amazon S3 Event Notifications to invoke an AWS Lambda function that processes the file
C.Use AWS Glue to crawl the S3 bucket and run an ETL job on a schedule
D.Use Amazon S3 Event Notifications to start an AWS Step Functions workflow that runs processing on Amazon EC2
AnswerB

Lambda is serverless, event-driven, and processes the file upon upload, reducing overhead.

Why this answer

Option D is correct: S3 events can trigger Lambda, which processes the file. Option A (AWS Batch) is not serverless in the sense of event-driven; it requires compute resources. Option B (Step Functions) is for orchestrating workflows, not direct processing.

Option C (Glue) is for ETL, not general batch processing.

440
Multi-Selecthard

A company is migrating a batch processing workload to AWS. The workload runs nightly and takes approximately 2 hours on a single on-premises server. The company wants to reduce the processing time to under 30 minutes. Which THREE steps should the solutions architect recommend?

Select 3 answers
A.Split the workload into smaller batches and run them in parallel on multiple EC2 instances.
B.Use a larger, compute-optimized EC2 instance type.
C.Use EBS io2 volumes with high IOPS for the instance.
D.Use EC2 Spot Instances to reduce cost.
E.Use AWS Batch with multiple compute environments to orchestrate parallel processing.
AnswersA, B, E

Parallel processing reduces overall time significantly.

Why this answer

Using a larger instance (compute optimized) can speed up processing. Parallel processing by splitting the workload across multiple EC2 instances reduces time. Using a distributed processing framework like AWS Batch with multiple compute environments enables parallel execution.

EBS io2 volumes improve I/O but may not reduce time by 75%. Spot Instances can reduce cost but not processing time directly.

441
Multi-Selecthard

A company is running a critical microservices application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer (ALB) to distribute traffic. Recently, the team noticed that the ALB's 5xx error rate has increased. The error is HTTP 503. The team suspects the target group is unhealthy. Which THREE steps should the team take to diagnose and resolve the issue?

Select 3 answers
A.Verify the ECS service's desired count and compare with the number of healthy tasks in the target group.
B.Replace the ALB with a Network Load Balancer (NLB) to bypass health checks.
C.Check the ECS service events and task status to ensure tasks are running and passing health checks.
D.Verify that sticky sessions (session affinity) are enabled on the target group.
E.Check the ALB access logs and health check settings for the target group.
AnswersA, C, E

A mismatch may indicate scaling issues.

Why this answer

Option A, Option C, and Option E are correct. Option A checks health check settings and logs. Option C checks if the service is running and tasks are healthy.

Option E checks if the service's desired count matches running tasks. Option B (Check target group stickiness) is not directly related to 503 errors. Option D (Switch to Network Load Balancer) is a major change and not diagnostic.

442
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. The stack fails to update due to a resource conflict. The operations team needs to identify the resource causing the failure and modify the template to allow the update. Which approach is MOST effective?

A.Create a Change Set for the stack to preview the changes and identify the conflict.
B.Review the stack's 'Events' tab in the AWS Management Console to find the error message.
C.Use AWS CloudFormation StackSets to deploy the update across multiple accounts.
D.Run a drift detection operation on the stack to identify manual changes.
AnswerA

Change Sets allow you to see the impact and errors before applying.

Why this answer

Option B is correct because Change Sets show the changes and potential errors before execution. Option A is wrong because it only shows the last event, not the planned changes. Option C is wrong because StackSets manage multiple accounts/regions, not single stack updates.

Option D is wrong because Drift detection shows differences from the template, not update conflicts.

443
MCQhard

Refer to the exhibit. A CloudFormation stack was successfully created. The stack's template includes an S3 bucket and a Lambda function. A developer runs the CLI command shown but receives an error that the stack does not exist. What is the MOST likely cause?

