AWS Certified Solutions Architect Professional SAP-C02 (SAP-C02) — Questions 526600

1746 questions total · 24pages · All types, answers revealed

Page 7

Page 8 of 24

Page 9
526
MCQhard

Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload an object to `s3://my-bucket/secret/data.txt` from an IP address in the 10.0.0.0/8 range. What will happen?

A.The upload succeeds because the Allow statement grants s3:PutObject.
B.The upload succeeds because the Deny statement only applies to GetObject, not PutObject.
C.The upload fails because the Deny statement denies all s3 actions unconditionally.
D.The upload fails because the Deny statement explicitly denies s3:PutObject for the prefix secret/ from the specified IP range.
AnswerD

Deny overrides Allow, and conditions match.

Why this answer

Option B is correct. The Deny statement explicitly denies s3:PutObject (part of s3:*) for the prefix secret/ when the source IP is in 10.0.0.0/8. Since the condition matches, the Deny overrides the Allow.

Option A is wrong because the Deny applies. Option C is wrong because the Deny is conditional, not unconditional. Option D is wrong because there is no explicit Deny for other IPs, but the condition applies to the user's IP.

527
MCQhard

A company is migrating a stateful application to AWS. The application uses sticky sessions (session affinity) on the current on-premises load balancer. The company wants to use an Application Load Balancer (ALB) in AWS. Which feature should be enabled?

A.Connection draining (deregistration delay).
B.Sticky sessions (session affinity) using a cookie generated by the load balancer.
C.Health checks to ensure only healthy instances receive traffic.
D.Cross-zone load balancing.
AnswerB

Ensures requests from the same client go to the same target.

Why this answer

Option C is correct because ALB supports sticky sessions via a cookie. Option A is wrong because cross-zone load balancing distributes traffic across AZs. Option B is wrong because connection draining is for in-flight requests during deregistration.

Option D is wrong because health checks are for instance health.

528
MCQmedium

A company is deploying a containerized application on Amazon ECS. The application must be highly available and scale automatically based on CPU utilization. The application also needs to be accessible from the internet via a single endpoint. Which combination of services should the solutions architect use?

A.Amazon ECS with an Application Load Balancer and ECS Service Auto Scaling with a target tracking policy based on average CPU utilization.
B.Amazon ECS with a Network Load Balancer and step scaling policies.
C.Amazon ECS with an Application Load Balancer and step scaling policies based on CPU utilization.
D.Amazon ECS with an Application Load Balancer and manual scaling.
AnswerA

ALB provides a single endpoint; target tracking auto scaling adjusts capacity based on CPU.

Why this answer

Using an Application Load Balancer (ALB) in front of an ECS service with auto scaling using target tracking policies meets the requirements. Option C is correct. Option A is wrong because Network Load Balancer (NLB) does not support path-based routing and is less suitable for HTTP applications.

Option B is wrong because ECS service auto scaling is needed, not step scaling for simple CPU. Option D is wrong because ECS service auto scaling with step scaling is more complex than needed.

529
Multi-Selecthard

A company uses AWS Organizations with hundreds of accounts. The central IT team needs to ensure that all accounts use a standard set of network configurations, including VPC CIDR blocks and subnets. Which THREE steps should the team take to enforce this standard? (Choose THREE.)

Select 3 answers
A.Use AWS CloudFormation StackSets to deploy standard VPC and subnet configurations to all accounts.
B.Create a service control policy (SCP) that denies creation of VPCs with non-compliant CIDR blocks.
C.Create an IAM role in each account with permissions to manage VPCs.
D.Set up AWS Lambda functions to terminate noncompliant VPCs daily.
E.Use AWS Config rules to detect and report noncompliant VPCs.
AnswersA, B, E

Automates deployment of compliant infrastructure.

Why this answer

Options A, B, and C are correct. SCPs enforce CIDR restrictions, CloudFormation StackSets deploy standard resources, and Config rules detect noncompliance. Option D is wrong because IAM roles do not enforce network config.

Option E is wrong because it is reactive.

530
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. A recent deployment failed with a stack update error. The error message indicates that a resource was being updated but was in a failed state. What should the engineer do to resolve this issue?

A.Delete the stack and recreate it with the same template.
B.Roll back the stack update to the previous working state.
C.Continue the update by skipping the failed resource.
D.Create a new stack and migrate resources.
AnswerB

Rolling back restores the last successful state.

Why this answer

Option B is correct because rolling back the stack update to the last known good state is the standard approach. Option A is incorrect because continuing update may propagate errors. Option C is incorrect because deleting the stack would remove all resources.

Option D is incorrect because a new stack may have dependencies.

531
MCQhard

A multinational corporation uses AWS Organizations to manage multiple accounts across different geographic regions. The company needs to ensure that all data residing in AWS accounts for a specific country remains within that country's boundaries. Which combination of AWS services and features should the company use to enforce this data residency requirement?

A.Use AWS PrivateLink and VPC endpoints to keep traffic within the country's region.
B.Use service control policies (SCPs) to deny actions in non-approved regions and AWS Config rules to audit compliance.
C.Use resource-based policies on all AWS resources to deny access from other regions.
D.Use AWS WAF and AWS Shield to protect data and enforce geographic restrictions.
AnswerB

SCPs prevent resource creation in disallowed regions; Config detects violations.

Why this answer

Option C is correct because SCPs can restrict the Region where resources can be created, and AWS Config can detect noncompliant resources. Option A is wrong because VPC endpoints do not restrict resource creation. Option B is wrong because AWS WAF is for web traffic.

Option D is wrong because resource-based policies alone cannot prevent resource creation in other regions.

532
MCQhard

A company is designing a global application that requires low-latency read access to a database from multiple AWS regions. The database stores user profile data that is updated infrequently. The solution must ensure eventual consistency and minimize write conflicts. Which combination of AWS services should be used?

A.Amazon RDS Multi-AZ with read replicas in each region
B.Amazon DynamoDB global tables
C.Amazon Aurora Global Database
D.Amazon ElastiCache for Redis with global datastore
AnswerB

DynamoDB global tables replicate data across regions with eventual consistency and automatic conflict resolution.

Why this answer

Option B is correct because DynamoDB global tables provide multi-region replication with eventual consistency and automatic conflict resolution. Option A is wrong because RDS Multi-AZ does not replicate across regions. Option C is wrong because ElastiCache is a cache, not a primary data store.

Option D is wrong because Aurora Global Database provides strong consistency, not eventual.

533
MCQhard

A company has a production AWS Lambda function that processes data from an Amazon SQS queue. The function often experiences throttling errors. The company wants to implement a solution to reduce throttling and improve processing performance. Which solution meets these requirements?

A.Configure the SQS queue to use a higher concurrency limit.
B.Increase the reserved concurrency for the Lambda function.
C.Create additional SQS queues and distribute messages across them.
D.Increase the batch size of the Lambda event source mapping.
AnswerB

This ensures the function has enough concurrency to avoid throttling.

Why this answer

Option D is correct because increasing the Lambda function's reserved concurrency ensures the function can handle more concurrent executions, reducing throttling. Option A is wrong because Lambda does not support concurrency limits per queue. Option B is wrong because using a Lambda event source mapping for SQS already batches messages.

Option C is wrong because adding more queues does not increase concurrency per function.

534
MCQhard

A company is migrating a multi-tier application to AWS. The application has a web tier, application tier, and database tier. The company wants to use AWS services to improve scalability and reduce costs. Currently, the on-premises infrastructure is underutilized. What is the most cost-effective migration strategy?

A.Refactor the application to run on containers using Amazon EKS with Fargate.
B.Replatform the web tier to AWS Elastic Beanstalk and the database to Amazon RDS.
C.Rehost (lift-and-shift) to Amazon EC2 using AWS Application Migration Service, then right-size instances and purchase Reserved Instances.
D.Purchase compute-heavy EC2 instances to handle peak loads and use On-Demand pricing.
AnswerC

Lift-and-shift is fast, and reserved instances reduce costs.

Why this answer

Option A is correct because a lift-and-shift with right-sizing and reserved instances is cost-effective. Option B is wrong because rearchitecting is expensive and time-consuming. Option C is wrong because purchasing compute-heavy instances wastes money.

Option D is wrong because moving to containers without analysis may not reduce costs.

535
MCQmedium

A company is migrating a stateful application to AWS. The application runs on a single on-premises server and uses local storage for persistent data. The company wants to achieve high availability and scalability. Which migration approach should the company use?

A.Use multiple EC2 instances behind an Application Load Balancer with sticky sessions.
B.Lift and shift to a single Amazon EC2 instance with an EBS volume.
C.Refactor the application to store state in Amazon ElastiCache or Amazon DynamoDB.
D.Use an EC2 Auto Scaling group with lifecycle hooks to persist state to EBS snapshots.
AnswerC

Managed services provide HA and scalability for state.

Why this answer

Option D is correct because moving state to a managed service decouples state from compute. Option A is wrong because a single EC2 instance is not HA. Option B is wrong because Auto Scaling alone doesn't handle state.

Option C is wrong because EBS snapshots are for backup, not HA.

536
MCQeasy

A company is designing a new serverless application using AWS Lambda. The Lambda function needs to access an Amazon RDS database. The database is in a VPC without public internet access. What is the MOST secure way to allow the Lambda function to connect to the database?

A.Configure the Lambda function to access the VPC, and place it in the same subnets as the RDS instance.
B.Create a VPC endpoint for Amazon RDS and use it from Lambda.
C.Use an AWS Network Load Balancer in front of the RDS instance and connect Lambda to the NLB.
D.Create a public endpoint for the RDS instance and allow Lambda to connect over the internet.
AnswerA

Lambda can connect to resources in a VPC via an Elastic Network Interface (ENI) in the same subnets.

