CCNA Design for New Solutions Questions

75 of 514 questions · Page 2/7 · Design for New Solutions · Answers revealed

76
MCQ · easy

A startup is building a serverless application using AWS Lambda. They need to securely store and retrieve database credentials without hardcoding them in the function code. Which AWS service should they use?

A. Amazon DynamoDB
B. AWS Secrets Manager
C. AWS Identity and Access Management (IAM)
D. AWS Systems Manager Parameter Store
Answer: B

Secrets Manager is the best choice for managing secrets with automatic rotation.

Why this answer

AWS Secrets Manager is designed to securely store secrets like database credentials and rotate them automatically. Lambda can retrieve them at runtime using the Secrets Manager API.

77
MCQ · medium

A company is designing a new serverless data processing pipeline. The pipeline uses AWS Lambda to process records from an Amazon Kinesis Data Stream. The company wants to ensure that failed records are automatically retried and sent to a dead-letter queue after three failed attempts. Which configuration should the company use?

A. Configure the Kinesis stream to send failed records to an SQS standard queue.
B. Configure an on-failure destination on the Kinesis event source mapping to send records to an SQS queue.
C. Configure the Lambda function's dead-letter queue property with an SQS queue.
D. Configure a Lambda destination on the function to send events to an SQS queue.
Answer: B

The event source mapping for Kinesis supports an on-failure destination for DLQ.

Why this answer

Option B is correct because Kinesis Data Streams as a Lambda event source supports an on-failure destination, which receives records once the configured retry attempts are exhausted. Option A is wrong because an SQS standard queue has no retry settings of its own; retries are controlled by the Lambda event source mapping. Option C is wrong because the function-level dead-letter queue setting does not apply to records from a stream event source.

Option D is wrong because Lambda destinations are for asynchronous invocations, not streams.

78
MCQ · hard

A company has an IAM policy attached to a user as shown in the exhibit. The user is trying to stop an EC2 instance in the us-west-2 region. What will happen?

A. The user cannot stop the instance because the condition checks the request region.
B. The user cannot stop the instance because the second statement denies all actions in regions other than us-east-1.
C. The user can stop the instance because the first statement allows it.
D. The user can stop the instance because the condition applies only to the Deny statement, but the Allow statement is unconditional.
Answer: B

The deny statement with condition StringNotEquals us-east-1 denies the action in us-west-2.

Why this answer

Option B is correct. The first statement allows DescribeInstances, StartInstances, and StopInstances. The second statement denies all actions if the requested region is not us-east-1.

Since us-west-2 is not us-east-1, the deny applies, and the user cannot stop the instance. Option A gives the wrong reason: the user is blocked because the explicit deny overrides the allow. Option C is wrong because the user cannot stop the instance.

Option D is wrong because the action is explicitly denied, and an explicit deny always wins over an allow.

79
MCQ · medium

A company is designing a new microservices architecture on AWS. They need a solution for service discovery that allows services to register themselves and discover other services dynamically. The solution must be highly available and integrated with AWS-native services. Which AWS service should they use?

A. Amazon ECS Service Discovery
B. Application Load Balancer (ALB)
C. AWS Cloud Map
D. Amazon Route 53 private hosted zones
Answer: C

Cloud Map is a service discovery service that allows resources to register and discover each other, with health checks.

Why this answer

AWS Cloud Map is the correct choice because it is a fully managed service discovery service that allows microservices to register themselves dynamically and discover other services via DNS or HTTP API calls. It integrates natively with AWS services like Amazon ECS, Amazon EKS, and AWS Lambda, and provides high availability through automatic health checking and resource synchronization across AWS Regions.

Exam trap

The trap here is that candidates often treat Amazon ECS Service Discovery (Option A) as a separate service, when it is actually a feature of AWS Cloud Map, leading them to overlook Cloud Map as the correct, standalone service for dynamic service discovery.

How to eliminate wrong answers

Option A is wrong because Amazon ECS Service Discovery is not a standalone service; it is a feature of AWS Cloud Map that is exposed through Amazon ECS, and it lacks the broader API-based discovery and health-check integration that Cloud Map provides. Option B is wrong because an Application Load Balancer (ALB) is a Layer 7 load balancer that distributes traffic to targets, not a service registry for dynamic service-to-service discovery; it does not support service registration or DNS-based discovery for internal microservices. Option D is wrong because Amazon Route 53 private hosted zones provide DNS resolution within a VPC but do not support dynamic service registration, health checking, or API-based discovery; they are a static DNS solution, not a service discovery registry.

80
MCQ · easy

A company wants to store application logs in a centralized location for analysis. The logs are generated by EC2 instances in an Auto Scaling group. The solution must be cost-effective and support real-time analysis. Which service should be used to collect and analyze the logs?

A. Amazon S3
B. Amazon Kinesis Data Firehose
C. Amazon Elasticsearch Service
D. Amazon CloudWatch Logs
Answer: D

CloudWatch Logs provides real-time log collection and analysis.

Why this answer

Amazon CloudWatch Logs is the correct choice because it natively integrates with EC2 instances via the CloudWatch Logs agent to collect, monitor, and analyze log data in real time. It provides a centralized log storage with built-in metric filters and subscription filters for real-time analysis, making it cost-effective for logs generated by Auto Scaling groups without requiring additional infrastructure.

Exam trap

The trap here is that candidates often confuse 'real-time analysis' with needing a dedicated analytics service like Amazon Elasticsearch Service, overlooking that CloudWatch Logs provides built-in real-time monitoring and filtering capabilities without additional cost or complexity.

How to eliminate wrong answers

Option A is wrong because Amazon S3 is an object storage service that does not support real-time analysis; it is typically used for archival or batch processing, not for streaming log collection and live querying. Option B is wrong because Amazon Kinesis Data Firehose is a streaming data delivery service that requires additional downstream services (like Amazon Elasticsearch Service or S3) for analysis and storage, adding complexity and cost for a simple log collection use case. Option C is wrong because Amazon Elasticsearch Service (now Amazon OpenSearch Service) is a search and analytics engine that can ingest logs but requires separate log collection agents and additional configuration for real-time analysis, making it less cost-effective and more complex than CloudWatch Logs for this scenario.

81
Multi-Select · easy

A company is designing a new application that will run on Amazon EC2 instances. The application writes logs to local disk, and the logs must be aggregated centrally for analysis. The company wants a solution that requires minimal configuration and can handle high log volume. Which TWO AWS services should the company use?

Select 2 answers
A. Amazon S3
B. AWS Lambda
C. Amazon Kinesis Data Firehose
D. Amazon CloudWatch Logs
E. Amazon CloudWatch Logs Insights
Answers: D, E

CloudWatch Logs can collect logs from EC2 instances using the CloudWatch agent.

Why this answer

Option D is correct because CloudWatch Logs can collect logs from EC2 instances via the CloudWatch agent. Option E is correct because CloudWatch Logs Insights allows querying and analyzing those logs. Option A is wrong because S3 is for log storage, not analysis.

Option C is wrong because Kinesis Data Firehose is for streaming data delivery, not for EC2 log collection. Option B is wrong because Lambda is not used for log analysis.

82
MCQ · medium

A company is designing a new application on AWS that requires a relational database with read replicas across multiple AWS Regions. The database must have automated failover and a recovery point objective (RPO) of less than 5 seconds. Which database solution should the company choose?

A. Amazon Aurora Global Database
B. Amazon RDS for MySQL with Multi-AZ and cross-Region read replicas
C. Amazon RDS for PostgreSQL with cross-Region read replicas and Multi-AZ
D. Amazon DynamoDB Global Tables
Answer: A

Aurora Global Database provides RPO of 1 second and automated failover across Regions.

Why this answer

Amazon Aurora Global Database is the correct choice because it is designed for cross-Region replication with a typical RPO of less than 1 second and automated failover from the primary Region to a secondary Region in under 1 minute. This meets the requirement for a relational database with read replicas across multiple Regions and an RPO of less than 5 seconds, as Aurora Global Database uses a dedicated, fast replication channel that minimizes lag.

Exam trap

The trap here is that candidates often confuse Multi-AZ failover (which is Region-bound) with cross-Region failover, or they assume that RDS cross-Region read replicas can achieve the same low RPO as Aurora Global Database, but RDS cross-Region replication is asynchronous and cannot guarantee sub-5-second RPO.

How to eliminate wrong answers

Option B is wrong because Amazon RDS for MySQL with Multi-AZ and cross-Region read replicas uses asynchronous replication for cross-Region replicas, which can introduce replication lag exceeding 5 seconds, and Multi-AZ only provides automated failover within a single Region, not across Regions. Option C is wrong because Amazon RDS for PostgreSQL with cross-Region read replicas and Multi-AZ also relies on asynchronous replication for cross-Region copies, which cannot guarantee an RPO of less than 5 seconds, and Multi-AZ failover is limited to the same Region. Option D is wrong because Amazon DynamoDB Global Tables is a NoSQL database, not a relational database, and the question explicitly requires a relational database solution.

83
MCQ · medium

An ALB is configured with a target group for HTTP:80. The health check returns a 302 redirect. What is the most likely cause of the unhealthy instances?

A. The application is returning a 500 Internal Server Error.
B. The application is taking too long to respond.
C. The security group is blocking health check traffic.
D. The application is redirecting health checks to another URL.
Answer: D

A 302 redirect suggests the application is redirecting the health check request.

Why this answer

Option D is correct because a 302 redirect indicates the application is redirecting health checks, which is not an expected success code for the target group. Option A is wrong because 302 is a redirect, not a 5xx error. Option B is wrong because 302 is not a timeout.

Option C is wrong because a security group blocking the health check would produce no HTTP response at all, not a 302.

84
MCQ · hard

Refer to the exhibit. A solutions architect has attached this IAM policy to an IAM role used by an application. The application is trying to upload an object to the S3 bucket example-bucket with server-side encryption using AWS KMS (SSE-KMS). What will happen?

A. The upload succeeds because the policy allows s3:PutObject for the bucket.
B. The upload fails because the policy requires SSE-S3.
C. The upload fails because the bucket policy does not allow SSE-KMS.
D. The upload succeeds because the condition only applies to encryption at rest.
Answer: B

The condition StringEquals on s3:x-amz-server-side-encryption must be AES256, but the request uses SSE-KMS.

Why this answer

Option B is correct. The policy only allows s3:PutObject when the encryption header is AES256 (SSE-S3). Since the application uses SSE-KMS, the condition is not met, and the request is denied.

Option A is incorrect because the condition explicitly requires AES256. Option C is incorrect because the bucket policy is not mentioned, and IAM policy alone can deny. Option D is incorrect because the policy denies the action due to unmet condition.

