CCNA Continuous Improvement for Existing Solutions Questions

75 of 428 questions · Page 1/6 · Continuous Improvement for Existing Solutions

1
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all new S3 buckets are encrypted using AES-256. What is the MOST effective way to enforce this requirement?

A. Create an SCP that denies s3:CreateBucket unless encryption is specified.
B. Use CloudTrail to monitor bucket creation and alert security team.
C. Create an SCP that denies s3:PutBucketPublicAccessBlock without encryption.
D. Use AWS Config rules to detect non-compliant buckets and auto-remediate.
Answer: A

SCPs can deny actions based on conditions like encryption.

Why this answer

Option A is correct because a service control policy (SCP) can deny creation of S3 buckets without encryption. Options B, C, and D are not effective at enforcing across all accounts.

2
MCQ · medium

A company uses AWS CodePipeline to deploy a web application to an Elastic Beanstalk environment. The deployment pipeline includes a source stage, a build stage using CodeBuild, and a deploy stage. Recently, deployments have been failing in the deploy stage with the error: 'The environment is in an invalid state for this operation.' The developer confirms the build artifacts are correct. What is the MOST likely cause?

A. The environment's load balancer is not available
B. The environment's Auto Scaling group has insufficient capacity
C. The Elastic Beanstalk environment uses a t2.micro instance type which is not supported by CodePipeline
D. Another deployment or configuration update is already in progress on the environment
Answer: D

Elastic Beanstalk locks the environment during updates.

Why this answer

Option D is correct because if there is an ongoing update or configuration change, Elastic Beanstalk prevents concurrent operations. Option C is wrong because CodePipeline does not require a specific instance type. Option B is wrong because insufficient capacity would cause a different error.

Option A is wrong because the load balancer being unavailable is a symptom, not the cause.

3
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application needs to access an S3 bucket. The ECS task role has the necessary S3 permissions. However, the application is unable to upload files to S3. What is the MOST likely cause?

A. The Task execution role is missing S3 permissions
B. The S3 bucket policy denies access to the task role
C. The VPC does not have an S3 VPC endpoint
D. The task definition does not specify the correct task role ARN
Answer: D

The task role must be correctly specified in the task definition.

Why this answer

Option D is correct because Fargate tasks use the 'Task execution role' for pulling images and logging, but S3 access from the application requires the 'Task role' with the proper IAM permissions. The task role exists, but the task definition may not reference the correct role ARN. Option C is wrong because a VPC endpoint for S3 is not required if the task can route to S3 via the internet or a NAT gateway.

Option A is wrong because the 'Task execution role' is used by the ECS agent, not by the application. Option B is wrong because an S3 bucket policy could block access, but the question states the task role has permissions.

4
MCQ · easy

A company is using Amazon API Gateway to expose a REST API. The API backend is a Lambda function that queries an Amazon DynamoDB table. During peak hours, the API returns HTTP 429 (Too Many Requests) errors. What is the MOST cost-effective way to reduce these errors?

A. Enable API caching in API Gateway.
B. Enable DynamoDB auto-scaling.
C. Increase the throttling limits in API Gateway.
D. Increase the reserved concurrency of the Lambda function.
Answer: C

Higher throttling limits reduce 429 errors by allowing more requests.

Why this answer

Option C is correct because increasing the API Gateway throttling limits allows more requests to pass through to the backend. Option D is wrong because increasing Lambda reserved concurrency may help but is more expensive than adjusting throttling limits. Option B is wrong because DynamoDB auto-scaling addresses database capacity, not API throttling.

Option A is wrong because API caching reduces backend calls for repeated requests but does not address throttling limits.

5
MCQ · medium

A company is using AWS Lambda functions to process data from an S3 bucket. Recently, the function has been timing out. The function has a 5-minute timeout configured. What is the most likely cause of the timeout?

A. The Lambda function was moved to a different VPC.
B. The Lambda function's reserved concurrency is set too low.
C. The Lambda function's memory is too low.
D. The Lambda function is processing larger files than before.
Answer: D

Larger files increase processing time, causing the timeout.

Why this answer

Option D is correct because if the Lambda function is processing larger files, it may exceed the 5-minute timeout. Option C is incorrect because memory size does not change the timeout. Option B is incorrect because reserved concurrency does not affect execution time.

Option A is incorrect because a new VPC configuration would not cause a timeout by itself.

6
MCQ · medium

A company is using AWS CodePipeline with an S3 source action. After a successful deployment, the latest commit ID is stored as an environment variable in the CodeBuild project. The team notices that subsequent pipeline executions are not triggering when new commits are pushed to the S3 bucket. What is the most likely cause?

A. The CodePipeline service role lacks permissions to poll the S3 bucket.
B. The S3 bucket policy does not allow CodePipeline to read objects.
C. The S3 bucket does not have an event notification configured to trigger the pipeline.
D. The CodePipeline webhook is misconfigured.
Answer: C

Without an event notification, CodePipeline won't automatically start on new commits.

Why this answer

Option C is correct because S3 event notifications for PUT and POST operations require the bucket to be configured to send events to CodePipeline. Option B is wrong because the bucket policy is not relevant for event notifications. Option D is wrong because CodePipeline can use S3 as a source without a webhook.

Option A is wrong because the pipeline service role is not the cause.

7
MCQ · easy

A company uses AWS Lambda to process events from an SQS queue. The Lambda function has a reserved concurrency of 5. During peak hours, messages are being backed up in the queue. The function's duration is well within the 15-minute limit. What is the fastest way to increase throughput?

A. Increase the function's maximum thread count.
B. Increase the reserved concurrency to 20.
C. Create additional SQS queues and distribute messages.
D. Increase the SQS batch size to 100.
Answer: B

More concurrency allows more messages to be processed in parallel.

Why this answer

Option B is correct because increasing reserved concurrency allows more simultaneous invocations, processing more messages in parallel. Option A is wrong because Lambda functions don't have a 'thread count' setting. Option D is wrong because batch size is already maxed at 10 for SQS.

Option C is wrong because adding more queues would require code changes and doesn't directly help.

8
MCQ · easy

A DevOps engineer notices that a CloudFormation stack update fails with the error: 'UPDATE_ROLLBACK_FAILED'. The stack is in a state where some resources were updated, but others failed to update. The engineer needs to fix the stack and complete the update. What should the engineer do FIRST?

A. Add a new resource to the stack to force a new update
B. Manually correct the resources that are preventing rollback, then use 'ContinueUpdateRollback'
C. Submit another stack update with the original template to overwrite the changes
D. Delete the stack and recreate it with the same template
Answer: B

This is the standard procedure to recover from a rollback failure.

Why this answer

Option B is correct because when a stack update fails and the rollback also fails, you must manually fix the resources that prevent rollback (e.g., delete a resource that is stuck) and then continue the rollback. Option C is wrong because you cannot update a stack in the UPDATE_ROLLBACK_FAILED state without first completing the rollback. Option A is wrong because you cannot add resources while the stack is in a failed state.

Option D is wrong because you cannot delete the stack without first fixing the rollback.

9
MCQ · medium

Refer to the exhibit. A solutions architect runs the AWS CLI command to check the state of an EC2 instance. The output shows the instance is running. However, the application team reports that the instance is unreachable over SSH. What is the MOST likely cause?

A. The CLI command is querying the wrong instance
B. A security group rule blocks inbound SSH traffic
C. The instance is in a 'stopped' state
D. The instance does not have EBS optimization enabled
Answer: B

Security groups control inbound traffic.

Why this answer

Option B is correct. The instance state is 'running', so it is not stopped or terminated. The issue is most likely a security group or network ACL blocking SSH.

Option C is wrong because the instance is running. Option A is wrong because the instance ID is not shown, but the query is correct. Option D is wrong because EBS optimization does not affect network connectivity.

10
MCQ · hard

A company is running a stateful web application on EC2 instances behind an ALB. Users report that when they refresh a page, they are logged out. What is the best solution to fix this issue?

A. Enable cross-zone load balancing on the ALB.
B. Enable sticky sessions on the ALB.
C. Replace the ALB with a Classic Load Balancer.
D. Use ElastiCache to store session data.
Answer: B

Sticky sessions route a user to the same instance.

Why this answer

Option B is correct because enabling stickiness (session affinity) ensures requests from the same user go to the same instance. Option C is incorrect because a Classic Load Balancer doesn't solve statefulness. Option D is incorrect because ElastiCache doesn't solve routing.

Option A is incorrect because cross-zone load balancing doesn't affect session persistence.

11
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application experiences intermittent timeouts when calling an external API. The ECS tasks are in a private subnet with a NAT gateway. How can the company improve the reliability of outbound traffic?

A. Place the tasks in a public subnet with auto-assign public IP.
B. Deploy a NAT gateway in each Availability Zone and update the route tables.
C. Increase the NAT gateway's bandwidth by using a larger instance type.
D. Use AWS Transit Gateway to route traffic through a central VPC.
Answer: B

Eliminates single point of failure for outbound traffic.

Why this answer

Option B is correct because a NAT Gateway in each AZ provides high availability; without it, a single NAT Gateway failure causes timeouts. Option A is wrong because it reduces security. Option C is wrong because it does not address NAT redundancy.