Why this answer

Option B is correct because configuring the Lambda function to access the VPC allows it to use an ENI to connect to the RDS instance within the VPC. Option A is wrong because the database is not publicly accessible. Option C is wrong because VPC endpoints are for accessing AWS services, not RDS instances.

Option D is wrong because Network Load Balancer is not needed for direct database connections.

537
MCQmedium

A company has a centralized network account that hosts a transit gateway with attachments to multiple VPCs in different accounts. The security team needs to ensure that all traffic between VPCs is inspected by a centralized NGFW appliance in the network account. What is the MOST efficient solution?

A.Use AWS PrivateLink to route traffic through the NGFW.
B.Create a transit gateway with a route table that includes a blackhole route for inter-VPC traffic, and attach an inspection VPC with the NGFW.
C.Establish VPC peering connections between all VPCs and route traffic through the inspection VPC.
D.Set up AWS Direct Connect between all VPCs and the inspection VPC.
AnswerB

This forces all inter-VPC traffic to go through the inspection VPC.

Why this answer

Option B is correct because it uses a transit gateway with a centralized inspection VPC, which allows all inter-VPC traffic to be routed through the NGFW appliance. By attaching the inspection VPC to the transit gateway and configuring route tables with blackhole routes for direct inter-VPC traffic, traffic is forced to traverse the NGFW for inspection. This is the most efficient and scalable solution for centralized traffic inspection across multiple VPCs in different accounts.

Exam trap

The trap here is that candidates often assume VPC peering (Option C) can be used for transitive routing, but VPC peering does not support transitive routing, making it impossible to route traffic through an inspection VPC to other VPCs.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink is designed for private connectivity to services via Network Load Balancers, not for routing inter-VPC traffic through a centralized NGFW; it does not support transitive routing or traffic inspection between VPCs. Option C is wrong because VPC peering does not support transitive routing, so you cannot route traffic from one peered VPC through another VPC to reach a third VPC; this would require a full mesh of peering connections and complex route tables, which is inefficient and not scalable. Option D is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a solution for routing traffic between VPCs; it does not provide inter-VPC routing capabilities and would add unnecessary cost and complexity.

538
MCQmedium

A company uses a centralized logging account with an S3 bucket that receives VPC Flow Logs from multiple accounts. The logs must be encrypted at rest using a KMS key in the logging account. Which configuration is required to allow cross-account delivery of VPC Flow Logs?

A.Add a bucket policy on the logging account's S3 bucket granting the VPC Flow Logs service principal write access, and a KMS key policy granting the same principal encrypt/decrypt permissions.
B.Create an IAM role in the logging account that can be assumed by the VPC Flow Logs service.
C.Configure the source account's S3 bucket policy to allow VPC Flow Logs to write logs and replicate them to the logging account.
D.In the source account, create a KMS key and allow the logging account to use it for encryption.
AnswerA

The service principal is 'delivery.logs.amazonaws.com' and needs both bucket and key permissions.

Why this answer

Option A is correct because the S3 bucket policy must allow the VPC Flow Logs service principal to write objects, and the KMS key policy must allow the same service principal to use the key. Option B is wrong because the source account's KMS key would not be used; the logging account's key encrypts the bucket. Option C is wrong because VPC Flow Logs do not use IAM roles for cross-account delivery; they use the bucket policy.

Option D is wrong because the source account's bucket policy is irrelevant; the destination bucket is in the logging account.

539
Multi-Selecthard

A company runs a web application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer. The operations team notices that the ALB returns 503 errors during peak traffic. Which TWO actions should the solutions architect take to resolve this issue?

Select 2 answers
A.Increase the idle timeout on the ALB.
B.Enable ECS service Auto Scaling to automatically adjust the number of tasks.
C.Increase the deregistration delay on the target group.
D.Review the ECS service events for task failures or health check issues.
E.Increase the task memory allocation in the task definition.
AnswersB, D

Auto Scaling can add tasks to handle increased load.

Why this answer

Options B and D are correct. 503 errors from ALB indicate the target group has no healthy targets. Checking ECS service events (B) can reveal why tasks are unhealthy. Enabling ECS service Auto Scaling (D) will increase the number of tasks to handle traffic.

Option A is wrong because increasing ALB idle timeout does not affect health. Option C is wrong because increasing deregistration delay might help but is not a primary fix. Option E is wrong because increasing task memory might not solve the health issue if it's due to capacity.

540
MCQmedium

A company is designing a data lake on Amazon S3 for analytics. The data is ingested from multiple sources and must be encrypted at rest. The company requires the ability to audit access to the data lake and enforce fine-grained access control based on tags. Which solution should the company choose?

A.Use S3 bucket policies with condition keys for tags
B.Use S3 server-side encryption with customer-provided keys (SSE-C) and bucket policies
C.Use AWS Lake Formation with column-level permissions
D.Use S3 Object Lambda with AWS CloudTrail
AnswerD

S3 Object Lambda can implement tag-based access logic and CloudTrail provides auditing.

Why this answer

Option D is correct because S3 Object Lambda allows you to add custom code to S3 GET requests, enabling fine-grained access control based on tags by dynamically modifying the data returned. AWS CloudTrail provides the required audit trail by logging all API calls, including those to S3 Object Lambda, ensuring full auditability of access to the data lake.

Exam trap

The trap here is that candidates often assume AWS Lake Formation or S3 bucket policies alone can provide both fine-grained tag-based access control and auditing, but they overlook that S3 Object Lambda combined with CloudTrail is the only option that directly enables custom, tag-driven data transformations at read time with full audit logging.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies with condition keys for tags can enforce access control based on resource tags, but they do not provide the ability to audit access at the granularity required; CloudTrail is needed for auditing, and bucket policies alone cannot enforce column-level or tag-based fine-grained access control on the data content itself. Option B is wrong because SSE-C encrypts data at rest using customer-provided keys, but it does not provide any access control or auditing capabilities; bucket policies are separate and do not enable fine-grained tag-based access control or auditing. Option C is wrong because AWS Lake Formation with column-level permissions provides fine-grained access control at the table and column level, but it does not natively support tag-based access control on S3 objects and does not inherently provide auditing; CloudTrail would still be required for auditability, and Lake Formation is more suited for database-style permissions rather than S3 object tag-based policies.

541
MCQeasy

A company is designing a highly available web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to EC2 instances in an Auto Scaling group across multiple Availability Zones. The application state is stored in an Amazon ElastiCache for Redis cluster. The company wants to minimize downtime during patching of the Redis cluster. What should the company do?

A.Increase the Redis node type to handle the load and rely on the ElastiCache maintenance window.
B.Use a blue/green deployment strategy by creating a new Redis cluster and switching the application endpoint.
C.Deploy the Redis cluster with Multi-AZ and automatic failover enabled across two Availability Zones.
D.Deploy the Redis cluster as a single node in one Availability Zone and take regular snapshots.
AnswerC

Multi-AZ with automatic failover provides high availability during patching.

Why this answer

Option A is correct because deploying ElastiCache for Redis with Multi-AZ with automatic failover allows the cluster to continue operating during maintenance. Option B is wrong because a single node cluster will be unavailable during patching. Option C is wrong because ElastiCache does not support blue/green deployment.

Option D is wrong because increasing the node type does not eliminate downtime during patching.

542
MCQhard

A large enterprise has a multi-account AWS environment with over 200 accounts organized under AWS Organizations. The central platform team uses AWS CloudFormation StackSets to deploy a standard VPC with a CIDR of 10.0.0.0/16 into each account. Recently, a business unit created a new account that was not included in the StackSet deployment, and the team manually deployed the VPC using a CloudFormation template. Now, the central team wants to ensure that all accounts have exactly the same VPC configuration and that any drift is automatically corrected. The team also wants to prevent unauthorized changes to the VPC configuration. What is the MOST efficient and secure solution?

A.Create a custom Amazon EventBridge rule that catches VPC modification events and automatically re-deploys the CloudFormation stack.
B.Use AWS Service Catalog to create a VPC product and require all accounts to provision VPCs through the product.
C.Use AWS Config rules to detect VPC changes and trigger a Lambda function to revert them.
D.Enable drift detection on the StackSet and configure automatic stack drift remediation. Additionally, apply an SCP that denies ec2:CreateVpc, ec2:DeleteVpc, ec2:ModifyVpcAttribute, and similar actions unless they are performed by the StackSet's service role.
AnswerD

StackSets drift detection and SCPs provide automated correction and prevention.

Why this answer

Option C is correct because AWS CloudFormation StackSets with drift detection and automatic remediation can detect and correct any changes to the VPC stack across all accounts. SCPs can then deny changes to the VPC resources outside of StackSets, preventing unauthorized modifications. Option A is reactive and does not prevent drift.

Option B requires custom development and is less integrated. Option D is not integrated with StackSets and requires manual steps.

543
MCQeasy

A company has three EC2 instances as shown in the exhibit. The company wants to use an Application Load Balancer to distribute traffic across these instances with cross-zone load balancing enabled. How will the traffic be distributed?

A.Traffic is distributed evenly across the two availability zones.
B.Instances in us-east-1a receive 67% of traffic, us-east-1b receives 33%.
C.Each instance receives an equal share of traffic.
D.Traffic is sent to the instance with the least outstanding requests.
AnswerC

Cross-zone load balancing distributes traffic evenly across all instances.

Why this answer

With cross-zone load balancing enabled, the ALB distributes traffic evenly across all registered instances regardless of the availability zone. Each instance receives an equal share of traffic. Option B is correct.

Option A is wrong because that is without cross-zone. Option C is wrong because it's not per AZ. Option D is wrong because it's not sticky.