85
MCQ · medium

A company is designing a disaster recovery solution for a web application hosted on AWS. The primary site is in us-east-1 and the DR site is in us-west-2. The application uses an Amazon RDS for MySQL database. They need to recover the database with a Recovery Point Objective (RPO) of 5 seconds and a Recovery Time Objective (RTO) of 1 hour. Which solution meets these requirements?

A. Use RDS Multi-AZ in us-east-1 and failover to DR site.
B. Use AWS DMS with ongoing replication to an RDS instance in us-west-2.
C. Use RDS Cross-Region Read Replica and promote it.
D. Use Amazon Aurora Global Database.
Answer: D

Aurora Global Database provides cross-region replication with low RPO and fast failover.

Why this answer

Option D is correct because Aurora Global Database provides replication with an RPO of 1 second and failover in minutes. Option A is incorrect because RDS Multi-AZ is for high availability within a region, not cross-region DR. Option C is incorrect because an RDS Cross-Region Read Replica has an RPO of seconds but failover (promotion) is manual.

Option B is incorrect because DMS with ongoing replication has a higher RTO.

86
MCQ · hard

A financial services company is designing a multi-tier application that must achieve a Recovery Time Objective (RTO) of 1 hour and a Recovery Point Objective (RPO) of 15 minutes for a database tier. The application uses Amazon RDS for MySQL with Multi-AZ deployment. Which disaster recovery strategy meets these requirements at the LOWEST cost?

A. Deploy the RDS instance in Multi-AZ configuration and take frequent snapshots to another Region.
B. Use AWS Database Migration Service (DMS) for continuous replication to an RDS instance in another Region.
C. Use Amazon Aurora Global Database, which provides global replication with typical RPO of 1 second.
D. Create a cross-Region read replica of the RDS MySQL instance in another Region. In a disaster, promote the read replica to a standalone instance.
Answer: D

Cross-Region read replicas provide asynchronous replication with low RPO, and promotion takes minutes, meeting RTO at lower cost than other solutions.

Why this answer

Option D is correct because RDS Cross-Region Read Replicas provide asynchronous replication with an RPO in seconds, and the replica can be promoted to a standalone instance in minutes, meeting the RTO. Option A is wrong because Multi-AZ only protects against AZ failure, not Region failure, and restoring from a copied snapshot in another Region would take longer than the 1-hour RTO. Option B is wrong because DMS continuous replication needs a replication instance in addition to the target RDS instance, so it costs more than a read replica.

Option C is wrong because Aurora Global Database is more expensive than RDS read replicas.

87
MCQ · medium

A solutions architect is troubleshooting an EC2 instance that is not sending metrics to CloudWatch. The instance is running and has internet connectivity. Based on the exhibit, what is the MOST likely reason?

A. The instance does not have an IAM role that allows sending metrics to CloudWatch.
B. The instance's security group is blocking outbound traffic to CloudWatch endpoints.
C. The instance is in the wrong AWS region for CloudWatch.
D. The CloudWatch agent is not installed or running on the instance.
Answer: D

The monitoring state is 'disabled', indicating detailed monitoring is off, but even with basic monitoring, the CloudWatch agent is needed for system-level metrics.

Why this answer

The exhibit shows that monitoring is disabled. Detailed monitoring is required for EC2 metrics at 1-minute frequency, but basic monitoring (5-minute) is enabled by default. However, if the CloudWatch agent is not installed, custom and system-level metrics will not be sent.

The most likely reason is that the CloudWatch agent is not installed or configured. Option A (no IAM role) is possible but not shown in the exhibit. Option B (security group) is not shown either.

Option C (wrong region) is unlikely.

88
Multi-Select · medium

A company is designing a new solution to store and analyze log files from multiple sources. The solution must provide near real-time analytics and the ability to query the logs using SQL. Which TWO AWS services should be used together to meet these requirements? (Choose two.)

Select 2 answers
A. Amazon CloudWatch Logs
B. Amazon Athena
C. Amazon ElastiCache
D. Amazon Redshift
E. Amazon Kinesis Data Firehose
Answers: B, E

Athena can query data in S3 using standard SQL.

Why this answer

Options B and E are correct. Amazon Kinesis Data Firehose can ingest log data in near real time and load it into Amazon S3. Amazon Athena can then query the data in S3 using standard SQL.

Option A is wrong because CloudWatch Logs is for monitoring, not SQL-based analytics. Option D is wrong because Redshift is for data warehousing, not near real-time analytics. Option C is wrong because ElastiCache is a cache.

89
MCQ · medium

A company is designing a microservices architecture on AWS ECS with Fargate. Each service needs to store and retrieve session state. The solution must be highly available and low latency. Which AWS service should be used for session state storage?

A. Amazon ElastiCache for Redis
B. Amazon RDS for MySQL
C. Amazon S3
D. Amazon DynamoDB
Answer: A

ElastiCache for Redis is an in-memory cache with sub-millisecond latency, ideal for session state.

Why this answer

Amazon ElastiCache for Redis is the correct choice because it provides an in-memory data store with sub-millisecond latency, ideal for session state storage in a microservices architecture. Redis supports data structures like hashes and strings that map directly to session data patterns, and its replication and cluster modes ensure high availability across multiple Availability Zones. Fargate tasks can connect to ElastiCache via private subnets, maintaining low latency without the overhead of disk-based I/O.

Exam trap

The trap here is that candidates often choose DynamoDB because it is a managed, highly available database with low latency, but they overlook that session state is ephemeral and best served by an in-memory cache like Redis, which offers lower latency, automatic TTL expiration, and lower cost for transient data patterns.

How to eliminate wrong answers

Option B (Amazon RDS for MySQL) is wrong because relational databases introduce unnecessary latency and overhead for session state, which is ephemeral and requires fast reads/writes; RDS is optimized for persistent, ACID-compliant transactional data, not high-throughput key-value access. Option C (Amazon S3) is wrong because S3 is an object store with eventual consistency (unless using S3 Select or additional features) and higher latency (tens to hundreds of milliseconds), making it unsuitable for real-time session retrieval. Option D (Amazon DynamoDB) is wrong because while DynamoDB offers single-digit millisecond latency and is highly available, it is a NoSQL database with disk-based storage and higher per-request cost compared to an in-memory cache like Redis; for session state, which is transient and benefits from TTL-based expiration, Redis's in-memory model is more cost-effective and performant.

90
MCQ · easy

A company wants to design a serverless event-driven architecture where multiple downstream services need to process events from a single source. Events must be reliably delivered and each downstream service must process every event independently. Which AWS service should be used as the event router?

A. AWS Step Functions
B. Amazon Kinesis Data Streams
C. Amazon Simple Queue Service (SQS)
D. Amazon EventBridge
Answer: D

Amazon EventBridge allows you to create rules that send events to multiple targets (e.g., Lambda, SQS, SNS, Step Functions) simultaneously, enabling independent processing.

Why this answer

Option D is correct because Amazon EventBridge can route events to multiple targets (e.g., Lambda, SQS, SNS) based on rules, and each target receives the event independently. Option C is wrong because Amazon SQS is a queue, not a router; it delivers each message to a single consumer. Option A is wrong because AWS Step Functions is for orchestrating workflows, not for broadcasting events.

Option B is wrong because Amazon Kinesis Data Streams is for real-time streaming; broadcasting to several services requires building multiple consumer applications rather than rule-based routing.

91
MCQ · medium

A company is building a data lake on Amazon S3 using Parquet files. The data will be queried by multiple teams using Amazon Athena. The security team requires that access to sensitive columns (e.g., PII) be restricted based on the user's role. Which solution provides column-level access control with the LEAST administrative overhead?

A. Use AWS Lake Formation to define column-level permissions in the Data Catalog.
B. Create separate S3 buckets for sensitive and non-sensitive data and apply bucket policies to restrict access.
C. Load the data into Amazon Redshift and use Redshift Spectrum to query S3, then apply column-level security through Redshift.
D. Use IAM policies with condition keys to restrict access based on the Athena workgroup.
Answer: A

Lake Formation integrates with Athena and allows fine-grained column-level access control with minimal effort.

Why this answer

Option A is correct because Lake Formation allows column-level permissions via the Data Catalog. Option B is wrong because S3 bucket policies work at the object level, not the column level. Option D is wrong because IAM policies can restrict actions but not columns.

Option C is wrong because querying through Redshift Spectrum adds a Redshift cluster and extra complexity.

92
MCQ · easy

A company is designing a new application that requires secure storage of secrets such as database passwords and API keys. The application runs on Amazon EC2 instances. The company wants to centralize secret management and automatically rotate secrets. Which AWS service should be used?

A. AWS Key Management Service (KMS)
B. AWS CloudHSM
C. AWS Systems Manager Parameter Store
D. AWS Secrets Manager
Answer: D

Secrets Manager provides secret storage with automatic rotation.

Why this answer

Option D is correct because AWS Secrets Manager is designed for storing and rotating secrets centrally. Option C: Systems Manager Parameter Store can store secrets but does not natively rotate them. Option A: KMS is for encryption keys, not secret storage.

Option B: CloudHSM provides hardware security modules, not secret management.

93
MCQ · easy

A company is designing a new application that will run on AWS. The application needs to store and retrieve user session data with low latency. The session data is small (less than 1 KB per user) and must be highly available. The company expects up to 10 million active users per day. Which AWS service should be used as the session store?

A. Amazon DynamoDB
B. Amazon S3
C. Amazon RDS for MySQL
D. Amazon ElastiCache for Redis
Answer: D

Redis is an in-memory store ideal for session data with low latency and high throughput.

Why this answer

Option D is correct because Amazon ElastiCache for Redis is designed for low-latency session storage and can scale to millions of users. Option A: DynamoDB is good for persistence but has higher latency than an in-memory store. Option C: RDS is relational and slower for session data.

Option B: S3 has high latency for small, frequent reads and writes.

94
MCQ · easy

A company is designing a new static website hosted on Amazon S3. The website must be served over HTTPS with a custom domain name. Which AWS service should be used to achieve this?

A. Amazon Route 53 with alias record
B. Amazon CloudFront with SSL certificate
C. Amazon S3 static website hosting with bucket policy
D. Elastic Load Balancer with SSL termination
Answer: B

CloudFront can be configured with a custom SSL certificate and domain to serve HTTPS.

Why this answer

Option B is correct because CloudFront can be configured with a custom SSL certificate and domain. Option C is wrong because S3 static website hosting does not natively support HTTPS with custom domains. Option D is wrong because an ELB is for dynamic content, not a static S3 site.

Option A is wrong because Route 53 is DNS, not content delivery.