Option D is wrong because it adds complexity without directly fixing NAT issues.

12
MCQ · easy

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences periodic spikes in traffic. The operations team wants to ensure that the application can handle the spikes without manual intervention. What is the MOST cost-effective solution?

A. Use a scheduled scaling policy to add instances during predicted peak hours.
B. Create a target tracking scaling policy using the ALB RequestCountPerTarget metric.
C. Manually add instances when traffic spikes are expected.
D. Use a simple scaling policy based on CPU utilization.
Answer: B

This automatically scales based on request count per target.

Why this answer

Option B is correct because a target tracking scaling policy automatically adjusts capacity based on a metric, and the ALB RequestCountPerTarget metric is appropriate for web traffic spikes. Option D uses the wrong metric, Option C requires manual intervention, and Option A is not cost-effective.

13
Drag & Drop · medium

Drag and drop the steps to deploy a serverless application using AWS SAM in the correct order.


Why this order

First write the template, then build, package, deploy, and test.

14
MCQ · easy

A company is using AWS Elastic Beanstalk to deploy a web application. The application's performance degrades over time due to increasing database connections. The company wants to implement a solution that automatically scales the database tier based on connection count. Which action should be taken?

A. Migrate the database to Amazon DynamoDB with auto scaling.
B. Use Amazon RDS Proxy to manage database connections and enable connection pooling.
C. Enable Multi-AZ on the RDS instance and modify the DB instance class.
D. Configure the Auto Scaling group to scale based on CPU utilization.
Answer: B

RDS Proxy reduces connection overhead and scales.

Why this answer

Option B is correct because Amazon RDS Proxy manages connection pooling and scales with the application, reducing load on the database. Option A is wrong because DynamoDB is a different database. Option D is wrong because scaling EC2 instances does not address database connections.

Option C is wrong because modifying the RDS instance class is manual, not automatic.

15
MCQ · medium

A company receives a Trusted Advisor recommendation to reduce costs by deleting unused Amazon EBS snapshots. The company has hundreds of snapshots. Which approach should the company use to identify and delete snapshots that are no longer needed?

A. Enable detailed billing reports and analyze costs.
B. Use the AWS CLI to list all snapshots and manually check each one.
C. Use AWS Backup to manage snapshots and set retention rules.
D. Use Amazon S3 Lifecycle policies to expire snapshots automatically.
Answer: C

AWS Backup can automate the snapshot lifecycle and identify old snapshots.

Why this answer

Option C is correct because AWS Backup provides lifecycle policies and centralized snapshot management, making it easy to identify orphaned snapshots. Option B is wrong because manually checking each snapshot doesn't help identify unused snapshots at scale. Option D is wrong because S3 Lifecycle policies are for S3 storage classes, not snapshot deletion.

Option A is wrong because billing reports are for cost analysis, not operations.

16
MCQ · hard

A healthcare company runs a HIPAA-compliant web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS for PostgreSQL database with Multi-AZ. The security team requires that all data in transit be encrypted using TLS 1.2 or higher. The current setup uses an SSL certificate on the ALB to terminate HTTPS, but traffic between the ALB and EC2 instances is over HTTP. The company wants to enforce end-to-end encryption without changing the application code. Which solution meets these requirements?

A. Replace the ALB with a Network Load Balancer, configure a TLS listener, and use target group health checks over HTTPS.
B. Configure the ALB to use a TLS listener and forward traffic to the target group using the TCP protocol on port 443.
C. Install a self-signed certificate on each EC2 instance, configure the ALB target group to use HTTPS, and upload the self-signed certificate to AWS Certificate Manager (ACM) for the ALB to trust.
D. Place AWS CloudFront in front of the ALB and configure CloudFront to use TLS 1.2, with the ALB still using HTTP.
Answer: A

NLB with TLS passthrough allows end-to-end encryption if instances have certificates installed; health checks over HTTPS verify encryption.

Why this answer

Option D (network load balancer with target group health checks over HTTPS) is not correct because it requires code change on instances. Actually, the correct solution is to terminate TLS at the ALB and re-encrypt using a self-signed certificate on the EC2 instances, but that requires application support. However, the best option is to use a Network Load Balancer with TLS termination and forward to instances with a self-signed certificate (which doesn't require code change if the app listens on HTTPS).

However, among the options, Option D is most plausible but still flawed. Let me reconsider: The correct answer should be to use a Network Load Balancer with TLS passthrough to instances that have certificates installed. Since the application cannot be changed, use a self-signed certificate on the instances for the internal traffic.

Option B (self-signed certificate on EC2 and ALB re-encrypt) often requires code changes to trust the self-signed cert. Option D is the closest: NLB with TLS listener and target group with HTTPS health check. But the correct answer is actually to use an NLB with TLS listener and target group health checks over HTTPS, but the application must support HTTPS.

Since the problem says no code change, the application likely already listens on HTTPS? Actually, the problem says traffic between ALB and EC2 is HTTP, so the application listens on HTTP. So we need to enable HTTPS on the instances without code change. That's not possible.

The only way is to use a reverse proxy on the instance or use a self-signed certificate that the ALB can trust. But ALB can terminate TLS and re-encrypt to target group with a self-signed certificate if the target group protocol is HTTPS and the ALB trusts the self-signed certificate (by uploading it to ACM as a private certificate?). ACM does not accept self-signed certificates.

So the correct solution is to use a Network Load Balancer with TLS passthrough and install a certificate on the instances. The application must support HTTPS. Since the application currently uses HTTP, the only way is to modify the application to listen on HTTPS.

However, the problem says 'without changing the application code'. So the only feasible solution is to use a reverse proxy like NGINX on the instance in front of the application. That is not listed.

Among the options, Option B is the least bad because you can upload a private CA-signed certificate to ACM and use it on ALB to re-encrypt to instances. But the instances need to have the corresponding certificate. That might require manual installation but not code change.

Option A (NLB with TLS listener and target group protocol TCP) does not encrypt traffic to instances. Option C (CloudFront in front of ALB) adds complexity. Option D is similar to B but uses NLB.

So the best answer is B. Actually, the correct answer is D: use a Network Load Balancer with TLS listener and target group health checks over HTTPS. Wait, NLB does not terminate TLS; it passes through.

So the instances must handle TLS. That requires code change. So B is better because ALB can re-encrypt.

But ALB re-encryption requires the target group protocol to be HTTPS and the ALB to trust the target's certificate. If the target uses a self-signed certificate, ALB will reject it. So you need a certificate signed by a CA that ALB trusts.

That can be a private CA from ACM Private CA. So you can install a certificate from ACM Private CA on the instances. That is a configuration change, not code change.

So B is feasible.

17
Multi-Select · hard

A company is using AWS CodePipeline to automate deployments of a web application. The pipeline includes a build stage using AWS CodeBuild and a deploy stage using AWS CodeDeploy to an Auto Scaling group. Recently, deployments have been failing during the deploy stage with an error indicating that the target instances are not in a healthy state. The CodeDeploy agent logs show that the agent is running but the application validation scripts are failing. Which THREE actions should the solutions architect take to troubleshoot and resolve the issue?

Select 3 answers
A. Test the validation script manually on a healthy instance to confirm it works as expected.
B. Increase the deployment timeout in the CodeDeploy deployment group to allow more time for validation.
C. Review the CodeDeploy agent logs on a failing instance to identify the specific error in the validation script.
D. Verify that the AppSpec file includes the correct lifecycle event hooks (e.g., ValidateService).
E. Configure an Auto Scaling lifecycle hook to perform health checks before the instance is placed in service.
Answers: A, C, D

Manual testing helps isolate whether the script itself is faulty.

Why this answer

Options A, C, and D are correct. Checking AppSpec hooks ensures the validation scripts are correctly defined. Reviewing CodeDeploy agent logs helps identify script failures.

Testing the validation script manually on a healthy instance verifies its functionality. Option B is wrong because increasing the deployment timeout does not fix the script failure. Option E is wrong because CodeDeploy does not use Auto Scaling lifecycle hooks for instance health; it uses its own deployment lifecycle.

18
MCQ · hard

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB). During a recent deployment, users experienced errors. The team wants to automatically roll back the deployment if the error rate exceeds 5% within 10 minutes after deployment. Which solution meets these requirements with minimal operational overhead?

A. Configure the Auto Scaling group to use ELB health checks and replace instances if the error rate increases.
B. Use CodeDeploy with manual approval gates and a script that checks error rates.
C. Use CodeDeploy with a CloudWatch alarm on the ALB error rate that triggers a deployment rollback.
D. Use a custom Lambda function that monitors ALB error rates and triggers a rollback via CodeDeploy API.
Answer: C

CodeDeploy natively supports CloudWatch alarm-based automatic rollback.

Why this answer

Option C is correct because AWS CodeDeploy supports automatic rollback based on CloudWatch alarm metrics, such as error rate, with minimal overhead. Option B is wrong because manual approval does not trigger automatic rollback. Option D is wrong because a custom Lambda function adds complexity and is not the best practice for automatic rollback.

Option A is wrong because modifying ASG health checks does not directly monitor error rate for rollback.