544
Multi-Selectmedium

A company is migrating a large number of files from on-premises to Amazon S3. The files are in a network-attached storage (NAS) system with a 1 Gbps connection to the internet. The company has a 2-week deadline to complete the migration. Which TWO services should the company use to accelerate the migration? (Choose TWO.)

Select 2 answers
A.AWS DataSync
B.AWS Transfer Family
C.AWS Snowball Edge
D.AWS Database Migration Service
E.AWS Direct Connect
AnswersA, C

DataSync can accelerate online transfers over the network.

Why this answer

Option A (AWS Snowball Edge) is correct for large data transfers over slow networks. Option D (AWS DataSync) is correct for accelerating online transfers. Option B is wrong because AWS Direct Connect requires time to provision.

Option C is wrong because AWS Database Migration Service is for databases. Option E is wrong because AWS Transfer Family is for file transfer protocols, not acceleration.

545
MCQhard

A security engineer created the S3 bucket policy shown in the exhibit. The policy is intended to allow the role MyAppRole to get objects only if they are encrypted with SSE-S3. However, the role is getting access denied errors when trying to get objects that are encrypted with SSE-S3. What is the most likely cause?

A.The Principal is incorrect; it should be the role name, not ARN.
B.The Resource ARN is incorrect; it should be 'arn:aws:s3:::my-bucket'.
C.The condition key is misspelled.
D.The condition key 's3:x-amz-server-side-encryption' checks the request header, not the object's encryption state.
AnswerD

The condition evaluates the request header, which may not be set when getting an already encrypted object.

Why this answer

Option A is correct. The s3:x-amz-server-side-encryption condition key is a request header, not a property of the object. SSE-S3 encryption is applied by default, but the condition checks for the request header, which is not present when the object is already encrypted server-side.

Option B is wrong because the resource is correct. Option C is wrong because the condition key is valid. Option D is wrong because the role ARN is correctly specified.

546
Multi-Selecteasy

A company is designing a new microservices architecture on Amazon ECS with Fargate. The company wants to ensure that services can discover each other using DNS names. Which THREE components are required?

Select 3 answers
A.AWS Cloud Map
B.Network Load Balancer (NLB)
C.Amazon ECS Service Connect
D.Amazon Route 53
E.Application Load Balancer (ALB)
AnswersA, D, E

Cloud Map registers service instances with DNS names.

Why this answer

Options A, C, and E are correct. An Application Load Balancer provides DNS names for services. AWS Cloud Map enables service discovery with custom DNS names.

Amazon Route 53 can be used to register custom domain names. Option B is wrong because Amazon ECS Service Connect is a feature for service discovery but is not required; it can be used instead of Cloud Map. Option D is wrong because Network Load Balancer is not required for DNS-based discovery.

547
Multi-Selecteasy

A company is designing a new web application that will be deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). The application must be highly available and fault-tolerant across multiple Availability Zones. Which THREE actions should the company take to meet these requirements? (Choose three.)

Select 3 answers
A.Launch EC2 instances in an Auto Scaling group across multiple Availability Zones.
B.Use a larger EC2 instance type to handle failures.
C.Configure health checks on the ALB target group to automatically replace unhealthy instances.
D.Configure the ALB to route traffic to instances in multiple Availability Zones.
E.Use a single Availability Zone to reduce latency.
AnswersA, C, D

Provides fault tolerance across AZs.

Why this answer

Options A, D, and E are correct. Using an Auto Scaling group across multiple AZs, an ALB that distributes traffic across AZs, and health checks to replace unhealthy instances ensure high availability and fault tolerance. Option B is wrong because single AZ is not fault-tolerant.

Option C is wrong because a larger instance type does not provide fault tolerance.

548
MCQhard

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles that grant cross-account access to a central security account. The solution must scale as new accounts are added. What should the team do?

A.Use a service control policy (SCP) to enforce the creation of the role.
B.Manually create the same IAM role in each account with a trust policy pointing to the security account.
C.Use IAM groups in the security account and grant permissions to the groups.
D.Use AWS CloudFormation StackSets to deploy the IAM role to all accounts, and enable AWS Organizations trusted access for the role.
AnswerD

StackSets automate deployment across accounts and trusted access simplifies cross-account roles.

Why this answer

Option D is correct because AWS Organizations can automatically create roles via CloudFormation StackSets or AWS CloudFormation in each account, and using a trusted access role simplifies management. Option A is wrong because manual creation does not scale. Option B is wrong because IAM groups are not cross-account.

Option C is wrong because SCPs do not create roles.

549
Multi-Selecthard

A company is designing a multi-account strategy for its development teams. Each team needs to have its own isolated environment with VPCs, subnets, and security groups. The company wants to centralize network administration and ensure that all VPCs use a common set of security rules. Which THREE steps should the company take? (Choose THREE.)

Select 3 answers
A.Allow each team to create their own VPCs and use VPC Peering to connect them.
B.Deploy a centralized inspection VPC with AWS Network Firewall and use Transit Gateway to route traffic.
C.Create a dedicated network account and use AWS Resource Access Manager to share subnets with other accounts.
D.Use AWS CloudFormation StackSets to deploy identical VPCs to each account.
E.Use AWS Firewall Manager to apply common security group rules across all accounts.
AnswersB, C, E

This allows central inspection and control of traffic between VPCs.

Why this answer

Option B is correct because deploying a centralized inspection VPC with AWS Network Firewall and using Transit Gateway to route traffic allows the company to centralize network administration and enforce common security rules across all VPCs. Transit Gateway acts as a hub for inter-VPC and on-premises connectivity, while AWS Network Firewall provides stateful inspection and filtering for all traffic passing through the hub, meeting the requirement for a common set of security rules.

Exam trap

The trap here is that candidates may confuse AWS CloudFormation StackSets (which only automates resource deployment) with centralized security enforcement, overlooking the need for a hub-and-spoke architecture with a centralized inspection point like AWS Network Firewall and Transit Gateway.

550
MCQhard

A company uses AWS CodePipeline to deploy a microservices application to Amazon ECS. Recently, a deployment failed because the new task definition referenced an ECR image that did not exist. The team wants to prevent this type of failure in the future. Which action should be taken?

A.Configure ECR scan on push to verify image integrity.
B.Add an ECR lifecycle policy to expire old images.
C.Add a validation step in CodePipeline to run a task definition dry-run.
D.Enable AWS CloudTrail to log ECR API calls.
AnswerC

Dry-run validates that the image exists and the task definition is valid before deployment.

Why this answer

Option D is correct because running a task definition dry-run in CodePipeline can validate the image existence before deployment. Option A is wrong because ECR lifecycle policies manage images, not validate deployment. Option B is wrong because CloudTrail logs events but does not prevent failures.

Option C is wrong because ECR scan on push only scans for vulnerabilities, not image existence.

551
MCQhard

A company has a multi-account environment with over 500 accounts. They need to enforce that all EC2 instances are launched only in approved instance families (e.g., t3, m5, c5). Which combination of AWS services provides the MOST scalable and effective enforcement?

A.Use a service control policy (SCP) to deny ec2:RunInstances if the instance type is not in the approved list, and use AWS CloudFormation hooks to enforce the same.
B.Use AWS CloudTrail to trigger an AWS Lambda function that terminates non-compliant instances.
C.Use AWS Systems Manager to scan instances and apply a tag for non-compliance.
D.Use AWS Config rules to detect non-compliant instances and automatically terminate them.
AnswerA

Preventive at the API level and works for CloudFormation deployments.

Why this answer

Option D is correct because SCPs deny non-compliant API calls, and CloudFormation hooks prevent non-compliant stacks. Option A is wrong because Config is detective, not preventive. Option B is wrong because Lambda triggered by CloudTrail is reactive.

Option C is wrong because Systems Manager is not for enforcement at launch time.

552
MCQmedium

A company is designing a new serverless application using AWS Lambda to process high-resolution images uploaded to Amazon S3. Each image can be up to 500 MB. The processing must complete within 5 minutes. What is the MOST cost-effective and scalable design to meet these requirements?

A.Use S3 event notifications to send the image to an Amazon SQS queue, then process it with a Lambda function.
B.Use AWS Fargate to run a containerized image processing service triggered by S3 event notifications.
C.Configure S3 event notifications to invoke a Lambda function that processes the image in memory and writes the result to another S3 bucket.
D.Use AWS Step Functions to orchestrate a Lambda function and an EC2 instance for processing.
AnswerC

Lambda can handle up to 10 GB of memory and 15-minute timeout, suitable for 500 MB images. Direct S3 trigger is simple and cost-effective.

Why this answer

Option A is correct because Lambda can directly process images up to 500 MB with a maximum execution time of 15 minutes, and S3 event notifications trigger Lambda directly. Option B is wrong because Fargate adds complexity and cost for simple processing. Option C is wrong because SQS adds latency and cost without benefit.

Option D is wrong because Step Functions adds orchestration overhead.

553
Multi-Selectmedium

Which TWO AWS services can be used to implement a centralized logging solution across multiple AWS accounts?

Select 2 answers
A.Amazon CloudWatch Logs with cross-account log groups.
B.Amazon SQS.
C.Amazon S3 with a centralized bucket and appropriate bucket policies.
D.AWS CloudFormation.
E.Amazon Kinesis Data Firehose.
AnswersA, C

CloudWatch Logs can aggregate logs from multiple accounts.

Why this answer

Options A and D are correct. Option A: CloudWatch Logs can aggregate logs from multiple accounts using cross-account subscriptions. Option D: Amazon S3 can serve as a central log destination for CloudTrail and other logs.

Option B is wrong because Kinesis is for streaming, not central log storage. Option C is wrong because CloudFormation is for infrastructure as code. Option E is wrong because SQS is for messaging.