95
MCQ · medium

A company is building a new data lake on AWS to store and analyze petabytes of data from various sources. The data includes structured (CSV, Parquet), semi-structured (JSON), and unstructured (images, videos) files. The company needs a cost-effective storage solution that allows running SQL queries directly on the data without loading it into a database. Data is accessed infrequently but must be available within minutes. Which solution should a Solutions Architect recommend?

A. Store data in Amazon S3 Glacier Deep Archive for cost savings, and use Athena for queries.
B. Store data in Amazon Redshift, use Redshift Spectrum to query data in S3.
C. Store data in Amazon S3 using lifecycle policies to transition infrequent data to S3 Standard-IA. Use Amazon Athena for SQL queries.
D. Store data in Amazon EBS volumes attached to an EC2 instance running a SQL engine.
Answer: C

S3 is cost-effective object storage; Athena is serverless and queries data directly in S3.

Why this answer

Option C is correct because S3 is the best storage for a data lake, and Athena allows serverless SQL queries directly on S3 data. Option B is wrong because Redshift is for data warehousing, not a data lake; data must be loaded. Option A is wrong because Glacier Deep Archive is for archival, not querying: objects must be restored (which takes hours) before Athena can read them, so the data would not be available within minutes.

Option D is wrong because EBS is block storage for EC2, not designed for data lakes.

96
MCQ · easy

A company is building a new web application that will be accessed by users globally. They want to minimize latency and protect against DDoS attacks. Which AWS service should they use as the entry point?

A. Elastic Load Balancing
B. AWS Global Accelerator
C. Amazon CloudFront
D. Amazon Route 53
Answer: C

CloudFront provides edge caching, low latency, and integrated DDoS protection.

Why this answer

Amazon CloudFront is correct because it is a global content delivery network (CDN) that caches content at edge locations close to users, reducing latency for static and dynamic content. It also provides built-in DDoS protection through AWS Shield Standard and can integrate with AWS WAF for additional layer 7 filtering, making it the ideal entry point for a globally accessed web application requiring both low latency and DDoS mitigation.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with CloudFront because both improve latency globally, but Global Accelerator does not cache content or provide application-layer DDoS protection, making it unsuitable as the primary entry point for a web application requiring both features.

How to eliminate wrong answers

Option A is wrong because Elastic Load Balancing distributes traffic only within a single AWS Region and does not provide global edge caching or native DDoS protection at the application layer; it relies on other services for global latency reduction. Option B is wrong because AWS Global Accelerator improves latency by routing traffic over the AWS global network to the optimal regional endpoint, but it does not cache content or provide application-layer DDoS protection; it focuses on TCP/UDP traffic optimization and uses static anycast IPs. Option D is wrong because Amazon Route 53 is a DNS service that resolves domain names to IP addresses and can perform health checks and routing policies, but it does not cache content or provide DDoS mitigation beyond basic DNS-level protection; it is not an entry point for application traffic.

97
Multi-Select · easy

A company is designing a new application on AWS that will store sensitive user data. The application must comply with data residency requirements, meaning data must remain within a specific geographic region. Which TWO architectural decisions should a Solutions Architect make to ensure compliance?

Select 2 answers
A. Deploy all resources in a single AWS region that meets the data residency requirement.
B. Use S3 bucket policies to deny access if the request comes from outside the required region.
C. Use Amazon CloudFront to serve content from edge locations.
D. Use AWS Key Management Service (KMS) with customer managed keys.
E. Enable cross-Region replication for data stored in Amazon S3.
Answers: A, B

Deploying in a single region ensures data is stored and processed within that region.

Why this answer

Option B is correct because S3 bucket policies can restrict access to requests from specific regions. Option A is correct because deploying in a single region ensures data stays in that region. Option C is wrong because CloudFront caches data globally at edge locations, which may violate data residency.

Option E is wrong because cross-Region replication moves data to another region. Option D is wrong because KMS keys are region-specific but do not prevent data movement.

98
MCQ · hard

A company is migrating a legacy on-premises application to AWS. The application uses a monolithic architecture and a MySQL database. The company wants to refactor the application into microservices and use a NoSQL database for better scalability. The new application will be deployed on Amazon EKS. The database must be highly available and support automatic scaling. Which database service should the company use?

A. Amazon Aurora Serverless
B. Amazon DynamoDB
C. Amazon DocumentDB (with MongoDB compatibility)
D. Amazon RDS for MySQL with Multi-AZ deployment
Answer: B

DynamoDB is a fully managed NoSQL database with high availability and auto scaling.

Why this answer

Option B is correct because Amazon DynamoDB is a NoSQL database that supports high availability and automatic scaling. Option D: RDS for MySQL is relational, not NoSQL. Option A: Aurora Serverless is relational.

Option C: DocumentDB is NoSQL but is MongoDB-compatible; DynamoDB is more fully managed and serverless.

99
Multi-Select · medium

A company is designing a new application that will run on Amazon EC2 instances. The application needs to access an Amazon S3 bucket to read and write objects. The company wants to ensure that the EC2 instances can access the S3 bucket without storing AWS credentials on the instances. Which TWO steps should the company take?

Select 2 answers
A. Attach the IAM role to the EC2 instance profile.
B. Store the AWS access key and secret access key in a configuration file on the instance.
C. Create an S3 bucket policy that allows access from the EC2 instance's IP address.
D. Configure the EC2 security group to allow outbound traffic to S3.
E. Create an IAM role with a policy that grants the required S3 permissions.
Answers: A, E

Attaching the role to the instance profile allows the instance to assume the role.

Why this answer

Options A and E are correct. An IAM role with an S3 policy is created and attached to the EC2 instance profile, allowing the instance to assume the role and access S3 without stored credentials. Option B: Access keys should not be stored on instances.

Option C: An S3 bucket policy can be used but is not required if the IAM role grants access. Option D: Security groups do not control access to S3.

100
MCQ · medium

A media company is designing a video transcoding pipeline. They receive raw video files in Amazon S3, which need to be transcoded into multiple formats. The pipeline must handle sporadic bursts of uploads and complete processing within 30 minutes for each video. The cost should be minimized. Which design should they use?

A. Use AWS Lambda with layers containing FFmpeg to transcode videos.
B. Use Amazon S3 event notifications to trigger an AWS Elemental MediaConvert job.
C. Provision a cluster of EC2 instances running FFmpeg, with Auto Scaling based on SQS queue depth.
D. Use Amazon Elastic Transcoder, which is fully managed and triggers from S3 events.
Answer: B

MediaConvert is serverless, scales automatically, and is cost-effective for sporadic jobs.

Why this answer

Option B is correct because AWS Elemental MediaConvert is a serverless transcoding service that scales automatically and is cost-effective for sporadic workloads. Option C is wrong because EC2 Auto Scaling requires management and incurs costs even when idle. Option D is wrong because Elastic Transcoder is being deprecated and has fewer features.

Option A is wrong because Lambda has a 15-minute timeout and is not suitable for transcoding.

101
MCQmedium

A company is designing a new microservices application using Amazon ECS with Fargate. The services need to communicate securely within the VPC. Which approach should be used for service discovery?

A.Amazon Route 53 private hosted zones with health checks
B.AWS Cloud Map
C.VPC peering connections between services
D.Application Load Balancer with path-based routing
AnswerB

Managed service discovery for microservices.

Why this answer

Option B is correct because AWS Cloud Map is a fully managed service discovery service that works with ECS. Option D (Application Load Balancer) is for load balancing, not discovery. Option A (Route 53 private hosted zones) can be used but requires manual management.

Option C (VPC peering) is for connecting VPCs, not service discovery.

102
MCQhard

A company is migrating a legacy monolithic application to a microservices architecture on AWS. They want to use an event-driven design where services react to state changes. Which AWS service should they use to capture, store, and replay events?

A.Amazon SNS
B.Amazon Kinesis Data Streams
C.Amazon EventBridge
D.Amazon SQS
AnswerC

EventBridge supports event archiving and replay.

Why this answer

Option C is correct because Amazon EventBridge captures events and can archive and replay them. Option D (SQS) is queue-based, not event storage. Option A (SNS) is pub/sub with no replay.

Option B (Kinesis Data Streams) can replay but is for streaming data, not event sourcing.

103
MCQeasy

A startup is building a web application on AWS that requires a relational database. They expect unpredictable traffic patterns and want to minimize costs while ensuring high availability. Which database solution should they choose?

A.Amazon Redshift with concurrency scaling
B.Amazon Aurora Serverless (MySQL-compatible)
C.Amazon RDS for MySQL with Single-AZ deployment
D.Amazon DynamoDB with on-demand capacity
AnswerB

Aurora Serverless provides auto-scaling and high availability, cost-effective for unpredictable traffic.

Why this answer

Option B is correct because Aurora Serverless automatically scales based on demand and provides high availability with multi-AZ storage. Option D is wrong because DynamoDB is NoSQL, not relational. Option C is wrong because RDS Single-AZ lacks high availability.

Option A is wrong because Redshift is for data warehousing, not transactional workloads.

104
MCQhard

A company is designing a new data lake on AWS. The data lake must support SQL queries using Amazon Athena and also allow Amazon SageMaker to access training data. The solution must minimize storage costs for infrequently accessed data while providing immediate access when needed. Which storage tier should be used for the data lake?

A.Amazon S3 Glacier Deep Archive
B.Amazon S3 Intelligent-Tiering
C.Amazon S3 Standard
D.Amazon S3 One Zone-Infrequent Access
AnswerB

Automatically optimizes cost by moving data between tiers.

Why this answer

Option B is correct because S3 Intelligent-Tiering automatically moves data between access tiers based on usage, minimizing cost for infrequently accessed data while maintaining low latency. Option C (S3 Standard) is more expensive for rarely accessed data. Option A (S3 Glacier Deep Archive) requires restore time.

Option D (S3 One Zone-IA) is less durable and not recommended for a data lake.

105
Multi-Selectmedium

A company is designing a new application that will process sensitive financial data. They need to ensure encryption at rest and in transit. Which of the following should they use? (Select TWO.)

Select 2 answers
A.TLS for all data in transit
B.AWS Certificate Manager (ACM) for all encryption
C.SSL certificates for all connections
D.AWS Key Management Service (KMS) for encryption at rest
E.AWS Identity and Access Management (IAM) for data encryption
AnswersA, D

TLS encrypts data in transit; KMS manages the keys used for encryption at rest.

Why this answer

TLS (Transport Layer Security) is the industry-standard protocol for encrypting data in transit, ensuring confidentiality and integrity between client and server. AWS services such as ELB, CloudFront, and API Gateway can enforce TLS for all client communications, making it the correct choice for securing data in transit. AWS KMS manages the keys that services such as S3, EBS, and RDS use for server-side encryption, which covers the encryption-at-rest requirement.

