AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 451525

1746 questions total · 24pages · All types, answers revealed

Page 6

Page 7 of 24

Page 8
451
MCQhard

A company is migrating a critical application to AWS. The migration plan includes a pilot light strategy. The company has set up a small replica of the environment in AWS. During a disaster, the company wants to quickly provision the full production environment. Which AWS service is best suited for this purpose?

A.AWS OpsWorks
B.AWS Elastic Beanstalk
C.AWS CloudFormation
D.AWS CodeDeploy
AnswerC

CloudFormation templates can quickly launch the full environment.

Why this answer

Option A is correct because CloudFormation can provision the full environment from templates. Option B is wrong because Elastic Beanstalk is for specific application types. Option C is wrong because OpsWorks is for Chef/Puppet.

Option D is wrong because CodeDeploy is for application deployment, not infrastructure.

452
Multi-Selecthard

A company is designing a new application that will process sensitive data. The application will run on Amazon ECS with Fargate. The security team requires that all data at rest be encrypted, and that encryption keys be managed by the company's own hardware security module (HSM) in an on-premises data center. Which TWO steps should the company take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Configure Amazon EBS encryption using AWS KMS with a customer managed key
B.Enable Amazon S3 default encryption with SSE-C
C.Use AWS CloudHSM to generate and store encryption keys
D.Create an AWS KMS custom key store backed by AWS CloudHSM
E.Store encryption keys in AWS Certificate Manager (ACM)
AnswersC, D

CloudHSM provides dedicated HSM appliances in AWS that can be part of a company's HSM infrastructure.

Why this answer

Option C is correct because AWS CloudHSM provides dedicated, single-tenant HSM instances that the company can use to generate and store encryption keys in its own HSM, meeting the requirement that keys be managed by the company's own HSM in an on-premises data center (though CloudHSM is in AWS, it is customer-controlled). Option D is correct because creating an AWS KMS custom key store backed by AWS CloudHSM allows the company to use KMS for encryption operations while the key material is stored in the CloudHSM cluster, satisfying the need for customer-managed HSM-backed keys.

Exam trap

The trap here is that candidates often assume 'customer managed key' in AWS KMS (Option A) satisfies the requirement for keys to be managed by the company's own HSM, but KMS customer managed keys are still stored in AWS KMS, not in a customer-controlled HSM, unless a custom key store backed by CloudHSM is used.

453
MCQhard

A retail company is migrating its on-premises e-commerce platform to AWS. The platform consists of a load-balanced web tier, an application tier, and a MySQL database. The company wants to modernize the database by migrating to Amazon Aurora MySQL. The migration must have minimal downtime and support rollback. The database is 2 TB in size and has high write activity. The company has set up an AWS Direct Connect connection. Which approach should the company take to migrate the database with minimal downtime?

A.Use AWS SCT to convert the schema, then use AWS DMS with a full load task to migrate the data.
B.Use AWS SCT to convert the schema, then use AWS DMS with a full load and ongoing replication (CDC) task to keep the target in sync until cutover.
C.Use mysqldump to export the database, transfer the dump via AWS Direct Connect, and import into Aurora MySQL.
D.Use the AWS Schema Conversion Tool (SCT) to convert the schema, then set up an Aurora Replica from the on-premises source using native MySQL replication.
AnswerB

Full load plus CDC provides continuous replication, minimizing downtime. Cutover is quick and rollback is possible by stopping replication.

Why this answer

Option B is correct because AWS DMS with a full load and ongoing change data capture (CDC) task enables continuous replication of high-write activity from the on-premises MySQL database to Amazon Aurora MySQL, minimizing downtime by keeping the target synchronized until cutover. The CDC component captures incremental changes after the full load, allowing a near-zero downtime migration with the ability to roll back by stopping replication and reverting to the source.

Exam trap

The trap here is that candidates may assume native MySQL replication (Option D) is the simplest approach, but AWS DMS is the recommended managed service for heterogeneous or homogeneous migrations with minimal downtime, as it handles schema conversion, ongoing replication, and rollback seamlessly.

How to eliminate wrong answers

Option A is wrong because a full load task only migrates the data at a point in time, failing to capture ongoing writes during the migration, which would cause significant downtime and data loss. Option C is wrong because mysqldump is a logical export tool that requires taking the source database offline or locking tables to ensure consistency, resulting in downtime, and it does not support ongoing replication for high-write environments. Option D is wrong because Aurora Replicas are read replicas within Amazon Aurora, not a feature for replicating from an on-premises MySQL source; native MySQL replication to Aurora is possible but requires manual setup and does not provide the managed CDC and rollback capabilities of AWS DMS.

454
MCQhard

An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance in us-east-1 using the AWS CLI. What will happen?

A.The user cannot describe instances or terminate instances.
B.The user can terminate instances and describe instances.
C.The user can describe instances but cannot terminate instances in any region.
D.The user can describe instances but cannot terminate any instances.
AnswerC

The Deny resource uses a wildcard for instance ID, effectively denying termination of any instance in the account in us-east-1.

Why this answer

The IAM policy attached to the group allows the user to describe instances (ec2:DescribeInstances) but explicitly denies the ability to terminate instances (ec2:TerminateInstances) in any region. Since the policy is attached to the group, the user inherits these permissions, so they can list instances but any attempt to terminate them will be denied by AWS IAM, regardless of the region specified.

Exam trap

The trap here is that candidates may assume that a Deny on a specific action (terminate) also blocks related read actions (describe), but IAM evaluates each action independently, so describe is still allowed.

How to eliminate wrong answers

Option A is wrong because the user can describe instances, as the policy grants ec2:DescribeInstances permission; the user is not blocked from describing instances. Option B is wrong because the user cannot terminate instances; the policy explicitly denies ec2:TerminateInstances, so termination will fail. Option D is wrong because it states the user cannot terminate 'any instances' but does not specify the region limitation; the correct answer clarifies that the denial applies to all regions, which is already implied by the policy's effect, but Option D is incomplete and less precise than Option C.

455
MCQhard

A company has an IAM policy attached to a user. When the user tries to stop an EC2 instance using the AWS CLI, they receive an 'AccessDenied' error. The instance is tagged with 'Environment=Production'. What is the most likely cause?

A.The user is using an incorrect CLI command syntax.
B.The policy does not allow the ec2:StopInstances action for instances with the 'Environment=Production' tag.
C.The policy does not specify the instance ID in the Resource field.
D.A service control policy (SCP) or a resource-based policy is denying the action.
AnswerD

An SCP at the account level can deny actions even if IAM allows them.

Why this answer

Option D is correct because the error occurs even though the user has the StopInstances permission; likely the instance is protected by a resource-based policy or a service control policy (SCP) at the account level. Option A is wrong because the policy uses Resource '*' which includes all instances. Option B is wrong because there is no condition requiring tags.

Option C is wrong because the CLI syntax is correct.

456
MCQeasy

A company is designing a new web application on AWS. The application must be highly available and scale automatically based on traffic. The architecture includes an Application Load Balancer (ALB) and an Auto Scaling group of EC2 instances. The application stores session state. What is the BEST way to handle session state to ensure high availability?

A.Store session state in Amazon DynamoDB
B.Store session state on the local instance store of each EC2 instance
C.Store session state in Amazon S3
D.Store session state in Amazon ElastiCache for Redis
AnswerD

ElastiCache provides a centralized, highly available session store.

Why this answer

Option A is correct because ElastiCache for Redis provides a highly available, in-memory data store for session state that can be accessed by any instance. Option B is incorrect because storing session state on the instance itself is not fault-tolerant. Option C is incorrect because DynamoDB is a database, not optimized for session state.

Option D is incorrect because S3 is object storage, not suitable for session state.

457
MCQhard

A company is migrating a web application to AWS. The application runs on EC2 instances behind an Application Load Balancer. The exhibit shows the current running instances. The company wants to ensure high availability across multiple Availability Zones. Which action should the company take?

A.Launch additional m5.large instances in us-east-1a.
B.Change the m5.xlarge instance in us-east-1c to an m5.large in us-east-1c or move it to another AZ.
C.Terminate the m5.xlarge instance in us-east-1c and launch an m5.large in the same AZ.
D.Place all instances in a single AZ and use an Auto Scaling group.
AnswerB

Balancing instance types and ensuring even distribution across AZs improves HA.

Why this answer

Option C is correct because the current distribution shows uneven instance types and counts. To ensure HA, move the m5.xlarge instance to a different AZ or replace it with m5.large. Option A is wrong because adding more instances in us-east-1a does not improve AZ diversity.

Option B is wrong because terminating the m5.xlarge reduces capacity. Option D is wrong because placing all in one AZ defeats HA.

458
MCQmedium

A company is migrating a legacy .NET application to AWS. The application uses Windows authentication and stores session state in-memory. The company wants to minimize code changes and use AWS managed services. Which combination of AWS services should the company use to modernize the application's authentication and session management?

A.AWS Directory Service for Microsoft Active Directory (AD Connector) and Amazon RDS
B.Amazon Cognito and Amazon DynamoDB
C.AWS IAM and Amazon DynamoDB
D.AWS Managed Microsoft AD and Amazon ElastiCache for Redis
AnswerD

Managed Microsoft AD provides native Windows authentication; ElastiCache for Redis supports session management with minimal code changes.

Why this answer

Option C is correct because AWS Managed Microsoft AD allows Windows authentication with minimal changes, and ElastiCache for Redis provides a distributed session store. Option A is wrong because Cognito is for external identities. Option B is wrong because AD Connector proxies to on-premises AD.

Option D is wrong because DynamoDB is not ideal for session state.

459
MCQmedium

A company applies the above IAM policy to an IAM user. The user attempts to upload an object to my-bucket using the AWS CLI with the command: aws s3 cp file.txt s3://my-bucket/. What is the outcome?

A.The upload fails with an access denied error because the Deny statement is evaluated first.
B.The upload fails with an access denied error because the Deny statement with StringNotEquals blocks the request.
C.The upload succeeds because the Allow statement matches.
D.The upload succeeds because the Deny statement does not apply when no encryption header is present.
AnswerB

Deny applies when condition is not met.

Why this answer

Option C is correct because the Deny statement with StringNotEquals will block any PutObject that does not specify SSE-S3 (AES256). Since the CLI command does not specify encryption, the Deny applies. Option A is wrong because the Allow statement requires encryption.

Option B is wrong because the object is not encrypted. Option D is wrong because it would be denied.