554
MCQeasy

A company is designing a cost-effective solution to store and serve large media files (e.g., videos) to users globally. The files are frequently accessed initially but become rarely accessed after 30 days. The company needs millisecond retrieval for the first 30 days and can tolerate retrieval times of minutes after that. What storage solution should the company use?

A.Amazon S3 Standard for all files, with lifecycle policy to delete after 30 days.
B.Amazon S3 Standard-IA for first 30 days, then transition to S3 Glacier Flexible Retrieval.
C.Amazon S3 Intelligent-Tiering with automatic tiering.
D.Amazon S3 Glacier Instant Retrieval for all files.
AnswerB

Standard-IA provides low cost with millisecond retrieval; Glacier is cheap for archival.

Why this answer

Option B is correct because S3 Standard-IA is cost-effective for infrequent access but still provides millisecond retrieval for the first 30 days, and transition to Glacier after 30 days. Option A is too expensive. Option C provides millisecond retrieval but is expensive.

Option D is for archival only.

555
MCQeasy

A company is migrating workloads to AWS using AWS Application Migration Service (AWS MGN). The source servers are running on VMware vSphere. After installing the AWS Replication Agent on the source servers, the migration waves are set up. However, during a test cutover, the test instance fails to launch with an error 'Insufficient IP address space in the target VPC'. What is the most likely cause?

A.The replication settings specify a subnet with an incorrect CIDR block
B.The IAM role for AWS MGN does not have permissions to create network interfaces
C.The target VPC subnet does not have enough available IP addresses
D.The AWS MGN service is not enabled in the target AWS Region
AnswerC

The test instance requires an available IP in the target subnet; insufficient IPs cause launch failure.

Why this answer

Option B is correct: AWS MGN creates instances with IPs from the target VPC subnet; insufficient IPs cause launch failure. Option A (replication settings) affect data replication, not launch. Option C (IAM permissions) typically cause access denied, not IP error.

Option D (license agreement) would show different errors.

556
MCQhard

A company is migrating a legacy PHP application running on a single on-premises server to AWS. The application stores session data locally on the server's filesystem. The company wants to achieve high availability and elasticity for the application on AWS. What should the company do to handle session state in the new architecture?

A.Configure an Application Load Balancer with sticky sessions enabled
B.Store session data in Amazon ElastiCache for Redis
C.Use Amazon EFS to share the session files across multiple EC2 instances
D.Refactor the application to use Amazon Cognito for session management
AnswerB

Correct. ElastiCache provides a centralized, fast session store for distributed applications.

Why this answer

Using ElastiCache for session storage decouples session state from individual servers, allowing the application to scale horizontally. Sticky sessions with an ALB ties a user to a specific instance, which reduces availability if that instance fails. Storing sessions on EFS is possible but slower than ElastiCache.

Re-architecting to use Cognito is unnecessary for session state.

557
MCQeasy

A company runs a critical application on EC2 instances in an Auto Scaling group. They want to be notified immediately if any instance fails a status check. What is the simplest solution?

A.Configure an ELB health check and monitor the unhealthy host count.
B.Use AWS Systems Manager Automation to check instance status periodically.
C.Create a CloudWatch alarm on the StatusCheckFailed metric with an SNS action.
D.Enable AWS CloudTrail and create a metric filter for EC2 instance failures.
AnswerC

StatusCheckFailed metric is available and can trigger alarms.

Why this answer

CloudWatch alarms can monitor EC2 status check metrics and trigger an SNS notification. Option B is correct. Option A uses CloudTrail for API calls, not status checks.

Option C is for load balancer target health. Option D uses SSM, which is not real-time for status checks.

558
MCQmedium

A company runs a production AWS Lambda function that processes orders. Recently, the function has been timing out occasionally. The function uses a VPC with a single private subnet and has a timeout of 30 seconds. What is the MOST likely cause of the timeout?

A.The function is experiencing cold starts due to high concurrency.
B.The function is hitting the maximum concurrent execution limit.
C.The function needs to be attached to a public subnet.
D.The function does not have a NAT gateway or VPC endpoints to access external resources.
AnswerD

Lambda in a VPC needs a route to the internet for external calls, otherwise requests hang.

Why this answer

Option A is correct because Lambda functions in a VPC require a NAT gateway or VPC endpoints to access external services; without it, they cannot reach the internet, causing timeouts. Option C is wrong because Lambda automatically scales. Option D is wrong because the function already has a VPC configuration.

Option B is wrong because concurrent executions do not cause timeouts.

559
MCQhard

A company is deploying a web application on AWS Elastic Beanstalk. The application must be accessible over HTTPS only and must automatically redirect HTTP requests to HTTPS. The SSL/TLS certificate is provided by AWS Certificate Manager (ACM). How should this be configured?

A.Use a NAT instance to perform SSL termination and redirect.
B.Install the certificate on each EC2 instance and configure the web server to redirect HTTP to HTTPS.
C.Configure the environment’s load balancer to listen on port 443 with the ACM certificate and port 80 with a redirect rule.
D.Deploy a CloudFront distribution with the ACM certificate and redirect HTTP to HTTPS at the distribution level.
AnswerC

The load balancer can terminate HTTPS and redirect HTTP to HTTPS.

Why this answer

Option C is correct because Elastic Beanstalk environments using a load balancer (ALB or CLB) can be configured to listen on port 443 with the ACM certificate for HTTPS termination, and simultaneously define a listener on port 80 with a redirect action that sends HTTP traffic to HTTPS. This is the simplest and most scalable approach, as it offloads SSL termination and redirection to the load balancer, eliminating the need to manage certificates or redirection logic on individual instances.

Exam trap

The trap here is that candidates often assume SSL termination must happen on the EC2 instances (Option B) or that a separate service like CloudFront (Option D) is required, when in fact the Elastic Beanstalk load balancer can natively handle both HTTPS termination and HTTP-to-HTTPS redirection with minimal configuration.

How to eliminate wrong answers

Option A is wrong because a NAT instance is used for outbound traffic from private subnets, not for SSL termination or HTTP-to-HTTPS redirection; it does not support load balancing or certificate management. Option B is wrong because installing the certificate on each EC2 instance and configuring the web server to redirect HTTP to HTTPS is inefficient, requires manual certificate renewal, and does not leverage Elastic Beanstalk's managed load balancer for centralized SSL termination. Option D is wrong because while CloudFront can redirect HTTP to HTTPS, it adds unnecessary complexity and cost for a simple single-region web app; the question specifically asks about configuring the Elastic Beanstalk environment, not an external CDN.

560
Multi-Selecthard

A company has multiple AWS accounts and wants to ensure that all resources are tagged with a cost center tag. Which THREE steps should they take to enforce this?

Select 3 answers
A.Use AWS Organizations to define a tag policy that mandates the cost center tag.
B.Use AWS Config rules to detect untagged resources and trigger a Lambda function to add the tag.
C.Use AWS CloudFormation templates that enforce tagging and use StackSets to deploy across accounts.
D.Create a service control policy (SCP) that denies resource creation if the required tag is not present, for supported services.
E.Enable AWS Cost Explorer to report on untagged resources.
AnswersA, C, D

Tag policies can enforce tags on resources during creation and prevent non-compliant resource creation.

Why this answer

Option A is correct because AWS Organizations tag policies allow you to define rules for tagging resources across accounts in your organization. By specifying the cost center tag as mandatory in a tag policy, you can enforce that all resources must have this tag, and any non-compliant resources can be reported or prevented from being created, depending on the policy's enforcement mode.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like tag policies or SCPs), and may select option B thinking it enforces tagging, when it only remediates after the fact.

561
MCQeasy

A company is modernizing a legacy application by breaking it into microservices. The application has a complex set of dependencies and requires gradual migration. Which design pattern should the company use?

A.Blue/Green deployment pattern
B.Saga pattern
C.Strangler Fig pattern
D.Circuit Breaker pattern
AnswerC

Strangler Fig allows gradually replacing monolith components with microservices.

Why this answer

B is correct because Strangler Fig pattern allows incremental replacement of functionality. A is wrong because Blue/Green is a deployment strategy. C is wrong because Circuit Breaker is for fault tolerance.

D is wrong because Saga is for distributed transactions.

562
MCQhard

A company runs a critical database on an RDS for MySQL Multi-AZ DB instance. The database is experiencing high read latency. The application is read-heavy and uses many complex joins. The company needs to improve read performance with minimal application changes. Which solution is MOST appropriate?

A.Migrate the database to Amazon DynamoDB Global Tables.
B.Create one or more RDS read replicas and direct read queries to the replica endpoint.
C.Implement Amazon ElastiCache in front of the database to cache query results.
D.Increase the DB instance class to a larger size with more vCPUs.
AnswerB

Offloads reads, minimal changes.

Why this answer

Option C is correct because setting up RDS read replicas offloads read traffic from the primary instance, and can be done with zero application changes if the application uses a separate endpoint. Option A is wrong because increasing instance size is a vertical scaling approach but may not help with complex joins. Option B is wrong because ElastiCache requires application code changes.

Option D is wrong because DynamoDB is a different database and would require significant application rework.

563
MCQeasy

A company is migrating a critical application to AWS and needs to ensure business continuity during the migration. The application must remain available with minimal downtime. Which AWS service should be used to replicate data continuously?

A.AWS Direct Connect
B.AWS Database Migration Service (DMS) with ongoing replication
C.Amazon S3 Transfer Acceleration
D.AWS Snowball Edge
AnswerB

DMS supports continuous replication to minimize downtime.

Why this answer

Option B is correct because AWS DMS with ongoing replication can keep source and target in sync with minimal downtime. Option A is wrong because S3 Transfer Acceleration is for faster uploads, not replication. Option C is wrong because Snowball is for offline data transfer.

Option D is wrong because Direct Connect is a network connection, not a replication service.

