CCNA Design for New Solutions Questions

75 of 514 questions · Page 1/7 · Design for New Solutions · Answers revealed

1
MCQ · medium

A company is designing a real-time analytics pipeline to process streaming data from IoT devices. The solution must be serverless and handle data transformation before storage. Which combination of services is most cost-effective?

A. Amazon Kinesis Data Streams, AWS Lambda, and Amazon Kinesis Data Firehose to Amazon S3
B. Amazon Kinesis Data Streams, Amazon EC2 instances for transformation, and Amazon S3
C. Amazon Simple Queue Service (SQS), AWS Lambda, and Amazon S3
D. Amazon Kinesis Data Analytics for real-time SQL and Amazon S3
Answer: A

Serverless, cost-effective for streaming transformation.

Why this answer

Option A is correct because Kinesis Data Streams ingests the data, Lambda transforms it, and Firehose delivers it to S3. Option D (Kinesis Data Analytics) is for SQL analytics, not transformation. Option B (Kinesis Data Streams to EC2) is not serverless.

Option C (SQS to Lambda to S3) misses streaming ingestion.

2
MCQ · medium

A company is designing a new microservices architecture using Amazon ECS with Fargate. Each service must be isolated within its own VPC and communicate via AWS PrivateLink. The company expects variable traffic and wants to minimize costs. Which solution meets these requirements?

A. Use separate VPCs and connect them via VPC peering with NAT gateways.
B. Deploy all services in a single VPC with security groups to isolate traffic.
C. Use separate VPCs per service and create VPC endpoint services for each.
D. Use a single VPC with Transit Gateway to route between services.
Answer: C

VPC endpoints provide isolated, private connectivity without extra cost.

Why this answer

Option C is correct because using VPC endpoint services per service provides isolated connectivity without internet gateways or NAT gateways, reducing costs. Option B is wrong because a shared VPC compromises isolation. Option A is wrong because NAT gateways incur costs and are not needed for PrivateLink.

Option D is wrong because Transit Gateway adds cost and complexity.

3
Multi-Select · medium

A company wants to implement a cost-effective disaster recovery strategy for a production Amazon RDS for PostgreSQL database. The solution must provide a recovery point objective (RPO) of less than 5 minutes and a recovery time objective (RTO) of less than 15 minutes. Which strategies meet these requirements? (Choose THREE.)

Select 3 answers
A. Enable automated backups with point-in-time recovery.
B. Deploy the database in a Multi-AZ configuration.
C. Take manual snapshots and copy them to another Region.
D. Use AWS Database Migration Service (DMS) for continuous replication to a target in another Region.
E. Create a cross-Region read replica in a different Region.
Answers: B, C, E

Multi-AZ provides automatic failover to a standby in another AZ, meeting RTO <1 minute, but does not protect against region failure.

Why this answer

Option B is correct because a Multi-AZ deployment for Amazon RDS provides automatic failover to a standby instance in a different Availability Zone, which can achieve an RTO of typically 1-2 minutes and an RPO of effectively zero (synchronous replication). This meets the sub-5-minute RPO and sub-15-minute RTO requirements without additional cost for cross-region data transfer.

Exam trap

The trap here is that candidates often confuse cross-Region read replicas (asynchronous, higher RPO/RTO) with Multi-AZ (synchronous, low RPO/RTO), or assume manual snapshots can meet sub-5-minute RPO, but snapshot frequency is typically hours or daily, not minutes.

4
MCQ · easy

A company is designing a new microservices-based application on AWS. They need to decouple services and ensure asynchronous communication. Which AWS service should they use?

A. Amazon Kinesis
B. Amazon SQS
C. AWS Lambda
D. Amazon SNS
Answer: B

SQS provides a message queue that decouples services.

Why this answer

Amazon SQS is a fully managed message queuing service that enables decoupling of application components. Option D (Amazon SNS) is for pub/sub messaging, Option A (Amazon Kinesis) is for real-time streaming, and Option C (AWS Lambda) is for serverless compute.

5
MCQ · easy

A company is designing a new CI/CD pipeline for a web application that will be deployed on Amazon ECS. Which AWS service should the company use to build and test the application code?

A. AWS CodePipeline
B. AWS CodeDeploy
C. AWS CodeCommit
D. AWS CodeBuild
Answer: D

CodeBuild is a managed build service for compiling and testing code.

Why this answer

Option D is correct because AWS CodeBuild is a fully managed build service. Option C is wrong because CodeCommit is a source control service. Option B is wrong because CodeDeploy is a deployment service.

Option A is wrong because CodePipeline is a continuous delivery service.

6
MCQ · hard

A company is building a serverless application using AWS Lambda. The function needs to access a private Amazon RDS MySQL database. The Lambda function and the RDS instance are in the same VPC. What is the correct way to configure the Lambda function to connect to the database?

A. Configure the Lambda function to run in the same VPC, subnets, and security group as the RDS instance.
B. Use a NAT Gateway to allow Lambda to access RDS through the internet.
C. Assign an IAM role that allows Lambda to access RDS and configure the security group to allow traffic from the Lambda service.
D. Attach an Elastic Network Interface (ENI) to the Lambda function in the same subnet as the RDS instance.
Answer: A

This allows Lambda to connect to RDS over the network. The security group must allow inbound from Lambda's security group.

Why this answer

Option A is correct because Lambda functions in a VPC must be configured with the same VPC, subnets, and security group as the RDS instance to establish direct network connectivity. By placing the Lambda function in the same security group, you can allow inbound traffic from the security group itself (self-referencing rule) or explicitly open the database port (e.g., 3306 for MySQL) to the Lambda's security group. This ensures traffic stays within the VPC and does not traverse the internet, meeting security and latency requirements.

Exam trap

The trap here is that candidates often assume IAM roles or NAT Gateways provide network access, but AWS Lambda requires explicit VPC configuration with subnets and security groups to route traffic to private resources like RDS within the same VPC.

How to eliminate wrong answers

Option B is wrong because a NAT Gateway is used to allow outbound internet access from a private subnet, not to enable Lambda to connect to RDS within the same VPC; using a NAT Gateway would route traffic through the internet, which is unnecessary and insecure for private database access. Option C is wrong because an IAM role alone does not provide network connectivity; Lambda still needs to be attached to the VPC via an ENI, and security group rules must explicitly allow traffic from the Lambda function's ENI, not from the Lambda service itself. Option D is wrong because Lambda automatically creates and attaches an ENI when configured with VPC settings; you cannot manually attach an ENI to a Lambda function, and the ENI is placed in the specified subnets, not directly attached as a separate step.

7
MCQ · easy

A company is migrating a monolithic application to a microservices architecture on AWS. They want to decouple the services and ensure that messages between services are processed asynchronously and durably. Which AWS service should they use for this purpose?

A. Amazon Kinesis Data Streams
B. Amazon Simple Queue Service (SQS)
C. Amazon Simple Notification Service (SNS)
D. AWS Step Functions
Answer: B

SQS is a fully managed message queue for decoupling and asynchronous processing.

Why this answer

Option B is correct because Amazon SQS provides a fully managed message queue for asynchronous communication between microservices. Option C is incorrect because Amazon SNS is a pub/sub service, not a queue. Option A is incorrect because Amazon Kinesis is for real-time streaming.

Option D is incorrect because AWS Step Functions is for orchestrating workflows.

8
MCQ · hard

A solutions architect is reviewing the above IAM policy attached to an S3 bucket. A user from IP address 10.0.1.5 makes a request over HTTP (not HTTPS). Will the user be able to download an object?

A. No, because the IP address is not in the allowed range.
B. Yes, because the IP address is allowed.
C. No, because the request is not using HTTPS.
D. Yes, because the Allow statement is evaluated first.
Answer: C

The Deny statement blocks non-HTTPS requests.

Why this answer

The Deny statement with aws:SecureTransport=false explicitly denies requests that are not using HTTPS. Even though the Allow statement permits the IP range, the Deny overrides it. Therefore, the request is denied.

9
MCQ · medium

A company is migrating a monolithic application to microservices on Amazon ECS. The application needs to communicate with external partners via HTTPS. The company wants to use mTLS for mutual authentication. Which AWS service should be used to handle the mTLS termination?

A. Application Load Balancer (ALB) with mutual TLS
B. Amazon CloudFront with a custom origin
C. Network Load Balancer (NLB) with TLS termination
D. Amazon API Gateway HTTP API
Answer: A

ALB supports mTLS for mutual authentication.

Why this answer

Option A is correct because Application Load Balancer supports mTLS authentication. Option B is incorrect because CloudFront does not natively support mTLS. Option C is incorrect because Network Load Balancer does not support mTLS.

Option D is incorrect because API Gateway supports mTLS only in REST API mode, not HTTP API, and is less suitable for ECS.

10
Multi-Select · hard

A company is designing a new application that will process streaming data from thousands of IoT devices. The data must be ingested in real time and then processed using Apache Flink. Which services should be used? (Choose TWO.)

Select 2 answers
A. Amazon Kinesis Data Streams
B. AWS Lambda
C. Amazon Kinesis Data Analytics for Apache Flink
D. Amazon Kinesis Data Firehose
E. Amazon Simple Queue Service (SQS)
Answers: A, C

Kinesis Data Streams is designed for real-time data ingestion.

Why this answer

Amazon Kinesis Data Streams is the correct ingestion service because it provides a durable, scalable, real-time data streaming platform that can handle the high throughput from thousands of IoT devices. It stores data in shards for up to 365 days, enabling Apache Flink to consume and process the data with exactly-once semantics and low latency.

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose with Kinesis Data Streams, not realizing that Firehose is a delivery service that does not support Apache Flink's requirement for per-record replay and checkpointing, while Data Streams provides the necessary persistent, ordered stream.

11
MCQ · medium

A solutions architect is troubleshooting an issue where an EC2 instance cannot connect to the internet. The output of the describe-instances CLI command is shown in the exhibit. The instance is in a VPC with a public subnet that has a route table with a default route pointing to an internet gateway. The security group allows outbound traffic to 0.0.0.0/0. What is the MOST likely cause of the problem?

A. The subnet's route table does not have a route to the internet gateway.
B. The instance does not have a public IP address.
C. The instance is not in a running state.
D. The security group is blocking outbound traffic.
Answer: A

Even with a public IP, the subnet must have a route to the internet gateway.

Why this answer

Option A is correct. The instance has a public IP (54.123.45.67), so it should be able to reach the internet. However, if the subnet does not have a route to the internet gateway, the instance cannot connect.

Option B is wrong because the instance has a public IP. Option D is wrong because the security group allows outbound traffic. Option C is wrong because the instance state is running.

12
MCQ · medium

Refer to the exhibit. A company has an IAM policy that allows s3:GetObject on all objects in 'my-bucket' but denies access to objects in the 'confidential' folder. A user tries to access 's3://my-bucket/confidential/report.pdf'. What will happen?

A. Access is denied because the Deny statement explicitly matches the resource.
B. Access is allowed because the Deny statement is not evaluated.
C. Access is denied only if the user is not authorized by other policies.
D. Access is allowed because the Allow statement is broader.
Answer: A

An explicit Deny always overrides an Allow.

Why this answer

Option A is correct because an explicit Deny overrides any Allow. The user will be denied access. Option B is wrong because the Deny is always evaluated and takes precedence.

Option C is wrong because the Deny is explicit and does not depend on other policies. Option D is wrong because the Deny takes precedence regardless of how broad the Allow is.

13
Multi-Select · medium

A company is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. The company wants to implement service discovery and load balancing at the application layer. Which TWO services should the company use?

Select 2 answers
A. Amazon API Gateway
B. Network Load Balancer (NLB)
C. AWS Cloud Map
D. Application Load Balancer (ALB)
E. Amazon Route 53
Answers: C, D

Cloud Map provides service discovery for dynamic resources.

Why this answer

AWS Cloud Map provides service discovery, and Application Load Balancer provides application-layer load balancing. Option B (NLB) is layer 4. Option E (Route 53) is for DNS.

Option A (API Gateway) is for API management.

14
MCQ · medium

A company is designing a new container-based application using Amazon EKS. The application requires persistent storage for stateful workloads, such as databases. The storage must be highly available and durable across multiple Availability Zones. Which storage solution should be used?

A. Use Amazon EBS volumes with the EBS CSI driver.
B. Use Amazon FSx for Lustre as a shared file system.
C. Use Amazon EFS with the EFS CSI driver.
D. Use Amazon S3 with the S3 CSI driver.
Answer: C

EFS is a regional, highly available file system that can be mounted by containers across AZs.

Why this answer

Amazon EFS provides a fully managed, elastic NFS file system that is accessible from multiple Amazon EKS worker nodes across different Availability Zones simultaneously. The EFS CSI driver enables Kubernetes pods to mount EFS as a persistent volume, delivering the required high availability and durability for stateful workloads like databases without single-AZ dependency.

Exam trap

The trap here is that candidates often confuse EBS's single-AZ attachment with multi-AZ availability, or mistakenly think S3's CSI driver provides file-level access, when in fact EFS is the only AWS managed file system that natively supports multi-AZ access and the Kubernetes CSI standard for stateful workloads.

How to eliminate wrong answers

Option A is wrong because Amazon EBS volumes are bound to a single Availability Zone and cannot be shared across multiple AZs, making them unsuitable for multi-AZ highly available storage. Option B is wrong because Amazon FSx for Lustre is optimized for high-performance computing and large-scale data processing, not for general-purpose persistent storage for databases, and it lacks native integration with Kubernetes CSI for stateful workloads. Option D is wrong because Amazon S3 is an object storage service, not a file system; it does not support standard file system semantics like POSIX locks or concurrent read/write from multiple pods, and the S3 CSI driver is not an official or widely supported solution for persistent volume claims in EKS.

15
MCQ · medium

A company is designing a new application that requires a relational database with automated backups and multi-AZ redundancy. The database workload is predictable with occasional read replicas for reporting. Which AWS service should be used?

A. Amazon RDS
B. Amazon Redshift
C. Amazon DynamoDB
D. Amazon ElastiCache
Answer: A

RDS provides managed relational databases with multi-AZ and backups.

Why this answer

Option A is correct because Amazon RDS offers managed relational databases with automated backups and multi-AZ deployments. Option C is wrong because DynamoDB is NoSQL, not relational. Option B is wrong because Redshift is a data warehouse.

Option D is wrong because ElastiCache is for caching.

16
MCQ · medium

A company is building a new serverless application using AWS Lambda functions. The application processes images uploaded to an Amazon S3 bucket. Each image triggers a Lambda function that resizes the image and stores the result in another S3 bucket. The company expects a high volume of uploads, up to 10,000 images per minute. The current Lambda function is configured with a timeout of 5 minutes and 1024 MB of memory. During testing, the Lambda function times out for large images. What should the company do to ensure the function can process large images without timing out?

A. Increase the Lambda function timeout to 15 minutes.
B. Use Amazon SQS to decouple the S3 event and Lambda invocation, allowing Lambda to pull messages in batches.
C. Migrate the image processing to Amazon ECS on Fargate with a long-running task.
D. Increase the Lambda function memory to 3008 MB to get more CPU and network throughput.
Answer: D

More memory allocates more vCPU, speeding up image processing.

Why this answer

Option D is correct because increasing Lambda memory also increases CPU and network throughput, which can speed up processing and reduce the chance of a timeout. Option A: increasing the timeout may not help if the function is CPU-bound; also, the maximum timeout is 15 minutes. Option C: Lambda is not ideal for long-running tasks, but moving to ECS would require significant rework.

Option B: SQS does not help with processing speed; it only decouples invocation.

17
Multi-Select · medium

A company is designing a disaster recovery strategy for a production database running on Amazon RDS for MySQL. The RTO is 15 minutes and RPO is 1 hour. Which TWO solutions meet these requirements? (Choose two.)

Select 2 answers
A. Export the database to Amazon S3 using AWS DMS and import in another Region
B. Deploy Multi-AZ RDS instance and enable automatic failover
C. Use automated backups with point-in-time recovery in the same Region
D. Take manual snapshots every hour and restore in another Region
E. Create a cross-Region read replica and promote it during disaster
Answers: B, E

Multi-AZ provides synchronous replication, RPO ~seconds, RTO ~minutes.

Why this answer

Multi-AZ with automatic failover provides an RTO of minutes and an RPO of seconds, meeting the requirements. A cross-Region read replica with promotion provides an RPO of seconds and an RTO of minutes (promotion time). Option D (manual snapshots every hour) has RPO > 1 hour and RTO > 15 minutes.

Option A (export to S3) has a high RTO. Option C (automated backups with point-in-time recovery) has a high RTO.

18
MCQ · hard

A company is designing a new web application that will be deployed on Amazon ECS with Fargate. The application must scale based on the number of requests per container. The company wants to use a service that can automatically adjust the number of tasks based on a custom metric. Which solution should the company use?

A. Configure an ECS Service Auto Scaling policy with a target tracking scaling policy based on a custom CloudWatch metric.
B. Configure Amazon DynamoDB auto scaling to adjust the read capacity based on the request count.
C. Use Application Auto Scaling to register the ECS service and create a step scaling policy.
D. Use the AWS Auto Scaling console to create a scaling plan that includes the ECS service.
Answer: A

ECS Service Auto Scaling supports target tracking for custom metrics.

Why this answer

Option A is correct because ECS Service Auto Scaling can use target tracking with a custom CloudWatch metric. Option B is wrong because DynamoDB auto scaling is for tables. Option C is wrong because Application Auto Scaling is the underlying service, but the question asks for the specific solution; ECS Service Auto Scaling is the direct feature.

Option D is wrong because AWS Auto Scaling is a broader console feature, but the scaling policy is applied via ECS Service Auto Scaling.

19
MCQ · hard

A company is designing a new application that will use Amazon DynamoDB as its primary database. The application has two access patterns: one requires strongly consistent reads, and the other requires eventually consistent reads. The company wants to minimize costs while meeting the read consistency requirements. How should the company configure DynamoDB reads?

A. Use strongly consistent reads for all read requests to ensure data accuracy.
B. Use DynamoDB Accelerator (DAX) to cache reads and achieve strong consistency.
C. Use DynamoDB global tables with strongly consistent reads enabled.
D. Use strongly consistent reads for the pattern that requires it, and eventually consistent reads for the other pattern.
Answer: D

Optimizes cost by using the cheaper eventually consistent reads when acceptable.

Why this answer

Option D is correct because DynamoDB offers both strongly consistent and eventually consistent reads. Eventually consistent reads cost half as much as strongly consistent reads. The application should use strongly consistent reads only when needed.

Option A is wrong because using strongly consistent reads for all patterns is more expensive. Option B is wrong because DynamoDB Accelerator (DAX) is for caching, not for consistency. Option C is wrong because there is no table-level setting for this; read consistency is chosen per request.

20
MCQ · medium

A company is migrating a legacy monolithic application to AWS. The application currently uses a shared filesystem for storing user-uploaded documents. The company wants to decouple storage and compute, ensure high durability, and minimize operational overhead. Which AWS service should the company use to replace the shared filesystem?

A. Amazon EBS
B. Amazon EFS
C. Amazon S3
D. Amazon FSx for Windows File Server
Answer: C

Amazon S3 provides scalable, durable object storage suitable for user-uploaded documents.

Why this answer

Amazon S3 is the correct choice because it provides a highly durable (99.999999999% durability), scalable, and fully managed object storage service that decouples storage from compute. Unlike a shared filesystem, S3 allows multiple compute instances (e.g., EC2, Lambda) to access the same documents via HTTP/HTTPS APIs without needing a mounted filesystem, minimizing operational overhead. It also supports features like versioning, lifecycle policies, and cross-region replication, making it ideal for user-uploaded documents in a migration scenario.

Exam trap

The trap here is that candidates often confuse shared filesystem requirements with network-attached storage (NAS) services like EFS or FSx, overlooking that object storage (S3) is the most durable, scalable, and operationally lightweight option for user-uploaded documents when compute and storage need to be decoupled.

How to eliminate wrong answers

Option A is wrong because Amazon EBS provides block-level storage that must be attached to a single EC2 instance at a time (or shared via multi-attach with specific constraints), making it unsuitable as a shared filesystem for multiple compute instances and not decoupling storage from compute. Option B is wrong because Amazon EFS is a managed NFS filesystem that, while shared, still requires compute instances to mount it and incurs operational overhead for managing file-level access, and it does not offer the same level of durability (99.999999999% vs 99.999999999% for S3) or cost efficiency for large-scale document storage. Option D is wrong because Amazon FSx for Windows File Server provides a fully managed Windows file server using the SMB protocol, which introduces licensing costs and operational complexity, and is not designed for the high durability and decoupling benefits of object storage for user-uploaded documents.

21
MCQ · hard

A company is designing a microservices architecture on ECS with Fargate. Services need to communicate securely within a VPC and be accessible from the internet via an Application Load Balancer. The solution must minimize operational overhead. Which networking configuration should be used?

A. Services in private subnets with a NAT Gateway and an ALB in public subnets.
B. Services in private subnets with a VPC endpoint and an NLB.
C. Services in a single public subnet with an ALB.
D. Services in public subnets with Internet Gateways and an ALB.
Answer: A

Private subnets provide isolation, NAT for outbound, ALB for inbound.

Why this answer

Option A is correct because placing services in private subnets with a NAT Gateway and an ALB in public subnets provides secure internal communication and internet access. Option D is wrong because public subnets expose services directly. Option B is wrong because an NLB is for TCP, not HTTP.

Option C is wrong because a single public subnet lacks redundancy.

22
MCQ · easy

A company is designing a new microservices architecture on Amazon ECS with Fargate. Each microservice must be isolated and able to communicate with others only through defined APIs. Which solution provides the BEST isolation and security?

A. Use AWS App Mesh with Envoy sidecars to control traffic between services.
B. Place all microservices in the same security group and allow all traffic.
C. Use an Application Load Balancer per microservice with listener rules.
D. Use VPC peering between each microservice's VPC.
Answer: A

App Mesh provides service-level security and observability.

Why this answer

Using a service mesh like App Mesh (option A) provides fine-grained traffic control and security between microservices. Option B (same security group, all traffic allowed) is too permissive. Option C (ALB per service) adds complexity.

Option D (VPC peering) operates at the VPC level, not the service level.

23
Multi-Select · easy

A company is designing a new VPC with public and private subnets. The company wants to ensure that instances in the private subnets can download updates from the internet, but cannot be directly accessed from the internet. Which THREE components are required to meet these requirements? (Choose THREE.)

Select 3 answers
A. A route table for private subnets with a default route pointing to the NAT Gateway.
B. An Internet Gateway attached to the VPC.
C. A Virtual Private Gateway (VGW).
D. A NAT Gateway in a public subnet.
E. A VPC endpoint for S3.
Answers: A, B, D

This route ensures that outbound traffic from private subnets is directed to the NAT Gateway.

Why this answer

The correct answers are A, B, and D. Option B is correct because an Internet Gateway allows outbound traffic to the internet. Option D is correct because a NAT Gateway provides outbound internet access to instances in private subnets.

Option A is correct because the route table for private subnets must have a default route pointing to the NAT Gateway. Option C is wrong because a Virtual Private Gateway is used for VPN connections, not internet access. Option E is wrong because VPC endpoints are for private access to AWS services, not for internet access.

24
MCQ · easy

A company is designing a new web application that will be accessed by users worldwide. The application will serve static content (HTML, CSS, images) and dynamic API responses. The company wants to minimize latency for all users. Which combination of AWS services should the company use?

A. Amazon Route 53 and Amazon S3
B. Amazon CloudFront and Amazon API Gateway
C. Amazon S3 and Amazon CloudFront
D. Application Load Balancer (ALB) and Amazon CloudFront
Answer: B

CloudFront provides edge caching for static content and can route API requests to API Gateway, reducing latency.

Why this answer

Amazon CloudFront is a CDN that serves static content from edge locations, and Amazon API Gateway can host the API and integrate with CloudFront. Option A is wrong because Route 53 is DNS only and S3 alone does not provide a CDN. Option C is wrong because S3 with CloudFront covers only the static content, not the dynamic API responses.

Option D is wrong because ALB is regional.

25
MCQ · hard

A company is designing a new real-time analytics platform that ingests data from thousands of IoT devices. The devices send JSON messages every second to an AWS IoT Core topic. The messages must be processed and stored in Amazon S3 for long-term analysis. The processing includes enrichment by calling a third-party API to add location data. The company expects the workload to vary significantly, with peak traffic of 100,000 messages per second. The solution must be cost-effective and minimize operational overhead. The current architecture uses a Lambda function subscribed to the IoT topic, which processes each message and writes to S3. However, during initial testing, the Lambda function frequently times out due to the third-party API latency, causing message loss. What should the company do to resolve this issue while meeting all requirements?

A. Increase the Lambda function timeout to 15 minutes and memory to 10240 MB
B. Use Amazon Kinesis Data Firehose to buffer data and write to S3, then trigger a Lambda function to enrich data asynchronously
C. Enable Provisioned Concurrency on the Lambda function to reduce cold starts
D. Configure the IoT rule to write messages to an Amazon SQS queue. Then use a Lambda function with reserved concurrency to poll the queue and process messages at a controlled rate
Answer: D

SQS decouples ingestion from processing, preventing message loss, and reserved concurrency ensures consistent performance.

Why this answer

Option D is correct because decoupling the ingestion from the processing using an SQS queue allows the Lambda function to poll messages at a controlled rate, preventing timeouts from third-party API latency. The SQS queue acts as a buffer, absorbing traffic spikes of up to 100,000 messages per second, and Lambda can process messages asynchronously without loss. This approach is cost-effective and minimizes operational overhead by leveraging managed services.

Exam trap

The trap here is that candidates may think Kinesis Data Firehose is the best choice for buffering and enrichment, but they overlook that Firehose does not support real-time enrichment via Lambda before writing to S3; it only supports transformation with a Lambda function that has a limited timeout (60 seconds) and cannot handle asynchronous API calls reliably.

How to eliminate wrong answers

Option A is wrong because increasing the Lambda timeout to 15 minutes and memory to 10240 MB does not resolve the underlying issue of third-party API latency; it only delays the timeout, and Lambda has a maximum execution time of 15 minutes, but the function may still fail if the API is slow, and high memory increases cost without solving the buffering problem. Option B is wrong because Kinesis Data Firehose writes directly to S3, but triggering a Lambda function asynchronously from S3 events would not enrich data before storage; the enrichment would need to happen after the data is already in S3, which does not meet the requirement to enrich before storage and could lead to duplicate processing or data loss. Option C is wrong because Provisioned Concurrency reduces cold starts but does not address the timeout issue caused by third-party API latency; the function would still time out if the API is slow, and it does not provide buffering for traffic spikes.

26
MCQ · medium

A company is designing a containerized microservices architecture on Amazon ECS. The services must be able to discover each other using DNS names. Which AWS service should the company use for service discovery?

A. AWS Cloud Map
B. Amazon Route 53 Resolver
C. Elastic Load Balancing (ELB)
D. Amazon Elastic Container Registry (ECR)
Answer: A

Cloud Map provides DNS-based service discovery for microservices.

Why this answer

AWS Cloud Map is the correct choice because it provides a fully managed service discovery solution that integrates natively with Amazon ECS. It allows microservices to register their DNS names and health checks, enabling other services to discover them via DNS queries or API calls. This directly supports the requirement for containerized services to find each other using DNS names within an ECS cluster.

Exam trap

The trap here is confusing a load balancer (ELB) with service discovery; candidates often think ELB provides DNS-based discovery, but it only routes traffic to a group of targets, not per-instance DNS names for dynamic microservice-to-microservice communication.

How to eliminate wrong answers

Option B (Amazon Route 53 Resolver) is wrong because it is the DNS resolver for a VPC; its inbound and outbound endpoints extend resolution to on-premises networks, but it neither registers nor health-checks service instances. Option C (Elastic Load Balancing) is wrong because it distributes traffic to a target group behind one DNS name; it does not expose per-instance names for dynamic service-to-service discovery. Option D (Amazon Elastic Container Registry) is wrong because it stores container images and plays no part in DNS resolution or instance registration.

27
MCQhard

Refer to the exhibit. A CloudFormation template creates an S3 bucket with versioning and a public bucket policy. After deployment, users can access objects in the bucket via the internet. However, the security team requires that all access be logged. What is missing from this configuration?

A.The bucket is not encrypted.
B.The bucket policy does not restrict access to a specific IP range.
C.Bucket versioning is not enabled.
D.No logging configuration is specified.
AnswerD

Logging is needed for audit.

Why this answer

Option D is correct. The template enables versioning and a public bucket policy but configures neither S3 server access logging (a LoggingConfiguration with a target bucket) nor a CloudTrail trail with S3 data events, so there is no record of who read which object. Server access logs are delivered on a best-effort basis with some delay; CloudTrail data events record each request with the calling identity, so security teams usually want both. Option A is wrong as the answer to this question because encryption produces no audit trail (and new S3 objects are encrypted with SSE-S3 by default), although it is a sensible addition. Option B is wrong because the bucket is intentionally public; an IP restriction would change the access model, not satisfy the logging requirement.

Option C is wrong because the question states that versioning is enabled.

28
MCQmedium

A company is designing a new CI/CD pipeline for a containerized application using AWS CodePipeline. The application source code is stored in an Amazon S3 bucket. The pipeline must automatically build a Docker image from the source code and push it to Amazon ECR. Which action should be used as the build provider?

A.AWS CodeDeploy
B.AWS CodeCommit
C.Amazon ECS
D.AWS CodeBuild
AnswerD

AWS CodeBuild is a fully managed build service that can compile source code, run tests, and produce software packages, including Docker images, which it can push to ECR.

Why this answer

Option D is correct because AWS CodeBuild can run docker build and docker push from a buildspec and deliver the image to ECR. Two practical requirements: the CodeBuild project needs privileged mode enabled so the build container can run the Docker daemon, and its service role needs ECR permissions (ecr:GetAuthorizationToken plus push permissions on the repository). Option B is wrong because AWS CodeCommit is a source control service, not a build provider. Option C is wrong because Amazon ECS orchestrates running containers; it does not build images.

Option A is wrong because AWS CodeDeploy deploys already-built artifacts; it is not a build service.

29
MCQmedium

A company needs to store configuration files for multiple environments (dev, test, prod) and retrieve them programmatically with versioning and access control. Which AWS service should be used?

A.AWS Secrets Manager
B.Amazon S3
C.AWS Systems Manager Parameter Store
D.Amazon DynamoDB
AnswerC

Parameter Store is designed for configuration management.

Why this answer

Option C is correct because AWS Systems Manager Parameter Store offers hierarchical paths (for example /app/dev/db_host and /app/prod/db_host), parameter versioning, IAM policies scoped down to individual paths, and SecureString parameters encrypted with KMS for any values that are sensitive. Option B is wrong because S3 is general object storage; versioning and bucket policies exist, but there is no parameter hierarchy, no typed values and no native integration with the services that consume configuration. Option A is wrong because Secrets Manager is built for secrets that need rotation and is priced per secret, which makes it the wrong tool for ordinary configuration.

Option D is wrong because DynamoDB would require the company to build versioning and access control itself.

30
Multi-Selectmedium

A company is designing a new application that will run on Amazon ECS with Fargate. They need to store configuration data and secrets securely. Which services should they use? (Choose TWO.)

Select 2 answers
A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.Amazon S3
D.AWS CloudFormation
E.AWS KMS
AnswersA, B

Designed for secrets management.

Why this answer

AWS Secrets Manager is correct because it is purpose-built for storing, rotating and managing secrets such as database credentials and API keys throughout their lifecycle. AWS Systems Manager Parameter Store is correct for the non-secret configuration data, with SecureString parameters for anything sensitive that does not need rotation. Both integrate with ECS the same way: the task definition's secrets field references a Secrets Manager or Parameter Store ARN in valueFrom, the task execution role is granted read access, and the value is injected into the container as an environment variable at start without appearing in the task definition. Option C (S3) and Option D (CloudFormation) are not designed to hold secrets, and Option E (KMS) supplies the encryption keys behind both correct answers but is not a store for the secrets themselves.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store SecureString values) with AWS Secrets Manager. The exam expects you to know that Secrets Manager is the preferred service for secrets that require automatic rotation, while Parameter Store is better for configuration data that does not need rotation. Both are correct here because the requirement covers both configuration data and secrets.

31
MCQmedium

A media company is designing a new video transcoding pipeline on AWS. Raw video files (up to 10 GB each) are uploaded by users to an S3 bucket. Each upload must be transcoded into multiple formats (MP4, WebM, HLS) and stored in another S3 bucket. The transcoding job can take up to 30 minutes per file. The company needs a solution that is cost-effective and can handle hundreds of concurrent uploads. The operations team wants to minimize maintenance. Which solution should a Solutions Architect recommend?

A.Use S3 event notifications to invoke an AWS Lambda function that performs transcoding and stores results.
B.Use S3 event notifications to invoke a Lambda function that submits a job to AWS Elemental MediaConvert for each file.
C.Use an Auto Scaling group of EC2 instances with transcoding software installed. Configure S3 events to send messages to an SQS queue, which the instances poll.
D.Use S3 event notifications to trigger an AWS Step Functions workflow that runs an ECS Fargate task for each file.
AnswerB

MediaConvert is a managed, scalable service designed for video transcoding; Lambda handles the orchestration.

Why this answer

Option B is correct because AWS Elemental MediaConvert is a fully managed, serverless media transcoding service designed for high-volume, multi-format video processing. Using S3 event notifications to invoke a Lambda function that submits a job to MediaConvert offloads the transcoding complexity, scales automatically to handle hundreds of concurrent uploads, and requires no infrastructure maintenance, making it both cost-effective and operationally minimal.

Exam trap

The trap here is that candidates may choose Option A (Lambda) without considering the 15-minute timeout limit, or Option D (Step Functions + Fargate) because it sounds serverless, but they overlook that MediaConvert is the fully managed, cost-optimized service specifically designed for this use case.

How to eliminate wrong answers

Option A is wrong because AWS Lambda has a maximum execution timeout of 15 minutes, but the transcoding job can take up to 30 minutes per file, so the Lambda function would time out before completion. Option C is wrong because managing an Auto Scaling group of EC2 instances with transcoding software introduces significant maintenance overhead (patching, scaling policies, instance health) and is not cost-effective for sporadic or bursty workloads compared to a serverless service. Option D is wrong because, while technically possible, orchestrating ECS Fargate tasks with Step Functions adds unnecessary complexity and cost compared to MediaConvert, which is purpose-built for video transcoding and integrates natively with S3; Fargate requires custom container images, task definitions, and more operational overhead.

32
MCQmedium

A company is migrating a monolithic application to microservices on AWS. They have identified that some services require high-throughput, low-latency data sharing. Which AWS service should they use for this purpose?

A.Amazon ElastiCache for Redis
B.Amazon RDS
C.Amazon S3
D.AWS Glue
AnswerA

ElastiCache for Redis provides high-throughput, low-latency in-memory caching.

Why this answer

Amazon ElastiCache for Redis provides an in-memory data store with microsecond read latency, ideal for high-throughput data sharing between services. Option B (Amazon RDS) is a relational database, Option C (Amazon S3) is object storage, and Option D (AWS Glue) is an ETL service.

33
Multi-Selectmedium

A company is designing a new serverless application using AWS Lambda. The application needs to access an Amazon RDS for PostgreSQL database. The database credentials must be rotated automatically every 30 days. Which THREE steps should the company take to securely manage the credentials? (Choose three.)

Select 3 answers
A.Store the database credentials in AWS Secrets Manager.
B.Configure automatic rotation for the secret in AWS Secrets Manager.
C.Grant the Lambda function's IAM role permission to access the RDS database directly.
D.Write custom rotation logic in the Lambda function to change the database password.
E.Grant the Lambda function's IAM role permission to retrieve the secret from Secrets Manager.
AnswersA, B, E

Secrets Manager is designed for storing secrets.

Why this answer

Options A, B and E are correct. Store the credentials in Secrets Manager, turn on automatic rotation with a 30-day schedule (for RDS, Secrets Manager deploys and runs a rotation Lambda function that changes the password in the database and updates the secret), and give the application function's IAM role secretsmanager:GetSecretValue on that secret. Option C is wrong because the IAM role does not need RDS permissions to manage a password-based credential; the database authenticates with the username and password held in the secret. Option D is wrong because rotation is handled by the Secrets Manager rotation function, not by custom logic in the application.

Two details that exam answers leave out: the application should read the secret at run time rather than baking it into an environment variable, and it should re-read the secret when the database rejects a connection, because a copy cached at cold start is stale after rotation. The rotation function also needs network access to the database, so it runs in the VPC and the database security group must allow it.
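What the application function should actually do with the secret, as an added example (not AWS code): fetch it at run time with a boto3-style client, cache it across warm invocations, and recover when rotation has invalidated the cached password. The secret name prod/orders/db, the hostname and the FakeSecretsManager stand-in are constructed for the example; in Lambda you would pass boto3.client('secretsmanager') as the client and hand the credentials to your database driver inside connect().

```python
"""Rotation-aware retrieval of an RDS credential from Secrets Manager.

Added example, not AWS code. `client` is any object with a boto3-style
get_secret_value(SecretId=...) method, so a real boto3 Secrets Manager
client works unchanged and the FakeSecretsManager below (a constructed
stand-in) lets the module run offline. The secret layout (username,
password, host, port, dbname) is the one the Secrets Manager RDS
rotation templates write; the secret name is a made-up example.
"""
import json
import time


class SecretCache:
    """Caches the secret across warm invocations of one execution environment.

    Rotation changes the password in the database and in the AWSCURRENT
    version of the secret; a cache that never expires would keep handing
    out the old password. Two safeguards: a TTL, and refresh() so the
    caller can force a re-read after the database rejects the cached one.
    """

    def __init__(self, client, secret_id, ttl_seconds=300, now=time.monotonic):
        self._client = client
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._now = now            # injectable clock (the demo advances it by hand)
        self._value = None
        self._expires_at = 0.0

    def get(self):
        if self._value is None or self._now() >= self._expires_at:
            self.refresh()
        return self._value

    def refresh(self):
        # Without VersionStage the API returns the AWSCURRENT version only,
        # so a rotation in progress (AWSPENDING) is never read by mistake.
        resp = self._client.get_secret_value(SecretId=self._secret_id)
        self._value = json.loads(resp["SecretString"])
        self._expires_at = self._now() + self._ttl
        return self._value


def connect_with_retry(cache, connect):
    """connect(creds) opens a DB connection and raises PermissionError on a
    bad password. One retry with a freshly fetched secret covers the case
    where rotation happened after the credential was cached."""
    try:
        return connect(cache.get())
    except PermissionError:
        return connect(cache.refresh())


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client: serves whatever document is
    marked current and counts API calls so caching is observable."""

    def __init__(self, secret):
        self.current = secret
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self.current),
                "VersionStages": ["AWSCURRENT"]}


def demo_rotation():
    """Walk through cache hit, rotation, retry and TTL expiry; returns the
    connections obtained and how many API calls were made."""
    clock = [0.0]
    sm = FakeSecretsManager({"username": "app", "password": "pw-v1",
                             "host": "orders-db.internal", "port": 5432,
                             "dbname": "orders"})
    cache = SecretCache(sm, "prod/orders/db", ttl_seconds=300,
                        now=lambda: clock[0])
    valid_passwords = {"pw-v1"}          # what the simulated database accepts

    def connect(creds):
        if creds["password"] not in valid_passwords:
            raise PermissionError("password authentication failed")
        return f"conn({creds['username']}:{creds['password']})"

    first = connect_with_retry(cache, connect)    # cold start: 1 API call
    second = connect_with_retry(cache, connect)   # warm: served from cache
    # Secrets Manager rotation runs: database and AWSCURRENT now hold pw-v2.
    sm.current = dict(sm.current, password="pw-v2")
    valid_passwords.clear()
    valid_passwords.add("pw-v2")
    third = connect_with_retry(cache, connect)    # stale pw-v1 fails, refresh
    clock[0] = 301.0                              # TTL elapsed
    fourth = connect_with_retry(cache, connect)   # expiry forces a re-read
    return {"first": first, "second": second, "third": third,
            "fourth": fourth, "calls": sm.calls}
```

The retry-on-PermissionError path is the part most real handlers miss: with only a TTL, every warm environment keeps failing for up to the TTL after each rotation. Keep the TTL short enough that the secret's rotation window is covered, and never log the returned document.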

34
MCQhard

Refer to the exhibit. A company has an S3 bucket policy that allows GetObject access from two IP ranges (10.0.0.0/16 and 192.168.0.0/16). The policy also denies all S3 actions on the 'confidential/' prefix unless the request comes from the 10.0.0.0/16 range. Which of the following statements is true?

A.Users from 192.168.0.0/16 can access objects in the confidential/ prefix.
B.Users from 10.0.0.0/16 can access objects in the confidential/ prefix, but users from 192.168.0.0/16 cannot.
C.Users from 10.0.0.0/16 cannot access objects in the confidential/ prefix.
D.The policy has no effect because the Allow and Deny statements cancel each other.
AnswerB

The Deny statement denies access to confidential/ for IPs not in 10.0.0.0/16, so only 10.0.0.0/16 is allowed.

Why this answer

The S3 bucket policy includes an explicit Deny statement that blocks all S3 actions on the 'confidential/' prefix unless the request originates from the 10.0.0.0/16 IP range. Since explicit Deny statements override any Allow statements in AWS IAM policy evaluation, users from 192.168.0.0/16 are denied access to the 'confidential/' prefix even though the GetObject Allow statement includes that range. Only users from 10.0.0.0/16 satisfy the condition in the Deny statement and can therefore access objects in the 'confidential/' prefix.

Exam trap

The trap here is that candidates often assume an Allow statement for a broader set of IPs grants access to every prefix, overlooking that an explicit Deny with a condition carves out an exception, and that an applicable explicit Deny wins regardless of where it appears in the policy.

How to eliminate wrong answers

Option A is wrong because the explicit Deny statement on the 'confidential/' prefix blocks every request that does not come from 10.0.0.0/16, so users from 192.168.0.0/16 are denied. Option B is correct as explained. Option C is wrong because requests from 10.0.0.0/16 do not satisfy the NotIpAddress condition, so the Deny does not apply to them and the Allow grants GetObject.

Option D is wrong because Allow and Deny do not cancel; an applicable explicit Deny always wins, so requests from 192.168.0.0/16 for 'confidential/' are denied while the same range keeps GetObject access to every other prefix. One practical caveat: aws:SourceIp is compared against the address S3 sees on the request. Private ranges such as 10.0.0.0/16 only match if S3 actually observes them; requests that leave through a NAT gateway carry its public IP, and requests through a VPC endpoint are matched with aws:VpcSourceIp or aws:SourceVpce instead.

35
MCQmedium

A company is designing a new application that will run on Amazon ECS with Fargate launch type. The application needs to store session state that is shared across multiple tasks. The session data must be highly available and low-latency. Which AWS service should be used to store the session state?

A.Amazon EFS
B.Amazon ElastiCache for Redis
C.Amazon RDS for MySQL
D.Amazon DynamoDB
AnswerB

Redis is an in-memory data store that provides sub-millisecond latency and supports session management features.

Why this answer

Option B is correct because Amazon ElastiCache for Redis is an in-memory store with sub-millisecond latency, and a Multi-AZ replication group with automatic failover keeps session data available if a node or an AZ fails. Option A is wrong because EFS is a network file system, a poor fit for many small, low-latency session reads and writes. Option C is wrong because RDS for MySQL is a relational database with higher latency and more overhead than session storage needs.

Option D is wrong only relative to Redis: DynamoDB is durable and highly available and is a reasonable session store, but its single-digit-millisecond latency is higher than an in-memory cache, so it is not the best fit for the low-latency requirement.

36
MCQhard

A company is designing a new application that must be highly available across multiple AWS Regions. The application will run on EC2 instances behind an Application Load Balancer. The company needs a DNS-based routing policy that routes users to the nearest healthy endpoint based on latency. Which Amazon Route 53 routing policy should be used?

A.Latency routing policy
B.Failover routing policy
C.Weighted routing policy
D.Simple routing policy
AnswerA

Latency routing policy routes traffic to the region that provides the lowest latency for the user based on historical latency data.

Why this answer

Option A is correct because latency-based routing answers each query with the record for the Region that has the lowest measured network latency to the resolver, and with health checks (Evaluate Target Health on the ALB alias records) it skips Regions whose endpoints are unhealthy. Option B is wrong because failover routing is for active-passive setups. Option C is wrong because weighted routing distributes traffic by configured weights, not latency.

Option D is wrong because simple routing returns a single resource with no health checking or latency awareness.

37
MCQhard

A company is designing a global application that requires a highly available and low-latency API. The API will be consumed by clients across the world. The backend consists of an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances in a single AWS Region. The company wants to improve performance for global users. Which solution meets these requirements with minimal operational overhead?

A.Deploy the application in multiple Regions and use Amazon Route 53 latency-based routing with active-passive failover.
B.Create an Amazon CloudFront distribution with Lambda@Edge to proxy requests to the ALB.
C.Create an AWS Global Accelerator accelerator with the ALB as an endpoint.
D.Create an Amazon CloudFront distribution with the ALB as the origin.
AnswerC

Global Accelerator uses the AWS global network and anycast IPs to route traffic to the nearest healthy endpoint, reducing latency without multi-Region deployment.

Why this answer

Option C is correct because AWS Global Accelerator gives the API two static anycast IP addresses, terminates client connections at the nearest AWS edge location, carries traffic over the AWS backbone to the ALB, and fails over based on endpoint health, all without changing the single-Region deployment. Option B is wrong because Lambda@Edge is for modifying requests and responses at the edge, not for proxying an API. Option D is wrong because CloudFront is built around caching; it can front an API, but for non-cacheable, latency-sensitive traffic Global Accelerator is the better fit.

Option A is wrong because a multi-Region active-passive deployment adds significant operational overhead, and failover routing does not optimize latency for users near the passive Region.

38
MCQhard

A financial services company needs to store sensitive customer data in Amazon S3 with encryption at rest. They require that the encryption keys be stored in AWS CloudHSM and that the S3 bucket must not be able to access the keys without explicit permission. Which S3 encryption option should they use?

A.SSE-S3
B.SSE-C
C.Client-side encryption
D.SSE-KMS
AnswerB

Allows customer to provide keys stored in CloudHSM.

Why this answer

SSE-C (server-side encryption with customer-provided keys) is the answer the question is looking for because the caller supplies the 256-bit key on every PutObject and GetObject request (over HTTPS only; S3 rejects SSE-C over HTTP). S3 uses the key in memory to encrypt or decrypt the object, stores only a randomly salted HMAC of the key to validate later requests, and never retains the key itself. A key that is generated and held in a CloudHSM cluster can therefore be supplied by the application per request, and S3 has no standing ability to decrypt the data on its own.

Exam trap

The trap here is choosing SSE-KMS on the assumption that a KMS custom key store backed by CloudHSM settles the matter. With SSE-KMS, S3 calls KMS on the requester's behalf under the key policy and grants; the caller never presents the key. SSE-C is the option in which no request can be served unless the caller explicitly provides the key, which is how the question frames 'explicit permission'.

How to eliminate wrong answers

Option A (SSE-S3) is wrong because S3 manages the keys entirely and can use them for any authorized request; nothing is in CloudHSM. Option C (client-side encryption) is wrong as an answer to this question because objects arrive at S3 already encrypted and S3 performs no server-side encryption at all, although it is otherwise a sound way to keep HSM-held keys away from S3. Option D (SSE-KMS) is wrong in the question's framing because S3 obtains decryption from KMS on the caller's behalf under the key policy; the caller never presents the key. In practice, most organizations that need HSM-backed keys for S3 use exactly this combination, SSE-KMS with a KMS custom key store backed by CloudHSM: the key material never leaves the HSM cluster, and the key policy and grants determine which principals may use it. SSE-C requires the raw key bytes to leave the HSM for every request and leaves rotation, transport and loss of the key entirely with the customer, so treat the exam answer as a definitions exercise rather than a design recommendation.

39
MCQhard

A company is deploying a multi-tier web application on AWS. The application must be highly available across three Availability Zones. The web tier runs on EC2 instances behind an Application Load Balancer (ALB). The application tier runs on EC2 instances behind a Network Load Balancer (NLB). The database tier uses a Multi-AZ RDS instance. To reduce cross-AZ data transfer costs, which design should be implemented?

A.Use AWS Global Accelerator to reduce data transfer costs
B.Place all web tier instances in one AZ and all application tier instances in another AZ
C.Use a single AZ for all tiers to avoid cross-AZ traffic
D.Place web and application tier instances in the same subnets across all three AZs
AnswerD

ALB and NLB can route to targets in the same AZ, reducing cross-AZ traffic.

Why this answer

Option D is correct because deploying both tiers across the same three Availability Zones gives each load balancer node a healthy target in its own AZ. For the ALB, cross-zone load balancing is always on and AWS does not charge for data the ALB forwards across AZs, so the web tier already avoids that cost. For the NLB, cross-zone load balancing is off by default, so each NLB node sends traffic only to application instances in its own AZ; with targets present in all three AZs the NLB-to-application hop stays in-AZ, whereas enabling cross-zone on an NLB adds cross-AZ data transfer charges. The cost requirement is met while the design still survives the loss of an AZ.

Exam trap

The trap here is that candidates may think placing all resources in a single AZ (Option C) is acceptable for cost savings, but the question explicitly requires high availability across three AZs, making that option invalid despite its cost advantage.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator improves performance and availability by routing traffic over the AWS global network, but it does not reduce cross-AZ data transfer costs within a single region; it primarily reduces latency and improves fault tolerance for global traffic. Option B is wrong because placing all web tier instances in one AZ and all application tier instances in another AZ violates the high availability requirement (single AZ failure would take down the entire tier) and actually increases cross-AZ traffic, incurring higher data transfer costs. Option C is wrong because using a single AZ for all tiers eliminates cross-AZ traffic but completely defeats the requirement for high availability across three Availability Zones, making the application vulnerable to AZ failures.

40
MCQmedium

A company has an IAM policy attached to a user. The user is trying to download an object from the S3 bucket 'my-bucket' that was uploaded with SSE-S3 encryption. What will happen?

A.The user will be allowed only if the object was uploaded with SSE-KMS.
B.The user will be denied access because the condition is not met.
C.The user will be allowed to download the object.
D.The user will be denied because SSE-S3 is not AES256.
AnswerC

The condition requires SSE-S3 (AES256), which matches the object's encryption.

Why this answer

Option C is correct because the condition requires s3:x-amz-server-side-encryption to equal AES256, which is the value that denotes SSE-S3, so the object's encryption matches. Option A is wrong because AES256 denotes SSE-S3; SSE-KMS would be the value aws:kms. Option B is wrong because the condition is satisfied.

Option D is wrong because SSE-S3 is exactly AES256. One caveat for real policies: s3:x-amz-server-side-encryption is populated from the request header and is present in the request context for uploads (PutObject, CopyObject and related actions), not for GetObject. A GetObject Allow conditioned on this key with plain StringEquals would not match a download request at all, so when you meet this pattern outside the exam, check whether the ...IfExists form of the operator was intended.

41
MCQhard

A financial services company is designing a multi-account AWS environment using AWS Organizations. They need to enforce that all newly created S3 buckets in any account have server-side encryption enabled using AWS KMS (SSE-KMS) with a customer managed key. Additionally, they want to prevent any S3 bucket from being publicly accessible. What is the MOST efficient and comprehensive way to enforce these policies?

A.Use a service control policy (SCP) to deny the s3:PutBucketAcl action that grants public access, and rely on bucket policies to enforce encryption.
B.Use AWS Config rules with automatic remediation to enable encryption and block public access on any non-compliant bucket.
C.Create an SCP that denies s3:PutObject without the x-amz-server-side-encryption-aws:kms header, and another SCP that denies s3:PutBucketPublicAccessBlock with a condition key. Also, use a resource-based policy on the S3 service to block public access.
D.Create an SCP that denies the s3:PutBucketPublicAccessBlock action and attach it to the root OU.
AnswerC

SCPs can deny actions based on conditions, and account-level Block Public Access, protected by an SCP, prevents public buckets proactively.

Why this answer

Option C is correct because it is preventive and organization-wide. An SCP attached at the root denies s3:PutObject unless the request carries s3:x-amz-server-side-encryption with the value aws:kms (a second statement using the Null operator catches requests that omit the header entirely), and a further SCP denies s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock so member accounts cannot switch off the Block Public Access settings applied at the account level. Option A is wrong because bucket policies are per bucket, are written by the account that owns the bucket, and can be changed or omitted; they give no organization-wide enforcement. Option B is wrong because AWS Config is detective: a non-compliant bucket exists until remediation runs, a window the requirement does not allow.

Option D is wrong because it only protects the Block Public Access setting and does nothing about encryption. Two practitioner caveats: the header-based SCP rejects any client that relies on the bucket's default encryption instead of sending the header, so confirm uploaders set it before rollout; and if a specific customer managed key is mandatory, add the s3:x-amz-server-side-encryption-aws-kms-key-id condition key, since aws:kms alone also accepts the AWS managed key.
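The bucket policy of question 34 and the encryption SCP of question 41 are easiest to trust once you have watched the evaluation rules run. The Python below is an added example written for this page, not AWS code or an AWS tool: it implements a small subset of IAM evaluation (an applicable explicit Deny wins, then any Allow, otherwise implicit deny, plus five condition operators) and replays both policies against constructed requests. The bucket name, object keys and IP addresses are made up.

```python
"""Miniature IAM policy evaluator. Added example, not AWS code.

Models just enough of the evaluation logic to replay the policies in
questions 34 and 41: an applicable explicit Deny wins over every Allow, a
request matched by no Allow is implicitly denied, and the IpAddress,
NotIpAddress, StringEquals, StringNotEquals and Null condition operators.
Principals, policy variables, ...IfExists operators and the separate
SCP / identity / resource evaluation stages are left out on purpose.
"""
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # Action and Resource fields use '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A key missing from the request
    context satisfies only Null:true, so a negated operator never matches
    an absent key in this model (hence the second SCP statement below)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "Null":
                want_absent = str(expected[0]).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            elif actual is None:
                return False
            elif operator == "IpAddress":
                if not _in_any(actual, expected):
                    return False
            elif operator == "NotIpAddress":
                if _in_any(actual, expected):
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Question 34: GetObject allowed from two ranges, confidential/ carved out.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/16", "192.168.0.0/16"]}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-bucket/confidential/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/16"}}},
]}

# Question 41: SCP rejecting uploads that do not use SSE-KMS. The Null
# statement catches uploads that omit the header entirely, the pattern AWS
# recommends rather than relying on how a negated operator treats a missing key.
ENCRYPTION_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingHeader", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]}
# Identity policy of a permissive member-account user, so only the SCP can block.
ALLOW_ALL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def demo():
    """Replay representative constructed requests; returns name -> verdict."""
    conf = "arn:aws:s3:::my-bucket/confidential/q3.pdf"
    pub = "arn:aws:s3:::my-bucket/public/readme.txt"
    obj = "arn:aws:s3:::my-bucket/uploads/a.txt"
    get = lambda res, ip: evaluate([BUCKET_POLICY], "s3:GetObject", res, {"aws:SourceIp": ip})
    put = lambda ctx: evaluate([ENCRYPTION_SCP, ALLOW_ALL_S3], "s3:PutObject", obj, ctx)
    return {
        "lan_public": get(pub, "192.168.4.7"),           # Allow
        "lan_confidential": get(conf, "192.168.4.7"),    # ExplicitDeny
        "corp_confidential": get(conf, "10.0.12.3"),     # Allow
        "outsider": get(pub, "203.0.113.9"),             # ImplicitDeny
        "put_kms": put({"s3:x-amz-server-side-encryption": "aws:kms"}),    # Allow
        "put_aes256": put({"s3:x-amz-server-side-encryption": "AES256"}),  # ExplicitDeny
        "put_no_header": put({}),                                         # ExplicitDeny
    }
```

Change the source address or the encryption header in demo() to see which statement flips the verdict. The real service evaluates SCPs, identity policies and resource policies as separate stages with cross-account rules, so this is a learning aid; for production checks use the IAM policy simulator or IAM Access Analyzer policy validation.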

42
MCQeasy

A company is building a microservices architecture on Amazon ECS with Fargate. Each service must be isolated and communicate only via APIs. The company needs to enforce that services cannot directly access each other's databases. Which approach should be used?

A.Use a single VPC with network ACLs to block database ports between services.
B.Use IAM policies to restrict database access at the API level.
C.Place all services in the same VPC and use security groups to restrict database access.
D.Create a separate VPC for each service and use VPC peering for API communication only.
AnswerD

Separate VPCs provide strong isolation; VPC peering allows controlled API traffic.

Why this answer

Option D is the intended answer: placing each service in its own VPC with VPC peering gives network-level isolation, and route tables and security groups can restrict peered traffic to the API port alone. Option A is wrong because network ACLs are stateless, subnet-level and coarse; they do not isolate one service's database from another service in the same subnet. Option C is wrong in the exam's framing because a shared VPC relies entirely on correct security group rules for isolation.

Option B is wrong because IAM policies control API authorization, not network reachability; a service could still open a TCP connection to another service's database. In practice, a database security group that admits only its owning service's task security group as a source achieves the same control with far less overhead than one VPC per service, and peering is non-transitive and bills for cross-VPC traffic, so weigh the operational cost before copying this pattern.

43
MCQmedium

A company is designing a multi-region active-active application with a relational database. The application requires strong consistency and read-after-write consistency globally. Which AWS database service should the company choose?

A.Amazon Aurora Global Database
B.Amazon RDS for MySQL with Multi-AZ
C.Amazon DynamoDB Global Tables
D.Amazon ElastiCache for Memcached
AnswerA

Aurora Global Database is the only relational option here that replicates across Regions; replication is asynchronous with a single write Region.

Why this answer

Amazon Aurora Global Database is the only relational service among the options that replicates across AWS Regions, so it is the intended answer. Be precise about what it offers: one primary Region accepts writes and replicates to up to five secondary Regions through the storage layer with typical lag under one second, and reads in a secondary Region are eventually consistent by default. Write forwarding lets an application in a secondary Region issue writes that are forwarded to the primary, and the aurora_replica_read_consistency session setting (SESSION or GLOBAL) makes subsequent reads in that session wait until the forwarded write is visible, which is how read-after-write consistency is obtained for those sessions. No AWS managed relational database offers true multi-Region active-active writes with strong global consistency; real designs pair Global Database with Region-scoped write ownership and plan for failover.

Exam trap

The trap here is that candidates often confuse DynamoDB Global Tables (NoSQL, eventual consistency) with a relational database that provides strong consistency, or they assume Multi-AZ RDS can be extended to multi-region active-active, when in fact it is single-region only.

How to eliminate wrong answers

Option B is wrong because Amazon RDS for MySQL with Multi-AZ only provides high availability within a single region, not multi-region active-active capability, and it does not offer global read-after-write consistency. Option C is wrong because Amazon DynamoDB Global Tables is a NoSQL database, not a relational database, and while it offers multi-region replication, it provides eventual consistency by default, not strong consistency or read-after-write consistency globally. Option D is wrong because Amazon ElastiCache for Memcached is an in-memory caching service, not a relational database, and it does not provide persistent storage, strong consistency, or multi-region replication.

44
Multi-Selecteasy

A company is designing a new serverless application using AWS Lambda. The application needs to access an Amazon RDS database. Which THREE steps are required to secure the database access? (Choose THREE.)

Select 3 answers
A.Place the Lambda function in a VPC with access to the RDS instance
B.Enable encryption on the RDS instance
C.Store database credentials in the Lambda function code
D.Assign an IAM role to the Lambda function with permissions to connect to RDS
E.Use a public IP address for the RDS instance
AnswersA, B, D

Lambda in VPC can access RDS.

Why this answer

Option A is correct because placing the Lambda function in the same VPC as the RDS instance lets it reach the database over a private address, with a database security group that admits only the function's security group on the database port; RDS instances that are not publicly accessible are unreachable from functions outside the VPC. Option B is correct because encryption at rest for the instance and its snapshots is a baseline control for the data in the database. Option D is correct because an IAM role on the function is how it obtains credentials without embedding keys, either to call rds-db:connect with IAM database authentication or to read a password from Secrets Manager. Option C is wrong because credentials in function code end up in the deployment package and in version control. Option E is wrong because a public IP exposes the database to the internet.

Exam trap

The trap here is that candidates often confuse IAM roles with direct database authentication, thinking that assigning an IAM role alone is sufficient without also configuring IAM database authentication on the RDS side, or they overlook the necessity of VPC placement for private network connectivity.

45
Multi-Selecteasy

A company is hosting a static website on Amazon S3. The website uses JavaScript to make API calls to a backend API hosted on Amazon API Gateway. The company wants to reduce latency for users worldwide. Which combination of AWS services should the solutions architect use? (Choose two.)

Select 2 answers
A.Use CloudFront with API Gateway as an origin.
B.Use AWS Global Accelerator for the S3 website.
C.Use Lambda@Edge to process API calls at the edge.
D.Use Amazon CloudFront for both the S3 website and the API Gateway endpoint.
E.Enable S3 Transfer Acceleration on the bucket.
AnswersA, D

This allows API calls to be served from edge locations.

Why this answer

Options A and D are correct. CloudFront serves the static site from the S3 origin at edge locations and, with the API Gateway endpoint added as a second origin, terminates client TLS at the edge and carries API calls over the AWS backbone. For the API origin, use a cache policy with a TTL of 0 unless responses are safe to cache, and an origin request policy that forwards the Authorization header and the query strings the API needs.

Option E is incorrect because S3 Transfer Acceleration speeds up uploads to the bucket, not delivery of the site or the latency of API calls. Option B is incorrect because Global Accelerator endpoints are load balancers, EC2 instances and Elastic IPs, not S3 website endpoints. Option C is incorrect because Lambda@Edge runs code at CloudFront edge locations but does not replace API Gateway as the backend.

46
MCQeasy

A company is designing a new web application that will serve static content (HTML, CSS, JS, images) to users globally. The application must have low latency and high availability. Content changes infrequently, but when updated, the changes must be reflected immediately. Which solution should the architect recommend?

A.Store content in an S3 bucket and use Amazon CloudFront with S3 as origin
B.Store content on an EC2 instance behind an Application Load Balancer and use CloudFront
C.Store content in Amazon ElastiCache for Redis and use CloudFront
D.Store content in an S3 bucket and use S3 Transfer Acceleration
AnswerA

CloudFront provides global edge caching for low latency, and invalidations allow immediate content updates.

Why this answer

Option A is correct because CloudFront serves the S3 objects from edge locations worldwide, and when content changes an invalidation (or a new object key per release) makes the update visible immediately instead of waiting for the cache TTL. Option D is wrong because S3 Transfer Acceleration speeds up uploads to the bucket, not downloads by global users. Option B is wrong because an EC2 instance behind an ALB adds cost and maintenance for content that S3 can serve directly.

Option C is wrong because ElastiCache is an in-memory data store, not a static file server, and it cannot be a CloudFront origin.

47
MCQmedium

A company is designing a new application that will store sensitive user data in Amazon S3. The data must be encrypted at rest and in transit. The solution must use AWS managed keys and must be compliant with PCI DSS. Which combination of encryption options should be used?

A.SSE-S3 for at-rest encryption and HTTPS for in-transit encryption
B.Client-side encryption for at-rest and HTTPS for in-transit
C.SSE-KMS for at-rest encryption and HTTP for in-transit encryption
D.SSE-C for at-rest encryption and HTTPS for in-transit
AnswerA

SSE-S3 uses AWS managed keys and HTTPS is standard for in-transit.

Why this answer

Option A is correct because SSE-S3 provides server-side encryption at rest using AWS-managed keys (S3-managed keys), which satisfies the requirement for AWS managed keys. HTTPS ensures encryption in transit, and both are compliant with PCI DSS standards for protecting sensitive data.

Exam trap

The trap here is that candidates may confuse SSE-KMS (which also uses AWS managed keys but adds additional control and cost) with SSE-S3, but SSE-S3 is simpler and fully compliant; the key requirement is 'AWS managed keys,' not necessarily KMS, and SSE-S3 meets that without extra overhead.

How to eliminate wrong answers

Option B is wrong because client-side encryption does not use AWS managed keys; it uses keys managed by the client, which violates the requirement for AWS managed keys. Option C is wrong because HTTP does not provide encryption in transit, leaving data vulnerable to interception, and PCI DSS requires encrypted transmission (e.g., HTTPS/TLS). Option D is wrong because SSE-C uses customer-provided keys, not AWS managed keys, failing the requirement for AWS managed keys.

48
MCQmedium

A company is designing a new application that requires a relational database. The application has variable traffic, with high spikes during business hours and low traffic at night. The company wants to minimize costs while ensuring the database can handle the spikes. Which solution should the architect recommend?

A.Use Amazon RDS with Multi-AZ and read replicas, or Amazon Aurora Serverless
B.Use Amazon RDS with a Single-AZ instance and automatic scaling
C.Use Amazon DynamoDB with on-demand capacity
D.Use Amazon RDS with a Single-AZ instance and a large instance size
AnswerA

Multi-AZ provides high availability, read replicas handle read spikes, and Aurora Serverless automatically scales compute.

Why this answer

Option A is correct because RDS Multi-AZ provides high availability, read replicas absorb read-heavy spikes, and Aurora Serverless scales compute capacity up and down with load so the company pays little at night. Option B is wrong because RDS has no automatic compute scaling (only storage autoscaling) and a Single-AZ instance is not highly available. Option C is wrong because DynamoDB is NoSQL and the application needs a relational database.

Option D is wrong because a large Single-AZ instance is paid for around the clock and still has no failover.

49
Multi-Selectmedium

A company is building a serverless data processing pipeline using AWS Lambda, Amazon DynamoDB, and Amazon S3. The pipeline processes JSON files uploaded to an S3 bucket, transforms the data, and writes results to DynamoDB. The company wants to ensure the pipeline can handle bursts of traffic without data loss. Which TWO design decisions should the solutions architect make?

Select 2 answers
A.Configure DynamoDB with on-demand capacity mode.
B.Use an Amazon SQS queue to buffer events from S3 before processing by Lambda.
C.Increase the Lambda function timeout to 15 minutes.
D.Use DynamoDB Streams to capture changes and process in batches.
E.Enable S3 Transfer Acceleration on the bucket.
AnswersA, B

On-demand capacity automatically scales to handle bursts without throttling.

Why this answer

Options A and B are correct. Using an SQS queue between S3 and Lambda decouples the processing and provides a buffer to handle bursts. Configuring DynamoDB with on-demand capacity handles sudden increases in writes without throttling.

Option C is incorrect because the Lambda function timeout does not prevent data loss; it only limits execution time. Option D is incorrect because DynamoDB Streams are for change capture, not for handling bursts. Option E is incorrect because S3 Transfer Acceleration is for faster uploads, not for burst handling.

50
Multi-Selectmedium

A company is designing a new application that will use Amazon S3 to store user-uploaded images. The application must enforce that all uploads are encrypted in transit and at rest. Additionally, the bucket must be configured to block all public access. Which TWO actions should be taken to meet these requirements?

Select 2 answers
A.Use server-side encryption with customer-provided keys (SSE-C).
B.Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
C.Use Amazon CloudFront to serve the images and enforce HTTPS.
D.Create a bucket policy that denies uploads without encryption in transit.
E.Configure the S3 Block Public Access settings to block all public access.
AnswersB, E

Default encryption ensures all objects are encrypted at rest automatically.

Why this answer

Option B is correct because enabling S3 default encryption ensures objects are encrypted at rest. Option E is correct because blocking public access via the Block Public Access settings is a bucket-level control. Option D is wrong because bucket policies are not used for encryption.

Option C is wrong because CloudFront is not related to S3 encryption. Option A is wrong because SSE-C is client-managed, but the question does not specify client-managed keys.

51
MCQhard

A company is designing a multi-region disaster recovery solution for a critical application. The application uses Amazon RDS for MySQL with Multi-AZ in the primary region. The recovery point objective (RPO) is 5 seconds, and the recovery time objective (RTO) is 1 minute. Which solution meets these requirements?

A.Create an RDS MySQL cross-region read replica in the secondary region and promote it during a disaster.
B.Take manual snapshots of the RDS instance every 5 seconds and copy them to the secondary region.
C.Use AWS Database Migration Service (DMS) to continuously replicate to a database in the secondary region.
D.Use Amazon Aurora Global Database with a primary instance in the primary region and one secondary in the secondary region.
AnswerD

Aurora Global Database provides low-latency replication and fast failover.

Why this answer

Amazon Aurora Global Database is the only solution that can achieve an RPO of 5 seconds and an RTO of 1 minute for a multi-region disaster recovery setup. It uses storage-based replication with typical latency under 1 second, and failover to a secondary region can be completed in about 1 minute by promoting the secondary cluster. Aurora Global Database also avoids the replication lag and promotion delays inherent in cross-region read replicas or DMS-based replication.

Exam trap

The trap here is that candidates often assume a cross-region read replica (Option A) can meet a 5-second RPO because MySQL replication is 'near real-time,' but in practice, replication lag is unpredictable and often exceeds 5 seconds, especially during peak loads or network issues.

How to eliminate wrong answers

Option A is wrong because an RDS MySQL cross-region read replica typically has replication lag of several seconds to minutes, making it impossible to guarantee a 5-second RPO, and promoting a read replica takes longer than 1 minute due to the need to stop replication and apply any pending changes. Option B is wrong because manual snapshots cannot be taken every 5 seconds (the minimum interval is 5 minutes for automated snapshots, and manual snapshots have no such frequency guarantee), and copying snapshots to another region adds significant delay, far exceeding the 5-second RPO. Option C is wrong because AWS DMS continuous replication introduces latency that often exceeds 5 seconds, and the failover process to promote the target database as the primary typically takes more than 1 minute, especially if schema changes or data consistency checks are required.

52
MCQmedium

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer. The application must handle millions of requests per day. To reduce latency and offload traffic from the EC2 instances, which AWS service should be placed in front of the load balancer?

A.Amazon CloudFront
B.AWS Global Accelerator
C.AWS Shield Advanced
D.AWS WAF
AnswerA

CloudFront caches content at edge locations, reducing latency and offloading EC2 instances.

Why this answer

Option A is correct because CloudFront is a CDN that caches content at edge locations, reducing latency and offloading traffic. Option B is wrong because Global Accelerator improves performance via the AWS global network but does not cache. Option C is wrong because Shield Advanced is for DDoS protection.

Option D is wrong because WAF is a web application firewall.

53
MCQhard

A healthcare company is storing sensitive patient data in Amazon S3. The compliance team requires that all data be encrypted at rest and that the encryption keys be rotated every 90 days. Additionally, the company must maintain an audit trail of all key usage. Which solution meets these requirements with the LEAST operational overhead?

A.Use S3 server-side encryption with customer-provided keys (SSE-C) and implement a Lambda function to rotate keys every 90 days.
B.Use S3 server-side encryption with S3-managed keys (SSE-S3) and enable S3 server access logs.
C.Use S3 server-side encryption with AWS KMS-managed keys (SSE-KMS) and enable automatic key rotation every 90 days. Enable AWS CloudTrail for KMS key usage logging.
D.Use client-side encryption with the AWS Encryption SDK and store the keys in AWS Secrets Manager with automatic rotation.
AnswerC

SSE-KMS allows automatic key rotation with customizable interval (minimum 90 days for custom key stores), and CloudTrail provides audit trail of key usage with minimal operational burden.

Why this answer

Option C is correct because AWS KMS automatic key rotation handles rotation every 365 days (configurable to 90 days for custom key stores) and CloudTrail logs key usage. Option B is wrong because SSE-S3 does not provide key rotation control. Option A is wrong because SSE-C requires manual key management and rotation.

Option D is wrong because client-side encryption places the burden on the application.

54
Multi-Selectmedium

A company is designing a new application that will use Amazon S3 to store sensitive customer data. The data must be encrypted at rest and in transit. The company also needs to ensure that only authorized users can access the data. Which three steps should the company take? (Choose THREE.)

Select 3 answers
A.Enable S3 default encryption with SSE-KMS.
B.Use client-side encryption with a customer key.
C.Use bucket policies to restrict access based on IAM roles.
D.Configure the bucket policy to deny requests that do not use HTTPS.
E.Make the bucket publicly accessible for ease of access.
AnswersA, C, D

Encrypts data at rest with KMS-managed keys.

Why this answer

Option D enforces encryption in transit (HTTPS) via bucket policy. Option A enables S3 default encryption with SSE-KMS. Option C uses bucket policies to restrict access to authorized principals.

Option E (public access) is wrong. Option B (client-side encryption) is not required.

55
MCQmedium

A company is designing a highly available application on AWS that uses an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application requires that the client's IP address be preserved in the application logs. The company also needs to perform SSL termination at the load balancer. How should the company configure the ALB to meet these requirements?

A.Use TCP listener on port 443 and forward to instances on port 80. Enable proxy protocol v2.
B.Use TCP listener on port 443 and forward to instances on port 443. Install SSL certificate on instances.
C.Use HTTPS listener on port 443, provide the SSL certificate, and forward to instances on port 443. Disable proxy protocol.
D.Use HTTPS listener on port 443, provide the SSL certificate, and forward to instances on port 80. Enable X-Forwarded-For header.
AnswerD

ALB terminates SSL and passes client IP via X-Forwarded-For.

Why this answer

Option D is correct because ALB with SSL termination and the X-Forwarded-For header preserves the client IP. Option B terminates SSL on the instances, which adds overhead. Option A uses a TCP listener and proxy protocol, which are Network Load Balancer features; NLB does not support HTTP features.

Option C is wrong because ALB can be internet-facing.

56
Multi-Selecteasy

A company is designing a new database solution for a global e-commerce application. The database must support high read and write throughput with single-digit millisecond latency. The company expects traffic spikes during peak hours. Which TWO AWS services should the company consider?

Select 2 answers
A.Amazon DocumentDB (with MongoDB compatibility)
B.Amazon ElastiCache
C.Amazon DynamoDB
D.Amazon Aurora
E.Amazon RDS for MySQL
AnswersB, C

ElastiCache (Redis or Memcached) provides in-memory caching for low latency.

Why this answer

Options B and C are correct. DynamoDB provides a low-latency, high-throughput NoSQL database. ElastiCache provides in-memory caching for low latency.

Option D is wrong because Aurora is relational and may not match DynamoDB's throughput for simple key-value access. Option A is wrong because DocumentDB is for document workloads. Option E is wrong because RDS is relational and less scalable.

57
MCQhard

A company is designing a new application that will store sensitive data in Amazon S3. The data must be encrypted at rest using a key that is rotated every 90 days. The company wants to use AWS managed services to minimize operational overhead. Which encryption solution should they choose?

A.SSE-C
B.SSE-S3
C.Client-side encryption with AWS KMS
D.SSE-KMS with automatic rotation
AnswerB

SSE-S3 automatically rotates keys every 90 days with no customer management.

Why this answer

Option B is correct because SSE-S3 uses S3-managed keys that are automatically rotated. Option D is wrong because SSE-KMS requires customer management of key rotation, though it can be automatic with KMS. Option A is wrong because SSE-C requires the customer to manage the keys.

Option C is wrong because client-side encryption adds operational overhead.

58
MCQmedium

A Solutions Architect runs the AWS CLI command shown in the exhibit. Which statement accurately describes the output?

A.The command lists all instances regardless of state.
B.The command lists instances in JSON format.
C.The command lists only running instances.
D.The command fails because --query is used incorrectly.
AnswerA

The command returns all instances with their state.

Why this answer

The command uses the --query parameter to filter output and --output table. The query extracts InstanceId and State.Name, and the table format shows the results. The command does not filter by state; it returns all instances regardless of state.

59
MCQhard

A company is deploying a serverless application using AWS Lambda. The application processes high-resolution images and stores them in Amazon S3. The processing time for each image is variable, but some images require more than 15 minutes to process. Lambda has a maximum execution time of 15 minutes. How can the company process these long-running image transformations?

A.Use AWS Step Functions to chain multiple Lambda functions, each processing a part of the image.
B.Use AWS Batch to run the image processing as a job on EC2 or Fargate.
C.Use Amazon SQS to queue the images and have Lambda poll the queue; the Lambda function can process one image per invocation.
D.Increase the Lambda timeout to 20 minutes.
AnswerB

AWS Batch can run jobs with longer execution times and can scale based on demand.

Why this answer

Using AWS Step Functions to orchestrate Lambda functions does not remove the 15-minute limit on each function. Splitting the work into parallel Lambda functions, each finishing under 15 minutes, can handle larger images if the work is parallelizable, but if processing a single image takes more than 15 minutes, a different compute service such as AWS Batch is needed.

Option B is correct. Option A is wrong because each Lambda function still has the 15-minute limit. Option C is wrong because SQS does not extend Lambda execution time.

Option D is wrong because the Lambda timeout cannot be set above the 15-minute maximum.

60
MCQhard

A company is designing a new solution to ingest real-time clickstream data from a website. The data volume varies from 100 to 100,000 events per second. The solution must buffer the data for up to 5 minutes and then deliver it to Amazon S3 for analysis. The company wants to minimize operational overhead and cost. Which service should be used to buffer the data?

A.Amazon Kinesis Data Streams
B.AWS Lambda
C.Amazon Kinesis Data Firehose
D.Amazon SQS
AnswerC

Firehose provides serverless buffering and delivery to S3.

Why this answer

Option C is correct. Amazon Kinesis Data Firehose can buffer incoming data for up to 15 minutes and then deliver it to S3, with no server management. Option A is wrong because Kinesis Data Streams requires managing shards and consumers.

Option D is wrong because SQS is not designed for large-scale streaming. Option B is wrong because Lambda has concurrency limits and is not a buffer.

61
Multi-Selectmedium

A company is building a serverless application using AWS Lambda and Amazon API Gateway. They need to authenticate users. Which TWO services can be used for authentication?

Select 2 answers
A.AWS Security Token Service
B.AWS IAM
C.Amazon SQS
D.Amazon Cognito
E.Amazon CloudFront
AnswersB, D

IAM can authenticate users via API Gateway IAM authorization.

Why this answer

AWS IAM is correct because it can be used to authenticate users by attaching IAM authorization to API Gateway, allowing the API to verify the caller's identity via AWS Signature Version 4 signing. This is commonly used for machine-to-machine or internal service calls where the caller has AWS credentials.

Exam trap

The trap here is that candidates often confuse AWS STS (which issues temporary credentials) with an authentication service, or think SQS or CloudFront can handle authentication, when in fact only IAM and Cognito directly support user authentication for API Gateway in this context.

62
MCQeasy

A company is designing a new application that will store and retrieve large files (up to 5 TB). The files must be accessible via HTTPS and must be durable. Which AWS storage service should be used?

A.Amazon S3
B.Amazon EFS
C.AWS Storage Gateway
D.Amazon EBS
AnswerA

S3 is object storage with HTTPS access and high durability.

Why this answer

Amazon S3 is the correct choice because it supports objects up to 5 TB in size, provides HTTPS access via RESTful API endpoints, and offers 99.999999999% (11 nines) durability by automatically replicating data across multiple Availability Zones. S3 is purpose-built for storing and retrieving large files over the internet with high durability and scalability.

Exam trap

The trap here is that candidates may confuse file storage (EFS) or block storage (EBS) with object storage (S3), overlooking that only S3 provides native HTTPS access and 11 nines durability for large objects without requiring an EC2 instance or additional infrastructure.

How to eliminate wrong answers

Option B (Amazon EFS) is wrong because it is a file-level storage service for Linux workloads, not designed for single objects up to 5 TB (its maximum file size is 52 TB, but it lacks native HTTPS object access and is optimized for shared file systems, not direct HTTP retrieval). Option C (AWS Storage Gateway) is wrong because it is a hybrid storage service that provides on-premises access to AWS storage, not a primary storage service for direct HTTPS access to large files; it adds latency and complexity for a purely cloud-native application. Option D (Amazon EBS) is wrong because it is block-level storage attached to a single EC2 instance, cannot be accessed directly via HTTPS, and has a maximum volume size of 16 TB but requires an EC2 instance to serve files, making it unsuitable for direct object retrieval over the internet.

63
MCQeasy

A company wants to migrate an on-premises Oracle database to Amazon Aurora PostgreSQL. The migration must have minimal downtime. Which AWS service should be used for the migration?

A.AWS Server Migration Service (SMS)
B.AWS DataSync
C.AWS Database Migration Service (DMS)
D.AWS Snowball
AnswerC

DMS supports continuous replication.

Why this answer

AWS DMS supports ongoing replication to minimize downtime during migration.

64
MCQmedium

A company is designing a disaster recovery solution for a critical application running on EC2 with data in an Amazon RDS MySQL Multi-AZ DB instance. The recovery time objective (RTO) is 15 minutes and recovery point objective (RPO) is 1 hour. Which strategy meets these requirements?

A.Enable Multi-AZ in a different Region.
B.Create a cross-Region read replica of the RDS DB instance.
C.Take daily snapshots of the RDS DB instance and copy them to another Region.
D.Use Amazon S3 cross-Region replication for database backups.
AnswerB

Promoting a read replica can achieve RTO under 15 minutes and RPO under 1 hour.

Why this answer

Option B is correct because a cross-Region read replica of an Amazon RDS MySQL DB instance provides asynchronous replication with a typical replication lag of seconds to minutes, meeting the RPO of 1 hour and RTO of 15 minutes by promoting the replica to a standalone instance in the event of a disaster. This approach minimizes data loss and allows rapid failover without relying on snapshot restoration or backup copying.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which is Region-bound) with cross-Region disaster recovery, or they assume daily snapshots are sufficient for a 1-hour RPO, failing to recognize that snapshot frequency must match the RPO window.

How to eliminate wrong answers

Option A is wrong because Multi-AZ in a different Region is not a supported configuration; Multi-AZ provides high availability within a single Region by synchronously replicating to a standby in a different Availability Zone, not across Regions. Option C is wrong because daily snapshots cannot achieve an RPO of 1 hour; snapshot frequency is at most once every 5 minutes, but daily snapshots would result in up to 24 hours of potential data loss, far exceeding the 1-hour RPO. Option D is wrong because Amazon S3 cross-Region replication is used for S3 objects, not for RDS database backups; RDS automated backups and manual snapshots are stored in S3, but the replication of those backups via S3 CRR does not provide the low RTO or RPO required, as it would still require restoring from a snapshot, which takes longer than 15 minutes.

65
MCQeasy

A company is designing a new application that will be deployed on AWS. The application requires a relational database with automatic failover and high availability within a single AWS region. Which database deployment option meets these requirements?

A.Amazon RDS Single-AZ deployment
B.Amazon RDS with Read Replicas
C.Amazon RDS Multi-AZ deployment
D.Amazon RDS cross-region replication
AnswerC

Multi-AZ provides automatic failover and high availability within a region.

Why this answer

Option C is correct because RDS Multi-AZ provides automatic failover and high availability within a region. Option A is wrong because Single-AZ does not provide failover. Option B is wrong because Read Replicas are for read scaling, not failover.

Option D is wrong because cross-region replication is for disaster recovery, not primary failover.

66
Multi-Selectmedium

A company is designing a real-time analytics platform that ingests data from thousands of IoT devices. The platform must process and store high-velocity data with low latency. Which TWO AWS services should be used together to meet these requirements? (Choose TWO.)

Select 2 answers
A.AWS Lambda
B.Amazon Kinesis Data Streams
C.Amazon Kinesis Data Analytics
D.Amazon S3
E.Amazon SQS
AnswersB, C

Ingests large amounts of data from IoT devices in real time.

Why this answer

Amazon Kinesis Data Streams ingests high-velocity streaming data. Amazon Kinesis Data Analytics performs real-time analytics on the stream. Option A (Lambda) can be used, but not as the primary analytics engine.

Option D (S3) is for storage, not real-time processing. DynamoDB is for low-latency queries but not for stream analytics. Option E (SQS) is for message queuing, not real-time analytics.

67
MCQmedium

Refer to the exhibit. A solutions architect is designing a new application that requires three EC2 instances running in different Availability Zones in us-east-1. The architect runs the AWS CLI command shown and sees three instances running in three AZs. However, the application is not highly available because if one AZ fails, the application loses one-third of its capacity. The architect needs to ensure that the application can survive the loss of an entire AZ without manual intervention. What should the architect do?

A.Create a launch configuration and manually associate it with the instances.
B.Create an Auto Scaling group with a minimum size of 2 and a maximum size of 6, spread across three AZs.
C.Use EC2 Auto Recovery to automatically recover instances in case of failure.
D.Manually launch additional instances in other AZs.
AnswerB

Auto Scaling automatically replaces failed instances.

Why this answer

Option B is correct. An Auto Scaling group across three AZs with a minimum of 2 instances ensures that if one AZ fails, the instances in the other two AZs continue running, and Auto Scaling launches new instances in the remaining AZs to maintain the desired count. Option C is wrong because EC2 Auto Recovery does not automatically replace instances lost when an entire AZ fails.

Option A is wrong because a launch configuration alone is not enough; you need an Auto Scaling group. Option D is wrong because manually launching instances is the manual intervention the requirement rules out.

68
MCQeasy

A company wants to provide temporary access to an S3 bucket for external partners. The access must be time-limited and restricted to specific objects. Which AWS service or feature should they use?

A.S3 bucket policies
B.CloudFront signed URLs
C.Presigned URLs
D.IAM roles
AnswerC

Presigned URLs grant time-limited access to specific objects.

Why this answer

Option C is correct because presigned URLs provide temporary, limited access to specific S3 objects. Option A (bucket policies) is wrong because bucket policies are not time-limited. Option D (IAM roles) is wrong because roles require AWS credentials.

Option B (CloudFront signed URLs) is wrong because signed URLs are for content delivery, not direct S3 access.

69
MCQmedium

A company is designing a new microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other using REST APIs. The company wants to implement a service mesh to handle traffic routing, observability, and security. Which AWS service should the company use?

A.Elastic Load Balancing for internal network load balancers.
B.AWS App Mesh.
C.AWS Cloud Map for service discovery.
D.Amazon API Gateway with VPC linking.
AnswerB

App Mesh provides service mesh capabilities for ECS.

Why this answer

AWS App Mesh is a service mesh that provides traffic management, observability, and security for microservices. Option B is correct. Option D is wrong because API Gateway is for external APIs.

Option C is wrong because Cloud Map is for service discovery. Option A is wrong because ELB is a load balancer, not a service mesh.

70
Multi-Selecthard

Which THREE factors should be considered when designing a global application that requires low-latency access to static content and dynamic API responses?

Select 3 answers
A.Use VPC peering between all Regions to reduce latency.
B.Use Amazon CloudFront with multiple origins for static and dynamic content.
C.Use AWS Direct Connect for global connectivity.
D.Deploy application in multiple AWS Regions and use Route 53 latency-based routing.
E.Use AWS Global Accelerator for dynamic content.
AnswersB, D, E

CloudFront caches static content at edge and forwards dynamic requests.

Why this answer

Options B, D, and E are correct. Amazon CloudFront provides edge caching for static content and can route dynamic requests to the nearest origin. AWS Global Accelerator improves performance for dynamic content via anycast IP.

Multi-Region deployment with Route 53 latency-based routing reduces latency. Option C is incorrect because Direct Connect is for dedicated private connectivity, not global optimization. Option A is incorrect because VPC peering does not provide global edge caching.

71
MCQhard

A company is designing a serverless data processing pipeline that uses AWS Lambda to process messages from Amazon SQS. Each message requires 5 minutes of processing time. The company expects a steady state of 1,000 messages per second. What is the MOST scalable and cost-effective design?

A.Deploy an Amazon ECS service with Fargate that polls the SQS queue. Use an SQS queue with long polling and auto scaling based on queue depth.
B.Use an SQS queue and a Lambda function that processes messages in batches. Set the Lambda function timeout to 15 minutes and use reserved concurrency.
C.Use an Amazon MQ broker with ActiveMQ and configure a Lambda function to consume messages from a queue.
D.Configure an SQS queue with a Lambda trigger. Set the Lambda function timeout to 5 minutes and the batch size to 1.
AnswerA

ECS can scale to thousands of tasks, each handling one message for 5 minutes, cost-effective and scalable.

Why this answer

Option A is correct. Lambda has a 15-minute maximum timeout, so a 5-minute per-message runtime is possible, but the required concurrency is the problem: at 1,000 messages per second with 5 minutes (300 seconds) of processing each, the pipeline needs about 300,000 concurrent executions, far above the default Lambda concurrency limit of 1,000 per account.

Options B and D therefore cannot sustain the steady-state load, whether the function processes messages in batches with reserved concurrency or one message per invocation with a batch size of 1. An Amazon ECS service on Fargate that polls the SQS queue with long polling and scales on queue depth can run thousands of long-lived tasks, each handling one message for 5 minutes, which makes it the most scalable and cost-effective design.

72
MCQhard

A financial services company is designing a new system on AWS to process real-time stock trades. The system must handle up to 10,000 trades per second with end-to-end latency under 500 milliseconds. Trades are ingested via REST API, validated, enriched with market data, and stored in a database for regulatory compliance. The architecture must be highly available across three Availability Zones. The company wants to use AWS managed services to minimize operational overhead. Which solution should a Solutions Architect recommend?

A.Use Network Load Balancer to distribute trade requests to a fleet of EC2 instances running a custom Java application. The application processes trades and writes to Amazon RDS for MySQL with Multi-AZ.
B.Use Amazon API Gateway to ingest trades, publish to an SNS topic, subscribe an SQS queue and a Lambda function. Lambda validates and enriches, then stores in DynamoDB.
C.Use Amazon API Gateway to ingest trades, send to an SQS FIFO queue for ordered processing, trigger an AWS Lambda function for validation and enrichment, and store in DynamoDB.
D.Use Amazon API Gateway to ingest trades, send to Amazon Kinesis Data Streams for buffering, use AWS Lambda to process in parallel, and store results in DynamoDB with on-demand capacity.
AnswerD

Kinesis can handle high throughput, Lambda scales automatically, DynamoDB provides low-latency storage.

Why this answer

Option D is correct because it uses API Gateway for ingestion, Kinesis Data Streams for buffering, Lambda for processing (scaling to handle 10k tps), and DynamoDB for low-latency storage. Option C is wrong because SQS FIFO queues do not support this throughput with ordering (limited to 300 tps). Option A is wrong because EC2 instances introduce management overhead and may not scale as quickly.

Option B is wrong because SNS does not provide a persistent buffer; messages can be lost if the subscriber is unavailable.

73
Multi-Selecthard

A company is designing a hybrid cloud solution that extends its on-premises data center to AWS. The company has a 10 Gbps AWS Direct Connect connection and needs to securely connect multiple VPCs and on-premises networks with transitive routing. The solution must be highly available and use AWS managed services. Which TWO components should the company include in the design? (Choose TWO.)

Select 2 answers
A.AWS Global Accelerator endpoints in each VPC.
B.AWS Transit Gateway with attachments for each VPC and the Direct Connect Gateway.
C.AWS Site-to-Site VPN connections from on-premises to each VPC.
D.VPC peering between each VPC and the on-premises network.
E.AWS Direct Connect Gateway attached to the Transit Gateway.
AnswersB, E

Transit Gateway enables transitive routing and central management.

Why this answer

AWS Transit Gateway provides transitive routing between VPCs and on-premises networks. Direct Connect Gateway allows association of multiple VPCs via Transit Gateway. Options B and E are correct.

Option C is wrong because per-VPC Site-to-Site VPN connections (VPN CloudHub) do not integrate with Transit Gateway. Option D is wrong because VPC peering does not support transitive routing. Option A is wrong because AWS Global Accelerator is not for network connectivity.

74
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application experiences sudden traffic spikes. What is the most effective way to ensure the application can handle the spikes without manual intervention?

A.Use a target tracking scaling policy based on average CPU utilization.
B.Increase the instance size to handle more load per instance.
C.Manually increase the desired capacity when traffic spikes.
D.Use scheduled scaling to add instances at expected peak times.
AnswerA

Target tracking automatically adjusts capacity to maintain a target metric, handling spikes.

Why this answer

Option A is correct because a target tracking scaling policy based on CPU utilization automatically adjusts capacity in response to demand. Option D is wrong because scheduled scaling works for predictable patterns, not sudden spikes. Option B is wrong because a larger instance size may not handle spikes if there are only a few instances.

Option C is wrong because manual scaling is not automated.

75
MCQeasy

A company is designing a new application that will process sensitive financial transactions. The application must be deployed in a VPC with no public internet access. The application needs to send logs to Amazon CloudWatch Logs and store files in Amazon S3. Which set of actions should be taken to meet these requirements without allowing internet access?

A.Create a Gateway VPC endpoint for S3 and an Interface VPC endpoint for CloudWatch Logs
B.Place the application behind a public Application Load Balancer
C.Set up a NAT gateway in a public subnet and route traffic through it
D.Use AWS PrivateLink to connect to CloudWatch Logs and S3
AnswerA

Gateway endpoints for S3 and Interface endpoints for CloudWatch Logs provide private connectivity within the VPC, no internet required.

Why this answer

Option A is correct because VPC endpoints (Gateway for S3 and Interface for CloudWatch Logs) allow private connectivity to AWS services without internet access. Option C is wrong because a NAT gateway provides outbound internet access, which is not allowed. Option B is wrong because a public ALB would expose the application to the internet.

Option D is wrong because AWS PrivateLink is used for services in other accounts, not for CloudWatch Logs; the correct endpoint is Interface endpoint.