Exam trap

The trap here is that candidates confuse SSL/TLS certificates (which only carry the server's identity and public key) with the encryption protocol itself (TLS), and they mistakenly think ACM or IAM perform encryption, when ACM only manages certificates and IAM only manages access.

106
MCQmedium

A company is deploying a new web application that uses Amazon S3 to store static content and Amazon CloudFront for content delivery. The application also uses an API Gateway with Lambda for backend logic. The company wants to protect the API from common web exploits like SQL injection and cross-site scripting. Which AWS service should be added to the architecture?

A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Shield Advanced
D.AWS WAF
AnswerD

WAF can block SQL injection and XSS attacks.

Why this answer

Option D is correct because AWS WAF integrates with API Gateway and CloudFront to protect against web exploits. Option C: Shield Advanced provides DDoS protection, not application-layer filtering. Option A: GuardDuty is for threat detection, not inline protection.

Option B: Inspector is for vulnerability assessment.

107
Multi-Selectmedium

A company is designing a multi-tier web application that must be fault-tolerant and scalable. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in an Auto Scaling group. The instances run a web server and a backend application. Which TWO steps should be taken to ensure the application can scale without data loss?

Select 2 answers
A.Use instance store volumes for temporary data.
B.Store session state in an external data store such as ElastiCache.
C.Implement lifecycle hooks to gracefully handle instance termination.
D.Use a custom CloudWatch metric to scale based on CPU utilization.
E.Use a fixed number of EC2 instances instead of Auto Scaling.
AnswersB, C

Storing session state externally makes instances stateless, preventing data loss on scale-in.

Why this answer

Option B is correct because storing session state in an external data store like ElastiCache decouples session data from individual EC2 instances. This ensures that if an instance is terminated or replaced during scaling events, the session data persists and can be served by any other instance in the Auto Scaling group, preventing data loss and maintaining user experience.

Exam trap

The trap here is that candidates often confuse instance store with EBS or assume that lifecycle hooks alone (Option C) prevent data loss, but lifecycle hooks only delay termination for cleanup—they do not preserve session data if the instance is ultimately terminated, making an external data store essential.

108
MCQmedium

A company is designing a CI/CD pipeline for a containerized application using AWS CodePipeline. The application is deployed to Amazon ECS with Fargate. The pipeline must automatically build and test code changes before deploying to production. Which service should be used to build and test the Docker images?

A.AWS CodeDeploy
B.AWS CodeBuild
C.Amazon ECR
D.AWS CodeCommit
AnswerB

CodeBuild is a build service that can build Docker images and run tests.

Why this answer

AWS CodeBuild is the correct service because it is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. In this scenario, CodeBuild can build the Docker image from a Dockerfile, run unit or integration tests inside the build environment, and then push the image to Amazon ECR, all within the CI/CD pipeline defined in AWS CodePipeline.

Exam trap

The trap here is that candidates may confuse AWS CodeDeploy's role in ECS deployments with the build and test phase, assuming CodeDeploy handles the entire CI/CD process, when in fact it only handles the deployment step after the image is built and tested by CodeBuild.

How to eliminate wrong answers

Option A is wrong because AWS CodeDeploy is a deployment service that automates code deployments to compute services like ECS, EC2, or Lambda, but it does not build or test Docker images. Option C is wrong because Amazon ECR is a container image registry for storing, managing, and deploying Docker images; it does not perform build or test operations. Option D is wrong because AWS CodeCommit is a source control service for hosting Git repositories; it does not build or test code.

109
MCQmedium

A company is designing a serverless application using AWS Lambda that needs to access a private Amazon RDS for MySQL database. The Lambda function is deployed in a VPC with the appropriate security groups. The database is in a private subnet. The company wants to avoid storing database credentials in the Lambda function code. What should the company do to securely access the database?

A.Create an IAM role that allows Lambda to access the RDS instance using IAM database authentication.
B.Pass the database credentials as environment variables to the Lambda function.
C.Store the database credentials in AWS Secrets Manager and retrieve them using the Secrets Manager API in the Lambda function.
D.Store the database credentials in AWS Systems Manager Parameter Store and retrieve them in the Lambda function.
AnswerC

Secrets Manager securely stores and rotates credentials, and Lambda can retrieve them via API.

Why this answer

Option C is correct because AWS Secrets Manager can securely store database credentials and Lambda can retrieve them via the Secrets Manager API. Option A is wrong because IAM roles cannot be used directly for MySQL database authentication. Option D is wrong because Systems Manager Parameter Store can store credentials, but Secrets Manager is better suited for secrets rotation.

Option B is wrong because environment variables are not secure.

110
MCQhard

A company is designing a multi-region active-active application using Amazon DynamoDB global tables. The application requires strong consistency reads. However, global tables only support eventual consistency. What should the solutions architect do to meet the requirement?

A.Design the application to handle eventual consistency using conditional writes and application logic.
B.Enable strong consistency in the global table configuration.
C.Use DynamoDB Streams to replicate data to another region with strong consistency.
D.Use DynamoDB Accelerator (DAX) to provide strong consistency reads.
AnswerA

Application can manage consistency.

Why this answer

Option A is correct. DynamoDB global tables use eventual consistency, but the application can use conditional writes and application-level conflict resolution to handle it. Option D is wrong because DynamoDB Accelerator (DAX) is a cache, not a consistency mechanism.

Option C is wrong because DynamoDB Streams is for change data capture. Option B is wrong because there is no configuration for strong consistency in global tables.

111
MCQhard

Refer to the exhibit. A solutions architect has attached this key policy to an AWS KMS key. The IAM role MyAppRole is used by an application running on an EC2 instance in us-east-1. The application tries to decrypt an object stored in the S3 bucket my-bucket using server-side encryption with AWS KMS (SSE-KMS). What will happen?

A.The decryption fails because the key policy does not grant decrypt to the role.
B.The decryption succeeds because the role has permissions via this key policy.
C.The decryption fails if the application calls KMS Decrypt directly instead of letting S3 decrypt.
D.The decryption succeeds only if the object was uploaded with the correct encryption context.
AnswerC

The condition kms:ViaService requires the request to come from S3, not direct SDK call.

Why this answer

Option C is correct. The policy allows kms:Decrypt only when the request comes via S3 service (kms:ViaService) and when the encryption context matches the bucket ARN. If the application is using the AWS SDK to directly call KMS Decrypt (instead of letting S3 handle it), the condition kms:ViaService will not be satisfied, and the request will be denied.

Option A is incorrect because the condition restricts decryption to S3 service calls. Option B is incorrect because the encryption context also must match. Option D is incorrect because the policy is attached to the key, not to the role; it's a key policy.

112
MCQmedium

A company is designing a new microservices application on AWS. Each microservice needs to store and retrieve stateful data with low latency (single-digit milliseconds). The data must be durable and highly available across multiple Availability Zones. Which AWS service should be used for the primary data store for each microservice?

A.Amazon DynamoDB
B.Amazon S3
C.Amazon RDS with Multi-AZ
D.Amazon ElastiCache for Redis
AnswerA

Amazon DynamoDB is a NoSQL database that delivers single-digit millisecond latency, is fully managed, and replicates data across multiple AZs automatically. It is ideal for stateful microservices.

Why this answer

Option A is correct because Amazon DynamoDB provides single-digit millisecond latency, automatic replication across multiple AZs, and is fully managed. Option B is wrong because Amazon S3 has higher latency and is not ideal for low-latency stateful data. Option C is wrong because Amazon RDS has higher latency than DynamoDB for simple key-value lookups.

Option D is wrong because Amazon ElastiCache is in-memory and not durable by default without additional configuration.

113
MCQhard

A company wants to design a highly available, stateless web application using Amazon ECS with Fargate. They need to distribute traffic across multiple AWS Regions for low latency. Which approach should they use?

A.Use a single Network Load Balancer in the primary region with cross-zone load balancing.
B.Use Amazon Route 53 latency-based routing to direct traffic to an Application Load Balancer in each region.
C.Use Amazon CloudFront with origins in each region.
D.Use AWS Global Accelerator with Network Load Balancers in each region.
AnswerB

Latency routing and ALB are appropriate for stateless web apps.

Why this answer

Option B is correct because Amazon Route 53 latency-based routing directs users to the region with the lowest latency, and using an Application Load Balancer (ALB) in each region provides regional traffic distribution and health checks for the stateless ECS Fargate tasks. This combination ensures high availability and low latency across multiple AWS Regions, as the ALB handles HTTP/HTTPS traffic and integrates with ECS service discovery.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with Route 53 latency-based routing, assuming Global Accelerator is always better for multi-region latency, but the question specifically asks for a stateless web application using ECS Fargate, where an ALB is the natural fit and Route 53 latency-based routing provides the simplest and most cost-effective solution for HTTP/HTTPS traffic distribution across regions.

How to eliminate wrong answers

Option A is wrong because a single Network Load Balancer (NLB) in one primary region cannot distribute traffic across multiple AWS Regions; cross-zone load balancing only distributes traffic within a single region's Availability Zones, not across regions. Option C is wrong because Amazon CloudFront with origins in each region is a content delivery network (CDN) optimized for caching static content, not for routing dynamic, stateless web application traffic with low latency across regions; it adds unnecessary caching complexity and does not provide regional load balancing for dynamic requests. Option D is wrong because AWS Global Accelerator uses Anycast IPs to route traffic to the nearest regional endpoint, but it requires Network Load Balancers or Elastic IPs as endpoints, not Application Load Balancers, and while it improves latency, it does not natively support latency-based routing to multiple regions as precisely as Route 53 latency-based routing; additionally, Global Accelerator is better suited for TCP/UDP traffic and non-HTTP protocols, whereas the question specifies a stateless web application (HTTP/HTTPS) where ALB is more appropriate.

114
MCQeasy

A company needs to design a new solution for storing and retrieving user-uploaded images. The images are accessed frequently for the first 30 days and then rarely accessed after that. The company wants to minimize storage costs while maintaining low-latency access for frequently accessed images. Which storage strategy should be used?

A.Store images in Amazon EBS volumes attached to a web server.
B.Store images in Amazon S3 Standard and use lifecycle policies to transition to S3 Standard-IA after 30 days.
C.Store all images in Amazon S3 Glacier Flexible Retrieval.
D.Store all images in Amazon S3 Standard.
AnswerB

Lifecycle policies automate cost optimization while keeping low-latency access during frequent access period.

Why this answer

Amazon S3 Standard provides low-latency access for frequently accessed images, and S3 lifecycle policies allow automatic transition to S3 Standard-Infrequent Access (Standard-IA) after 30 days, reducing storage costs while maintaining rapid access for the initial period. This strategy directly meets the requirement of minimizing costs without sacrificing performance for the first 30 days.