564
MCQmedium

A company has a multi-account AWS environment with a central logging account. All VPC Flow Logs are published to a central S3 bucket in the logging account. The security team needs to analyze these logs using Amazon Athena, but they want to minimize costs by reducing the amount of data scanned. Which partitioning strategy is MOST effective?

A.Partition by region and date.
B.Partition by account ID only.
C.Partition by account ID and region.
D.Partition by date and account ID.
AnswerD

Common queries filter by date range and account, so this minimizes scanned data.

Why this answer

Option C is correct because the most common query filters are by account and date, so partitioning by date and account ID reduces scans. Option A is wrong because it does not include date, which is a common filter. Option B is wrong because it only includes account ID, missing date.

Option D is wrong because region is less selective than account.

565
MCQhard

A company is designing a new multi-region application that requires a global database with low-latency reads and writes. The application must be able to survive a regional outage. Which database solution should they choose?

A.Amazon RDS Multi-AZ
B.Amazon ElastiCache for Redis global datastore
C.Amazon DynamoDB global tables
D.Amazon Aurora Global Database
AnswerD

Aurora Global Database supports cross-region reads and writes with low latency and automatic failover.

Why this answer

Option C is correct because Aurora Global Database provides low-latency reads and writes across regions with automatic failover. Option A is wrong because DynamoDB global tables are multi-region but do not support cross-region writes with the same consistency. Option B is wrong because RDS Multi-AZ is single-region.

Option D is wrong because ElastiCache is a cache, not a primary database.

566
MCQmedium

A company uses Amazon DynamoDB as a data store for a mobile application. The application experiences throttling errors during peak hours. The table has a provisioned read capacity of 5000 RCUs and write capacity of 2000 WCUs. The throttling is on writes. What is the MOST cost-effective solution?

A.Enable DynamoDB Accelerator (DAX) to offload writes.
B.Switch to on-demand capacity mode.
C.Increase write capacity to 4000 WCUs.
D.Enable auto scaling for DynamoDB write capacity.
AnswerD

Auto scaling adjusts capacity based on traffic, reducing throttling and cost.

Why this answer

DynamoDB Accelerator (DAX) is a read cache, not for writes. The most cost-effective solution is to use DynamoDB auto scaling for writes to handle peak loads without over-provisioning.

567
Multi-Selectmedium

A company uses AWS Organizations and wants to implement a least-privilege model for IAM roles. The security team needs to ensure that no IAM role can be created without an approval workflow. Which THREE steps should the company take?

Select 3 answers
A.Create an AWS Lambda function that is triggered by CloudTrail events to automatically tag approved roles.
B.Use a service control policy (SCP) to deny iam:CreateRole unless a specific tag (e.g., 'Approved') is present.
C.Use AWS CloudFormation StackSets to deploy IAM roles across accounts.
D.Enable AWS CloudTrail to log all IAM role creation events.
E.Use AWS Config rules to detect roles without the 'Approved' tag and mark them as non-compliant.
AnswersA, B, E

Automates tagging after approval.

Why this answer

Options A, C, and D are correct. Option B is wrong because CloudTrail is logging, not preventive. Option E is wrong because SCPs cannot enforce approval workflows.

568
Multi-Selecteasy

A company is migrating its on-premises file server to AWS. The file server contains 5 TB of data and is accessed by hundreds of users. The company wants a fully managed file storage solution that supports SMB protocol. Which TWO AWS services should the architect consider?

Select 2 answers
A.Amazon FSx for Windows File Server
B.Amazon FSx for Lustre
C.AWS Storage Gateway File Gateway
D.Amazon S3
E.Amazon Elastic File System (Amazon EFS)
AnswersA, C

FSx for Windows File Server is fully managed and supports SMB.

Why this answer

Amazon FSx for Windows File Server provides fully managed Windows file shares with SMB support. Amazon EFS supports NFS, not SMB. Amazon S3 is object storage, not file storage.

AWS Storage Gateway File Gateway provides SMB file shares but is not fully managed (requires gateway appliance). Amazon FSx for Lustre is for high-performance computing, not SMB.

569
MCQeasy

A company needs to store configuration data for multiple applications in a centralized, secure, and versioned manner. The configuration must be encrypted at rest and automatically rotated. Which AWS service should they use?

A.AWS CloudFormation
B.AWS Secrets Manager
C.AWS AppConfig
D.AWS Systems Manager Parameter Store
AnswerC

AppConfig supports versioned configuration, encryption, and automatic rotation.

Why this answer

Option B is correct because AWS AppConfig supports versioned configuration, encryption, and automatic rotation. Option A (SSM Parameter Store) can store config but doesn't support automatic rotation. Option C (Secrets Manager) is for secrets, not config.

Option D (CloudFormation) is for infrastructure as code.

570
Multi-Selecthard

A company is migrating a legacy Java application to AWS. The application currently runs on a single on-premises server and uses a MySQL database. The company wants to modernize the application by decoupling components and improving scalability. Which THREE steps should the architect include in the migration plan?

Select 3 answers
A.Rewrite the application to use a NoSQL database in a single migration step
B.Place an Application Load Balancer in front of the application
C.Refactor the application into microservices and deploy on Amazon ECS with Fargate
D.Deploy the application on a single larger EC2 instance
E.Migrate the database to Amazon RDS for MySQL
AnswersB, C, E

ALB enables traffic distribution and health checks for scalability.

Why this answer

Moving the database to RDS for MySQL reduces management overhead. Using an ALB to distribute traffic improves scalability. Containerizing the application on ECS/Fargate allows decoupling and auto-scaling.

Single large EC2 instance does not improve scalability. Refactoring to microservices in one step is too risky.

571
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. A Solutions Architect needs to update a stack that includes an RDS DB instance. The update requires modifying the DB instance's storage type from gp2 to io1. What change should be made to the CloudFormation template to minimize downtime?

A.Modify the StorageType property in the CloudFormation template and perform a stack update.
B.Add an UpdateReplacePolicy attribute to the RDS resource.
C.Create a new stack with the updated storage type and migrate data.
D.Set the DeletionPolicy to Retain for the RDS resource.
AnswerA

Changing StorageType from gp2 to io1 is a supported modification that can be done without replacement, minimizing downtime.

Why this answer

Option B is correct because specifying 'UpdateReplacePolicy' does not exist; the correct approach is to allow modification of storage type without replacement. Option A is wrong because creating a new stack is unnecessary. Option C is wrong because DeletionPolicy affects stack deletion, not updates.

Option D is correct because changing the 'StorageType' property in the template will trigger a modification that can be done online with minimal downtime.

572
Multi-Selecthard

A company is designing a new disaster recovery solution for a critical application running on Amazon EC2. They need to replicate data across AWS Regions with a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. Which THREE actions should they take to meet these objectives?

Select 3 answers
A.Manually create and copy AMIs to the secondary region weekly
B.Create a CloudFormation template to provision the infrastructure in the secondary region
C.Use AWS Backup to automate cross-region EBS snapshot copies
D.Enable cross-region replication on the Amazon S3 buckets containing application data
E.Configure the EC2 instances in a Multi-AZ Auto Scaling group
AnswersB, C, D

CloudFormation allows rapid deployment of infrastructure in the DR region.

Why this answer

Option B is correct because AWS CloudFormation templates enable infrastructure-as-code, allowing rapid and consistent provisioning of the secondary region environment. This automation is essential to meet the 1-hour RTO, as it eliminates manual setup and reduces recovery time to minutes by deploying pre-defined stacks.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which provides high availability within a single Region) with cross-region disaster recovery, leading them to incorrectly select Option E despite it not addressing regional isolation.

573
MCQeasy

Refer to the exhibit. A company deploys this CloudFormation template. After deployment, they enable S3 Transfer Acceleration on the bucket. Later, they update the stack. What happens to the Transfer Acceleration setting?

A.CloudFormation enables Transfer Acceleration because it is a best practice.
B.The update fails because of a conflict between the template and the manual change.
C.CloudFormation removes the Transfer Acceleration setting because it is not defined in the template.
D.The Transfer Acceleration setting remains unchanged after the update.
AnswerD

Manual changes persist unless the template manages that property.

Why this answer

Option D is correct. CloudFormation drift detection does not automatically revert manual changes. The Transfer Acceleration setting is a property of the bucket; if not defined in the template, CloudFormation may not manage it, but typically manual changes are not overwritten unless the template explicitly defines them.

However, best practice is to define all settings in the template to avoid drift. Option A is wrong because CloudFormation does not automatically disable it. Option B is wrong because CloudFormation does not automatically enable it.

Option C is wrong because updates do not reset to default.

574
MCQmedium

A company has a production AWS Lambda function that processes orders. The function's execution time has increased, causing timeouts. The team wants to troubleshoot without affecting production traffic. What should they do?

A.Enable detailed CloudWatch Logs for the production function and analyze them.
B.Create a new Lambda function with a different name to test the code changes.
C.Use a Lambda alias to route a percentage of traffic to a new version with increased timeout.
D.Increase the timeout of the production Lambda function temporarily.
AnswerB

A separate function isolates testing from production.

Why this answer

Option B is correct because creating a separate Lambda function with the same code but a different name allows testing and debugging without impacting the production function. Option A is wrong because version aliases can route traffic but still affect production. Option C is wrong because CloudWatch Logs will show the production function's logs.

Option D is wrong because changing the timeout directly on the production function could break the SLA.

575
MCQmedium

A company wants to implement a centralized logging solution for all VPCs in their AWS Organization. They need to capture VPC Flow Logs, AWS CloudTrail logs, and DNS logs, and store them in a central Amazon S3 bucket. The logs must be encrypted with a customer-managed KMS key. Which solution meets these requirements with the least operational overhead?