19
MCQ · hard

A company has a legacy application that runs on a single EC2 instance. The application writes logs to a local file. The company wants to centralize log management without modifying the application code. Which solution is MOST operationally efficient?

A. Use AWS CloudTrail to capture log file changes.
B. Modify the application to write logs to stdout and use the awslogs driver.
C. Install and configure the Amazon CloudWatch agent on the EC2 instance.
D. Set up an Amazon S3 bucket and use an AWS Lambda function to periodically copy log files.
Answer: C

CloudWatch agent can collect logs from local files without code changes.

Why this answer

The Amazon CloudWatch agent can be installed on the EC2 instance without modifying application code. It reads the local log file and sends the logs to Amazon CloudWatch Logs for centralized management, making it the most operationally efficient solution.

Exam trap

The trap here is that candidates may think modifying the application to use stdout with the awslogs driver is simpler, but that requires code changes, which the question explicitly prohibits.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail captures API activity and management events, not log file changes on an EC2 instance. Option B is wrong because it requires modifying the application code to write logs to stdout, which violates the requirement to not modify application code. Option D is wrong because setting up an S3 bucket and Lambda function to periodically copy log files introduces unnecessary complexity and latency compared to the real-time streaming provided by the CloudWatch agent.

20
MCQ · medium

A company runs a critical workload on EC2 instances in an Auto Scaling group across three Availability Zones. The application needs to maintain a consistent IP address for outbound traffic to external partners. The current design uses a NAT gateway in each AZ, but partners whitelist a single IP. How can the company provide a fixed outbound IP while maintaining high availability?

A. Use a proxy fleet of EC2 instances behind an Application Load Balancer.
B. Use a single NAT gateway across all three AZs and assign an Elastic IP.
C. Use a NAT instance with an Elastic IP in one AZ.
D. Deploy a Network Load Balancer with Elastic IPs in front of NAT instances in each AZ.
Answer: D

NLB provides a static IP and distributes traffic to NAT instances across AZs for HA.

Why this answer

Option D is correct because a Network Load Balancer with Elastic IPs in front of NAT instances in each AZ provides a fixed IP and high availability. Option C is wrong because a NAT instance with an Elastic IP in a single AZ fails along with that AZ. The current design does not work because a NAT gateway in each AZ means multiple different source IPs.

Option B is wrong because a single NAT gateway is not highly available. Option A is wrong because a proxy fleet still uses multiple IPs.

21
MCQ · medium

A company runs a batch processing application on a scheduled EC2 instance that starts every night. The instance processes a large number of files from an S3 bucket and writes results to another S3 bucket. The job takes approximately 6 hours to complete. Recently, the job has been failing after 4 hours with an error indicating that the instance's EBS root volume is full. The instance type is t3.medium with a 20 GB gp2 root volume. The application writes temporary files to the root volume. The company wants to fix this with minimal changes to the application and infrastructure. What should a solutions architect recommend?

A. Create an additional EBS volume and mount it to the instance.
B. Change the instance type to one with instance store volumes.
C. Increase the size of the EBS root volume to 100 GB.
D. Modify the application to compress temporary files.
Answer: C

More space on the root volume resolves the issue without code changes.

Why this answer

Option C is correct because increasing the root volume size provides more space for temporary files without application changes. Option B is wrong because instance store is ephemeral and may not be available on t3 instances. Option A is wrong because mounting an additional EBS volume would require application changes to write to a different path.

Option D is wrong because reducing file size may not be feasible and requires code changes.

22
MCQ · easy

A company is using Amazon S3 to store sensitive data. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS. The company also needs to ensure that any attempt to upload an unencrypted object is blocked. How can the company enforce this requirement?

A. Use a bucket policy that denies s3:PutObject if the request does not include the x-amz-server-side-encryption header with value aws:kms
B. Enable default encryption on the bucket with AWS KMS
C. Use AWS CloudTrail to monitor PutObject calls and alert on unencrypted uploads
D. Enable S3 Object Lock on the bucket
Answer: A

This policy condition ensures encryption is used.

Why this answer

Option A is correct because a bucket policy that denies PutObject without the x-amz-server-side-encryption header set to aws:kms enforces encryption at upload time. Option D (Object Lock) does not enforce encryption at the bucket level. Option B (default encryption) does not reject uploads that omit the header.

Option C (CloudTrail) is detective, not preventive.

23
MCQ · hard

An S3 bucket contains log files. An administrator runs the above AWS CLI command. What does the output indicate?

A. Two log files are larger than 1 KB.
B. The log files are larger than 1000 KB.
C. The bucket contains only two objects with the prefix 'logs/'.
D. The bucket has versioning enabled.
Answer: A

1000 bytes = 1 KB.

Why this answer

Option A is correct because the query filters objects larger than 1000 bytes and returns only those keys. Option C is incorrect because the output shows only the two keys that match the filter, not every object in the bucket. Option D is incorrect because the command queries objects, not versions.

Option B is incorrect because the filter is size > 1000 bytes, not 1000 KB.

24
MCQ · medium

An IAM policy is attached to an S3 bucket to allow access only from a specific IP range. Users report that they can access the bucket from IP addresses outside the range. The bucket policy also includes another statement that denies access to all principals. What is the most likely reason users outside the IP range can still access the bucket?

A. The condition key 'aws:SourceIp' is misspelled.
B. The deny statement does not apply to the users attempting to access the bucket.
C. The policy is an IAM policy, not a bucket policy, and the condition key is invalid.
D. The policy is attached to the IAM user instead of the bucket.
Answer: B

The deny statement might be scoped to a different principal, allowing access from other IPs.

Why this answer

Option B is correct because an explicit deny in another statement would override the allow, yet users can access the bucket from outside the range, meaning the deny is not effective. The most likely reason is that the deny statement does not apply to those users (e.g., it targets a different principal). Option C is incorrect because the policy is a bucket policy, not an IAM policy.

Option A is incorrect because the condition key syntax is correct. Option D is incorrect because the bucket policy is attached to the bucket, not to IAM users.

25
MCQ · easy

A company uses AWS CloudFormation to deploy infrastructure. The company wants to ensure that if a stack update fails, the stack automatically rolls back to the last known good state. Which CloudFormation stack option should the company configure?

A. Enable termination protection on the stack.
B. Configure a stack policy to prevent updates to critical resources.
C. Set the 'Rollback on failure' option to 'Yes' when performing the stack update.
D. Use a change set to review changes before updating the stack.
Answer: C

This is the default behavior; if an update fails, CloudFormation rolls back automatically.

Why this answer

Option C is correct because CloudFormation stack updates have a 'Rollback on failure' option that defaults to 'Yes'. If an update fails, CloudFormation automatically rolls back to the previous state. Option B is wrong because a stack policy prevents updates to specific resources; it does not control rollback behavior.

Option D is wrong because change sets let you preview changes but do not automate rollback. Option A is wrong because termination protection prevents stack deletion, not rollback on failed updates.

26
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an Amazon RDS database that is in a private subnet. The ECS tasks are launched in a public subnet. How should they configure network access?

A. Launch the ECS tasks in the same private subnet as the RDS instance.
B. Place the ECS tasks in a public subnet and use a NAT gateway to route traffic to the database.
C. Set up a VPN connection between the ECS tasks and the database.
D. Use an Application Load Balancer to route traffic to the database.
Answer: A

Tasks in the same subnet can communicate via security groups.

Why this answer

Option A is correct because ECS tasks should be launched in the same VPC and security group as the database (or connected via VPC peering or a transit gateway). Option B is wrong because a NAT gateway is for outbound internet traffic, and tasks in a public subnet cannot directly access the private RDS instance without proper routing.

Option C is wrong because a VPN is overkill.

27
Multi-Selectmedium

A company runs a web application on EC2 instances behind an ALB. The application uses an Amazon Aurora MySQL database. The operations team notices that the database CPU utilization is consistently above 80% during business hours. The team needs to reduce database load without changing the application code. Which TWO actions should the team take? (Select TWO.)

Select 2 answers
A. Create an Aurora read replica and direct read queries to it.
B. Increase the DB instance class to a larger size.
C. Implement an ElastiCache for Redis caching layer to cache frequent queries.
D. Enable Amazon RDS Performance Insights to identify slow queries.
E. Increase the Auto Scaling group maximum size to handle more traffic.
Answers: A, C

Read replicas offload read traffic from the primary instance.

Why this answer

Option A is correct because creating an Aurora read replica and directing read traffic to it offloads the primary instance. Option C is correct because implementing an ElastiCache caching layer can reduce repeat database queries. Option B is wrong because increasing the DB instance class may help but is not a best practice for immediate load reduction.

Option D is wrong because enabling Performance Insights is for monitoring, not load reduction. Option E is wrong because increasing the Auto Scaling group size does not affect database load.

28
MCQ · hard

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon Aurora MySQL database. Recently, the application has become slow during peak hours. The operations team notices that the database CPU utilization is high, but the number of connections is within limits. The application is read-heavy. The team wants to improve performance with minimal changes to the application code. The database is currently a single Aurora instance. Which solution should the team implement?