Exam trap

The trap here is that candidates may choose Option D (all S3 Standard) because it guarantees low-latency access, overlooking the cost savings of transitioning to Standard-IA for data that becomes rarely accessed after 30 days.

How to eliminate wrong answers

Option A is wrong because Amazon EBS volumes are block-level storage attached to a single EC2 instance, not designed for storing and retrieving user-uploaded images at scale, and they incur costs even when not accessed, lacking lifecycle management for infrequent access. Option C is wrong because Amazon S3 Glacier Flexible Retrieval has retrieval times of minutes to hours, which does not provide low-latency access for frequently accessed images during the first 30 days. Option D is wrong because storing all images in Amazon S3 Standard incurs higher storage costs for data that becomes rarely accessed after 30 days, failing to minimize storage costs as required.

115
MCQeasy

A startup is building a serverless application using AWS Lambda for business logic and Amazon DynamoDB for data storage. The application must process a high volume of writes to a single DynamoDB table. The development team is concerned about throttling due to hot partitions. Which design should the team implement to avoid throttling?

A.Enable DynamoDB Accelerator (DAX) to cache write operations.
B.Use a composite primary key with a partition key that has high cardinality, such as a user ID.
C.Use a global secondary index (GSI) as the primary index for writes.
D.Add a local secondary index (LSI) to the table.
AnswerB

High cardinality partition keys distribute writes evenly across partitions.

Why this answer

Option B is correct: using a composite key with a partition key that has high cardinality, such as a user ID, distributes writes evenly across partitions. Option D (LSI) doesn't help with write distribution. Option A (DAX) is a cache, not a solution for hot partitions.

Option C (GSI) is for querying, not for write distribution.

116
MCQmedium

A company is migrating a monolithic application to microservices on Amazon ECS with Fargate. The application currently uses a central MySQL database. The architects plan to refactor the database into separate RDS instances per microservice. Which strategy will ensure data consistency across services with minimal application changes?

A.Enable the STRICT_TRANS_TABLES SQL mode on all RDS instances to enforce data integrity.
B.Implement a saga pattern using choreography, where each service publishes events and reacts to events from other services.
C.Configure RDS read replicas for each service to ensure eventually consistent reads.
D.Use distributed transactions with a two-phase commit protocol across RDS instances.
AnswerB

The saga pattern with choreography maintains data consistency across microservices without tight coupling, and can be implemented with minimal changes using event-driven communication.

Why this answer

Option B is correct because the saga pattern with choreography coordinates transactions across services without a central coordinator. Option D is wrong because two-phase commit (XA) is not natively supported by RDS and adds complexity. Option C is wrong because eventually consistent reads do not guarantee consistency.

Option A is wrong because STRICT_TRANS_TABLES is a SQL mode, not a consistency solution.

117
MCQmedium

A financial services company is designing a new application that processes sensitive transactions. The application runs on Amazon ECS with Fargate. The compliance team requires that all data in transit between the application and the database must be encrypted. The database is an Amazon RDS for PostgreSQL instance. The application connects to the database using a connection string that includes the database endpoint. The security team has enabled encryption in transit on the RDS instance using a certificate. The application is currently failing to connect to the database with an error related to SSL/TLS. The development team verified that the connection string includes the sslmode=require parameter. What is the most likely cause of the connection failure?

A.The RDS instance is using a public certificate that is not trusted by the application.
B.The security group for the RDS instance does not allow inbound traffic on port 443.
C.The Fargate task does not have the necessary SSL libraries installed.
D.The RDS DB parameter group does not have the 'rds.force_ssl' parameter set to 1.
AnswerD

The rds.force_ssl parameter must be set to enforce SSL connections.

Why this answer

Option D is correct. By default, TLS is not enforced on RDS; you must set the rds.force_ssl parameter to 1. Option C is wrong because Fargate containers can use SSL.

Option B is wrong because PostgreSQL negotiates TLS on its normal database port (5432 by default), so port 443 is irrelevant and security groups do not block SSL/TLS. Option A is wrong because sslmode=require does not verify the server certificate, so an untrusted certificate would not cause the failure.

118
Multi-Selectmedium

A company is designing a new solution to store and analyze large volumes of IoT sensor data. The data is time-series and must be retained for 90 days. The company needs to run complex SQL queries on the data and expects low latency for the most recent 7 days of data. Which TWO solutions meet these requirements? (Choose TWO.)

Select 2 answers
A.Use Amazon Kinesis Data Analytics to analyze data in real-time and store results in S3.
B.Use Amazon RDS for PostgreSQL with TimescaleDB extension.
C.Use Amazon Redshift with automated snapshot retention of 90 days.
D.Use Amazon Timestream for storing time-series data and run SQL queries.
E.Use Amazon DynamoDB with TTL to expire data after 90 days and use PartiQL for queries.
AnswersA, D

Kinesis Data Analytics can run SQL on streaming data and store results.

Why this answer

Amazon Timestream is a time-series database that supports SQL queries and automatically tiers data. Amazon Kinesis Data Analytics + S3 can also provide SQL querying on streaming data, with results stored in S3. Options A and D are correct.

Option E is wrong because DynamoDB TTL is not for complex SQL. Option B is wrong because RDS is not optimized for time-series scale. Option C is wrong because Redshift is not low-latency for recent data without streaming.

119
Multi-Selecteasy

A company is designing a new static website hosted on Amazon S3. They want to use Amazon CloudFront as a content delivery network (CDN) to serve the website globally with low latency. The website content must be encrypted in transit. Which configurations should they use? (Choose TWO.)

Select 2 answers
A.Enable default encryption on the S3 bucket using AES-256.
B.Enable S3 Transfer Acceleration on the bucket.
C.Configure the S3 bucket policy to deny requests that do not use HTTPS.
D.Configure CloudFront to require HTTPS for viewer requests.
E.Use CloudFront signed URLs to restrict access.
AnswersC, D

Requiring HTTPS at CloudFront and in the S3 bucket policy encrypts both the viewer-to-CloudFront and CloudFront-to-S3 hops.

Why this answer

Options C and D are correct. Configuring CloudFront to require HTTPS (D) ensures encryption in transit between viewers and CloudFront. Configuring the S3 bucket policy to allow only HTTPS (C) ensures encryption between CloudFront and S3.

Option B is wrong because S3 Transfer Acceleration is for speed, not encryption. Option A is wrong because S3 default encryption is for data at rest, not in transit. Option E is wrong because CloudFront signed URLs are for access control, not encryption.

120
MCQhard

A company is designing a data processing pipeline for real-time analytics. The pipeline ingests data from IoT devices that send JSON messages via MQTT to AWS IoT Core. The messages must be processed in real-time to detect anomalies and the results must be stored in Amazon S3 for later analysis. The company currently uses a Lambda function to process each message, but as the number of devices grows, the Lambda function is being throttled due to concurrency limits. The company needs a solution that scales to handle thousands of devices per second without losing messages. The processed data must be available in S3 within 1 minute of ingestion. Which architecture should the company use?

A.Send the IoT messages to an Amazon SQS queue and have Lambda poll the queue in batches to reduce the number of concurrent invocations.
B.Store the raw messages in an S3 bucket and use S3 Select to query the data for anomalies periodically.
C.Ingest the messages into Amazon Kinesis Data Streams with multiple shards, and use a Lambda function to process records from the stream. Increase the Lambda concurrency limit.
D.Use AWS IoT Core rules to route messages to Amazon Kinesis Data Firehose, which writes raw data to S3. Then use Amazon Kinesis Data Analytics to read from S3 and perform real-time anomaly detection, writing results back to S3 via Firehose.
AnswerD

This architecture separates ingestion (Firehose) from processing (Kinesis Data Analytics), which can scale independently and meet the 1-minute latency.

Why this answer

Option D is correct because Kinesis Data Analytics provides real-time SQL processing, and Kinesis Data Firehose delivers the results to S3 with low latency. Option A is wrong because Lambda concurrency limits will still be hit; SQS does not solve concurrency limits. Option C is wrong because Kinesis Data Streams alone does not process data; Lambda would still be needed and could be throttled.

Option B is wrong because S3 cannot process streaming data in real time; S3 Select is for querying objects.

121
MCQmedium

A company is designing a new microservices architecture on AWS. The company wants to use a service mesh to manage service-to-service communication, observability, and security. Which AWS service should the company use?

A.Amazon API Gateway
B.AWS App Mesh
C.AWS Transit Gateway
D.AWS Cloud Map
AnswerB

App Mesh is a service mesh that provides traffic management, observability, and security.

Why this answer

Option B is correct because AWS App Mesh is a service mesh that provides traffic management, observability, and security. Option A is wrong because Amazon API Gateway is for external APIs. Option D is wrong because AWS Cloud Map is for service discovery.

Option C is wrong because AWS Transit Gateway is for network connectivity.

122
MCQmedium

A company is designing a new serverless application that uses Amazon API Gateway and AWS Lambda. The application must authenticate users using a third-party identity provider (IdP) that supports OpenID Connect (OIDC). The company wants to offload authentication to the API Gateway. Which solution should the architect recommend?

A.Use an API Gateway COGNITO_USER_POOLS authorizer with Cognito configured as an OIDC client to the third-party IdP
B.Use an API Gateway COGNITO_USER_POOLS authorizer
C.Use an API Gateway Lambda authorizer
D.Use an API Gateway IAM authorizer
AnswerA

Cognito can federate with OIDC IdPs, and API Gateway validates the Cognito token.

Why this answer

Option A is correct because API Gateway can use a COGNITO_USER_POOLS authorizer while Cognito federates with the third-party OIDC identity provider. Option B is wrong because a COGNITO_USER_POOLS authorizer alone does not involve the third-party IdP; Cognito must also be configured as an OIDC client to it. Option C is wrong because Lambda authorizers are custom code, not offloading authentication.

Option D is wrong because IAM authorization is for AWS credentials, not OIDC.

123
MCQmedium

A company deployed the above CloudFormation template. An EC2 instance launched in the PrivateSubnet needs to access the internet for software updates. Which action is required?

A.Create a VPC Peering connection to a public VPC
B.Add a NAT Gateway in the PublicSubnet and update the PrivateSubnet's route table to point to the NAT Gateway
C.Add an Internet Gateway to the VPC and route the private subnet's route table to it
D.Modify the PrivateSubnet to assign public IP addresses on launch
AnswerB

NAT Gateway enables outbound internet for private instances.