A.Create an S3 bucket in the central account with KMS encryption. Configure each account to send logs to that bucket using cross-account permissions.
B.Create separate S3 buckets for each log type in the central account and configure KMS encryption. Use AWS Glue to crawl and catalog the logs.
C.Use the AWS Centralized Logging with OpenSearch Service solution, which sets up the necessary infrastructure to collect and store logs from multiple accounts in a central S3 bucket with KMS encryption.
D.Use Amazon S3 with default encryption and enable S3 Cross-Region Replication to a central bucket.
AnswerC

Automated solution reduces operational overhead.

Why this answer

Option C is correct because the AWS Centralized Logging with OpenSearch Service solution is a purpose-built, AWS-managed solution that automates the deployment of the necessary infrastructure to collect, centralize, and store VPC Flow Logs, CloudTrail logs, and DNS logs from multiple accounts into a central S3 bucket with customer-managed KMS encryption. This approach minimizes operational overhead by handling cross-account log collection, S3 bucket configuration, and KMS key integration out of the box, eliminating the need for manual setup and maintenance.

Exam trap

The trap here is that candidates often overestimate the simplicity of manual cross-account log delivery (Option A) or confuse AWS Glue's cataloging capabilities with log collection, while underestimating the operational overhead of building and maintaining such a solution from scratch versus using a purpose-built, managed solution like AWS Centralized Logging with OpenSearch Service.

How to eliminate wrong answers

Option A is wrong because while cross-account permissions can send logs to a central bucket, this approach requires manually configuring each account's log delivery (e.g., VPC Flow Logs, CloudTrail, DNS logs) and managing cross-account KMS key policies, which introduces significant operational overhead and does not provide a centralized, automated solution. Option B is wrong because creating separate S3 buckets for each log type and using AWS Glue to crawl and catalog logs adds unnecessary complexity and cost; Glue is for data cataloging and ETL, not for log collection or cross-account aggregation, and this approach does not address the requirement to capture logs from multiple accounts. Option D is wrong because S3 default encryption uses SSE-S3, not a customer-managed KMS key, and S3 Cross-Region Replication only replicates objects after they are stored, it does not capture logs from multiple accounts or handle the initial log delivery from various AWS services.

576
MCQmedium

A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce that all newly created accounts automatically have a specific set of security controls, including AWS Config rules and an AWS CloudTrail trail. Which solution meets these requirements with the LEAST operational overhead?

A.Use AWS Config conformance packs to deploy rules across accounts.
B.Use AWS Lambda functions triggered by AWS CloudTrail events to create a new stack in each new account.
C.Use AWS Organizations with AWS CloudFormation StackSets to automatically deploy the security stack to new accounts.
D.Use AWS Service Catalog to create a portfolio that includes the security stack and grant access to new accounts.
AnswerC

StackSets automatically deploy stacks to specified accounts and regions, including new accounts added to the organization.

Why this answer

Option B is correct because AWS Organizations can be used with AWS CloudFormation StackSets to automatically deploy and manage security configurations across accounts. Option A is wrong because custom scripts require ongoing maintenance. Option C is wrong because Service Catalog requires user action to provision.

Option D is wrong because AWS Config conformance packs do not automatically apply to new accounts without additional setup.

577
MCQmedium

A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?

A.Use AWS CloudFormation StackSets with a stack that includes an AWS::GuardDuty::Detector resource, and apply it to the organization root OU.
B.Use AWS Service Catalog to publish a GuardDuty product and require account owners to launch it.
C.Use an SCP that denies guardduty:DeleteDetector and guardduty:UpdateDetector actions, then have each account administrator manually enable GuardDuty.
D.Use AWS Config rules to detect accounts without GuardDuty enabled and trigger a Lambda function to enable it.
AnswerA

Correct: StackSets automate deployment across accounts; the resource creates the detector.

Why this answer

Option A is correct because AWS CloudFormation StackSets can be applied to the organization root OU, automatically deploying an AWS::GuardDuty::Detector resource to every account in the organization as new accounts are created. This approach requires no manual intervention per account, and StackSets handle the lifecycle of the detector across all enabled Regions with minimal operational overhead.

Exam trap

The trap here is that candidates often choose the Config + Lambda option (D) thinking it is fully automated, but they overlook that it is reactive and incurs ongoing evaluation costs, whereas StackSets provide a proactive, single-deployment solution with lower operational overhead.

How to eliminate wrong answers

Option B is wrong because AWS Service Catalog requires account owners to manually launch the product, which does not meet the requirement for automatic enabling and adds operational overhead. Option C is wrong because an SCP that denies delete and update actions does not enable GuardDuty; it only prevents modifications after manual enabling, which still requires manual action per account. Option D is wrong because AWS Config rules and Lambda functions are reactive (detect and remediate after the fact) and incur additional complexity and cost compared to a proactive, declarative StackSets deployment.

578
MCQeasy

A company has deployed a web application behind an Application Load Balancer (ALB) with an Auto Scaling group. Users report that the application is slow during peak hours. The CPU utilization of the EC2 instances is consistently below 40%, but the ALB's request count per target is high. Which action would MOST improve performance?

A.Increase the instance size (e.g., from t3.medium to t3.large)
B.Increase the desired capacity of the Auto Scaling group
C.Configure the Auto Scaling group to scale based on CPU utilization
D.Change the ALB routing algorithm to least outstanding requests
AnswerB

Adding more instances reduces request count per target.

Why this answer

Option C is correct because high request count per target with low CPU suggests the application is I/O bound or waiting on external calls; adding more instances will distribute the load and reduce queueing. Option A is wrong because increasing instance size may not help if the bottleneck is not CPU. Option B is wrong because scaling based on CPU would not trigger since CPU is low.

Option D is wrong because changing the ALB routing algorithm to least outstanding requests could help but adding more instances is more direct.

579
MCQmedium

A company manages multiple AWS accounts and wants to centralize billing and cost tracking. They have enabled AWS Organizations and consolidated billing. Which additional step should they take to gain granular visibility into costs per department?

A.Enable AWS Cost Explorer and use default groupings
B.Create AWS Budgets for each department
C.Implement cost allocation tags for resources and use AWS Cost Explorer to filter by tags
D.Use the consolidated billing feature to view costs per account
AnswerC

Tags enable granular cost tracking by department.

Why this answer

Option C is correct because cost allocation tags allow you to tag AWS resources with department-specific metadata (e.g., 'Department: Engineering'). Once enabled and activated in the Billing and Cost Management console, AWS Cost Explorer can filter and group costs by these tags, providing granular visibility into per-department spending across multiple accounts in an AWS Organization. This approach directly addresses the need for department-level cost tracking beyond the account-level view provided by consolidated billing.

Exam trap

The trap here is that candidates often confuse the account-level aggregation of consolidated billing (Option D) with the resource-level granularity needed for department tracking, or they assume AWS Budgets (Option B) provide visibility rather than just alerts.

How to eliminate wrong answers

Option A is wrong because AWS Cost Explorer's default groupings (e.g., by service or linked account) do not provide department-level granularity unless custom tags or cost categories are used; relying on default groupings alone cannot break down costs by department. Option B is wrong because AWS Budgets are used to set spending thresholds and send alerts, not to provide granular visibility into historical or current cost breakdowns by department; they are a cost control mechanism, not a reporting or analysis tool. Option D is wrong because the consolidated billing feature aggregates costs at the account level, not at the department level; it cannot distinguish costs for resources within a single account that belong to different departments.

580
MCQhard

A company has attached the above bucket policy to an S3 bucket. The bucket is accessed by an application running on an EC2 instance in the same AWS account. The EC2 instance is in a private subnet and uses an S3 Gateway Endpoint (vpce-12345678) to access the bucket. The application is failing to get objects from the bucket. What is the most likely cause?

A.The application is not using the VPC endpoint
B.The bucket policy does not allow encryption in transit
C.The application is using HTTP instead of HTTPS
D.The application is missing the required x-amz-server-side-encryption header
AnswerC

The Deny statement blocks requests without SecureTransport, i.e., HTTP. The application may be using HTTP.

Why this answer

Option C is correct because the bucket policy likely includes a condition that denies requests not using HTTPS (i.e., `aws:SecureTransport`: false). The application is failing because it is using HTTP instead of HTTPS to access the S3 bucket, which violates the encryption-in-transit requirement enforced by the policy. Without HTTPS, the request is denied by the S3 service.

Exam trap

The trap here is that candidates often confuse encryption in transit (HTTPS) with encryption at rest (SSE headers) or assume that using a VPC Gateway Endpoint automatically secures the connection, when in fact the bucket policy's `aws:SecureTransport` condition independently enforces HTTPS.

How to eliminate wrong answers

Option A is wrong because the application is in a private subnet and uses an S3 Gateway Endpoint (vpce-12345678), which is explicitly specified in the bucket policy's `aws:SourceVpce` condition; the policy allows access from that endpoint, so the endpoint is being used. Option B is wrong because the bucket policy does not explicitly deny encryption in transit; rather, it likely requires it via the `aws:SecureTransport` condition, and the failure is due to using HTTP, not a lack of encryption-in-transit allowance. Option D is wrong because the `x-amz-server-side-encryption` header is for server-side encryption at rest, not for transport security; the error is about HTTPS (encryption in transit), not encryption at rest.

581
Multi-Selectmedium

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in the organization are encrypted at rest. Which TWO approaches can the company use to achieve this? (Choose TWO.)

Select 2 answers
A.Attach a bucket policy to each bucket that denies PutObject without encryption.
B.Create a service control policy (SCP) that denies s3:CreateBucket unless the bucket has default encryption enabled.
C.Create an IAM policy that denies s3:PutObject unless encryption is specified.
D.Enable S3 Block Public Access at the organization level.
E.Use AWS Config rules to detect S3 buckets without encryption and automatically apply encryption.
AnswersB, E

Prevents creation of unencrypted buckets.