A. Add an Aurora Replica and configure the application to use the reader endpoint for read-only queries.
B. Use Amazon DynamoDB Accelerator (DAX) to cache database queries.
C. Add an Amazon ElastiCache Redis cluster in front of the database.
D. Increase the instance size of the Aurora primary instance.
Answer: A

This offloads read traffic with minimal application changes.

Why this answer

Adding an Aurora Replica distributes read traffic, reducing load on the primary instance. The application must be configured to use the reader endpoint for read queries.

29
Multi-Select · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent latency spikes. The operations team has enabled detailed CloudWatch metrics and EC2 instance status checks. The team needs to identify the root cause of the latency. Which TWO actions should the team take to diagnose the issue? (Choose two.)

Select 2 answers
A. Enable detailed monitoring (1-minute metrics) on the ALB and create a CloudWatch dashboard to view the RequestCount and TargetResponseTime metrics.
B. Integrate the application with AWS X-Ray and enable tracing on the EC2 instances to capture trace data for all requests.
C. Set up an Amazon CloudWatch Synthetics canary that steps through the application workflow and monitor the step durations.
D. Enable access logging on the ALB and analyze the logs to find requests with high latency.
E. Enable VPC Flow Logs on the subnets where the EC2 instances reside and analyze the logs for packet loss.
Answers: C, D

Correct: Canaries can measure end-to-end latency and pinpoint slow steps.

Why this answer

Option C is correct because CloudWatch Synthetics canaries simulate user workflows step by step, and monitoring step durations helps pinpoint which specific part of the application is causing latency spikes. This provides granular, end-to-end visibility into the user experience beyond what aggregate metrics offer.

Exam trap

The trap here is that candidates often confuse network-level diagnostics (VPC Flow Logs) or aggregate metrics (ALB detailed monitoring) with the application-level, user-experience-focused diagnostics needed to pinpoint the root cause of latency spikes in a web application.

30
MCQ · easy

A company's security team wants to ensure that all S3 buckets are encrypted at rest. They have thousands of existing buckets. Which approach should a Solutions Architect use to identify noncompliant buckets?

A. Use AWS Trusted Advisor to check bucket encryption.
B. Analyze AWS CloudTrail logs for PutBucketEncryption API calls.
C. Enable S3 Inventory to list all objects and their encryption status.
D. Create an AWS Config rule to evaluate S3 bucket encryption settings.
Answer: D

Config rules can evaluate all buckets.

Why this answer

Option D is correct because AWS Config has managed rules to check S3 bucket encryption. Option A is wrong because Trusted Advisor checks only a subset of buckets. Option C is wrong because S3 Inventory provides object metadata, not a compliance evaluation of bucket encryption settings.

Option B is wrong because CloudTrail logs API calls, not current state.

31
MCQ · easy

A company wants to monitor CPU utilization of their EC2 instances and receive an alert when utilization exceeds 80% for 10 minutes. Which AWS service should be used?

A. Amazon Inspector
B. AWS Config
C. Amazon CloudWatch Alarms
D. AWS CloudTrail
Answer: C

CloudWatch Alarms monitor metrics and send notifications.

Why this answer

CloudWatch Alarms can monitor metrics and trigger actions when a threshold is breached.

32
MCQ · medium

A company uses Amazon DynamoDB as its primary database. The operations team is seeing increased read latency during peak hours. The table has a provisioned read capacity of 1000 RCU, but CloudWatch metrics show that consumed read capacity frequently reaches 1000 RCU. The application uses eventually consistent reads. What is the MOST cost-effective way to reduce read latency?

A. Switch to strongly consistent reads to improve consistency.
B. Enable DynamoDB Accelerator (DAX) to cache frequently read items.
C. Create a global secondary index (GSI) on the table to offload reads.
D. Increase the provisioned read capacity to 2000 RCU.
E. Use Amazon ElastiCache for Memcached as a read cache.
Answer: B

DAX provides microsecond read latency and reduces load on the table.

Why this answer

Option B is correct because enabling DynamoDB Accelerator (DAX) provides an in-memory cache that reduces read latency without increasing provisioned RCU. Option A is wrong because switching to strongly consistent reads would double RCU consumption. Option D is wrong because increasing RCU increases cost.

Option C is wrong because adding a global secondary index does not reduce read latency for the base table. Option E is wrong because using ElastiCache adds complexity and cost.

33
Multi-Select · medium

A company has an Amazon RDS for PostgreSQL database that is experiencing high CPU utilization due to a large number of read queries. They need to offload read traffic and improve performance. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A. Enable Multi-AZ deployment for the database.
B. Create one or more read replicas in the same Region.
C. Increase the instance size of the primary database.
D. Use Amazon ElastiCache to cache query results.
E. Implement an RDS Proxy to manage connections.
Answers: B, E

Read replicas serve read traffic, reducing load on the primary.

Why this answer

Options B and E are correct. B: Creating a read replica offloads read queries from the primary database. E: Using an RDS Proxy allows connection pooling, reducing overhead.

Option A is wrong because Multi-AZ is for high availability, not read scaling. Option C is wrong because increasing instance size can help but is often more expensive than read replicas. Option D is wrong because ElastiCache is for caching data, not for offloading database queries directly.

34
MCQ · medium

A company is running a production web application on AWS Auto Scaling EC2 instances behind an Application Load Balancer. Recent deployments have caused intermittent errors. The team wants to implement a deployment strategy that minimizes downtime and allows for quick rollback. Which strategy should they use?

A. Deploy a new version to a single instance, test, then scale out.
B. Use blue/green deployment with a second Auto Scaling group and switch the ALB target group.
C. Perform rolling updates with a single Auto Scaling group, updating a few instances at a time.
D. Use an immutable deployment by launching a new Auto Scaling group and terminating the old one.
Answer: B

Blue/green allows instant switch and immediate rollback.

Why this answer

Option B is correct because blue/green deployment with a second Auto Scaling group and ALB switch allows instant rollback by switching back to the original environment. Option A is wrong because it does not minimize downtime and requires manual intervention. Option C is wrong because rolling updates with a single ASG can still cause partial downtime and slower rollback.

Option D is wrong because immutable deployments replace instances, but rollback requires redeployment.

35
Multi-Select · medium

A company is using AWS CodePipeline to automate deployments. They want to add a manual approval step before deploying to production. Which TWO actions are required?

Select 2 answers
A. Create a Lambda function to trigger the approval
B. Add a manual approval action to the pipeline
C. Set up a CloudWatch Events rule to invoke the approval
D. Configure an SNS topic to notify the approver
E. Create an IAM role that allows the approver to perform the approval action
Answers: B, E

The pipeline must include a manual approval stage.

Why this answer

Options B and E are correct. B: The pipeline must be configured with a manual approval action. E: You need an IAM role for the approval action to allow the approver to review.

Option A is wrong because a Lambda function is not required for manual approval. Option C is wrong because CloudWatch Events can be used but is not required. Option D is wrong because SNS is optional for notification, not required.

36
MCQ · easy

A company uses AWS CloudFormation to manage infrastructure. They want to detect drift from the intended template configuration. Which service should they use?

A. AWS Config
B. AWS Service Catalog
C. AWS CloudTrail
D. CloudFormation Drift Detection
Answer: D

CloudFormation Drift Detection directly compares stack resources to the template.

Why this answer

AWS CloudFormation Drift Detection is a native feature that compares the actual resource configuration with the template. Option D is correct. Options A, B, and C are other services but are not specifically for CloudFormation drift detection.

37
Multi-Select · hard

A company runs a containerized application on Amazon ECS with Fargate. They want to improve the security of their container images without slowing down the CI/CD pipeline. Which THREE measures should they implement?

Select 3 answers
A. Use AWS CodePipeline with approval gates for security checks.
B. Require manual vulnerability scanning before each deployment.
C. Encrypt all container images using AWS KMS.
D. Integrate Amazon ECR scanning into the CI/CD pipeline.
E. Implement image signing using AWS Signer.
Answers: A, D, E

Approval gates allow security review without manual scanning.

Why this answer

Correct answers are A, D, and E. Option A provides centralized control and enforcement. Option D catches vulnerabilities before deployment.

Option E ensures only approved images are used. Option B is wrong because manual scanning slows down the pipeline. Option C is wrong because encryption alone doesn't address vulnerabilities.

38
Multi-Select · medium

A company is migrating a legacy application to AWS. The application requires static IP addresses for whitelisting by external partners. The company will use a Network Load Balancer (NLB) to distribute traffic to EC2 instances. Which TWO actions should the company take to provide static IP addresses for the partners to whitelist?

Select 2 answers
A. Attach an Elastic IP to each EC2 instance.
B. Assign Elastic IP addresses to the Network Load Balancer.
C. Configure an Application Load Balancer instead of NLB.
D. Use AWS WAF to allow traffic from the partners' IP ranges.
E. Use AWS Global Accelerator with the NLB as an endpoint.
Answers: B, E

NLB supports Elastic IP per AZ, providing static IPs.

Why this answer

Options B and E are correct because assigning an Elastic IP to the NLB provides static IPs, and using Global Accelerator provides two static IPs. Option C is wrong because replacing the NLB with an ALB does not provide static IPs. Option D is wrong because WAF filters traffic; it doesn't provide static IPs.