460
MCQeasy

A company uses Amazon S3 to store sensitive customer data. The security team requires that all data be encrypted at rest using server-side encryption with a customer-managed key (SSE-KMS). What is the MOST secure way to enforce this requirement across all S3 buckets?

A.Use AWS Config rules to detect unencrypted objects and remediate with Lambda.
B.Enable default encryption on each bucket with SSE-KMS.
C.Create an IAM policy that requires kms:Encrypt permission for all S3 operations.
D.Use an S3 bucket policy that denies PutObject if the x-amz-server-side-encryption-aws-kms-key-id header is not present.
AnswerD

Enforces encryption at upload.

Why this answer

Option A is correct because S3 bucket policies can deny PutObject requests that do not specify the required encryption, ensuring SSE-KMS is used. Option B is wrong because S3 default encryption only applies if no encryption header is set, but can be overridden. Option C is wrong because IAM policies can restrict API calls but not enforce encryption on objects.

Option D is wrong because AWS Config can detect non-compliant objects but not prevent them.

461
MCQhard

A company is designing a data lake on AWS using Amazon S3. The data lake will store sensitive customer data that must be encrypted at rest. The company requires that the encryption keys be managed by the company's own hardware security module (HSM) and rotated every 90 days. Which solution meets these requirements?

A.Use SSE-S3 (Amazon S3 managed keys) and configure a lifecycle policy to re-encrypt objects every 90 days
B.Use SSE-KMS with a customer managed key and configure automatic key rotation every 90 days
C.Use client-side encryption with keys stored in AWS CloudHSM and rotate the keys using CloudHSM key rotation
D.Use SSE-C (customer-provided keys) and provide the key with each PUT request, rotating the key every 90 days
AnswerC

CloudHSM provides dedicated HSMs under your control. You can store keys in CloudHSM and rotate them as needed.

Why this answer

AWS CloudHSM provides dedicated HSMs that you manage, allowing you to create and manage your own encryption keys with automatic rotation. Option A (SSE-S3) uses S3-managed keys. Option B (SSE-KMS with customer managed key) uses AWS KMS, not your own HSM.

Option D (SSE-C) requires you to provide the key with each request, which is not suitable for automatic rotation.

462
MCQmedium

A company is migrating a large .NET application from Windows Server on-premises to AWS. The application uses a SQL Server database. The company wants to reduce licensing costs by using open-source alternatives where possible. However, the application code heavily uses SQL Server-specific features like CLR integration, linked servers, and T-SQL stored procedures. What is the most cost-effective migration strategy?

A.Rehost both application and database on Amazon EC2 with SQL Server licenses brought to AWS
B.Refactor the application to use a microservices architecture with separate databases
C.Rehost the application on Amazon EC2 Windows Server and use Amazon RDS for SQL Server with a license-included option
D.Replatform the database to Amazon Aurora PostgreSQL and rewrite the database code to be compatible
AnswerC

Correct. This reduces operational costs and retains SQL Server features.

Why this answer

Replatforming the database to Amazon RDS for SQL Server retains the SQL Server-specific features while reducing operational overhead. Moving to Aurora PostgreSQL or MySQL would require significant code changes. Rehosting on EC2 SQL Server does not reduce licensing costs.

463
MCQhard

A company uses AWS Organizations with a hierarchical OU structure. The security OU has an SCP that denies all actions except those explicitly allowed. The development OU has an SCP that allows all actions. A developer account in the development OU tries to launch an EC2 instance but receives an access denied error. The IAM user in the developer account has full administrator permissions. What is the most likely cause?

A.An SCP at the root level denies EC2 actions.
B.The SCP at the development OU level denies EC2 actions.
C.The IAM user does not have MFA enabled, and an SCP requires MFA.
D.An SCP at the root level requires encryption on EC2 instances, which is not satisfied.
AnswerA

A restrictive SCP at the root would override the permissive development OU SCP.

Why this answer

Option C is correct because SCPs at the root or parent OU can affect child OUs. If the root has a restrictive SCP, it will apply to all accounts, including those in the development OU. Option A is wrong because SCPs do not enforce encryption requirements.

Option B is wrong because SCPs only deny if explicitly stated; if the development OU SCP allows all, and the root SCP is the issue, the root SCP is the cause. Option D is wrong because SCPs do not require MFA unless the SCP itself denies actions without MFA.

464
MCQmedium

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application experiences intermittent high latency due to CPU spikes on some instances. The company wants to automatically replace unhealthy instances and optimize costs. What should a solutions architect do?

A.Configure a target tracking scaling policy based on average CPU utilization.
B.Use a lifecycle hook to perform a health check and terminate unhealthy instances.
C.Use an AWS Lambda function to terminate instances with high CPU.
D.Implement a scheduled scaling policy to increase instances during peak hours.
AnswerA

A target tracking policy scales the group to maintain CPU utilization at a target value and works with ALB health checks to replace unhealthy instances.

Why this answer

Option B is correct because a dynamic scaling policy adjusts the number of instances based on CPU utilization. Option A is wrong because it does not replace unhealthy instances. Option C is wrong because it replaces all instances at fixed times.

Option D is wrong because it only replaces instances on a schedule.

465
Multi-Selectmedium

A company is designing a multi-account strategy using AWS Organizations. The security team requires that all API calls to create or modify IAM roles are logged and alerted. Which TWO steps should be taken to meet this requirement?

Select 2 answers
A.Use AWS Config to record IAM role changes and stream to CloudWatch Logs.
B.Create a CloudWatch Logs metric filter and alarm to detect IAM role creation/modification events.
C.Create an SCP that denies IAM role creation and modification.
D.Enable CloudTrail management events with CloudWatch Logs integration in all accounts.
E.Enable IAM Access Analyzer to monitor IAM role usage.
AnswersB, D

Metric filters can parse logs and trigger alarms.

Why this answer

Option A is correct because CloudTrail logs management events, including IAM API calls, to CloudWatch Logs. Option D is correct because a CloudWatch Logs metric filter and alarm can detect specific API events and trigger notifications. Option B is wrong because SCPs cannot log events.

Option C is wrong because AWS Config does not log API calls. Option E is wrong because IAM Access Analyzer is for analyzing policies, not logging.

466
MCQmedium

A company has a AWS Organizations setup with 100 accounts. The security team requires that all IAM users across all accounts must have multi-factor authentication (MFA) enabled. Currently, there is no central enforcement. The company wants to implement a solution that automatically detects IAM users without MFA and disables their access keys. The solution must be centrally managed from the management account. Which solution meets these requirements?

A.Create an SCP that denies all API calls if the user does not have an MFA device.
B.Deploy an AWS Config rule across all accounts using AWS Organizations that checks for IAM users without MFA, and use AWS Config custom remediation to disable the user's access keys.
C.Use IAM Access Analyzer to generate findings for users without MFA and automatically disable access keys.
D.Use AWS IAM Identity Center to enforce MFA and automatically disable access keys for existing IAM users.
AnswerB

Config can detect and remediate across accounts.

Why this answer

Option C is correct because AWS Config rules can be deployed across all accounts via AWS Organizations, and the custom remediation action can disable access keys. Option A is wrong because IAM Access Analyzer does not manage MFA. Option B is wrong because SCPs cannot enforce MFA on existing users; they can deny access if MFA is not present, but they cannot disable keys.

Option D is wrong because AWS IAM Identity Center is for workforce identity, not for managing existing IAM users.

467
MCQhard

Refer to the exhibit. A CloudFormation template is used to create an IAM role for EC2. The stack creation fails with the error: "Resource creation cancelled". The IAM role is not created. What is the MOST likely reason?

A.The trust policy does not include the correct service principal for EC2
B.The IAM role name already exists in the account
C.The template does not have the required IAM capabilities
D.The role does not have an instance profile
AnswerB

IAM role names must be unique within an account.

Why this answer

The error 'Resource creation cancelled' typically occurs when CloudFormation attempts to create a resource that already exists in the account and the resource is not configured for updates or replacement. Since the IAM role name is globally unique within an AWS account, if a role with the same name already exists, CloudFormation will fail to create it and cancel the operation, leaving the role uncreated.

Exam trap

The trap here is that candidates often confuse 'Resource creation cancelled' with permission or policy errors, but it specifically indicates a conflict or failure during resource creation, such as a duplicate name, rather than a missing capability or incorrect trust policy.

How to eliminate wrong answers

Option A is wrong because an incorrect trust policy would cause a different error, such as 'Invalid principal in policy' or a validation failure, not 'Resource creation cancelled'. Option C is wrong because missing IAM capabilities (like CAPABILITY_IAM) would result in an explicit error message stating that the template requires IAM capabilities, not a 'Resource creation cancelled' error. Option D is wrong because an instance profile is not required for creating an IAM role; it is only needed when associating the role with an EC2 instance, and its absence would not cause the role creation to fail.

468
MCQeasy

A company runs a static website on Amazon S3 behind Amazon CloudFront. The website uses a custom domain and SSL certificate from AWS Certificate Manager (ACM). Users report that they sometimes see an older version of the website after updates. What should the company do to ensure users always see the latest content?

A.Disable and re-enable the CloudFront distribution after each update.
B.Enable S3 bucket versioning and use version IDs in URLs.
C.Reduce the CloudFront TTL to 0 seconds for all objects.
D.Create a CloudFront invalidation for the updated files.
AnswerD

Invalidation removes cached objects, forcing refresh.

Why this answer

Option B is correct because creating a CloudFront invalidation removes cached objects, forcing CloudFront to fetch the latest content from the origin. Option A is wrong because S3 bucket versioning controls object versions but does not invalidate CloudFront cache. Option C is wrong because decreasing TTL affects future caching but does not clear existing cache.

Option D is wrong because disabling the distribution is disruptive and unnecessary.

469
MCQmedium

A company is migrating a monolithic .NET application to AWS. The application uses a SQL Server database with complex stored procedures and tightly coupled components. The migration team wants to minimize refactoring and reduce licensing costs. Which migration strategy should the team use?

A.Refactor the application to .NET Core and use Amazon RDS for MySQL to eliminate Windows licensing.
B.Rehost the application on Amazon EC2 and the database on EC2 with SQL Server using Bring Your Own License (BYOL).
C.Rearchitect the application to microservices and use Amazon DynamoDB for the database.
D.Replatform the database to Amazon Aurora with PostgreSQL compatibility to reduce licensing costs.
AnswerB

This minimizes changes and leverages existing licenses.