A.The AWS CLI is configured to use a different region than where the stack was deployed.
B.The stack was deleted after creation.
C.The stack name is case-sensitive and should be 'MyApp'.
D.The '--query' parameter is incorrectly formatted.
AnswerA

Stack names are unique per region; querying the wrong region returns 'stack does not exist'.

Why this answer

Option A is correct because the CLI command is querying the wrong region. The stack was created in us-east-1 but the CLI default region might be different. Option B is wrong because the stack was created successfully.

Option C is wrong because outputs are returned correctly. Option D is wrong because the stack name is exactly as used.

444
MCQmedium

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an Amazon S3 bucket that contains sensitive data. The security team requires that all traffic between the ECS tasks and S3 remain within the AWS network and not traverse the internet. What is the MOST secure way to meet this requirement?

A.Use an internet gateway and route traffic through a NAT gateway.
B.Enable S3 Transfer Acceleration on the bucket.
C.Create a VPC endpoint for S3 and attach it to the VPC.
D.Use a NAT gateway and update the route table to direct S3 traffic to the NAT.
AnswerC

VPC endpoint enables private connectivity to S3 without internet.

Why this answer

Option C is correct because using a VPC endpoint for S3 (Gateway or Interface) ensures traffic stays within the AWS network. Option A is wrong because internet traffic goes over the public internet. Option B is wrong because a NAT gateway is for outbound internet, not private access to S3.

Option D is wrong because S3 Transfer Acceleration uses the internet.

445
MCQhard

A company is designing a data processing pipeline for real-time analytics. The pipeline ingests data from IoT devices that send JSON messages via MQTT to AWS IoT Core. The messages must be processed in real-time to detect anomalies and the results must be stored in Amazon S3 for later analysis. The company currently uses a Lambda function to process each message, but as the number of devices grows, the Lambda function is being throttled due to concurrency limits. The company needs a solution that scales to handle thousands of devices per second without losing messages. The processed data must be available in S3 within 1 minute of ingestion. Which architecture should the company use?

A.Send the IoT messages to an Amazon SQS queue and have Lambda poll the queue in batches to reduce the number of concurrent invocations.
B.Store the raw messages in an S3 bucket and use S3 Select to query the data for anomalies periodically.
C.Ingest the messages into Amazon Kinesis Data Streams with multiple shards, and use a Lambda function to process records from the stream. Increase the Lambda concurrency limit.
D.Use AWS IoT Core rules to route messages to Amazon Kinesis Data Firehose, which writes raw data to S3. Then use Amazon Kinesis Data Analytics to read from S3 and perform real-time anomaly detection, writing results back to S3 via Firehose.
AnswerD

This architecture separates ingestion (Firehose) from processing (Kinesis Data Analytics), which can scale independently and meet the 1-minute latency.

Why this answer

Option C is correct because Kinesis Data Analytics provides real-time SQL processing, and Kinesis Data Firehose delivers the results to S3 with low latency. Option A is wrong because Lambda concurrency limits will still be hit; SQS does not solve concurrency limits. Option B is wrong because Kinesis Data Streams alone does not process data; Lambda would still be needed and could be throttled.

Option D is wrong because S3 cannot process streaming data in real-time; S3 Select is for querying objects.

446
MCQhard

A company uses AWS Lambda to process files uploaded to an S3 bucket. The Lambda function writes results to a DynamoDB table. Over time, the function's execution time has increased, and some operations fail with ProvisionedThroughputExceededException. The function is configured with 1024 MB memory and a 5-minute timeout. The DynamoDB table has 1000 RCUs and 500 WCUs. The Lambda function performs reads and writes on the same table. What is the MOST cost-effective way to resolve the throttling without sacrificing performance?

A.Enable DynamoDB Accelerator (DAX) for the table
B.Use SQS to decouple the S3 trigger from the Lambda function and implement a batching strategy to DynamoDB
C.Increase DynamoDB write capacity units to 1000 WCUs
D.Increase the Lambda function memory to 2048 MB
AnswerB

SQS buffers requests, allowing batch writes and reducing throttling.