Option A is wrong because EIPs cannot be attached to instances behind the NLB directly.

39
Multi-Select · medium

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets are encrypted with AWS KMS and prohibit public access. Which TWO actions should the team take?

Select 2 answers
A. Use AWS Config rules to automatically remediate non-compliant buckets.
B. Enable AWS CloudTrail to monitor and automatically remediate non-compliant buckets.
C. Create an SCP to deny s3:PutObject actions without the x-amz-server-side-encryption header set to aws:kms.
D. Create an S3 bucket policy in each account to enforce encryption and block public access.
E. Create an SCP to deny s3:PutBucketPublicAccessBlock and s3:PutBucketPolicy actions unless encryption is enabled.
Answers: C, E

This SCP enforces KMS encryption for all PutObject requests.

Why this answer

Options C and E are correct. Service control policies (SCPs) can deny actions that do not meet encryption and public access conditions. Option D is wrong because resource-level policies are per bucket.

Option B is wrong because CloudTrail cannot enforce. Option A is wrong because Config rules only detect, not enforce.

40
MCQ · medium

A company runs a batch processing application on AWS. The application reads input files from an S3 bucket, processes them on EC2 instances, and writes results to another S3 bucket. The processing job runs once a day and takes approximately 3 hours. The company wants to reduce costs and operational overhead. The Solutions Architect suggests using AWS Lambda for processing, but the processing time per file can exceed the Lambda maximum execution time of 15 minutes. The architect also considers using AWS Batch. The company wants to minimize the need for infrastructure management. Which solution should the Solutions Architect recommend?

A. Provision a fleet of EC2 instances and use Auto Scaling to manage the processing.
B. Use AWS Lambda with a larger memory allocation to increase CPU and reduce processing time.
C. Use AWS Batch with a managed compute environment that uses Spot Instances and a job queue.
D. Use Amazon ECS with Fargate launch type and run the processing as a task.
Answer: C

AWS Batch manages infrastructure and supports long-running jobs.

Why this answer

Option C is correct because AWS Batch manages the compute environment, automatically scales, and handles long-running jobs without managing EC2 instances directly. Option A is wrong because it requires manual management of EC2 instances. Option B is wrong because Lambda has a 15-minute limit.

Option D is wrong because the Fargate launch type for ECS can run long tasks but requires more setup than AWS Batch for batch jobs.

41
MCQ · medium

A company runs a stateful web application on EC2 instances in an Auto Scaling group. The application uses a shared file system mounted on each instance. The company wants to minimize downtime during deployments. What should they use?

A. Use an in-place update without any hooks.
B. Use a rolling update with a lifecycle hook to gracefully handle connections and unmount the file system before instance termination.
C. Perform a blue/green deployment.
D. Terminate all instances and launch new ones.
Answer: B

Lifecycle hooks allow graceful shutdown.

Why this answer

Option B is correct because a rolling update with a lifecycle hook allows draining connections and unmounting the file system gracefully. Option C is an immutable-style deployment that a stateful application may not support. Options A and D do not minimize downtime.

42
MCQ · medium

A company has an AWS Lambda function that processes files uploaded to an S3 bucket. The Lambda function has been running successfully for months. Recently, the company updated the Lambda function code and started seeing occasional throttling errors (HTTP 429) from the Lambda service. The function's reserved concurrency is set to 100. The company is unsure why throttling is occurring only after the code update. What is the MOST likely cause?

A. The Lambda function is writing logs to CloudWatch Logs at a rate that exceeds the CloudWatch throttling limit.
B. The S3 bucket is receiving more uploads than before, causing more Lambda invocations.
C. The updated Lambda function no longer has the required IAM permissions to access S3, causing retries that throttle.
D. The code update increased the execution time of the Lambda function, leading to a higher number of concurrent executions that exceed the account-level concurrency limit.
Answer: D

Longer execution time means more invocations overlap, increasing concurrency and potentially hitting account limits.

Why this answer

Option D is correct because if the function invocation rate exceeds the account-level concurrency limit (default 1000), throttling occurs. The code update may have increased execution time, causing more concurrent invocations to pile up. Option B is wrong because increasing S3 events would increase invocations, but the reserved concurrency of 100 might still be within account limits.

Option C is wrong because Lambda execution role permissions don't cause throttling errors. Option A is wrong because CloudWatch Logs throttling would cause logs to be dropped, not Lambda throttling.

43
MCQ · easy

A company uses AWS CodePipeline to deploy a web application. They want to automatically roll back the deployment if the new version fails CloudWatch alarm-based health checks. Which feature should they use?

A. AWS Lambda function invoked by CloudWatch Events.
B. Amazon Route 53 health checks with failover routing.
C. AWS CodeBuild with post-build actions.
D. CodeDeploy automatic rollback configuration with CloudWatch alarm.
Answer: D

CodeDeploy supports automatic rollback when a CloudWatch alarm is in ALARM state.

Why this answer

CodeDeploy can be configured to automatically roll back a deployment when a CloudWatch alarm is triggered. This is a native feature. Option D is correct.

Options A, B, and C are not directly applicable: Lambda can be used but is not the primary feature; Route 53 health checks are not integrated with CodeDeploy; CodeBuild is for building, not deploying.

44
MCQ · hard

A company has an S3 bucket that stores critical data. They need to ensure that all objects are encrypted at rest. The bucket policy currently denies uploads if the x-amz-server-side-encryption header is not set to AES256. However, some objects are still stored with SSE-KMS. How can the company enforce SSE-S3 exclusively?

A. Use S3 Lifecycle policies to transition objects to SSE-S3.
B. Enable default encryption on the bucket with SSE-S3.
C. Update the bucket policy to deny uploads with SSE-KMS.
D. Use S3 Object Lambda to change encryption.
Answer: C

Denying SSE-KMS enforces SSE-S3.

Why this answer

Option C is correct because using a bucket policy to deny uploads with SSE-KMS or without encryption ensures only SSE-S3 is allowed. Option D is incorrect because the bucket policy must be updated. Option B is incorrect because default encryption applies to new objects but does not prevent SSE-KMS.

Option A is incorrect because lifecycle rules do not change the encryption of existing objects.

45
MCQ · medium

A company is using Amazon S3 to store critical data and needs to ensure that objects are automatically deleted after 30 days. The current lifecycle policy is configured to expire objects after 30 days, but objects are not being deleted. What is the most likely cause?

A. The bucket has versioning enabled, and lifecycle rules apply only to current versions.
B. The objects are stored in the S3 Glacier Deep Archive storage class.
C. The bucket has S3 Object Lock enabled with a retention period exceeding 30 days.
D. The IAM role used by S3 Lifecycle lacks the s3:DeleteObject permission.
Answer: C

Object Lock prevents object deletion before retention expires.

Why this answer

Option C is correct because S3 Object Lock prevents deletion if a retention period is set. Option A is wrong because versioning does not prevent lifecycle expiration; expired delete markers are removed. Option B is wrong because the storage class does not affect expiration.

Option D is wrong because S3 Lifecycle actions are performed by S3 itself and do not depend on an IAM role.

46
Multi-Select · easy

A company uses Amazon S3 to store critical data. They need to ensure that data is encrypted at rest. Which TWO methods can achieve this?

Select 2 answers
A. Enable SSL/TLS for the S3 bucket
B. Configure a bucket policy to enforce encryption
C. Use client-side encryption
D. Use AWS KMS (SSE-KMS)
E. Use S3-Managed Keys (SSE-S3)
Answers: D, E

SSE-KMS uses AWS KMS for encryption.

Why this answer

Options D and E are correct. D: AWS KMS (SSE-KMS) is a server-side encryption option. E: S3-Managed Keys (SSE-S3) is another server-side encryption option.

Option A is wrong because SSL/TLS encrypts data in transit, not at rest. Option B is wrong because S3 bucket policies do not encrypt data; they control access. Option C is wrong because client-side encryption is not managed by AWS.

47
MCQ · medium

A CloudFormation stack update failed with the above error. What is the likely cause?

A. The S3 bucket does not contain the zip file.
B. The IAM role ARN is incorrect.
C. The timeout value is too high.
D. The runtime is no longer supported by AWS Lambda.
Answer: D

Node.js 14.x is deprecated.

Why this answer

Option D is correct because the error message explicitly states that the runtime 'nodejs14.x' is not supported. Option A is wrong because the S3 bucket is not the issue. Option B is wrong because the role ARN is correct.

Option C is wrong because the timeout is within limits.

48
Multi-Select · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application experiences high request latency during peak traffic. A solutions architect discovers that the ALB is not distributing traffic evenly across the instances. The instances have different sizes (t3.large and t3.xlarge). Which TWO actions should the solutions architect take to improve load distribution?

Select 2 answers
A. Enable connection draining on the target group.
B. Replace all instances with the same instance type.
C. Change the ALB routing algorithm from round robin to least outstanding requests.
D. Enable sticky sessions (session affinity) on the target group.
E. Increase the deregistration delay (connection draining) on the target group to 300 seconds.
Answers: A, C

Connection draining ensures in-flight requests complete before an instance is deregistered, improving reliability during scaling events.