Why this answer

A NAT Gateway placed in a public subnet with an Internet Gateway attached allows instances in private subnets to initiate outbound traffic to the internet (e.g., for software updates) while preventing inbound connections from the internet. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. This is the standard AWS pattern for outbound-only internet access from private subnets.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with an Internet Gateway, thinking that routing a private subnet directly to an Internet Gateway is sufficient, but this would expose instances to inbound traffic and require public IPs, defeating the purpose of a private subnet.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not provide internet access; it only connects two VPCs privately, and neither VPC inherently has internet access without an Internet Gateway. Option C is wrong because routing a private subnet directly to an Internet Gateway would allow inbound internet traffic, violating the security model of a private subnet; Internet Gateways require public IP addresses and are used with public subnets. Option D is wrong because assigning public IP addresses to instances in a private subnet does not grant internet access; the subnet still lacks a route to an Internet Gateway, and public IPs alone cannot reach the internet without a gateway.

124
Multi-Selecthard

A company is designing a new application that will process sensitive data. The application will run on Amazon ECS with Fargate. The security team requires that all data at rest be encrypted, and that encryption keys be managed by the company's own hardware security module (HSM) in an on-premises data center. Which TWO steps should the company take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Configure Amazon EBS encryption using AWS KMS with a customer managed key
B.Enable Amazon S3 default encryption with SSE-C
C.Use AWS CloudHSM to generate and store encryption keys
D.Create an AWS KMS custom key store backed by AWS CloudHSM
E.Store encryption keys in AWS Certificate Manager (ACM)
AnswersC, D

CloudHSM provides dedicated HSM appliances in AWS that can be part of a company's HSM infrastructure.

Why this answer

Option C is correct because AWS CloudHSM provides dedicated, single-tenant HSM instances that the company can use to generate and store encryption keys in its own HSM, meeting the requirement that keys be managed by the company's own HSM in an on-premises data center (though CloudHSM is in AWS, it is customer-controlled). Option D is correct because creating an AWS KMS custom key store backed by AWS CloudHSM allows the company to use KMS for encryption operations while the key material is stored in the CloudHSM cluster, satisfying the need for customer-managed HSM-backed keys.

Exam trap

The trap here is that candidates often assume 'customer managed key' in AWS KMS (Option A) satisfies the requirement for keys to be managed by the company's own HSM, but KMS customer managed keys are still stored in AWS KMS, not in a customer-controlled HSM, unless a custom key store backed by CloudHSM is used.

125
MCQ · easy

A company is designing a new web application on AWS. The application must be highly available and scale automatically based on traffic. The architecture includes an Application Load Balancer (ALB) and an Auto Scaling group of EC2 instances. The application stores session state. What is the BEST way to handle session state to ensure high availability?

A. Store session state in Amazon DynamoDB
B. Store session state on the local instance store of each EC2 instance
C. Store session state in Amazon S3
D. Store session state in Amazon ElastiCache for Redis
Answer: D

ElastiCache provides a centralized, highly available session store.

Why this answer

Option D is correct because ElastiCache for Redis provides a highly available, in-memory data store for session state that can be accessed by any instance. Option B is incorrect because storing session state on the instance itself is not fault-tolerant. Option A is incorrect because DynamoDB is a database that is not optimized for session state.

Option C is incorrect because S3 is object storage and is not suitable for session state.

126
MCQ · hard

A company is designing a data lake on AWS using Amazon S3. The data lake will store sensitive customer data that must be encrypted at rest. The company requires that the encryption keys be managed by the company's own hardware security module (HSM) and rotated every 90 days. Which solution meets these requirements?

A. Use SSE-S3 (Amazon S3 managed keys) and configure a lifecycle policy to re-encrypt objects every 90 days
B. Use SSE-KMS with a customer managed key and configure automatic key rotation every 90 days
C. Use client-side encryption with keys stored in AWS CloudHSM and rotate the keys using CloudHSM key rotation
D. Use SSE-C (customer-provided keys) and provide the key with each PUT request, rotating the key every 90 days
Answer: C

CloudHSM provides dedicated HSMs under your control. You can store keys in CloudHSM and rotate them as needed.

Why this answer

AWS CloudHSM provides dedicated HSMs that you manage, allowing you to create and manage your own encryption keys with automatic rotation. Option A (SSE-S3) uses S3-managed keys. Option B (SSE-KMS with customer managed key) uses AWS KMS, not your own HSM.

Option D (SSE-C) requires you to provide the key with each request, which is not suitable for automatic rotation.

127
Multi-Select · medium

A company is designing a new application that will run on Amazon EC2 instances behind an Application Load Balancer. The company wants to ensure that traffic to the application is encrypted in transit. Which TWO actions should the company take?

Select 2 answers
A. Configure the Application Load Balancer with an HTTP listener that redirects to HTTPS.
B. Use a Network Load Balancer with TCP listener.
C. Place an Amazon CloudFront distribution in front of the ALB.
D. Install an SSL/TLS certificate on the Application Load Balancer.
E. Configure the Application Load Balancer with an HTTPS listener.
Answers: D, E

An SSL/TLS certificate is required for HTTPS termination.

Why this answer

Options D and E are correct. The ALB terminates TLS using the installed certificate, and the HTTPS listener ensures the traffic is encrypted. Option A is wrong because an HTTP listener accepts unencrypted traffic.

Option C is wrong because CloudFront does not ensure encryption between the ALB and the EC2 instances. Option B is wrong because an NLB with a TCP listener does not terminate TLS natively.

128
MCQ · easy

A company is designing a new application that will run on Amazon EC2 instances behind an Application Load Balancer. The application needs to store session state. Which AWS service provides a fully managed, highly scalable solution for session state management?

A. Amazon DynamoDB
B. Amazon ElastiCache for Redis
C. Amazon S3
D. Amazon RDS for MySQL
Answer: B

ElastiCache for Redis is a fully managed, highly scalable, in-memory data store ideal for session state.

Why this answer

Amazon ElastiCache for Redis is the correct choice because it provides a fully managed, in-memory data store that is ideal for session state management. Redis offers sub-millisecond latency, built-in replication, and automatic failover, making it highly scalable and durable for session data. The Application Load Balancer can be configured with stickiness (session affinity) to route requests to the same EC2 instance, but using ElastiCache for Redis decouples session state from the compute layer, enabling stateless application tiers and seamless scaling.

Exam trap

The trap here is that candidates often choose Amazon DynamoDB because it is fully managed and scalable, but they overlook the fact that session state requires extremely low latency and automatic TTL expiration, which are native strengths of Redis but require additional configuration (e.g., DynamoDB TTL) and still cannot match Redis's in-memory performance.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database that, while fully managed and scalable, is not optimized for session state management due to higher latency compared to in-memory caches and lack of native TTL (time-to-live) expiration for session data without additional configuration. Option C is wrong because Amazon S3 is an object storage service designed for large-scale data blobs, not for low-latency, high-throughput session state access; it lacks in-memory performance and introduces significant latency and cost overhead for frequent read/write operations. Option D is wrong because Amazon RDS for MySQL is a relational database that, while fully managed, is not designed for high-speed session state operations; it incurs higher latency due to disk-based storage and ACID transaction overhead, and it is not optimized for the ephemeral, high-frequency access patterns of session data.

129
Multi-Select · medium

A company is designing a solution to process real-time streaming data from IoT devices. The data must be ingested, processed with sub-second latency, and stored for analytics. Which services should the company use? (Choose TWO.)

Select 2 answers
A. AWS Lambda
B. Amazon Kinesis Data Streams
C. Amazon SQS
D. Amazon Kinesis Data Analytics
E. Amazon Kinesis Data Firehose
Answers: A, B

Lambda can process records from Kinesis streams in near real time.

Why this answer

Amazon Kinesis Data Streams ingests streaming data with sub-second latency. AWS Lambda processes the data in near real time. Option E (Kinesis Data Firehose) is for loading data to S3 with higher latency.

Option C (SQS) is for message queuing. Option D (Kinesis Data Analytics) is for SQL analytics on streams.

130
MCQ · easy

A solutions architect runs the above CLI command. What is the output format?

A. YAML formatted output.
B. A text table with columns.
C. A JSON array of strings.
D. A JSON object with keys.
Answer: C

The query returns a list of three values in JSON array format.

Why this answer

The command uses --query with a JMESPath expression to output specific fields as a JSON array. Option C is correct. Options A, B, and D are incorrect because the query specifies array output.

131
MCQ · hard

A company is designing a new solution to process a continuous stream of events from multiple sources. The events must be processed in real-time with exactly-once processing semantics. The solution should be able to handle replayed events without duplication. Which AWS service should be used for the event processing?

A. Amazon Kinesis Data Firehose
B. AWS Lambda with Kinesis trigger
C. Amazon Kinesis Data Analytics for Apache Flink
D. Amazon Simple Queue Service (SQS) with Lambda
Answer: C

Apache Flink provides exactly-once processing semantics.

Why this answer

Option C is correct because Amazon Kinesis Data Analytics for Apache Flink provides exactly-once processing semantics. Option B is wrong because Lambda invocations are at-least-once. Option A is wrong because Kinesis Data Firehose is for loading data, not processing it.

Option D is wrong because SQS delivery is at-least-once.

132
MCQ · easy

A company wants to migrate a monolithic application to AWS and redesign it using microservices. The application uses a MySQL database. The company wants to minimize operational overhead and enable each microservice to have its own database. Which AWS service should the company use to implement the database layer?

A. Amazon DynamoDB
B. Amazon RDS for MySQL
C. Amazon Redshift
D. Amazon Aurora
Answer: B

Amazon RDS is a managed relational database service that supports MySQL, reducing operational overhead.

Why this answer

Amazon RDS for MySQL is the correct choice because it provides a managed MySQL database service that minimizes operational overhead through automated backups, patching, and scaling. Each microservice can have its own RDS instance, enabling database-per-service isolation while offloading administrative tasks like replication and failover to AWS.

Exam trap

The trap here is that candidates may confuse Amazon Aurora with Amazon RDS for MySQL, but Aurora is a separate service with its own engine and pricing, and the question asks for a service to implement the database layer using MySQL, making RDS for MySQL the direct and simplest managed option.

How to eliminate wrong answers

Option A is wrong because Amazon DynamoDB is a NoSQL key-value and document database, not a relational MySQL database, and migrating a MySQL-based monolithic application to DynamoDB would require significant application redesign and schema changes. Option C is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for analytical queries, not for transactional microservice workloads requiring individual databases. Option D is wrong because Amazon Aurora is a MySQL-compatible relational database, but it is a separate service from RDS for MySQL; while Aurora offers higher performance and availability, the question specifically asks for a service to implement the database layer with minimal operational overhead, and RDS for MySQL is the standard managed MySQL service, whereas Aurora is a distinct offering with different cost and performance characteristics that may not be necessary for all microservices.

133
MCQ · medium

An IAM policy attached to an S3 bucket is shown. What is the net effect on requests to read objects from the bucket?