Why this answer

Option B is correct because rehosting (lift-and-shift) the monolithic .NET application on Amazon EC2 and the SQL Server database on EC2 with BYOL minimizes refactoring effort and reduces licensing costs by leveraging existing SQL Server licenses. This strategy avoids the complexity of rewriting stored procedures or decoupling tightly coupled components, which is critical for a migration focused on speed and cost reduction.

Exam trap

The trap here is that candidates often choose replatforming (Option D) thinking it reduces licensing costs, but they overlook the need to refactor SQL Server-specific stored procedures for PostgreSQL compatibility, which violates the 'minimize refactoring' requirement.

How to eliminate wrong answers

Option A is wrong because refactoring to .NET Core and switching to Amazon RDS for MySQL would require significant code changes, including rewriting complex stored procedures incompatible with MySQL, and does not minimize refactoring as stated in the question. Option C is wrong because rearchitecting to microservices and using DynamoDB would require extensive refactoring of the monolithic application and stored procedures, contradicting the goal to minimize refactoring. Option D is wrong because replatforming the database to Amazon Aurora with PostgreSQL compatibility would still require modifying the SQL Server stored procedures and potentially the application code, increasing refactoring effort and not reducing licensing costs as effectively as BYOL.

470
Multi-Selecteasy

A company uses AWS Organizations to manage multiple accounts. The central team wants to deploy a CloudFormation template that creates an S3 bucket with default encryption in every member account. Which THREE steps are required to accomplish this?

Select 3 answers
A.Create an IAM role in each member account that allows CloudFormation to create resources.
B.Create an SCP that allows CloudFormation to create S3 buckets.
C.Write a CloudFormation template that includes an S3 bucket resource with default encryption enabled.
D.Create a CloudFormation StackSet in the management account.
E.Configure the StackSet with the target accounts and regions, and specify an IAM role for execution.
AnswersC, D, E

The template defines the resources to be created.

Why this answer

Options B, C, and D are correct. Option B: A StackSet is needed to deploy the template across accounts. Option C: The template must be created with the S3 bucket resource.

Option D: The StackSet needs IAM roles to create resources in target accounts. Option A is wrong because StackSets do not require a service role in each account manually; they use a delegated administrator. Option E is wrong because SCPs are not required for this deployment.

471
Multi-Selectmedium

A company wants to use AWS IAM Identity Center (successor to AWS SSO) to provide single sign-on access to multiple AWS accounts. They have an existing Microsoft Active Directory and want to synchronize users and groups. Which TWO actions should be taken to set this up?

Select 2 answers
A.Create an IAM Identity Center identity store and manually import users from Active Directory.
B.Set up AWS Managed Microsoft AD in the management account and configure IAM Identity Center to use it as the identity source.
C.Install the AWS Directory Service AD Connector and point it to the on-premises Active Directory.
D.Create permission sets in IAM Identity Center for each job function and assign them to groups.
E.Configure AWS CloudTrail to log all sign-in events.
AnswersB, D

Managed AD integrates with IAM Identity Center.

Why this answer

Option B is correct because AWS IAM Identity Center can use AWS Managed Microsoft AD as its identity source, enabling seamless synchronization of users and groups from an existing on-premises Active Directory via a two-way forest trust. This eliminates the need for manual import and provides a managed, highly available directory service that integrates directly with IAM Identity Center for single sign-on across multiple AWS accounts.

Exam trap

The trap here is that candidates often confuse AD Connector (which only proxies authentication) with AWS Managed Microsoft AD (which provides a full directory that can be synchronized with IAM Identity Center), leading them to incorrectly select option C as a valid identity source for IAM Identity Center.

472
MCQmedium

A company is migrating a containerized application to Amazon ECS. The application requires persistent storage that can be shared across multiple containers running on different EC2 instances. Which storage solution should they use?

A.Amazon FSx for Lustre
B.Amazon EBS
C.Amazon EFS
D.Amazon S3
AnswerC

EFS provides a shared file system for multiple instances.

Why this answer

Amazon EFS provides a shared file system accessible from multiple instances. Option A is wrong because EBS volumes are single-instance. Option B is wrong because S3 is not a file system.

Option D is wrong because FSx for Lustre is for high-performance computing.

473
MCQmedium

A company has a multi-account AWS environment. The central IT team manages IAM roles in each account using AWS CloudFormation StackSets. The team needs to ensure that a specific IAM role exists in all member accounts. Which solution is the MOST efficient?

A.Use AWS CloudFormation StackSets to deploy the IAM role template across all accounts.
B.Use AWS Config rules to enforce the IAM role creation in each account.
C.Manually create the IAM role in each account using the AWS Management Console.
D.Use AWS Organizations to create the IAM role via a service control policy (SCP).
AnswerA

StackSets automate deployment across multiple accounts.

Why this answer

AWS CloudFormation StackSets allow you to deploy a single IAM role template across multiple accounts and Regions in a single operation, ensuring consistent role creation without manual effort. This is the most efficient solution because it automates the deployment, handles drift detection, and integrates with AWS Organizations for automatic account addition.

Exam trap

The trap here is confusing AWS Config rules (detective control) with proactive resource creation, or assuming SCPs can create IAM roles when they only enforce permission boundaries.

How to eliminate wrong answers

Option B is wrong because AWS Config rules can only detect non-compliance (e.g., missing IAM role) and trigger remediation actions, but they do not directly create the IAM role; they require a separate automation (e.g., Lambda) to create it, making it less efficient than StackSets. Option C is wrong because manually creating the IAM role in each account using the AWS Management Console is inefficient, error-prone, and does not scale for multi-account environments. Option D is wrong because AWS Organizations service control policies (SCPs) are used to restrict permissions, not to create IAM roles; SCPs cannot create resources like IAM roles.

474
Multi-Selectmedium

A company is designing a new application that will run on Amazon EC2 instances behind an Application Load Balancer. The company wants to ensure that traffic to the application is encrypted in transit. Which TWO actions should the company take?

Select 2 answers
A.Configure the Application Load Balancer with an HTTP listener that redirects to HTTPS.
B.Use a Network Load Balancer with TCP listener.
C.Place an Amazon CloudFront distribution in front of the ALB.
D.Install an SSL/TLS certificate on the Application Load Balancer.
E.Configure the Application Load Balancer with an HTTPS listener.
AnswersD, E

SSL/TLS certificate is required for HTTPS termination.

Why this answer

Options A and D are correct. The ALB handles SSL termination, and HTTPS listener ensures encryption. Option B is wrong because HTTP allows unencrypted traffic.

Option C is wrong because CloudFront does not ensure encryption between ALB and EC2. Option E is wrong because an NLB does not support SSL termination natively.

475
Multi-Selectmedium

A company has a consolidated billing setup with AWS Organizations. The finance team needs to track costs at the department level. Each department has its own AWS account. Which THREE steps should be taken to achieve detailed cost allocation? (Choose THREE.)

Select 3 answers
A.Enable detailed billing reports in the management account.
B.Enable the RI discount sharing feature in the management account.
C.Activate cost allocation tags in the Billing and Cost Management console.
D.Enable AWS Cost and Usage Reports (CUR) for each member account.
E.Define and enforce a tagging strategy using AWS Organizations tag policies.
AnswersB, C, E

RI sharing allows cost benefits to be shared across accounts.

Why this answer

Option B is correct because enabling RI discount sharing in the management account allows all accounts in the AWS Organization to benefit from Reserved Instance discounts, which is essential for accurate cost allocation across departments. Without this, RI discounts would only apply to the purchasing account, skewing department-level cost tracking.

Exam trap

The trap here is that candidates often think detailed billing reports or per-account CUR are needed for granular cost tracking, but AWS Organizations requires CUR and tag policies to be configured at the management account level for consolidated, department-level cost allocation.

476
Multi-Selecthard

A company has a multi-account AWS environment with a central security account for AWS GuardDuty, AWS Security Hub, and AWS IAM Access Analyzer. The security team wants to aggregate findings from all member accounts into the security account. Which THREE steps should be taken?

Select 3 answers
A.Use AWS Config aggregator in the security account to collect configuration items from all accounts.
B.Enable AWS Security Hub in the security account and designate it as the administrator account for the organization.
C.Enable Amazon GuardDuty in the security account and add member accounts via the GuardDuty API.
D.Enable AWS IAM Access Analyzer in the security account with the organization as the zone of trust.
E.Configure GuardDuty in the security account to monitor all regions by using a single detector.
AnswersB, C, D

Security Hub administrator account aggregates findings.

Why this answer

Options A, C, and D are correct. A: Enable GuardDuty in the security account and designate it as the administrator for all member accounts. C: Enable Security Hub in the security account and use the integration to aggregate findings.

D: Enable IAM Access Analyzer in the security account with the organization as the zone of trust. Option B is wrong because GuardDuty is region-specific and cannot be centralized in one region. Option E is wrong because Config aggregator aggregates configuration items, not security findings.

477
MCQeasy

A company has a decentralized IT structure where each business unit manages its own AWS account. The central security team needs visibility into all IAM user activities across accounts. What is the MOST scalable solution to aggregate CloudTrail logs?

A.Enable CloudTrail Insights in each account and review separately.
B.Use AWS Config aggregator to collect IAM user activity.
C.Set up Amazon Kinesis Data Streams in each account and stream to a central Kinesis Data Firehose.
D.Configure CloudTrail in each account to deliver logs to a single S3 bucket in the security account.
AnswerD

This centralizes logs without additional tooling.

Why this answer

Option D is correct because CloudTrail can be configured in each account to deliver log files to a centralized S3 bucket in the security account. This approach aggregates all IAM user activities into a single location without requiring additional streaming infrastructure, and it scales automatically as new accounts are added. The central security team can then use Amazon Athena or AWS Lake Formation to query the logs across all accounts efficiently.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing Kinesis (Option C) because they assume streaming is required for scalability, but CloudTrail's native S3 delivery is the most scalable and cost-effective aggregation method for IAM user activity logs.

How to eliminate wrong answers

Option A is wrong because reviewing CloudTrail Insights separately in each account does not aggregate logs; it requires manual per-account access and lacks a centralized view, making it unscalable for decentralized IT structures. Option B is wrong because AWS Config aggregator is designed to collect resource configuration changes and compliance history, not IAM user activity logs; CloudTrail is the service that records API activity, not AWS Config. Option C is wrong because setting up Kinesis Data Streams in each account and streaming to a central Kinesis Data Firehose introduces unnecessary complexity, cost, and operational overhead compared to the simpler S3 bucket delivery method; CloudTrail can directly deliver to S3 without needing Kinesis.