Why this answer

Options A and C are correct. Changing the routing algorithm to least outstanding requests ensures that instances with fewer pending requests receive new traffic, balancing load based on current capacity. Enabling connection draining ensures that in-flight requests complete before an instance is deregistered, preventing abrupt termination.

Option D is wrong because sticky sessions would cause uneven load. Option E is wrong because increasing the deregistration delay helps but doesn't improve distribution. Option B is wrong because using the same instance type does not address the imbalance caused by different sizes; the least outstanding requests algorithm handles that.

49
MCQ · hard

A company has a monolithic application running on a single EC2 instance. The application experiences performance issues during peak hours. The company decides to migrate to a microservices architecture using AWS Lambda and Amazon API Gateway. The migration must be done incrementally without downtime. What strategy should the company use?

A. Deploy all microservices in a new VPC and cut over DNS after testing.
B. Create a new version of the monolith that calls Lambda functions as backend.
C. Use AWS CodeDeploy to perform a blue/green deployment of the monolith to Lambda.
D. Use the strangler fig pattern: implement API Gateway to route traffic to new Lambda functions for specific endpoints while keeping the monolith for others.
Answer: D

Allows incremental migration without downtime.

Why this answer

Option D is correct because the strangler fig pattern allows incremental replacement of functionality by routing specific requests to new microservices via API Gateway while keeping the monolithic application for the rest. Option A is incorrect because a full migration at once risks downtime. Option B is incorrect because the pattern does not require changes to the monolith initially.

Option C is incorrect because a deployment pipeline is not a migration strategy.

50
MCQ · medium

A company is running a batch processing job on an EC2 instance that processes data from an S3 bucket and writes results to another S3 bucket. The job runs once per hour and takes about 20 minutes. The company wants to optimize costs by only paying for compute time when the job is running. Which solution is MOST cost-effective?

A. Convert the batch job into an AWS Lambda function.
B. Purchase a Reserved Instance for the EC2 instance to reduce hourly cost.
C. Use a t3.micro instance and keep it running 24/7 since it's low cost.
D. Use AWS Batch with spot instances to run the job only when needed.
Answer: D

Pay only for compute time, spot reduces cost.

Why this answer

Option D is correct because AWS Batch automatically provisions and terminates EC2 instances based on the job queue, and can use spot instances for cost savings. Option B is wrong because Reserved Instances require a 1-year commitment. Option C is wrong because keeping the instance running incurs costs even when idle.

Option A is wrong because Lambda has a 15-minute timeout limit.

51
Multi-Select · hard

A company runs a critical application on Amazon ECS with Fargate launch type. The application needs to be highly available across multiple Availability Zones. The company wants to implement blue/green deployments to minimize downtime. Which THREE steps should the solutions architect take?

Select 3 answers
A. Store the application artifacts in Amazon ECR and use an ECS service with a single task definition.
B. Use a Network Load Balancer to route traffic to the ECS service.
C. Create two separate ECS task definitions for the blue and green environments.
D. Use AWS CodeDeploy with a blue/green deployment configuration.
E. Configure an Application Load Balancer with a target group for each task set.
Answers: C, D, E

Separate task definitions allow updating one while the other serves traffic.

Why this answer

Options C, D, and E are correct. CodeDeploy with blue/green deployment automates traffic shifting. An Application Load Balancer with a target group per task set routes traffic.

Separate task definitions per environment allow updates without downtime. Option A is wrong because storing artifacts in ECR is for images, not deployment. Option B is wrong because an NLB does not support blue/green deployments with CodeDeploy for ECS.

52
MCQ · easy

A company has a monolithic application running on a single Amazon EC2 instance. The application stores data on an instance store volume. The company wants to improve availability and disaster recovery with minimal architectural changes. What is the MOST cost-effective solution?

A. Replace the instance store volume with an Amazon EBS volume, create an AMI, and use Auto Scaling with an Application Load Balancer.
B. Attach an Amazon EBS volume and configure the application to write to it, then take periodic EBS snapshots.
C. Use AWS Backup to schedule backups of the instance and restore to a new instance if needed.
D. Create an AMI from the instance and launch a second instance in a different Availability Zone behind an Application Load Balancer.
Answer: A

EBS provides persistent storage, and Auto Scaling with ALB improves availability and disaster recovery.

Why this answer

Option A is correct because instance store is ephemeral, and its data is lost when the instance stops or terminates. Replacing the instance store volume with EBS provides persistent storage, and creating an AMI and using Auto Scaling with an Application Load Balancer provides high availability and disaster recovery.

Option B adds cost without solving availability. Option C is wrong because EBS snapshots cannot back up instance store. Option D still uses instance store, which is not persistent.

53
MCQ · medium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. They notice that during a failover, the application experiences a brief outage but then recovers. They want to minimize the failover time. Which action will most effectively reduce the failover time?

A. Disable Multi-AZ to avoid failover altogether.
B. Create a read replica and promote it during failover.
C. Enable Amazon RDS Proxy.
D. Increase the DB instance size to improve performance.
Answer: C

RDS Proxy maintains connections across failovers, reducing downtime.

Why this answer

Option C is correct because enabling Amazon RDS Proxy provides connection pooling and reduces failover time by keeping connections alive. Option B is wrong because read replicas are for read scaling, not for reducing failover time. Option D is wrong because increasing instance size doesn't directly affect failover time.

Option A is wrong because disabling Multi-AZ increases downtime.

54
MCQ · easy

A company is using AWS CloudFormation to manage infrastructure. The security team requires that all CloudFormation stacks include a specific tag (CostCenter). The company wants to enforce this tag automatically. Which method should be used to enforce the tag?

A. Use AWS Service Catalog to enforce mandatory tags on all provisioned products.
B. Use an AWS Config rule to check for the tag and a custom IAM policy to deny stack creation without the tag.
C. Create an AWS Lambda function that checks for the tag and sends alerts.
D. Use AWS Resource Groups to tag resources after stack creation.
Answer: B

Config can detect and IAM policy can prevent non-compliant stack creation.

Why this answer

Option B is correct because an AWS Config rule combined with an IAM policy that denies non-compliant stacks is the most automated enforcement method. Option A is wrong because AWS Service Catalog does not enforce tags on existing stacks. Option C is wrong because Lambda can alert or remediate but cannot prevent non-compliant stacks.

Option D is wrong because tagging at the resource level after creation is not automated enforcement.

55
MCQ · easy

A company is using Amazon DynamoDB as the primary database for a web application. The application experiences occasional throttling on writes. The company wants to implement a solution that automatically increases write capacity during traffic spikes. Which solution should they use?

A. Switch to DynamoDB On-Demand capacity mode.
B. Implement DynamoDB Accelerator (DAX) for caching.
C. Use DynamoDB Global Tables to distribute writes.
D. Enable DynamoDB Auto Scaling for write capacity.
Answer: D

Auto Scaling adjusts capacity based on actual utilization.

Why this answer

Option D is correct because DynamoDB Auto Scaling automatically adjusts write capacity based on utilization. Option C is wrong because Global Tables do not address throttling. Option B is wrong because DAX is a cache, not a scaling solution.

Option A is wrong because On-Demand mode is not automatic scaling based on traffic patterns.

56
MCQ · hard

An e-commerce company runs a customer-facing application on AWS. The application architecture includes an Application Load Balancer (ALB), EC2 instances in an Auto Scaling group, and an Amazon RDS for MySQL Multi-AZ DB instance. The application uses a custom web server that stores session data in a local file system. During peak traffic, users experience session timeouts and errors. The operations team observes that the Auto Scaling group launches new instances and terminates old ones frequently. The team wants to improve the user experience and ensure session persistence. The Solutions Architect proposes to modify the application to store session data in an external store. However, due to a legacy code dependency, the application cannot be modified in the short term. Which solution should the Solutions Architect implement to resolve the session persistence issue without modifying the application?

A.Replace the local file system storage with an Amazon ElastiCache for Redis cluster that is external to the instances.
B.Enable sticky sessions (session affinity) on the ALB and configure the Auto Scaling group to use a lifecycle hook to drain connections before instance termination.
C.Store session data in Amazon DynamoDB and configure the application to use the DynamoDB session handler.
D.Configure the Auto Scaling group to scale down based on memory utilization rather than CPU, to reduce termination frequency.
AnswerB

Sticky sessions route a user to the same instance; a lifecycle hook lets in-flight sessions complete before termination.

Why this answer

Option B is correct because enabling sticky sessions on the ALB ensures that a user's requests are always routed to the same instance, preserving the local session files. Option A is wrong because ElastiCache still requires application code changes to use it. Option C is wrong because DynamoDB also requires code changes.

Option D is wrong because scaling down based on memory does not prevent session loss; it may cause more terminations.

57
Multi-Selectmedium

An e-commerce company runs its application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon Aurora MySQL DB cluster with one writer and two reader instances. During a sales event, the database CPU utilization is high, and read replicas show high replica lag. The company needs to improve the read scalability and reduce replica lag. Which THREE actions should the company take? (Choose THREE.)