A. All HTTPS requests from any IP are allowed.
B. Only requests using HTTPS from any IP are allowed because the Deny is overridden.
C. Only requests using HTTPS from the IP range 192.0.2.0/24 are allowed.
D. All requests from the IP range 192.0.2.0/24 are allowed, regardless of protocol.
Answer: C

The Allow requires the IP range, and the Deny blocks non-HTTPS requests.

Why this answer

Option C is correct because the explicit Deny for requests without SecureTransport overrides the Allow, so only HTTPS requests from the specified IP range are allowed. Option A is wrong because requests from outside the IP range are denied. Option B is wrong because an explicit Deny is never overridden by an Allow.

Option D is wrong because non-HTTPS requests are denied.

134
MCQ · easy

Refer to the exhibit. An IAM policy allows ec2:Describe* actions on all resources. A developer wants to also allow describing RDS instances. Which action must be added to the policy?

A. rds:List*
B. rds:Get*
C. rds:Describe*
D. ec2:DescribeRdsInstances
Answer: C

rds:Describe* covers all describe actions for RDS.

Why this answer

Option C is correct because RDS describe actions use the rds:Describe* prefix. Option D is incorrect because ec2:Describe* does not cover RDS; RDS actions are not in the ec2 namespace. Option A is incorrect because rds:List* is not a valid action.

Option B is incorrect because rds:Get* is not standard.

135
Multi-Select · medium

A company is designing a new serverless data processing pipeline that uses Amazon Kinesis Data Streams to ingest real-time clickstream data. The data must be processed using AWS Lambda and then stored in Amazon S3. The company needs to ensure that records are processed in order within each shard and that each record is processed exactly once. Which configuration should they use? (Choose TWO.)

Select 2 answers
A. Use an Amazon SQS FIFO queue between Kinesis and Lambda to ensure ordering.
B. Increase the batch window to reduce the number of Lambda invocations.
C. Enable parallelization factor on the Lambda event source mapping.
D. Use the Kinesis Client Library (KCL) and implement deduplication logic in the Lambda function.
E. Configure the Lambda function with a reserved concurrency of 1 per shard.
Answers: D, E

KCL provides at-least-once delivery; deduplication ensures exactly-once processing.

Why this answer

Options D and E are correct. To guarantee ordering within a shard, use a single Lambda consumer per shard (option E). Exactly-once processing can be achieved by using the Kinesis Client Library (KCL), which delivers at least once, together with deduplication logic in the Lambda function (option D).

Option B is wrong because increasing the batch window reduces ordering guarantees. Option A is wrong because SQS FIFO is for decoupling with ordering but introduces complexity. Option C is wrong because parallelization is not needed for ordering.

136
Multi-Select · hard

A company is designing a new application that will use Amazon DynamoDB as its database. The application will have a heavy read workload with occasional write spikes. The company wants to minimize costs while ensuring that reads are eventually consistent and writes are not throttled. Which three options should the architect consider? (Choose THREE.)

Select 3 answers
A. Use DynamoDB Streams to asynchronously replicate data to a second table for reads
B. Use Auto Scaling for write capacity
C. Use eventually consistent reads for most queries
D. Use DynamoDB Accelerator (DAX) to cache read results
E. Use strongly consistent reads for all queries
Answers: B, C, D

Auto Scaling adjusts write capacity to handle spikes without throttling.

Why this answer

Options B, C, and D are correct. DynamoDB Accelerator (DAX) caches read results, reducing consumed read capacity units. Using eventually consistent reads for most queries lowers read cost.

Auto Scaling adjusts write capacity to handle spikes. Option E is wrong because strongly consistent reads cost more. Option A is wrong because DynamoDB Streams are for change capture, not for read performance.

137
MCQ · hard

A global e-commerce company is designing a new recommendation engine on AWS. The engine processes user behavior data (clicks, purchases) from multiple sources in real time and updates recommendations stored in Amazon DynamoDB. The data stream can reach 100,000 events per second. The solution must be highly available and process events with minimal latency (< 1 second). The company wants to use a managed streaming service and a real-time processing framework. Which solution should a Solutions Architect recommend?

A. Use Amazon Kinesis Data Streams to ingest events, process them in real time with Amazon Kinesis Data Analytics using SQL, and write results to DynamoDB.
B. Use Amazon Kinesis Data Firehose to ingest events, transform data with Lambda, and deliver to DynamoDB.
C. Use Amazon Kinesis Data Streams to ingest events, use AWS Lambda to process each event, and write results to DynamoDB.
D. Use Amazon MSK (Managed Streaming for Apache Kafka) to ingest events, process them with Apache Spark Streaming on Amazon EMR, and write to DynamoDB.
Answer: A

Kinesis Data Analytics provides low-latency real-time processing; integrates well with Kinesis Streams and DynamoDB.

Why this answer

Amazon Kinesis Data Streams can ingest up to 100,000 events per second with shard-level scaling, and Kinesis Data Analytics (SQL) provides sub-second processing latency for real-time transformations. Writing directly to DynamoDB from the analytics application meets the <1 second latency requirement while maintaining high availability through Kinesis's built-in replication across three Availability Zones.

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose's near-real-time delivery (60-second buffer) with true real-time streaming, or assume Lambda can handle high-throughput streaming workloads without considering concurrency and latency limitations.

How to eliminate wrong answers

Option B is wrong because Kinesis Data Firehose is a near-real-time delivery service with a minimum buffer interval of 60 seconds, which cannot achieve sub-second latency. Option C is wrong because AWS Lambda has a maximum concurrency limit and per-invocation duration constraints that make it unsuitable for processing 100,000 events per second with <1 second latency, and it lacks native streaming SQL capabilities. Option D is wrong because Apache Spark Streaming on Amazon EMR introduces higher startup and processing overhead (typically seconds of latency) compared to Kinesis Data Analytics SQL, and MSK requires more operational overhead for cluster management.

138
MCQ · hard

A company is designing a new application that will run on Amazon EKS. The application must be able to scale based on custom metrics such as number of messages in an SQS queue. Which Kubernetes component should be used to achieve this?

A. Kubernetes Event-Driven Autoscaler (KEDA)
B. Kubernetes Horizontal Pod Autoscaler (HPA) with Prometheus
C. Kubernetes Cluster Autoscaler
D. AWS Auto Scaling with target tracking
Answer: A

KEDA is designed for event-driven scaling.

Why this answer

Kubernetes Event-Driven Autoscaler (KEDA) is the correct component because it is specifically designed to scale Kubernetes workloads based on external event sources like Amazon SQS queue depth. KEDA acts as a custom metrics adapter that integrates with the Kubernetes Horizontal Pod Autoscaler (HPA), allowing the application to scale pods dynamically based on the number of messages in the SQS queue, which is a custom metric not natively supported by the standard HPA.

Exam trap

The trap here is that candidates often confuse the standard Horizontal Pod Autoscaler (HPA) with the ability to scale based on any custom metric, but the HPA alone cannot ingest external metrics like SQS queue depth without a custom metrics adapter such as KEDA.

How to eliminate wrong answers

Option B is wrong because the standard Kubernetes Horizontal Pod Autoscaler (HPA) with Prometheus requires custom metrics to be exposed via the Kubernetes custom metrics API, but it does not natively support direct scaling based on SQS queue depth without additional components like KEDA or a custom metrics adapter. Option C is wrong because the Kubernetes Cluster Autoscaler is responsible for scaling the number of worker nodes in the cluster, not the number of pods based on application-level metrics like SQS queue depth. Option D is wrong because AWS Auto Scaling with target tracking is an AWS-native service for scaling EC2 instances or other AWS resources, not Kubernetes pods, and it cannot directly interpret Kubernetes custom metrics or scale pods within an EKS cluster.

139
MCQ · medium

A company is designing a new application that will process sensitive financial data. The application must encrypt data at rest and in transit. The company wants to use AWS managed keys for encryption. Which AWS service should the company use to create and manage the encryption keys?

A. AWS CloudHSM
B. AWS Secrets Manager
C. AWS Key Management Service (KMS)
D. AWS Certificate Manager (ACM)
Answer: C

KMS is a fully managed service for creating and controlling encryption keys.

Why this answer

AWS Key Management Service (KMS) is the correct choice because it is a managed service that enables you to create, store, and control encryption keys used to encrypt data at rest and in transit. KMS integrates with other AWS services (e.g., S3, EBS, RDS) and supports envelope encryption, where a customer master key (CMK) encrypts data keys that perform the actual encryption. It also provides automatic key rotation and fine-grained access control via IAM policies and key policies, meeting the requirement for AWS-managed keys.

Exam trap

The trap here is that candidates often confuse AWS CloudHSM (which provides dedicated, customer-managed HSMs) with KMS (which provides fully managed, AWS-controlled keys), leading them to choose CloudHSM when the question explicitly requires 'AWS managed keys'.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) that you manage yourself, not AWS-managed keys; it requires you to handle key lifecycle and scaling, and does not offer the same level of integration with AWS services as KMS. Option B is wrong because AWS Secrets Manager is designed to securely store and rotate secrets (e.g., database credentials, API keys), not to create or manage encryption keys; it can use KMS to encrypt those secrets, but it is not a key management service itself. Option D is wrong because AWS Certificate Manager (ACM) is used to provision, manage, and deploy public and private SSL/TLS certificates for securing network traffic (in transit), but it does not create or manage encryption keys for data at rest; it relies on KMS for private key protection in some cases, but its primary function is certificate lifecycle management.

140
MCQ · medium

A company has attached the above IAM policy to an IAM role used by an EC2 instance. The EC2 instance is in a VPC with CIDR 10.0.0.0/16 and has a public IP. Which of the following statements is true regarding access to the S3 bucket?

A. The EC2 instance can perform GetObject and PutObject operations if it uses HTTPS
B. The EC2 instance cannot perform any S3 operations because the Deny statement blocks all requests
C. The EC2 instance can perform GetObject and PutObject operations from within the VPC
D. The EC2 instance can perform GetObject and PutObject operations only if it uses a VPC endpoint
Answer: D

A VPC endpoint ensures the source IP is from within 10.0.0.0/8.

Why this answer

The Deny statement with aws:SecureTransport=false blocks any request not using HTTPS, even if the Allow statement matches. The Allow statement only permits source addresses in 10.0.0.0/8, so an EC2 instance that reaches S3 over the internet is denied because the source IP seen by S3 is its public IP.

141
MCQ · medium

A company is deploying a containerized application on Amazon ECS. The application must be highly available and scale automatically based on CPU utilization. The application also needs to be accessible from the internet via a single endpoint. Which combination of services should the solutions architect use?