Why this answer

Options A and B are correct. SCP can deny creation of unencrypted buckets, and Config can detect noncompliant buckets. Option C is wrong because bucket policies can be bypassed by bucket owners.

Option D is wrong because IAM policies are per-account and may not cover all principals. Option E is wrong because S3 Block Public Access does not address encryption.

582
MCQmedium

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

A.Deploy AD in two Regions and use a VPN connection between the VPCs to replicate data.
B.Deploy a single AD domain in one Region and use AD replication over a VPC peering connection to a second Region.
C.Deploy AD in two Regions, attach both VPCs to the transit gateway, and enable cross-Region transit gateway peering. Use route tables to direct AD traffic through the inspection VPC.
D.Deploy AD in two Regions, attach both VPCs to a transit gateway in the primary Region, and use a transit gateway inter-Region peering attachment. Configure route tables to force traffic through the inspection VPC in the primary Region.
AnswerD

This ensures all inter-Region AD traffic is routed through the inspection VPC for firewall inspection.

Why this answer

Option D is correct because it uses a transit gateway in the primary Region with an inter-Region peering attachment to the secondary Region, allowing AD traffic to be routed through the inspection VPC in the primary Region for firewall inspection. This meets the security policy requirement that all cross-Region AD traffic must traverse the transit gateway and be inspected by the third-party firewall appliance.

Exam trap

The trap here is that candidates may think cross-Region transit gateway peering alone satisfies the inspection requirement, but without explicit route table configuration to direct traffic through the inspection VPC, the traffic will bypass the firewall.

How to eliminate wrong answers

Option A is wrong because a VPN connection between VPCs does not provide the required transit gateway routing or inspection VPC integration; it also introduces additional latency and complexity without meeting the inspection requirement. Option B is wrong because a single AD domain with VPC peering does not support cross-Region AD replication natively (AD replication requires direct connectivity or VPN, and VPC peering alone cannot enforce inspection by a third-party firewall in a separate inspection VPC). Option C is wrong because attaching both VPCs to the transit gateway and enabling cross-Region transit gateway peering does not force AD traffic through the inspection VPC; route tables must be explicitly configured to direct traffic through the inspection VPC, and the description in C lacks the necessary detail about routing through the inspection VPC in the primary Region.

583
MCQeasy

A company uses Amazon S3 to store sensitive data. The security team requires that all S3 buckets have server-side encryption enabled. How can the company enforce this across all existing and future buckets?

A.Enable default encryption on each S3 bucket.
B.Create an IAM policy that denies s3:PutObject unless encryption headers are present.
C.Use an S3 bucket policy to deny PutObject without encryption.
D.Use AWS Config to automatically remediate noncompliant buckets.
AnswerA

Default encryption ensures all new objects are encrypted.

Why this answer

Option B is correct because S3 default encryption can be set at the bucket level for all objects. Option A is wrong because bucket policies can enforce encryption but require a policy per bucket. Option C is wrong because AWS Config can detect noncompliant buckets but not enforce encryption.

Option D is wrong because IAM policies cannot enforce encryption on S3 buckets.

584
Multi-Selectmedium

A company uses AWS Organizations and wants to centrally manage Amazon GuardDuty across all accounts. Which TWO steps are required to enable GuardDuty in all accounts from a single management account?

Select 2 answers
A.Use AWS CloudFormation StackSets to deploy GuardDuty in each account
B.Enable GuardDuty manually in each member account by logging into each account
C.Create a service control policy to force GuardDuty to be enabled
D.Use the GuardDuty delegated administrator account to enable GuardDuty for all accounts in the organization
E.Designate a member account as the GuardDuty delegated administrator
AnswersD, E

Delegated administrator can enable GuardDuty across all accounts via API.

Why this answer

Option D is correct because AWS Organizations allows you to designate a GuardDuty delegated administrator account, which can then enable GuardDuty for all member accounts in the organization with a single API call or via the console. This eliminates the need to manually enable GuardDuty in each account, as the delegated administrator manages the service centrally across the entire organization.

Exam trap

The trap here is that candidates often confuse service control policies (SCPs) with proactive enforcement, but SCPs only restrict permissions and cannot automatically enable a service; they also overlook that CloudFormation StackSets cannot enable a service like GuardDuty, which requires a specific API action rather than resource deployment.

585
MCQmedium

A company uses AWS Organizations and wants to enable cost allocation across business units using tags. They require that all resources are tagged with a 'CostCenter' tag. What is the most effective way to enforce this?

A.Create an IAM policy in each account that requires the CostCenter tag.
B.Use AWS Config rules to identify untagged resources and automatically tag them.
C.Create a tag policy in AWS Organizations that requires the CostCenter tag on resources.
D.Use an SCP to deny resource creation if the CostCenter tag is missing.
AnswerC

Tag policies centrally enforce tagging rules across all accounts.

Why this answer

Option D is correct because AWS Organizations has a tag policy feature that can enforce tags on resources during creation. Option A is wrong because SCPs can deny creation without tags, but tag policies are more specific. Option B is wrong because AWS Config can detect but not enforce.

Option C is wrong because IAM policies can enforce but require per-account configuration.

586
MCQhard

Refer to the exhibit. A company has an SCP named 'DenyOutsideRegions' attached to the root OU. The SCP is intended to deny all actions outside us-east-1 and eu-west-1. However, users in a member account are still able to launch EC2 instances in ap-southeast-1. What is the most likely reason?

A.The SCP is not applied to the root user of the member account.
B.The SCP cannot restrict actions based on region.
C.The SCP policy document does not contain a Deny statement for the regions.
D.The SCP is overridden by an Allow policy attached to the account.
AnswerC

The exhibit only shows the policy metadata, not the content.

Why this answer

Option B is correct because the SCP shown is only a list of policies; the actual policy content (the statement) is not displayed. It is possible that the SCP does not contain the intended deny rule or has an Allow effect that overrides. Option A is wrong because SCPs affect all users, including root.

Option C is wrong because SCPs can deny actions based on region conditions. Option D is wrong because SCPs apply to all services uniformly unless specified otherwise.

587
Multi-Selectmedium

A company is managing multiple AWS accounts using AWS Organizations. They want to centralize the management of EC2 instances and enforce tagging standards across all accounts. Which TWO approaches should they use?

Select 2 answers
A.Use AWS CloudFormation StackSets to deploy AWS Config rules across all accounts to check for required tags.
B.Use AWS Service Catalog to enforce tagging on EC2 products.
C.Use AWS Resource Access Manager to share a tagging policy across accounts.
D.Apply a service control policy (SCP) that denies ec2:RunInstances if the required tags are not specified.
E.Use EC2 Auto Scaling lifecycle hooks to add tags automatically.
AnswersA, D

Config rules can enforce tagging compliance.

Why this answer

Option A is correct because AWS Config rules can be deployed via CloudFormation StackSets across all accounts in an AWS Organization to continuously check for required tags on EC2 instances, enabling centralized enforcement of tagging standards. Option D is correct because a service control policy (SCP) can deny the ec2:RunInstances action if required tags are not present in the request, using the ec2:ResourceTag condition key to enforce tagging at the API level before the instance is created.

Exam trap

The trap here is that candidates often confuse AWS Service Catalog's tagging enforcement as a global solution, not realizing it only applies to products launched through the catalog, not to direct EC2 API calls across accounts.

588
Matchingmedium

Match each AWS disaster recovery strategy to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Lowest cost, RPO in hours, RTO in hours to days

Core services run in standby, ready to scale

Scaled-down production environment, ready to scale up

Both sites serve traffic, failover is immediate

One site active, other on standby

Why these pairings

DR strategies balance cost and recovery time objectives.

589
MCQhard

A company is migrating a 10 TB SQL Server database to Amazon Aurora PostgreSQL. The migration must have minimal downtime. The source database is running on-premises with a 1 Gbps network link to AWS. Which strategy should be used to reduce the migration downtime?

A.Use AWS Database Migration Service (DMS) with full load and ongoing replication.
B.Take a full backup of the SQL Server database, upload it to Amazon S3, and restore to Aurora.
C.Use AWS Schema Conversion Tool (SCT) to convert the schema, then export data to flat files and upload to S3.
D.Create an Amazon Aurora read replica from the on-premises database.
AnswerA

DMS supports both full load and continuous replication, minimizing cutover downtime.

Why this answer

Option D is correct because AWS DMS can perform a full load followed by ongoing replication to keep the target in sync, then cutover quickly. Option A is wrong because an Aurora read replica cannot be created from an external database. Option B is wrong because SCT does not handle data replication; it only converts schema.

Option C is wrong because uploading a backup file and restoring does not support ongoing replication and may require significant downtime.

590
MCQeasy

A startup is building a serverless application using AWS Lambda. They need to store session state that can be shared across multiple Lambda invocations. Which AWS service should they use?

A.Amazon ElastiCache for Redis
B.Amazon S3
C.Amazon DynamoDB
D.Amazon CloudFront
AnswerA

Provides low-latency in-memory caching for session state.

Why this answer

Amazon ElastiCache for Redis is the correct choice because it provides a low-latency, in-memory data store that can be shared across multiple Lambda invocations. Redis supports data structures like strings, hashes, and lists, making it ideal for storing session state that needs to be accessed and updated quickly by concurrent serverless functions.

Exam trap

The trap here is that candidates often choose DynamoDB because it is a common serverless database, but they overlook that the question specifically asks for shared session state across invocations, which demands in-memory caching for performance, not a persistent database.