478
Multi-Selecthard

A company runs a critical database on Amazon RDS for PostgreSQL. The database is experiencing performance degradation due to high CPU utilization. The operations team wants to analyze the root cause. Which THREE steps should the team take to diagnose the issue?

Select 3 answers
A.Enable Enhanced Monitoring to view OS-level metrics such as CPU and memory usage.
B.Increase the instance size to provisioned IOPS to handle the load.
C.Enable Amazon RDS Performance Insights to identify the queries consuming the most CPU.
D.Review Amazon RDS events to check for any recent maintenance or failover activities.
E.Enable Multi-AZ deployment for automatic failover.
AnswersA, C, D

Enhanced Monitoring provides detailed OS metrics.

Why this answer

Options A, B, and D are correct. Enabling Performance Insights helps identify queries causing load. Enabling enhanced monitoring provides OS-level metrics.

Using RDS events can indicate maintenance or issues. C is wrong because increasing instance size is a remedy, not a diagnostic step. E is wrong because Multi-AZ is for high availability, not performance diagnosis.

479
Multi-Selecthard

Which THREE of the following are common challenges when migrating a monolithic application to a microservices architecture on AWS? (Choose three.)

Select 3 answers
A.Managing distributed transactions across multiple services
B.Single database bottleneck when all services share the same database
C.Increased network latency due to inter-service communication
D.Ensuring data consistency between services that own their own databases
E.Difficulty in scaling individual services independently
AnswersA, C, D

Distributed transactions require patterns like saga.

Why this answer

Distributed transactions, data consistency, and network latency are well-known challenges. Autoscaling is a benefit. Single database bottleneck can be solved with polyglot persistence.

480
MCQeasy

A company is designing a new application that will run on Amazon EC2 instances behind an Application Load Balancer. The application needs to store session state. Which AWS service provides a fully managed, highly scalable solution for session state management?

A.Amazon DynamoDB
B.Amazon ElastiCache for Redis
C.Amazon S3
D.Amazon RDS for MySQL
AnswerB

ElastiCache for Redis is a fully managed, highly scalable, in-memory data store ideal for session state.

Why this answer

Amazon ElastiCache for Redis is the correct choice because it provides a fully managed, in-memory data store that is ideal for session state management. Redis offers sub-millisecond latency, built-in replication, and automatic failover, making it highly scalable and durable for session data. The Application Load Balancer can be configured with stickiness (session affinity) to route requests to the same EC2 instance, but using ElastiCache for Redis decouples session state from the compute layer, enabling stateless application tiers and seamless scaling.

Exam trap

The trap here is that candidates often choose Amazon DynamoDB because it is fully managed and scalable, but they overlook the fact that session state requires extremely low latency and automatic TTL expiration, which are native strengths of Redis but require additional configuration (e.g., DynamoDB TTL) and still cannot match Redis's in-memory performance.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database that, while fully managed and scalable, is not optimized for session state management due to higher latency compared to in-memory caches and lack of native TTL (time-to-live) expiration for session data without additional configuration. Option C is wrong because Amazon S3 is an object storage service designed for large-scale data blobs, not for low-latency, high-throughput session state access; it lacks in-memory performance and introduces significant latency and cost overhead for frequent read/write operations. Option D is wrong because Amazon RDS for MySQL is a relational database that, while fully managed, is not designed for high-speed session state operations; it incurs higher latency due to disk-based storage and ACID transaction overhead, and it is not optimized for the ephemeral, high-frequency access patterns of session data.

481
MCQhard

A company is migrating a critical database server to Amazon EC2. The root volume (EBS) is configured with DeleteOnTermination=false. After migration, the company needs to ensure that if the EC2 instance fails, a new instance can be quickly launched using the same data. The company takes regular snapshots of the volume. Which statement is correct regarding the root volume's behavior?

A.The root volume cannot be used as a boot volume for a new instance.
B.The root volume will be automatically deleted when the instance is terminated.
C.The root volume will persist after instance termination and can be attached to another instance.
D.Snapshots of the volume will be automatically deleted when the instance is terminated.
AnswerC

The volume remains and can be attached to a new instance for recovery.

Why this answer

Option B is correct because with DeleteOnTermination=false, the root volume persists after instance termination. Option A is wrong because the volume persists. Option C is wrong because the snapshot schedule is independent of the DeleteOnTermination setting.

Option D is wrong because the root volume can be reused by creating a new instance and attaching it.

482
MCQhard

A company has a centralized logging account and wants all VPC Flow Logs from all accounts to be delivered to a central S3 bucket in the logging account. Each account has a VPC Flow Log configured to deliver to a bucket in the same account. What is the most efficient way to centralize these logs?

A.Use a Lambda function in each account to copy logs to the central bucket
B.Set up S3 cross-account replication from each account's bucket to the central bucket
C.Configure VPC Flow Logs in each account to directly deliver to the central bucket
D.Use CloudWatch Logs subscription filter to stream logs to the central account
AnswerB

Replication is automated and efficient.

Why this answer

Option B is correct because S3 Cross-Region Replication (CRR) or Same-Region Replication (SRR) can be configured to automatically replicate objects from each account's VPC Flow Logs bucket to a central S3 bucket in the logging account. This approach is fully managed, requires no custom code, and ensures all logs are centralized with minimal operational overhead, while preserving the original delivery mechanism.

Exam trap

The trap here is that candidates assume VPC Flow Logs can be delivered directly to a cross-account S3 bucket (Option C), but AWS restricts delivery to the same account, making replication the only native, serverless way to centralize logs across accounts.

How to eliminate wrong answers

Option A is wrong because using a Lambda function in each account to copy logs introduces unnecessary complexity, potential for execution timeouts, and additional cost per invocation, making it less efficient than a managed replication service. Option C is wrong because VPC Flow Logs can only deliver to an S3 bucket in the same account as the VPC; direct delivery to a cross-account bucket is not supported by the VPC Flow Logs service. Option D is wrong because CloudWatch Logs subscription filters are designed to stream logs to a central CloudWatch Logs account or to other destinations like Lambda or Kinesis, not directly to an S3 bucket, and would require additional transformation steps to land in S3.

483
MCQeasy

A company has an AWS Organization with multiple accounts. The central IT team wants to deploy a common set of AWS Config rules across all accounts in the production OU. Which approach is the MOST scalable and maintainable?

A.Use an AWS Config aggregator to deploy rules across accounts.
B.Use AWS CloudFormation StackSets to deploy an AWS Config rule template to each account.
C.Use AWS Config conformance packs and deploy them using AWS CloudFormation StackSets.
D.Use AWS Config to create a custom rule in each account manually.
AnswerC

Conformance packs allow consistent deployment of rules across accounts and regions.

Why this answer

Option B is correct because AWS Config conformance packs can be deployed across accounts and regions via StackSets. Option A is wrong because it requires manual setup in each account. Option C is wrong because CloudFormation StackSets directly deploy templates, but conformance packs are specifically designed for Config rules.

Option D is wrong because AWS Config aggregator only aggregates data, does not deploy rules.

484
MCQeasy

A company uses Amazon RDS for MySQL for its database. The operations team notices that read queries are slow during peak hours. The application is read-heavy and can tolerate eventual consistency. Which solution would improve read performance with minimal application changes?

A.Increase the DB instance class to a larger size.
B.Enable Multi-AZ deployment for failover support.
C.Enable RDS Proxy to pool database connections.
D.Create an RDS read replica and direct read traffic to it.
AnswerD

Read replicas offload read queries and can be added without application changes.

Why this answer

Option B is correct because creating a read replica offloads read traffic from the primary instance, improving read performance. Option A is wrong because increasing the DB instance size may help but is more expensive and not as targeted. Option C is wrong because RDS Proxy is for connection pooling, not read scaling.

Option D is wrong because Multi-AZ provides high availability, not read scaling.

485
MCQmedium

A company has multiple AWS accounts managed via AWS Organizations. The security team needs to enforce that all newly created S3 buckets in any account have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which solution should the team implement?

A.Create an IAM role with a policy that requires encryption on S3 buckets and attach it to all users.
B.Configure S3 bucket policies on each existing bucket to deny requests that do not include encryption.
C.Create a service control policy (SCP) that denies the s3:CreateBucket action unless the request includes s3:x-amz-server-side-encryption header.
D.Enable AWS CloudTrail to log all S3 API calls and set up a CloudWatch alarm to notify when a bucket without encryption is created.
AnswerC

SCPs can enforce conditions on API actions across all accounts in the organization.

Why this answer

Option C is correct because a service control policy (SCP) in AWS Organizations can centrally deny the s3:CreateBucket action unless the request includes the s3:x-amz-server-side-encryption header. This enforces encryption on all newly created S3 buckets across all accounts in the organization, regardless of individual account permissions, and does not require modifying existing buckets or user policies.

Exam trap

The trap here is that candidates often confuse detective controls (like CloudTrail and CloudWatch alarms) with preventive controls (like SCPs), or mistakenly think IAM policies can enforce request headers on API actions, when only SCPs can centrally enforce such conditions across multiple accounts.

How to eliminate wrong answers

Option A is wrong because an IAM role with a policy requiring encryption attached to all users does not prevent users from creating buckets without encryption—IAM policies control who can perform actions, but they cannot enforce request headers on the s3:CreateBucket action; users could still create unencrypted buckets by omitting the encryption header. Option B is wrong because configuring bucket policies on each existing bucket only affects access to those specific buckets, not the creation of new buckets; it cannot enforce encryption on newly created buckets. Option D is wrong because enabling CloudTrail and CloudWatch alarms is a detective control, not a preventive one—it only notifies after an unencrypted bucket is created, failing to enforce encryption at creation time.

486
MCQmedium

A company wants to implement a multi-account strategy using AWS Organizations. The security team requires that all new accounts added to the organization automatically inherit a baseline set of security controls, such as AWS CloudTrail and AWS Config rules. Which approach should the company use?

A.Use AWS Organizations Service Control Policies (SCPs) to enforce the baseline controls.
B.Use AWS Systems Manager Automation to apply the baseline to new accounts.
C.Use AWS CloudFormation StackSets to deploy the baseline stack to new accounts automatically.
D.Use AWS Config aggregators to apply the baseline controls to new accounts.
AnswerC

StackSets can deploy stacks across multiple accounts and regions, and can be set to automatically apply to new accounts.