A. Amazon ECS with an Application Load Balancer and ECS Service Auto Scaling with a target tracking policy based on average CPU utilization.
B. Amazon ECS with a Network Load Balancer and step scaling policies.
C. Amazon ECS with an Application Load Balancer and step scaling policies based on CPU utilization.
D. Amazon ECS with an Application Load Balancer and manual scaling.
Answer: A

ALB provides a single endpoint; target tracking auto scaling adjusts capacity based on CPU.

Why this answer

Using an Application Load Balancer (ALB) in front of an ECS service with target tracking auto scaling meets the requirements, so option A is correct. Option B is wrong because a Network Load Balancer (NLB) does not support path-based routing and is less suitable for HTTP applications.

Option C is wrong because target tracking service auto scaling is the simpler fit for CPU-based scaling; step scaling is more complex than needed. Option D is wrong because manual scaling does not meet the requirement to scale automatically.

142
MCQ · hard

A company is designing a global application that requires low-latency read access to a database from multiple AWS regions. The database stores user profile data that is updated infrequently. The solution must ensure eventual consistency and minimize write conflicts. Which combination of AWS services should be used?

A. Amazon RDS Multi-AZ with read replicas in each region
B. Amazon DynamoDB global tables
C. Amazon Aurora Global Database
D. Amazon ElastiCache for Redis with global datastore
Answer: B

DynamoDB global tables replicate data across regions with eventual consistency and automatic conflict resolution.

Why this answer

Option B is correct because DynamoDB global tables provide multi-region replication with eventual consistency and automatic conflict resolution. Option A is wrong because RDS Multi-AZ does not replicate across regions. Option D is wrong because ElastiCache is a cache, not a primary data store.

Option C is wrong because Aurora Global Database provides strong consistency, not eventual consistency.

143
MCQ · easy

A company is designing a new serverless application using AWS Lambda. The Lambda function needs to access an Amazon RDS database. The database is in a VPC without public internet access. What is the MOST secure way to allow the Lambda function to connect to the database?

A. Configure the Lambda function to access the VPC, and place it in the same subnets as the RDS instance.
B. Create a VPC endpoint for Amazon RDS and use it from Lambda.
C. Use an AWS Network Load Balancer in front of the RDS instance and connect Lambda to the NLB.
D. Create a public endpoint for the RDS instance and allow Lambda to connect over the internet.
Answer: A

Lambda can connect to resources in a VPC via an Elastic Network Interface (ENI) in the same subnets.

Why this answer

Option A is correct because configuring the Lambda function to access the VPC lets it use an ENI to connect to the RDS instance inside the VPC. Option D is wrong because the database must not be publicly accessible. Option B is wrong because VPC endpoints are for accessing AWS services, not RDS instances.

Option C is wrong because a Network Load Balancer is not needed for direct database connections.

144
MCQ · medium

A company is designing a data lake on Amazon S3 for analytics. The data is ingested from multiple sources and must be encrypted at rest. The company requires the ability to audit access to the data lake and enforce fine-grained access control based on tags. Which solution should the company choose?

A. Use S3 bucket policies with condition keys for tags
B. Use S3 server-side encryption with customer-provided keys (SSE-C) and bucket policies
C. Use AWS Lake Formation with column-level permissions
D. Use S3 Object Lambda with AWS CloudTrail
Answer: D

S3 Object Lambda can implement tag-based access logic and CloudTrail provides auditing.

Why this answer

Option D is correct because S3 Object Lambda allows you to add custom code to S3 GET requests, enabling fine-grained access control based on tags by dynamically modifying the data returned. AWS CloudTrail provides the required audit trail by logging all API calls, including those to S3 Object Lambda, ensuring full auditability of access to the data lake.

Exam trap

The trap here is that candidates often assume AWS Lake Formation or S3 bucket policies alone can provide both fine-grained tag-based access control and auditing, but they overlook that S3 Object Lambda combined with CloudTrail is the only option that directly enables custom, tag-driven data transformations at read time with full audit logging.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies with condition keys for tags can enforce access control based on resource tags, but they do not provide the ability to audit access at the granularity required; CloudTrail is needed for auditing, and bucket policies alone cannot enforce column-level or tag-based fine-grained access control on the data content itself. Option B is wrong because SSE-C encrypts data at rest using customer-provided keys, but it does not provide any access control or auditing capabilities; bucket policies are separate and do not enable fine-grained tag-based access control or auditing. Option C is wrong because AWS Lake Formation with column-level permissions provides fine-grained access control at the table and column level, but it does not natively support tag-based access control on S3 objects and does not inherently provide auditing; CloudTrail would still be required for auditability, and Lake Formation is more suited for database-style permissions rather than S3 object tag-based policies.

145
MCQ · easy

A company is designing a highly available web application on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to EC2 instances in an Auto Scaling group across multiple Availability Zones. The application state is stored in an Amazon ElastiCache for Redis cluster. The company wants to minimize downtime during patching of the Redis cluster. What should the company do?

A. Increase the Redis node type to handle the load and rely on the ElastiCache maintenance window.
B. Use a blue/green deployment strategy by creating a new Redis cluster and switching the application endpoint.
C. Deploy the Redis cluster with Multi-AZ and automatic failover enabled across two Availability Zones.
D. Deploy the Redis cluster as a single node in one Availability Zone and take regular snapshots.
Answer: C

Multi-AZ with automatic failover provides high availability during patching.

Why this answer

Option C is correct because deploying ElastiCache for Redis with Multi-AZ and automatic failover allows the cluster to continue operating during maintenance. Option D is wrong because a single-node cluster will be unavailable during patching. Option B is wrong because ElastiCache does not support blue/green deployment.

Option A is wrong because increasing the node type does not eliminate downtime during patching.

146
MCQ · easy

A company has three EC2 instances as shown in the exhibit. The company wants to use an Application Load Balancer to distribute traffic across these instances with cross-zone load balancing enabled. How will the traffic be distributed?

A. Traffic is distributed evenly across the two availability zones.
B. Instances in us-east-1a receive 67% of traffic, us-east-1b receives 33%.
C. Each instance receives an equal share of traffic.
D. Traffic is sent to the instance with the least outstanding requests.
Answer: C

Cross-zone load balancing distributes traffic evenly across all instances.

Why this answer

With cross-zone load balancing enabled, the ALB distributes traffic evenly across all registered instances regardless of Availability Zone. Each instance receives an equal share of traffic. Option C is correct.

Option A is wrong because even distribution per zone is the behavior without cross-zone load balancing. Option B is wrong because distribution is per instance, not per AZ. Option D is wrong because traffic is distributed evenly, not by outstanding requests.

147
MCQ · hard

A security engineer created the S3 bucket policy shown in the exhibit. The policy is intended to allow the role MyAppRole to get objects only if they are encrypted with SSE-S3. However, the role is getting access denied errors when trying to get objects that are encrypted with SSE-S3. What is the most likely cause?

A. The Principal is incorrect; it should be the role name, not ARN.
B. The Resource ARN is incorrect; it should be 'arn:aws:s3:::my-bucket'.
C. The condition key is misspelled.
D. The condition key 's3:x-amz-server-side-encryption' checks the request header, not the object's encryption state.
Answer: D

The condition evaluates the request header, which may not be set when getting an already encrypted object.

Why this answer

Option D is correct. The s3:x-amz-server-side-encryption condition key evaluates a request header, not a property of the stored object. SSE-S3 encryption is applied by default, but the condition checks for the request header, which is not present on a GET request for an object that is already encrypted server-side.

Option B is wrong because the resource is correct. Option C is wrong because the condition key is valid. Option A is wrong because the role ARN is correctly specified.

148
Multi-Selecteasy

A company is designing a new web application that will be deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). The application must be highly available and fault-tolerant across multiple Availability Zones. Which THREE actions should the company take to meet these requirements? (Choose three.)

Select 3 answers
A.Launch EC2 instances in an Auto Scaling group across multiple Availability Zones.
B.Use a larger EC2 instance type to handle failures.
C.Configure health checks on the ALB target group to automatically replace unhealthy instances.
D.Configure the ALB to route traffic to instances in multiple Availability Zones.
E.Use a single Availability Zone to reduce latency.
Answers: A, C, D

Provides fault tolerance across AZs.

Why this answer

Options A, C, and D are correct. Using an Auto Scaling group across multiple AZs, an ALB that distributes traffic across AZs, and target group health checks that replace unhealthy instances together ensure high availability and fault tolerance. Option E is wrong because a single AZ is not fault-tolerant.

Option B is wrong because a larger instance type does not provide fault tolerance.

149
MCQ · medium

A company is designing a new serverless application using AWS Lambda to process high-resolution images uploaded to Amazon S3. Each image can be up to 500 MB. The processing must complete within 5 minutes. What is the MOST cost-effective and scalable design to meet these requirements?

A.Use S3 event notifications to send the image to an Amazon SQS queue, then process it with a Lambda function.
B.Use AWS Fargate to run a containerized image processing service triggered by S3 event notifications.
C.Configure S3 event notifications to invoke a Lambda function that processes the image in memory and writes the result to another S3 bucket.
D.Use AWS Step Functions to orchestrate a Lambda function and an EC2 instance for processing.
Answer: C

Lambda supports up to 10 GB of memory and a 15-minute timeout, which is sufficient for 500 MB images. A direct S3 trigger is simple and cost-effective.

Why this answer

Option C is correct because Lambda can directly process images up to 500 MB with a maximum execution time of 15 minutes, and S3 event notifications can invoke Lambda directly. Option B is wrong because Fargate adds complexity and cost for simple processing. Option A is wrong because SQS adds latency and cost without benefit.

Option D is wrong because Step Functions adds orchestration overhead.

150
MCQ · easy

A company is designing a cost-effective solution to store and serve large media files (e.g., videos) to users globally. The files are frequently accessed initially but become rarely accessed after 30 days. The company needs millisecond retrieval for the first 30 days and can tolerate retrieval times of minutes after that. What storage solution should the company use?

A.Amazon S3 Standard for all files, with lifecycle policy to delete after 30 days.
B.Amazon S3 Standard-IA for first 30 days, then transition to S3 Glacier Flexible Retrieval.
C.Amazon S3 Intelligent-Tiering with automatic tiering.
D.Amazon S3 Glacier Instant Retrieval for all files.
Answer: B

Standard-IA provides low cost with millisecond retrieval; Glacier is cheap for archival.

Why this answer

Option B is correct because S3 Standard-IA is cost-effective for infrequent access while still providing millisecond retrieval for the first 30 days, and a lifecycle transition to S3 Glacier Flexible Retrieval after 30 days gives low-cost archival with retrieval times of minutes. Option A is too expensive. Option C provides millisecond retrieval but is more expensive than needed.

Option D is for archival only.