How to eliminate wrong answers

Option B (Amazon S3) is wrong because S3 is an object storage service with higher latency and eventual consistency for read-after-write, making it unsuitable for real-time session state that requires sub-millisecond access and strong consistency. Option C (Amazon DynamoDB) is wrong because while DynamoDB can store session state, it is a NoSQL database with higher latency compared to in-memory caching, and it is not optimized for the extremely low-latency, high-throughput session lookups that ElastiCache provides. Option D (Amazon CloudFront) is wrong because CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations, not a session store; it cannot be used to store or share mutable session state across Lambda invocations.

591
MCQmedium

A company is designing a new microservices architecture on AWS. Each service needs to store and retrieve small amounts of configuration data (under 10 KB per item) with low latency. The data is accessed frequently and must be highly available across multiple Availability Zones. Which AWS service should be used?

A.Amazon S3
B.Amazon ElastiCache for Memcached
C.Amazon RDS for MySQL
D.Amazon DynamoDB
AnswerD

DynamoDB offers low latency, high availability, and is suitable for small configuration data.

Why this answer

Option C is correct because DynamoDB provides single-digit millisecond latency, high availability, and is ideal for storing small configuration items. Option A (S3) has higher latency for small objects and is not optimized for frequent updates. Option B (ElastiCache) is for temporary caching, not durable storage.

Option D (RDS) is overkill for simple config data.

592
MCQmedium

A company uses AWS CloudTrail to log API activity. The compliance team requires that logs be stored for 7 years and be immediately accessible for the first 90 days, after which access can take up to 12 hours. Which storage solution meets these requirements cost-effectively?

A.Store logs in Amazon S3 Standard for 90 days, then transition to Amazon S3 Glacier for the remainder.
B.Store logs in Amazon S3 One Zone-Infrequent Access for 90 days, then delete.
C.Store logs in Amazon S3 Standard for 90 days, then transition to Amazon S3 Glacier Deep Archive.
D.Store logs in Amazon S3 Standard-Infrequent Access for 90 days, then transition to Amazon S3 Standard.
AnswerC

Deep Archive offers low cost with 12-hour retrieval.

Why this answer

Option C is correct because S3 Standard for 90 days then transition to S3 Glacier Deep Archive meets access needs and cost. Option A is wrong because S3 Glacier is more expensive than Deep Archive for long-term. Option B is wrong because S3 Standard-IA is not cost-effective for 7 years.

Option D is wrong because S3 One Zone-IA has lower durability and not suitable for compliance.

593
MCQhard

A company is designing a new application on AWS that uses Amazon API Gateway and AWS Lambda to expose a RESTful API. The API must authenticate requests using OAuth 2.0 with an external identity provider (IdP). The company wants to offload the authentication logic to the API Gateway. Which API Gateway feature should they use?

A.Use API Gateway's WebSocket API.
B.Enable API Gateway's VPC Link.
C.Configure a Lambda authorizer to validate the OAuth 2.0 token.
D.Use usage plans with API keys.
AnswerC

Lambda authorizer can call the IdP to validate tokens and return an IAM policy.

Why this answer

Option A is correct because API Gateway supports OAuth 2.0 authorization using Cognito User Pools or custom authorizers with Lambda. Option B is wrong because WebSocket API is for real-time communication. Option C is wrong because VPC Link is for private integrations.

Option D is wrong because usage plans are for API keys, not authentication.

594
Multi-Selecthard

A company is deploying a web application on AWS. The application runs on EC2 instances behind an ALB. The security team requires that all traffic between the ALB and the EC2 instances be encrypted, and that the EC2 instances only accept traffic from the ALB. Which THREE steps should the architect take? (Choose three.)

Select 3 answers
A.Assign the same security group to the ALB and the instances
B.Place the EC2 instances in a public subnet
C.Configure the ALB target group to use HTTPS protocol
D.Configure the EC2 instance security group to allow inbound traffic only from the ALB's security group
E.Use network ACLs to restrict inbound traffic to the ALB's IP addresses
.Configure the ALB to listen on HTTPS for client connections
AnswersC, D

Encrypts traffic between ALB and instances.

Why this answer

Option A ensures encryption between ALB and instances. Option B restricts instance security group to only ALB's security group. Option D enables HTTPS listener on ALB for client-to-ALB encryption (though question asks for ALB-to-instance, but this is also needed for end-to-end encryption).

Option C (public subnets) is not needed. Option E (NACL) is not the best way. Option F (same security group) is not the approach.

595
Multi-Selecthard

A company is deploying a microservices architecture on Amazon ECS with Fargate. They need to enable service-to-service communication with mutual TLS (mTLS) and service discovery. Which combination of services should they use? (Select THREE.)

Select 3 answers
A.AWS Certificate Manager (ACM)
B.Amazon Route 53
C.AWS Direct Connect
D.AWS App Mesh
E.AWS Cloud Map
AnswersA, D, E

ACM provides certificates for mTLS.

Why this answer

AWS App Mesh provides a service mesh that supports mTLS for encrypting and authenticating service-to-service communication within an ECS Fargate environment. AWS Cloud Map enables service discovery by allowing microservices to register and discover each other via DNS or API calls. AWS Certificate Manager (ACM) is used to provision and manage the X.509 certificates required for mTLS, which are integrated with App Mesh to enforce mutual authentication.

Exam trap

The trap here is that candidates often confuse Amazon Route 53's public DNS capabilities with the internal service discovery provided by AWS Cloud Map, or they assume Direct Connect is needed for secure communication, overlooking that mTLS is handled at the application layer by App Mesh and ACM.

596
Multi-Selecthard

A company has a multi-account AWS environment with a central security account. The security team wants to implement a solution that allows them to centrally manage and audit IAM permissions across all accounts. Which THREE services should be combined to achieve this?

Select 3 answers
A.AWS Organizations
B.AWS Config
C.AWS IAM Access Analyzer
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersA, C, D

Organizations provides a central view and management of all accounts.

Why this answer

Options A, C, and D are correct. IAM Access Analyzer helps identify external access to resources. AWS CloudTrail logs all API calls for auditing.

AWS Organizations provides a central view and management of accounts. Option B is wrong because AWS Config is for resource configuration, not IAM permissions. Option E is wrong because Amazon GuardDuty is for threat detection, not IAM audit.

597
MCQmedium

A company has multiple AWS accounts and wants to centrally manage VPC flow logs for all accounts. The flow logs should be sent to a central S3 bucket in the logging account. The solution must be automated for new accounts added to the organization. What should the team do?

A.Use AWS Config rules to detect missing flow logs and send alerts to the security team.
B.Use AWS CloudFormation StackSets to deploy a VPC flow log configuration to all accounts and regions, and configure the S3 bucket policy to allow cross-account delivery from all accounts.
C.Use an SCP to require that VPC flow logs be enabled.
D.Manually enable VPC flow logs in each account and region, and specify the central S3 bucket as the destination.
AnswerB

StackSets automate deployment across accounts and regions.

Why this answer

Option D is correct because AWS CloudFormation StackSets can deploy the flow log configuration to all accounts and regions, and a central S3 bucket policy allows cross-account delivery. Option A is wrong because manual creation does not scale. Option B is wrong because SCPs cannot create resources.

Option C is wrong because AWS Config can detect but not automatically enable in all regions easily.

598
MCQmedium

A company uses Amazon CloudFront with an S3 origin to serve static content. They recently updated the content in S3, but users still see the old files. What is the MOST likely reason?

A.The CloudFront distribution's cache TTL is too long
B.S3 versioning is enabled and the objects are not updated
C.CloudFront is not configured to forward the Cache-Control header
D.S3 Transfer Acceleration is disabled
AnswerA

CloudFront caches content; long TTL prevents immediate updates.

Why this answer

Option A is correct because CloudFront caches objects at edge locations based on TTL; if the TTL has not expired, users will get cached old content. Option B is wrong because S3 versioning does not affect cache invalidation. Option C is wrong because CloudFront does not have a 'Cache-Control' header by default; it's set by the origin.

Option D is wrong because S3 Transfer Acceleration is irrelevant to caching.

599
MCQmedium

A company runs a critical database on an Amazon RDS for PostgreSQL instance. The database experiences high write latency during peak hours. The company wants to improve write performance without changing the application code. Which action should the Solutions Architect take?

A.Create a read replica and offload read traffic.
B.Modify the RDS instance to use a larger instance type with higher IOPS.
C.Enable Multi-AZ deployment for the RDS instance.
D.Change the DB parameter group to optimize for write operations.
AnswerB

Larger instance types with higher IOPS reduce write latency.

Why this answer

Option C is correct because provisioning GP3 volumes with higher IOPS can improve write performance without code changes. Option A is wrong because Multi-AZ improves availability, not write latency. Option B is wrong because read replicas improve read performance, not write.

Option D is wrong because modifying parameter groups does not directly increase IOPS.

600
Multi-Selectmedium

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet compliance requirements that logs be immutable and stored for 7 years. Which THREE services should be combined to achieve this?

Select 3 answers
A.AWS Glue
B.S3 Object Lock
C.AWS CloudTrail
D.Amazon S3
E.Amazon Kinesis Data Streams
AnswersB, C, D

Prevents deletion or overwriting of logs.

Why this answer

S3 Object Lock is correct because it enforces a write-once-read-many (WORM) model on S3 objects, preventing any deletion or overwriting for a specified retention period. Combined with Amazon S3 for durable storage and AWS CloudTrail for logging API activity across accounts, this meets the 7-year immutability and retention compliance requirements.

Exam trap

The trap here is that candidates may confuse Kinesis Data Streams as a storage service for logs, but it is a streaming ingestion layer with no built-in immutability or long-term retention, while Glue is mistakenly chosen for its data cataloging capabilities rather than for log storage.

Page 7

Page 8 of 24

Page 9