Select 3 answers
A.Add more reader instances to the cluster to distribute the read traffic.
B.Enable Multi-AZ for the cluster to improve read availability.
C.Increase the instance size of the writer instance to improve write throughput.
D.Increase the instance size of the reader instances to larger instance types.
E.Enable Aurora Auto Scaling for the reader instances.
AnswersA, D, E

More readers improve read scalability.

Why this answer

Adding more reader instances (Option A) distributes the read workload across additional nodes, reducing the load on each reader and helping to lower replica lag. Aurora Auto Scaling (Option E) automatically adjusts the number of reader instances based on metrics like CPU utilization or replica lag, providing dynamic scaling during traffic spikes. Increasing the instance size of reader instances (Option D) provides more CPU and memory resources to each reader, enabling them to process more read queries and apply changes from the writer faster, which directly reduces replica lag.

Exam trap

The trap here is that candidates may confuse Multi-AZ with read scaling. Multi-AZ in Aurora is for high availability only and does not distribute read traffic; the real solutions are adding more readers, scaling readers up, or using Auto Scaling to handle variable load.

58
Multi-Selecthard

A company is using AWS CodePipeline to automate deployments. The pipeline includes a build stage that compiles code and runs tests. The build stage fails intermittently due to network timeouts when downloading dependencies. Which THREE actions could improve the reliability of the build stage?

Select 3 answers
A.Increase the build timeout to allow more time for downloads.
B.Use CodeBuild local cache to store dependencies across builds.
C.Run the CodeBuild project in a VPC with a NAT gateway to ensure consistent outbound connectivity.
D.Store dependencies in an S3 bucket and configure the build to use cached dependencies.
E.Use a larger compute type for CodeBuild to improve network speed.
AnswersB, C, D

Local cache reduces download frequency.

Why this answer

Options B, C, and D are correct: caching dependencies in S3, using a VPC with a NAT gateway for consistent networking, and using CodeBuild local caching all reduce failures. Option A is wrong because increasing the timeout only delays failure. Option E is wrong because using a larger compute type may not fix network timeouts.

59
MCQmedium

A solutions architect deployed the above CloudFormation template. However, the Lambda function is not triggered when objects are uploaded to the S3 bucket. What is the most likely cause?

A.The BucketNotification resource depends on MyLambdaFunction, but the notification configuration is incorrect.
B.The Lambda function lacks a resource-based policy that allows S3 to invoke it.
C.The Lambda execution role does not have permission to access S3.
D.The Lambda function code does not read the S3 object content.
AnswerB

Without a lambda:InvokeFunction permission granted to the S3 service principal, the trigger will fail.

Why this answer

Option B is correct. The Lambda function's resource-based policy must allow S3 to invoke it. The template does not add any resource-based policy.

Option A is wrong because the bucket notification is configured. Option C is wrong because the execution role only needs to allow CloudWatch Logs for the trigger to work. Option D is wrong because the Lambda function code does not need to read S3 for the trigger to work.

60
MCQmedium

A company uses Amazon S3 to store critical data. They need to ensure that data is automatically replicated to another AWS Region for disaster recovery. Which configuration meets this requirement with minimal operational overhead?

A.Enable S3 Versioning on the source bucket.
B.Use S3 Transfer Acceleration to upload objects to both Regions.
C.Configure an S3 Lifecycle policy to transition objects to S3 Glacier.
D.Enable S3 Cross-Region Replication (CRR) on the source bucket.
AnswerD

CRR automatically replicates objects to a destination bucket in a different Region for disaster recovery.

Why this answer

Option D is correct because S3 Cross-Region Replication (CRR) automatically replicates objects to a destination bucket in a different AWS Region, providing disaster recovery with minimal operational overhead. Option A is wrong because S3 Versioning alone does not replicate data. Option C is wrong because S3 Lifecycle policies manage storage tiers, not replication.

Option B is wrong because S3 Transfer Acceleration speeds up uploads but does not replicate data.

61
Multi-Selecthard

A company uses AWS CodePipeline to deploy a serverless application. They want to automatically test the deployment in a staging environment before promoting to production. Which THREE actions should they include in their pipeline? (Choose THREE.)

Select 3 answers
A.A build stage that packages the application using AWS CodeBuild.
B.A manual approval step before deploying to production.
C.A deploy stage that deploys to production after staging tests pass.
D.A test stage that deploys to a staging environment and runs integration tests.
E.A deploy stage that deploys to a canary environment.
AnswersA, C, D

Building is a necessary first step.

Why this answer

A typical deployment pipeline includes: build the application, run automated tests in a staging environment, and then deploy to production after the staging tests pass. Option A (build) is needed. Option D (test in staging) is needed.

Option C (deploy to production after staging tests pass) is needed. Option B (manual approval to production) is common but not required for automated testing. Option E (deploy to a canary environment) is redundant when the staging deployment is already included in the test stage.

62
MCQhard

A company has a multi-account AWS organization with hundreds of accounts. The security team wants to ensure that all accounts have AWS Config enabled with a specific set of rules. They also want to automatically remediate non-compliant resources. Which solution is MOST scalable and operationally efficient?

A.Use AWS CloudFormation StackSets to deploy Config rules to all accounts.
B.Use AWS Config rules in each account with AWS Lambda functions for remediation.
C.Use AWS Config conformance packs deployed via AWS Organizations with automatic remediation using Systems Manager Automation.
D.Use an AWS Config aggregator in the management account to view compliance across accounts.
AnswerC

Centralized, scalable, automated.

Why this answer

Option C is correct because AWS Config conformance packs can be deployed at the organization level using AWS Organizations, allowing centralized management of rules and automatic remediation with SSM Automation. Option B is wrong because per-account deployment with Lambda remediation doesn't scale. Option A is wrong because CloudFormation StackSets require per-account management.

Option D is wrong because an AWS Config aggregator only aggregates data; it doesn't enforce rules.

63
Multi-Selectmedium

A company is using an AWS Lambda function to process files uploaded to an S3 bucket. The function is written in Python and uses the boto3 library to read the files. Recently, some files have been processed multiple times. Which TWO measures should a solutions architect implement to ensure idempotent processing?

Select 2 answers
A.Use a DynamoDB table to store processed file IDs and check for duplicates before processing.
B.Configure the S3 bucket to send events to an SQS queue and use the Lambda function to poll the queue.
C.Increase the Lambda function timeout to 15 minutes.
D.Configure S3 event notifications to filter by prefix and suffix to avoid triggering multiple times.
E.Enable S3 Transfer Acceleration on the bucket.
AnswersA, D

Idempotency key store prevents duplicate processing.

Why this answer

Options A and D are correct. Using a DynamoDB table to track processed file IDs (A) allows the function to skip duplicates. Configuring S3 event notifications with a prefix and suffix filter (D) reduces the chance of multiple events for the same object.

Option C is wrong because increasing the Lambda timeout doesn't prevent multiple invocations. Option B is wrong because SQS can help but needs deduplication logic as well. Option E is wrong because S3 Transfer Acceleration is for faster uploads, not idempotency.

64
MCQhard

A solutions architect applies the IAM policy shown in the exhibit to an IAM user. The user attempts to upload an object to the S3 bucket 'my-bucket' without specifying the 'x-amz-server-side-encryption' header. What will happen?

A.The upload succeeds because the Allow statement grants the s3:PutObject permission.
B.The upload succeeds because the Deny statement only applies when the header is present but set to a value other than AES256.
C.The upload fails because the Deny statement blocks any PutObject request that does not specify AES256 encryption.
D.The upload fails because the condition is malformed and causes an error.
AnswerC

The Deny statement with StringNotEquals denies the request if the encryption header is not present or is not AES256.

Why this answer

Option C is correct. The Deny statement with StringNotEquals will match because the condition key s3:x-amz-server-side-encryption is not set (or evaluates to a value not equal to AES256). Since the Deny statement applies, the request is denied.

Option A is wrong because the Allow statement requires the condition to be true; if the header is not specified, the condition is not met. Option B is wrong because the Deny statement explicitly denies whenever encryption is not AES256, not only when the header is present. Option D is wrong because the condition is well-formed and is evaluated normally.

65
MCQmedium

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The application is deployed across multiple Availability Zones. The team notices that during a recent traffic spike, some instances were terminated and replaced, causing a temporary drop in performance. How can the team improve the resilience of the application?

A.Purchase Reserved Instances to ensure capacity.
B.Use lifecycle hooks to wait for instance termination.
C.Increase the instance size to handle more traffic.
D.Configure a warm pool for the Auto Scaling group.
AnswerD

Warm pools keep pre-initialized instances ready to replace terminated ones quickly.

Why this answer

Option D is correct because a warm pool allows instances to be pre-initialized and ready to serve traffic quickly when scaling out. Option C is wrong because increasing the instance size does not address the replacement delay. Option A is wrong because purchasing Reserved Instances does not affect scaling speed.

Option B is wrong because lifecycle hooks can delay termination but do not speed up new instance readiness.

66
MCQmedium

A company uses AWS Lambda to process events from an Amazon SQS queue. The Lambda function is invoked with a batch size of 10. Recently, the function started failing with timeout errors when processing large batches. Which solution would improve the reliability of event processing without losing messages?