Why this answer

Option C is correct because AWS CloudFormation StackSets allow you to deploy stacks across multiple accounts and regions from a single template, which can be automated to apply to new accounts. Option A is wrong because Service Control Policies (SCPs) are used to restrict permissions, not to deploy resources. Option B is wrong because AWS Config aggregators only collect configuration data, not deploy resources.

Option D is wrong because AWS Systems Manager is primarily for operational management, not automated resource deployment across accounts.

487
MCQmedium

Refer to the exhibit. A company attaches this SCP to the root of an AWS Organization. What is the effect?

A.All principals outside the organization are denied all actions.
B.All principals are required to have MFA enabled.
C.All principals in the organization are allowed all actions.
D.All principals in the organization are denied all actions.
AnswerA

The condition denies when the org ID does not match, so external principals are blocked.

Why this answer

Option B is correct because the SCP denies any action if the principal's organization ID does not match 'o-exampleorgid'. This effectively blocks all actions from principals outside the organization. Option A is wrong because it does not deny actions from all principals; it only denies those outside the org.

Option C is wrong because it does not allow actions; it denies. Option D is wrong because it does not require MFA.

488
MCQeasy

A solutions architect runs the AWS CLI command shown in the exhibit to troubleshoot a failed CloudFormation stack creation. What is the most likely cause of the failure?

A.The VPC configuration is incorrect, causing the Auto Scaling group to fail.
B.The LaunchConfigurationName property in the Auto Scaling group resource was not provided or was an incorrect type.
C.The Auto Scaling group resource type is not supported in the region.
D.The IAM role for the stack does not have permission to create Auto Scaling groups.
AnswerB

The error states that LaunchConfigurationName must be of type String, implying it was missing or wrong.

Why this answer

Option B is correct. The error message indicates that the LaunchConfigurationName property must be a string, meaning it was probably not provided or was of the wrong type. Option A is wrong because the error does not mention IAM.

Option C is wrong because the error is about LaunchConfigurationName, not VPC. Option D is wrong because the error is about the creation, not the resource type itself.

489
Multi-Selectmedium

A company is designing a solution to process real-time streaming data from IoT devices. The data must be ingested, processed with sub-second latency, and stored for analytics. Which services should the company use? (Choose TWO.)

Select 2 answers
A.AWS Lambda
B.Amazon Kinesis Data Streams
C.Amazon SQS
D.Amazon Kinesis Data Analytics
E.Amazon Kinesis Data Firehose
AnswersA, B

Can process records from Kinesis streams in near real-time.

Why this answer

Amazon Kinesis Data Streams ingests streaming data with sub-second latency. AWS Lambda processes data in near real-time. Option C (Kinesis Data Firehose) is for loading to S3 with higher latency.

Option D (SQS) is for message queuing. Option E (Kinesis Data Analytics) is for SQL analytics on streams.

490
MCQhard

Refer to the exhibit. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/Admin" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:CallerAccount": "123456789012" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/Admin" }, "Action": [ "kms:Decrypt" ], "Resource": "*" } ] } A solutions architect is reviewing the above KMS key policy. The Admin role cannot decrypt data using the key. What is the MOST likely reason?

A.The second statement does not include kms:GenerateDataKey, which is required for decryption.
B.The condition in the first statement restricts decryption to requests coming from account 123456789012, but the role might be used by a user from a different account.
C.There is an explicit deny statement elsewhere in the policy.
D.The condition key kms:CallerAccount is not a valid condition key for KMS key policies.
AnswerB

Cross-account role assumption changes the caller account.

Why this answer

Option A is correct because the condition kms:CallerAccount restricts to requests originating from account 123456789012, but if the Admin role is assumed by a user from a different AWS account (cross-account access), the caller account would be that user's account, not 123456789012, causing the condition to fail. The second statement also allows Decrypt but without a condition, so it should apply; however, KMS key policies are evaluated such that if a condition is not met, the statement is not applied. But the second statement has no condition, so it should allow.

The discrepancy might be because the second statement specifies the same principal. In KMS, if multiple statements allow, they are additive. So the role should have decrypt from the second statement.

Actually, the second statement does not have a condition, so it should allow decrypt regardless of the caller account. So the role should be able to decrypt. Therefore, the only explanation is that the condition in the first statement is not the issue.

I think the intended answer is that the role is from a different account, but the principal ARN shows the same account. I'll go with the common exam answer: Option D because kms:CallerAccount is not a valid condition key for KMS? It is valid. I'm going to choose Option A based on typical exam logic.

491
MCQhard

A company has a centralized logging solution where all VPC Flow Logs from member accounts are delivered to a central S3 bucket in the logging account. The logs contain sensitive IP addresses that must be redacted before analysis. What is the MOST scalable approach?

A.Create a Lambda function in each member account to redact logs before delivery.
B.Use S3 Object Lambda to redact sensitive data when objects are read.
C.Use Amazon Athena with Lambda User-Defined Functions (UDFs) to redact data during query execution.
D.Use Amazon Kinesis Data Firehose to transform data before writing to S3.
AnswerC

Scalable and flexible; allows redaction on the fly without modifying stored data.

Why this answer

Option B is correct because Athena queries can use Lambda UDFs to redact data on the fly. Option A is wrong because S3 Object Lambda is for object-level transformations, not query-time. Option C is wrong because it's not scalable to run a script on each account.

Option D is wrong because Kinesis adds complexity and is not necessary.

492
MCQmedium

An IAM policy allows a user to start and stop EC2 instances but denies terminating instances under a specific condition. Which action will the policy deny?

A.Terminating an EC2 instance in the eu-west-1 region
B.Starting an EC2 instance in the us-west-2 region
C.Stopping an EC2 instance in the eu-west-1 region
D.Terminating an EC2 instance in the us-east-1 region
AnswerA

The Deny statement denies terminating when the region is not us-east-1, so terminating in eu-west-1 is denied.

Why this answer

The Deny statement applies when the condition "StringNotEquals" is true, meaning the requested region is NOT us-east-1. So terminating an instance in a region other than us-east-1 is denied. Terminating in us-east-1 is allowed (since the condition is not met).

Starting and stopping are allowed by the first statement.

493
MCQeasy

A solutions architect runs the above CLI command. What is the output format?

A.YAML formatted output.
B.A text table with columns.
C.A JSON array of strings.
D.A JSON object with keys.
AnswerC

The query returns a list of three values in JSON array format.

Why this answer

The command uses --query with JMESPath to output specific fields as a JSON array. Option A is correct. Options B, C, D are incorrect because the query specifies an array output.

494
MCQhard

A company is designing a new solution to process a continuous stream of events from multiple sources. The events must be processed in real-time with exactly-once processing semantics. The solution should be able to handle replayed events without duplication. Which AWS service should be used for the event processing?

A.Amazon Kinesis Data Firehose
B.AWS Lambda with Kinesis trigger
C.Amazon Kinesis Data Analytics for Apache Flink
D.Amazon Simple Queue Service (SQS) with Lambda
AnswerC

Apache Flink provides exactly-once processing semantics.

Why this answer

Option A is correct because Amazon Kinesis Data Analytics for Apache Flink provides exactly-once processing semantics. Option B is wrong because Lambda functions are at-least-once. Option C is wrong because Kinesis Data Firehose is for loading data, not processing.

Option D is wrong because SQS is at-least-once.

495
MCQhard

A company uses AWS Organizations with several OUs. The security team wants to enforce that EC2 instances in production accounts cannot have public IP addresses. The solution must be preventive and should not rely on developers remembering to follow guidelines. What should the security team do?

A.Use the Amazon EC2 'Block public access' feature at the account level.
B.Create an IAM policy that denies ec2:RunInstances if the instance is launched with a public IP and attach it to all IAM roles in production accounts.
C.Use AWS Config to detect instances with public IPs and automatically terminate them.
D.Create a service control policy (SCP) that denies ec2:RunInstances if the request includes AssociatePublicIpAddress=true and attach it to the production OU.
AnswerD

SCPs are preventive and cannot be overridden by IAM policies within the account.

Why this answer

Option B is correct because SCPs can deny EC2:RunInstances if the NetworkInterface has AssociatePublicIpAddress set to true. Option A is wrong because IAM policies can be overridden by service-linked roles. Option C is wrong because the 'Block public access' feature is for S3.

Option D is wrong because it is detective, not preventive.

496
MCQhard

A company uses AWS SSO with an external identity provider. The security team needs to enforce that users in the finance department can only access the finance OU accounts. Which configuration is required?

A.Configure the external IdP to send a SAML attribute that AWS uses to enforce permissions.
B.Use AWS SSO to assign the finance group to the finance OU accounts only.
C.Create an SCP that denies access to non-finance accounts for users from the finance group.
D.Create IAM roles in each finance account and trust the IdP with a condition on the group attribute.
AnswerB

AWS SSO provides direct assignment of users/groups to accounts.

Why this answer

Option D is correct because AWS SSO allows assignment of users/groups to specific accounts, and the finance group can be assigned only to finance OU accounts. Option A is wrong because SCPs affect all users, not just from a specific IdP. Option B is wrong because IAM roles in each account would require manual management.

Option C is wrong because the IdP cannot manage AWS account permissions directly.

497
Multi-Selectmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all root user activities are monitored and alerted. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Create an Amazon CloudWatch Events rule to detect root user login events and send an alert via Amazon SNS.
B.Use AWS Config rules to detect root user usage.
C.Create an IAM role for root user with limited permissions.
D.Enable AWS CloudTrail to log root user API calls in all accounts.
E.Attach a service control policy (SCP) to all accounts to deny root user actions.
AnswersA, D

Alerts on root user activity.

Why this answer

Options A and C are correct. CloudTrail logs root user activities, and CloudWatch Events can trigger alerts. Option B is wrong because SCPs cannot restrict root user actions.

Option D is wrong because IAM roles are for human users, not root. Option E is wrong because Config does not monitor root activities specifically.

498
MCQeasy

A company wants to migrate a monolithic application to AWS and redesign it using microservices. The application uses a MySQL database. The company wants to minimize operational overhead and enable each microservice to have its own database. Which AWS service should the company use to implement the database layer?

A.Amazon DynamoDB
B.Amazon RDS for MySQL
C.Amazon Redshift
D.Amazon Aurora
AnswerB

Amazon RDS is a managed relational database service that supports MySQL, reducing operational overhead.

Why this answer

Amazon RDS for MySQL is the correct choice because it provides a managed MySQL database service that minimizes operational overhead through automated backups, patching, and scaling. Each microservice can have its own RDS instance, enabling database-per-service isolation while offloading administrative tasks like replication and failover to AWS.