Why this answer

Option C is correct because increasing WCUs alone would cost more and might not be efficient if the issue is read-heavy. Option D (DAX) reduces read latency but doesn't increase write capacity. Option A (increase memory) increases CPU but not write capacity.

Option B (SQS) decouples the writes, allowing retries and smoothing out spikes, which is cost-effective because SQS is cheap and prevents throttling by buffering requests.

447
MCQmedium

A company is designing a new microservices architecture on AWS. The company wants to use a service mesh to manage service-to-service communication, observability, and security. Which AWS service should the company use?

A.Amazon API Gateway
B.AWS App Mesh
C.AWS Transit Gateway
D.AWS Cloud Map
AnswerB

App Mesh is a service mesh that provides traffic management, observability, and security.

Why this answer

Option C is correct because AWS App Mesh is a service mesh that provides traffic management, observability, and security. Option A is wrong because Amazon API Gateway is for external APIs. Option B is wrong because AWS Cloud Map is for service discovery.

Option D is wrong because AWS Transit Gateway is for network connectivity.

448
Drag & Dropmedium

Drag and drop the steps to restore an Amazon RDS DB instance from a snapshot in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First navigate to snapshots, restore, configure settings, wait for completion, then update application endpoint.

449
MCQmedium

A company is designing a new serverless application that uses Amazon API Gateway and AWS Lambda. The application must authenticate users using a third-party identity provider (IdP) that supports OpenID Connect (OIDC). The company wants to offload authentication to the API Gateway. Which solution should the architect recommend?

A.Use an API Gateway COGNITO_USER_POOLS authorizer with Cognito configured as an OIDC client to the third-party IdP
B.Use an API Gateway COGNITO_USER_POOLS authorizer
C.Use an API Gateway Lambda authorizer
D.Use an API Gateway IAM authorizer
AnswerA

Cognito can federate with OIDC IdPs, and API Gateway validates the Cognito token.

Why this answer

Option D is correct because API Gateway can use a COGNITO_USER_POOLS authorizer with an OIDC identity provider for authentication. Option A is wrong because COGNITO_USER_POOLS supports OIDC, but Cognito must be configured as an OIDC client. Option B is wrong because Lambda authorizers are custom, not offloading authentication.

Option C is wrong because IAM authorization is for AWS credentials, not OIDC.

450
MCQmedium

A company deployed the above CloudFormation template. An EC2 instance launched in the PrivateSubnet needs to access the internet for software updates. Which action is required?

A.Create a VPC Peering connection to a public VPC
B.Add a NAT Gateway in the PublicSubnet and update the PrivateSubnet's route table to point to the NAT Gateway
C.Add an Internet Gateway to the VPC and route the private subnet's route table to it
D.Modify the PrivateSubnet to assign public IP addresses on launch
AnswerB

NAT Gateway enables outbound internet for private instances.

Why this answer

A NAT Gateway placed in a public subnet with an Internet Gateway attached allows instances in private subnets to initiate outbound traffic to the internet (e.g., for software updates) while preventing inbound connections from the internet. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. This is the standard AWS pattern for outbound-only internet access from private subnets.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with an Internet Gateway, thinking that routing a private subnet directly to an Internet Gateway is sufficient, but this would expose instances to inbound traffic and require public IPs, defeating the purpose of a private subnet.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not provide internet access; it only connects two VPCs privately, and neither VPC inherently has internet access without an Internet Gateway. Option C is wrong because routing a private subnet directly to an Internet Gateway would allow inbound internet traffic, violating the security model of a private subnet; Internet Gateways require public IP addresses and are used with public subnets. Option D is wrong because assigning public IP addresses to instances in a private subnet does not grant internet access; the subnet still lacks a route to an Internet Gateway, and public IPs alone cannot reach the internet without a gateway.

Page 5

Page 6 of 24

Page 7