A.Increase the SQS queue visibility timeout to match the function timeout.
B.Increase the Lambda function reserved concurrency to handle more invocations.
C.Increase the Lambda function timeout to the maximum 15 minutes.
D.Reduce the batch size to a smaller value, such as 5.
AnswerD

Smaller batches reduce processing time per invocation.

Why this answer

Option D is correct because reducing the batch size decreases the processing time per invocation, reducing the chance of a timeout. Option C is wrong because increasing the timeout may not help if the issue is total processing time. Option B is wrong because increasing reserved concurrency does not help with timeouts.

Option A is wrong because the SQS queue setting does not control how many messages each invocation receives; the Lambda event source batch size is the relevant parameter.

67
Multi-Selecthard

A company has a fleet of EC2 instances that process data from an SQS queue. The instances are part of an Auto Scaling group. The team notices that the queue depth is growing, but the Auto Scaling group is not scaling out quickly enough. Which THREE actions should the team take to improve the scaling responsiveness? (Choose three.)

Select 3 answers
A.Use a custom CloudWatch metric for the SQS queue depth to drive scaling.
B.Decrease the AWS CloudWatch metric warm-up time.
C.Reduce the Auto Scaling group cooldown period.
D.Use a step scaling policy instead of a simple scaling policy.
E.Increase the instance size in the launch template.
AnswersA, C, D

Custom metrics can trigger scaling based on actual queue length.

Why this answer

Options A, C, and D are correct. Option A: using a custom metric based on queue depth allows scaling on the actual workload. Option C: reducing the cooldown period allows faster scaling actions.

Option D: using a step scaling policy provides more aggressive scaling when queue depth is high. Option E is wrong because increasing the instance size does not improve scaling speed. Option B is wrong because decreasing a warm-up time for the metric is not a standard Auto Scaling feature.

68
MCQeasy

A company has an Amazon S3 bucket that stores sensitive data. They want to ensure that all objects in the bucket are encrypted at rest. What should they do?

A.Use AWS CloudTrail to monitor for unencrypted objects.
B.Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
C.Enable S3 Versioning to protect objects.
D.Create a bucket policy that denies PutObject if the object is not encrypted.
AnswerB

Default encryption automatically encrypts all new objects.

Why this answer

Option B is correct because enabling default encryption on the bucket ensures all new objects are encrypted. Option D is wrong because a bucket policy can be circumvented. Option A is wrong because CloudTrail only logs.

Option C is wrong because versioning does not enforce encryption.

69
MCQhard

A company uses AWS CodePipeline to deploy a microservices application to Amazon ECS Fargate. The pipeline includes stages for source, build, and deploy. The deploy stage uses an ECS service with a blue/green deployment configuration. After a recent update, the deployment fails with the error: 'The service cannot be deployed because the target group is not in a healthy state.' The target group health checks are configured with path '/health', interval 30 seconds, unhealthy threshold 2. The application health endpoint returns 200 OK. What should the company do to resolve this issue?

A.Redeploy the previous version of the application that passed health checks.
B.Modify the target group health check to use path '/' instead of '/health'.
C.Create a new target group with the correct health check path and update the ECS service.
D.SSH into the Fargate container and restart the application.
AnswerB

A common path ensures both blue and green targets pass health checks during the transition.

Why this answer

Option B is correct because the CodePipeline deploy action uses CodeDeploy for blue/green deployments. The error indicates that the original target group (blue) is not healthy, possibly because the health check path is not valid for the original application version. Adjusting the health check to a common path like '/' allows both versions to pass.

Option D is incorrect because Fargate does not allow SSH. Option A is incorrect because redeploying a previous version won't fix the underlying health check issue. Option C is incorrect because a new target group does not address the root cause.

70
Multi-Selectmedium

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all objects are encrypted at rest. The company currently uses server-side encryption with S3 managed keys (SSE-S3). The team wants to enforce encryption using a customer-managed key (CMK) from AWS KMS. Which TWO actions should the team take?

Select 2 answers
A.Configure a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not set to 'aws:kms'.
B.Enable AWS CloudTrail to audit all PutObject requests.
C.Enable default encryption on the bucket with AWS KMS (SSE-KMS) as the encryption type.
D.Configure a bucket policy that allows PutObject only if the object is encrypted.
E.Disable SSE-S3 on the bucket so that only SSE-KMS can be used.
AnswersA, C

This policy blocks uploads that do not use SSE-KMS.

Why this answer

Options A and C are correct. Option A (a bucket policy denying PutObject without the correct encryption header) enforces encryption at upload time. Option C (default encryption with SSE-KMS) ensures that objects uploaded without encryption headers are encrypted with KMS.

Option D (a bucket policy allowing any encryption) does not enforce KMS. Option E (disable SSE-S3) is not possible; you cannot disable SSE-S3, you can only set the default encryption. Option B (CloudTrail logging) does not enforce encryption.

71
MCQeasy

A company uses Amazon S3 to store sensitive data. The security team requires that all objects be encrypted at rest. The company currently uses server-side encryption with S3-managed keys (SSE-S3). The security team wants to ensure that only authorized users can access the decryption keys. What should the company do?

A.Configure an S3 bucket policy to allow only specific IAM roles to put objects.
B.Continue using SSE-S3 and enable S3 Block Public Access.
C.Use client-side encryption with an AWS KMS key.
D.Change the default encryption to server-side encryption with AWS KMS (SSE-KMS) and apply IAM policies to control key usage.
AnswerD

SSE-KMS allows key management and access control via IAM.

Why this answer

Option D is correct because SSE-KMS provides centralized key management and access control. Option B is wrong because SSE-S3 keys are managed by AWS, not the customer. Option C is wrong because client-side encryption does not use S3 server-side encryption.

Option A is wrong because bucket policies control access to objects, not to encryption keys.

72
MCQmedium

A social media startup uses AWS Lambda functions to process user-uploaded images. The Lambda function resizes images and stores them in Amazon S3. The function uses the S3 SDK to put objects. Recently, the team noticed that the function sometimes fails with 'Timeout' errors for large images. The Lambda function has a timeout of 5 seconds and 256 MB of memory. The team wants to improve the solution to handle larger images reliably and cost-effectively. Which solution should the team implement?

A.Migrate the image processing to a dedicated Amazon EC2 instance with an EBS volume.
B.Increase the Lambda function's timeout to 15 minutes and allocate more memory (e.g., 1024 MB).
C.Use Amazon API Gateway with a larger payload limit to offload the image processing.
D.Use AWS Elastic Transcoder to resize images instead of Lambda.
AnswerB

More memory and timeout allow processing larger images within Lambda limits.

Why this answer

Option B (increase memory and timeout) directly addresses the issue of processing large images. Option D (Elastic Transcoder) is for video. Option A (EC2 with EBS) is overkill and not serverless.

Option C (API Gateway with a larger payload) does not solve the Lambda processing limit.

73
Multi-Selectmedium

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all objects uploaded to specific S3 buckets are encrypted at rest. Which TWO actions should they take? (Choose 2)

Select 2 answers
A.Use a bucket policy that denies PutObject without the x-amz-server-side-encryption header.
B.Configure default encryption on the S3 buckets to use SSE-S3 or SSE-KMS.
C.Enable S3 Cross-Region Replication.
D.Enable S3 Versioning on the buckets.
E.Enable S3 Server Access Logs.
AnswersA, B

Denies uploads without encryption.

Why this answer

Options A and B are correct. A enforces encryption at upload time, and B provides default server-side encryption. D (versioning) does not enforce encryption, E is about access logging, and C is about replication.

74
MCQhard

A company runs a real-time analytics platform on Amazon Kinesis Data Streams with multiple consumers. The stream is provisioned with 10 shards. One consumer is falling behind, causing data latency. The consumer reads data using the Kinesis Client Library (KCL). Which action will improve the consumer's processing throughput?

A.Decrease the batch size in the KCL configuration.
B.Increase the number of shards in the Kinesis stream.
C.Increase the Kinesis stream's retention period to 7 days.
D.Increase the number of EC2 instances running the consumer application.
AnswerD

More workers allow parallel processing of shards.

Why this answer

Option D is correct because KCL distributes shard processing across workers; adding more workers allows parallel processing. Option A is wrong because it does not reduce per-shard load. Option C is wrong because it does not help shard distribution.

Option B is wrong because it increases the shard count but still requires more workers to process the additional shards.

75
MCQeasy

A company uses Amazon RDS for MySQL with Multi-AZ. The operations team notices that during a failover, the application experiences errors for about 2 minutes. The application uses a JDBC connection pool. Which solution should the team implement to reduce the failover impact?

A.Use Amazon CloudWatch Events to trigger a Lambda function that restarts the application.
B.Use Amazon RDS Proxy to manage database connections.
C.Configure the JDBC connection string with a timeout and implement automatic retry logic.
D.Increase the TTL for the RDS DNS record to 60 seconds.
AnswerC

Retry logic allows the application to reconnect after failover.

Why this answer

Option C is correct because using a JDBC connection string with a timeout and retry logic allows the application to reconnect after failover. Option B is wrong because RDS Proxy does not eliminate the need for application retry logic. Option D is wrong because increasing the TTL does not affect the connection timeout.

Option A is wrong because a Lambda function does not directly improve failover recovery.