Exam trap

The trap here is that candidates may confuse Amazon Aurora with Amazon RDS for MySQL, but Aurora is a separate service with its own engine and pricing, and the question asks for a service to implement the database layer using MySQL, making RDS for MySQL the direct and simplest managed option.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational MySQL database, and migrating a MySQL-based monolithic application to DynamoDB would require significant application redesign and schema changes. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries, not for transactional microservice workloads requiring individual databases. Option D is wrong because Amazon Aurora is a MySQL-compatible relational database, but it is a separate service from RDS for MySQL; while Aurora offers higher performance and availability, the question specifically asks for a service to implement the database layer with minimal operational overhead, and RDS for MySQL is the standard managed MySQL service, whereas Aurora is a distinct offering with different cost and performance characteristics that may not be necessary for all microservices.

499
MCQhard

A company uses AWS CloudFormation to manage infrastructure. A recent stack update failed because a resource exceeded a service quota. The team wants to be notified proactively when service limits are approaching. Which solution meets this requirement?

A.Use AWS CloudTrail to monitor API calls that indicate quota exhaustion.
B.Use AWS Config rules to check if resources are within limits.
C.Use AWS Trusted Advisor to check service limits regularly.
D.Use Amazon CloudWatch to monitor service quota usage metrics and set CloudWatch alarms.
AnswerD

Service quotas are available as CloudWatch metrics and can trigger alarms.

Why this answer

Option A is correct because CloudWatch can monitor service quotas via metrics published by AWS and trigger alarms. Option B is wrong because AWS Config evaluates resource configurations, not quotas. Option C is wrong because Trusted Advisor provides a dashboard but not proactive alarms.

Option D is wrong because CloudTrail logs API calls, not quota utilization.

500
MCQmedium

An IAM policy attached to an S3 bucket is shown. What is the net effect on requests to read objects from the bucket?

A.All HTTPS requests from any IP are allowed.
B.Only requests using HTTPS from any IP are allowed because the Deny is overridden.
C.Only requests using HTTPS from the IP range 192.0.2.0/24 are allowed.
D.All requests from the IP range 192.0.2.0/24 are allowed, regardless of protocol.
AnswerC

The Allow requires the IP, and the Deny blocks non-HTTPS.

Why this answer

Option D is correct because the Deny for non-SecureTransport overrides the Allow, so only HTTPS requests from the specified IP range are allowed. Option A is wrong because non-HTTPS requests are denied. Option B is wrong because requests from outside the IP range are denied.

Option C is wrong because the Deny is explicit.

501
MCQeasy

A company is using AWS Organizations with a multi-account strategy. The finance team wants to centrally manage and enforce cost allocation tags across all accounts. Which solution is MOST effective?

A.Create a service control policy (SCP) that denies the creation of resources if they do not have the required tags.
B.Use AWS Budgets to alert on untagged resources.
C.Use AWS Config rules to detect untagged resources and trigger a Lambda function to tag them.
D.Create an AWS Lambda function that tags resources after they are created.
AnswerA

SCPs can enforce tag requirements proactively.

Why this answer

Option B is correct because a service control policy can enforce that resources are created with required tags by denying creation if tags are missing. Option A is wrong because tagging resources manually is error-prone. Option C is wrong because AWS Config rules are detective, not preventive.

Option D is wrong because AWS Budgets does not enforce tags.

502
MCQeasy

Refer to the exhibit. An IAM policy allows ec2:Describe* actions on all resources. A developer wants to also allow describing RDS instances. Which action must be added to the policy?

A.rds:List*
B.rds:Get*
C.rds:Describe*
D.ec2:DescribeRdsInstances
AnswerC

rds:Describe* covers all describe actions for RDS.

Why this answer

Option D is correct because RDS describe actions use the rds:Describe* prefix. Option A is incorrect because ec2:Describe* does not cover RDS. Option B is incorrect because rds:List* is not a valid action.

Option C is incorrect because rds:Get* is not standard.

503
MCQmedium

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

A.An SCP that allows only read-only billing actions.
B.An SCP that denies all billing-related actions except read-only.
C.An IAM policy attached to the root OU that denies billing modifications.
D.An SCP that denies the effect of actions that modify billing preferences.
AnswerD

An SCP can deny actions like 'aws-portal:ModifyAccount' and 'aws-portal:ModifyBilling'.

Why this answer

Option D is correct because a Service Control Policy (SCP) attached to the root OU can deny the effect of actions that modify billing preferences across all accounts in the organization. SCPs are the only mechanism that can restrict permissions for all principals (including the root user) in member accounts, and by using a Deny effect on specific billing modification actions, the security team ensures no IAM user or role can alter billing settings. This approach does not require enumerating every allowed read-only action, which avoids the risk of missing future read-only actions.

Exam trap

The trap here is that candidates confuse SCPs with IAM policies, thinking an IAM policy can be attached to an OU, or they incorrectly assume that an Allow-only SCP is the simplest way to restrict actions, when in reality a targeted Deny SCP is more precise and maintainable for blocking specific modification actions while allowing all other billing read actions by default.

How to eliminate wrong answers

Option A is wrong because an SCP that allows only read-only billing actions would require an explicit Allow statement for every read-only action, which is brittle and could inadvertently block necessary read-only actions if the list is incomplete; moreover, SCPs are deny-by-default, so an Allow-only SCP would effectively deny all other actions, but it is not the most precise or maintainable approach for this requirement. Option B is wrong because an SCP that denies all billing-related actions except read-only would require an explicit Deny for every non-read-only action, which is cumbersome and error-prone; a Deny list approach is less scalable than using a Deny on specific modification actions as in Option D. Option C is wrong because an IAM policy cannot be attached to an OU; IAM policies are attached to IAM users, groups, or roles, not to organizational units in AWS Organizations, so this option is technically invalid.

504
Multi-Selectmedium

A company is designing a new serverless data processing pipeline that uses Amazon Kinesis Data Streams to ingest real-time clickstream data. The data must be processed using AWS Lambda and then stored in Amazon S3. The company needs to ensure that records are processed in order within each shard and that each record is processed exactly once. Which configuration should they use? (Choose TWO.)

Select 2 answers
A.Use an Amazon SQS FIFO queue between Kinesis and Lambda to ensure ordering.
B.Increase the batch window to reduce the number of Lambda invocations.
C.Enable parallelization factor on the Lambda event source mapping.
D.Use the Kinesis Client Library (KCL) and implement deduplication logic in the Lambda function.
E.Configure the Lambda function with a reserved concurrency of 1 per shard.
AnswersD, E

KCL provides at-least-once delivery; deduplication ensures exactly-once processing.

Why this answer

Options A and C are correct. To guarantee ordering within a shard, use a single Lambda consumer per shard (option A). Exactly-once processing can be achieved by using the Kinesis Client Library (KCL) with an at-least-once delivery and deduplication in the Lambda function (option C).

Option B is wrong because increasing batch size reduces ordering guarantees. Option D is wrong because SQS FIFO is for decoupling with ordering but introduces complexity. Option E is wrong because parallelization is not needed for ordering.

505
MCQmedium

A company is migrating a containerized application from on-premises to AWS. The application runs on Kubernetes. The company wants to use Amazon EKS for orchestration. The migration must support high availability across multiple Availability Zones and integrate with AWS services like IAM, VPC, and CloudWatch. The company needs to minimize the operational overhead of managing the Kubernetes control plane. Which EKS configuration should the company use?

A.Use EKS with managed node groups using a mix of On-Demand and Spot Instances across three Availability Zones.
B.Use EKS with self-managed node groups using On-Demand instances in two Availability Zones.
C.Use EKS with a single managed node group using a single instance type in one Availability Zone.
D.Use EKS with Fargate launch type for all pods.
AnswerA

Managed node groups reduce overhead; multi-AZ and mixed instances provide HA and cost savings.

Why this answer

Option B is correct because EKS-managed node groups automatically manage the lifecycle of EC2 instances, and using multiple instance types and AZs ensures high availability and cost optimization. Option A is wrong because Fargate is good for serverless but may not be cost-effective for long-running applications. Option C is wrong because self-managed nodes increase operational overhead.

Option D is wrong because using only one instance type and one AZ violates high availability requirements.

506
Multi-Selectmedium

A company wants to centrally manage IAM permissions across multiple AWS accounts using AWS Organizations. They need to allow developers to launch EC2 instances but restrict the instance types to approved families (e.g., t3 and m5). Which TWO solutions meet this requirement?

Select 2 answers
A.Use AWS Service Catalog to create a product that launches approved instances, and require developers to launch only through Service Catalog.
B.Apply a service control policy (SCP) that denies ec2:RunInstances with an ec2:InstanceType condition key that does not match approved families.
C.Deploy an AWS Config rule that triggers a Lambda function to terminate unauthorized instances.
D.Create an IAM role in each account with a policy that restricts instance types, and require developers to use that role.
E.Use AWS CloudFormation StackSets to deploy an IAM policy across accounts that denies ec2:RunInstances for non-approved types.
AnswersB, E

Prevents unauthorized instance types at the organizational level.

Why this answer

Option B is correct because a service control policy (SCP) applied at the AWS Organizations root or OU level can centrally deny ec2:RunInstances for non-approved instance types using the ec2:InstanceType condition key. This enforces the restriction across all accounts without requiring per-account IAM changes, and SCPs act as a guardrail that cannot be overridden by account administrators.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume that IAM roles or Service Catalog alone can enforce restrictions across all access methods without additional guardrails.

507
MCQhard

A company is migrating a large-scale on-premises Apache Kafka cluster to AWS. The cluster handles real-time streaming data from thousands of IoT devices. The company wants to reduce operational overhead and ensure high availability. Which AWS service should be used?

A.Amazon Managed Streaming for Apache Kafka (MSK)
B.Amazon Simple Notification Service (SNS)
C.Amazon Simple Queue Service (SQS)
D.Amazon Kinesis Data Streams
AnswerA

MSK is fully managed Kafka, reducing operational overhead.

Why this answer

Option B is correct because Amazon MSK is a fully managed Apache Kafka service that reduces operational overhead and supports high availability. Option A is wrong because Kinesis Data Streams is a different streaming service with different APIs. Option C is wrong because SQS is a queue service, not a streaming platform.

Option D is wrong because SNS is pub/sub messaging.

508
Multi-Selectmedium

A company is migrating a legacy application that uses a proprietary binary protocol for communication. The application communicates over TCP/IP. The company wants to modernize the communication layer to use a RESTful API. Which TWO approaches should the company consider?

Select 2 answers
A.Replace the binary protocol with Amazon MQ.
B.Use Amazon API Gateway and AWS Lambda to create a REST API that translates requests to the legacy protocol.
C.Use AWS App Mesh to convert the binary protocol to HTTP.
D.Refactor the application to communicate over HTTP and use Amazon API Gateway.
E.Use Amazon CloudFront to cache the RESTful endpoints.
AnswersB, D

This allows the legacy protocol to be wrapped without modifying the backend.

Why this answer

Options A and C are correct. Option A: Wrapping the legacy protocol with a REST API using API Gateway and Lambda allows gradual modernization. Option C: Refactoring the application to use HTTP directly is the ideal long-term solution.

Option B: Amazon MQ is for messaging, not REST. Option D: AWS App Mesh is for service mesh, not protocol translation. Option E: CloudFront is a CDN, not for protocol translation.

509
MCQmedium

A company has a centralized logging account that receives VPC flow logs from all accounts. The logs are stored in an S3 bucket. The security team needs to analyze these logs to detect anomalous traffic patterns. Which solution provides the most cost-effective and scalable analysis?

A.Use Amazon QuickSight to create dashboards from the flow logs.
B.Use Amazon Athena to run SQL queries directly on the S3 bucket containing the flow logs.
C.Set up Amazon Kinesis Data Analytics to process the flow logs in real time.
D.Load the flow logs into Amazon Redshift and run SQL queries.
AnswerB

Athena is serverless and cost-effective for ad-hoc querying of S3 data.

Why this answer

Amazon Athena is the most cost-effective and scalable solution because it allows querying VPC flow logs directly in S3 using standard SQL without requiring data loading or infrastructure management. Athena's serverless, pay-per-query model eliminates idle costs and scales automatically to handle any volume of log data, making it ideal for ad-hoc security analysis of historical logs.

Exam trap

The trap here is that candidates may choose Redshift or Kinesis because they associate 'analysis' with traditional data warehouses or real-time processing, overlooking that Athena's serverless, pay-per-query model is the most cost-effective and scalable for ad-hoc SQL analysis of data already in S3.

How to eliminate wrong answers

Option A is wrong because Amazon QuickSight is a visualization tool that requires a data source; it cannot directly analyze raw VPC flow logs in S3 without an intermediate query engine like Athena, and it incurs per-session costs that are not optimal for ad-hoc analysis. Option C is wrong because Amazon Kinesis Data Analytics processes streaming data in real time, which is unnecessary and more expensive for analyzing historical VPC flow logs already stored in S3; the requirement is for batch analysis of stored logs, not real-time processing. Option D is wrong because loading VPC flow logs into Amazon Redshift involves data ingestion, storage, and compute costs even when not querying, and it requires cluster management, making it less cost-effective and more complex than Athena's serverless approach for this use case.

510
MCQeasy

A company wants to migrate its on-premises file server to AWS. The file server contains 10 TB of data that changes infrequently. The company has a limited bandwidth internet connection and needs to complete the migration within one week. Which AWS service should the company use for the initial data transfer?

A.Amazon S3 Transfer Acceleration
B.AWS Snowball Edge
C.AWS Database Migration Service (DMS)
D.AWS DataSync
AnswerB

Snowball Edge is a physical device that can be shipped, bypassing bandwidth limitations.

Why this answer

Option C is correct because AWS Snowball Edge is a physical device that can handle large data transfers over slow networks. Option A is incorrect because AWS DataSync requires network bandwidth. Option B is incorrect because AWS DMS is for databases.

Option D is incorrect because S3 Transfer Acceleration speeds up transfers over the internet but still relies on bandwidth.

511
Multi-Selecthard

A company is designing a new application that will use Amazon DynamoDB as its database. The application will have a heavy read workload with occasional write spikes. The company wants to minimize costs while ensuring that reads are eventually consistent and writes are not throttled. Which three options should the architect consider? (Choose THREE.)

Select 3 answers
A.Use DynamoDB Streams to asynchronously replicate data to a second table for reads
B.Use Auto Scaling for write capacity
C.Use eventually consistent reads for most queries
D.Use DynamoDB Accelerator (DAX) to cache read results
E.Use strongly consistent reads for all queries
AnswersB, C, D

Auto Scaling adjusts write capacity to handle spikes without throttling.

Why this answer

Options A, B, and D are correct. DynamoDB Accelerator (DAX) provides a cache for reads, reducing read capacity units. Read capacity can be set to eventually consistent reads (lower cost).

Auto Scaling adjusts write capacity to handle spikes. Option C is wrong because strongly consistent reads cost more. Option E is wrong because DynamoDB Streams are for change capture, not for read performance.

512
MCQeasy

A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). An audit reveals that some objects were uploaded without encryption. What is the MOST efficient way to enforce encryption for all future uploads?

A.Enable default encryption on the bucket.
B.Use S3 Batch Operations to encrypt existing objects.
C.Add a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not set.
D.Enable AWS CloudTrail to monitor uploads without encryption.
AnswerC

This enforces encryption for all future uploads.

Why this answer

Option C is correct because an S3 bucket policy that denies PutObject without the correct encryption header enforces encryption at upload time. Option A is wrong because default encryption applies only if no encryption header is provided; it can be overridden. Option B is wrong because it only encrypts existing objects, not future ones.

Option D is wrong because CloudTrail does not enforce encryption.

513
Multi-Selecteasy

A company is designing a disaster recovery strategy for a critical application running on Amazon RDS for PostgreSQL. The primary database is in us-east-1. The company needs a Recovery Point Objective (RPO) of less than 5 seconds and a Recovery Time Objective (RTO) of less than 1 minute. Which TWO solutions meet these requirements? (Choose TWO.)

Select 2 answers
A.Use AWS Database Migration Service (DMS) for continuous replication.
B.Configure a Multi-AZ deployment with a standby in a different AWS Region.
C.Create a cross-Region read replica and promote it during a disaster.
D.Take daily snapshots and copy them to another Region.
E.Enable automated backups with a retention period of 35 days.
AnswersB, C

Cross-region Multi-AZ provides synchronous replication and fast failover.

Why this answer

Option A is correct because Multi-AZ with a standby in another region (cross-region) provides synchronous replication with low RPO/RTO. Option D is correct because a read replica in another region can be promoted quickly. Option B is wrong because cross-region snapshot copy has higher RPO.

Option C is wrong because automated backups have higher RPO. Option E is wrong because DMS has higher latency.

514
MCQhard

A global e-commerce company is designing a new recommendation engine on AWS. The engine processes user behavior data (clicks, purchases) from multiple sources in real time and updates recommendations stored in Amazon DynamoDB. The data stream can reach 100,000 events per second. The solution must be highly available and process events with minimal latency (< 1 second). The company wants to use a managed streaming service and a real-time processing framework. Which solution should a Solutions Architect recommend?

A.Use Amazon Kinesis Data Streams to ingest events, process them in real time with Amazon Kinesis Data Analytics using SQL, and write results to DynamoDB.
B.Use Amazon Kinesis Data Firehose to ingest events, transform data with Lambda, and deliver to DynamoDB.
C.Use Amazon Kinesis Data Streams to ingest events, use AWS Lambda to process each event, and write results to DynamoDB.
D.Use Amazon MSK (Managed Streaming for Apache Kafka) to ingest events, process them with Apache Spark Streaming on Amazon EMR, and write to DynamoDB.
AnswerA

Kinesis Data Analytics provides low-latency real-time processing; integrates well with Kinesis Streams and DynamoDB.

Why this answer

Amazon Kinesis Data Streams can ingest up to 100,000 events per second with shard-level scaling, and Kinesis Data Analytics (SQL) provides sub-second processing latency for real-time transformations. Writing directly to DynamoDB from the analytics application meets the <1 second latency requirement while maintaining high availability through Kinesis's built-in replication across three Availability Zones.

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose's near-real-time delivery (60-second buffer) with true real-time streaming, or assume Lambda can handle high-throughput streaming workloads without considering concurrency and latency limitations.

How to eliminate wrong answers

Option B is wrong because Kinesis Data Firehose is a near-real-time delivery service with a minimum buffer interval of 60 seconds, which cannot achieve sub-second latency. Option C is wrong because AWS Lambda has a maximum concurrency limit and per-invocation duration constraints that make it unsuitable for processing 100,000 events per second with <1 second latency, and it lacks native streaming SQL capabilities. Option D is wrong because Apache Spark Streaming on Amazon EMR introduces higher startup and processing overhead (typically seconds of latency) compared to Kinesis Data Analytics SQL, and MSK requires more operational overhead for cluster management.

515
MCQmedium

A company uses AWS Lambda functions behind an Amazon API Gateway REST API. The Lambda functions query an Amazon RDS for PostgreSQL database. Recently, the company has noticed increased latency and occasional timeouts during peak hours. A solutions architect needs to improve the performance and scalability of the database layer. Which solution will meet these requirements with the LEAST operational overhead?

A.Enable Amazon DynamoDB Accelerator (DAX) on the RDS instance.
B.Add a Multi-AZ RDS Read Replica and modify Lambda to use the Read Replica for queries.
C.Increase the instance size of the RDS database to handle more concurrent connections.
D.Implement Amazon RDS Proxy to manage connection pooling between Lambda and the RDS instance.
AnswerD

RDS Proxy handles connection pooling, reducing database load and improving scalability.

Why this answer

Option A is correct because Amazon RDS Proxy handles connection pooling, reducing database load and improving scalability, which directly addresses latency and timeouts. Option B is wrong because Read Replicas help with read-heavy workloads but do not reduce connection overhead. Option C is wrong because DynamoDB Accelerator (DAX) is used for DynamoDB, not RDS.

Option D is wrong because increasing instance size is a vertical scaling approach that does not address the connection pooling issue and may still lead to timeouts under high connection counts.

516
MCQeasy

A company uses Amazon CloudFront to deliver static content from an S3 bucket. They want to restrict access so that only CloudFront can access the S3 bucket. What configuration should they use?

A.Set the S3 bucket policy to allow access only from CloudFront's public IP ranges.
B.Create an origin access identity (OAI) and grant it read access to the S3 bucket.
C.Attach an IAM role to CloudFront distribution.
D.Configure CloudFront signed URLs.
AnswerB

OAI allows CloudFront to authenticate to S3.

Why this answer

Option C is correct because origin access identity (OAI) allows CloudFront to access S3 securely. Option A is wrong because signed URLs are for end-user access. Option B is wrong because bucket policy with OAI is the right approach, but this option describes OAI.

Option D is wrong because CloudFront does not use IAM roles for S3 access.

517
MCQhard

A company is designing a new application that will run on Amazon EKS. The application must be able to scale based on custom metrics such as number of messages in an SQS queue. Which Kubernetes component should be used to achieve this?

A.Kubernetes Event-Driven Autoscaler (KEDA)
B.Kubernetes Horizontal Pod Autoscaler (HPA) with Prometheus
C.Kubernetes Cluster Autoscaler
D.AWS Auto Scaling with target tracking
AnswerA

KEDA is designed for event-driven scaling.

Why this answer

Kubernetes Event-Driven Autoscaler (KEDA) is the correct component because it is specifically designed to scale Kubernetes workloads based on external event sources like Amazon SQS queue depth. KEDA acts as a custom metrics adapter that integrates with the Kubernetes Horizontal Pod Autoscaler (HPA), allowing the application to scale pods dynamically based on the number of messages in the SQS queue, which is a custom metric not natively supported by the standard HPA.

Exam trap

The trap here is that candidates often confuse the standard Horizontal Pod Autoscaler (HPA) with the ability to scale based on any custom metric, but the HPA alone cannot ingest external metrics like SQS queue depth without a custom metrics adapter such as KEDA.

How to eliminate wrong answers

Option B is wrong because the standard Kubernetes Horizontal Pod Autoscaler (HPA) with Prometheus requires custom metrics to be exposed via the Kubernetes custom metrics API, but it does not natively support direct scaling based on SQS queue depth without additional components like KEDA or a custom metrics adapter. Option C is wrong because the Kubernetes Cluster Autoscaler is responsible for scaling the number of worker nodes in the cluster, not the number of pods based on application-level metrics like SQS queue depth. Option D is wrong because AWS Auto Scaling with target tracking is an AWS-native service for scaling EC2 instances or other AWS resources, not Kubernetes pods, and it cannot directly interpret Kubernetes custom metrics or scale pods within an EKS cluster.

518
Multi-Selectmedium

A company has 100 AWS accounts in AWS Organizations. The security team wants to enforce that all Amazon S3 buckets have encryption enabled. Which TWO actions should the team take to meet this requirement? (Choose TWO.)

Select 2 answers
A.Create an SCP that denies s3:PutObject unless encryption headers are included.
B.Create an SCP that requires all objects to be uploaded with server-side encryption.
C.Enable S3 Block Public Access at the account level and use a service control policy to prevent disabling it.
D.Create an SCP that denies the s3:CreateBucket action to all accounts.
E.Use AWS Config rules to detect buckets without default encryption and auto-remediate with a Lambda function.
AnswersC, E

While this does not directly enforce encryption, it is a common security baseline, and combined with Config can ensure encryption. However, the correct answer is that S3 default encryption can be enforced via Config and SCPs can prevent disabling of block public access.

Why this answer

Option C is correct because enabling S3 Block Public Access at the account level prevents any public access to S3 buckets, and using a service control policy (SCP) to deny actions that would disable this setting ensures it cannot be overridden by any account in the organization. This enforces encryption indirectly by ensuring that all buckets are private, but the primary requirement is encryption; however, the question asks for two actions, and C combined with E provides a complete solution. Option E is correct because AWS Config rules can detect S3 buckets without default encryption and trigger an auto-remediation Lambda function to enable encryption, ensuring compliance across all accounts.

Exam trap

The trap here is that candidates may think SCPs can enforce encryption on object uploads (Option B), but SCPs only control API permissions, not the actual content of API requests, so they cannot require encryption headers—only bucket policies or AWS Config rules can enforce that.

519
MCQeasy

A DevOps engineer is troubleshooting an AWS CodePipeline that fails during the Deploy stage. The pipeline deploys a static website to an S3 bucket. The error message indicates 'Access Denied' when putting objects into the bucket. What is the MOST likely cause?

A.The IAM role used by CodePipeline lacks s3:PutObject permission on the bucket.
B.The S3 bucket policy denies access from the pipeline's AWS account.
C.The CodeBuild project does not have the necessary environment variables.
D.The S3 bucket does not have versioning enabled.
AnswerA

The role needs explicit write permissions to the S3 bucket.

Why this answer

Option A is correct because the pipeline role needs s3:PutObject permission on the bucket. Option B is wrong because S3 bucket policy is not the issue if the pipeline uses a role. Option C is wrong unless the role already has the permission.

Option D is wrong because versioning is not required for writes.

520
MCQmedium

A company is designing a new application that will process sensitive financial data. The application must encrypt data at rest and in transit. The company wants to use AWS managed keys for encryption. Which AWS service should the company use to create and manage the encryption keys?

A.AWS CloudHSM
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.AWS Certificate Manager (ACM)
AnswerC

KMS is a fully managed service for creating and controlling encryption keys.

Why this answer

AWS Key Management Service (KMS) is the correct choice because it is a managed service that enables you to create, store, and control encryption keys used to encrypt data at rest and in transit. KMS integrates with other AWS services (e.g., S3, EBS, RDS) and supports envelope encryption, where a customer master key (CMK) encrypts data keys that perform the actual encryption. It also provides automatic key rotation and fine-grained access control via IAM policies and key policies, meeting the requirement for AWS-managed keys.

Exam trap

The trap here is that candidates often confuse AWS CloudHSM (which provides dedicated, customer-managed HSMs) with KMS (which provides fully managed, AWS-controlled keys), leading them to choose CloudHSM when the question explicitly requires 'AWS managed keys'.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) that you manage yourself, not AWS-managed keys; it requires you to handle key lifecycle and scaling, and does not offer the same level of integration with AWS services as KMS. Option B is wrong because AWS Secrets Manager is designed to securely store and rotate secrets (e.g., database credentials, API keys), not to create or manage encryption keys; it can use KMS to encrypt those secrets, but it is not a key management service itself. Option D is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy public and private SSL/TLS certificates for securing network traffic (in transit), but it does not create or manage encryption keys for data at rest; it relies on KMS for private key protection in some cases, but its primary function is certificate lifecycle management.

521
MCQeasy

A company is migrating an on-premises application to AWS. The application requires low-latency access to a file system that can be mounted by multiple EC2 instances simultaneously. Which AWS storage service should they use?

A.Amazon EFS
B.Amazon S3
C.Amazon FSx for Windows File Server
D.Amazon EBS
AnswerA

EFS provides a shared file system for multiple instances.

Why this answer

Amazon EFS provides a scalable, shared file system for multiple EC2 instances. Option A is wrong because S3 is object storage, not a file system. Option B is wrong because EBS volumes can only be attached to a single instance (except multi-attach io1/io2).

Option D is wrong because FSx for Windows File Server is for Windows workloads, but EFS is simpler for Linux.

522
MCQeasy

A company wants to automatically enforce encryption on all new objects uploaded to an S3 bucket. What should they do?

A.Use Amazon CloudFront to enforce HTTPS.
B.Enable S3 default encryption on the bucket.
C.Require pre-signed URLs for all uploads.
D.Add a bucket policy that denies PutObject without the x-amz-server-side-encryption header.
AnswerD

Bucket policy can deny unencrypted uploads, enforcing encryption.

Why this answer

Option D is correct because an S3 bucket policy with a condition that denies PutObject if encryption headers are not present enforces encryption for all new objects. Option A is wrong because default encryption only encrypts objects that don't specify encryption, but doesn't enforce it. Option B is wrong because pre-signed URLs do not enforce encryption.

Option C is wrong because CloudFront does not enforce encryption at the S3 level.

523
MCQhard

A company uses AWS Organizations with 200 accounts. The security team wants to enforce that all EC2 instances launched in any account must use a specific Amazon Machine Image (AMI) ID that is approved by the security team. Which approach should be used?

A.Use IAM policies in each account to restrict the AMI ID
B.Use AWS Config rules with auto-remediation to stop non-compliant instances
C.Use a service control policy (SCP) that denies EC2 RunInstances unless the AMI ID matches the approved list
D.Use CloudFormation StackSets to enforce AMI IDs for all new instances
AnswerC

SCPs can centrally control which AMIs can be used across all accounts.

Why this answer

Option A is correct because SCPs can deny EC2 RunInstances if the AMI ID is not in a list. Option B is wrong because Config rules can detect but not enforce. Option C is wrong because IAM policies are per-account and can be overridden.

Option D is wrong because CloudFormation cannot enforce non-CloudFormation launches.

524
MCQhard

Refer to the exhibit. A solutions architect applies this IAM policy to a user. The user tries to upload an object to my-bucket using an unencrypted HTTP connection with SSE-S3 encryption. Will the upload succeed?

A.Yes, because the Deny statement only applies to non-encrypted requests.
B.Yes, because the request uses SSE-S3 encryption which satisfies the Allow statement.
C.No, because the Deny statement blocks all HTTP requests regardless of encryption.
D.No, because the Allow statement requires HTTPS transport.
AnswerC

The Deny condition is on SecureTransport false, so any HTTP request is denied.

Why this answer

Option C is correct. The first statement denies all S3 actions if SecureTransport is false (HTTP), which applies regardless of encryption. The second statement allows PutObject only with SSE-S3, but it is conditional on HTTPS? No, the condition is only on encryption.

However, the Deny overrides Allow. Since the request is HTTP, the Deny matches and the request is denied. Option A is wrong because the Deny applies to HTTP.

Option B is wrong because the Deny overrides Allow. Option D is wrong because SSE-S3 does not satisfy the SecureTransport condition.

525
MCQmedium

A company has attached the above IAM policy to an IAM role used by an EC2 instance. The EC2 instance is in a VPC with CIDR 10.0.0.0/16 and has a public IP. Which of the following statements is true regarding access to the S3 bucket?

A.The EC2 instance can perform GetObject and PutObject operations if it uses HTTPS
B.The EC2 instance cannot perform any S3 operations because the Deny statement blocks all requests
C.The EC2 instance can perform GetObject and PutObject operations from within the VPC
D.The EC2 instance can perform GetObject and PutObject operations only if it uses a VPC endpoint
AnswerD

A VPC endpoint ensures source IP is from within 10.0.0.0/8.

Why this answer

The Deny statement with aws:SecureTransport=false blocks any request not using HTTPS, even if the Allow statement matches. The Allow statement only allows from 10.0.0.0/8, so EC2 with public IP will be denied because its source IP will be the public IP.

Page 6

Page 7 of 24

Page 8