CCNA Design for New Solutions Questions

75 of 514 questions · Page 3/7 · Design for New Solutions · Answers revealed

151
MCQhard

A company is deploying a web application on AWS Elastic Beanstalk. The application must be accessible over HTTPS only and must automatically redirect HTTP requests to HTTPS. The SSL/TLS certificate is provided by AWS Certificate Manager (ACM). How should this be configured?

A.Use a NAT instance to perform SSL termination and redirect.
B.Install the certificate on each EC2 instance and configure the web server to redirect HTTP to HTTPS.
C.Configure the environment’s load balancer to listen on port 443 with the ACM certificate and port 80 with a redirect rule.
D.Deploy a CloudFront distribution with the ACM certificate and redirect HTTP to HTTPS at the distribution level.
AnswerC

The load balancer can terminate HTTPS and redirect HTTP to HTTPS.

Why this answer

Option C is correct because Elastic Beanstalk environments using a load balancer (ALB or CLB) can be configured to listen on port 443 with the ACM certificate for HTTPS termination, and simultaneously define a listener on port 80 with a redirect action that sends HTTP traffic to HTTPS. This is the simplest and most scalable approach, as it offloads SSL termination and redirection to the load balancer, eliminating the need to manage certificates or redirection logic on individual instances.

Exam trap

The trap here is that candidates often assume SSL termination must happen on the EC2 instances (Option B) or that a separate service like CloudFront (Option D) is required, when in fact the Elastic Beanstalk load balancer can natively handle both HTTPS termination and HTTP-to-HTTPS redirection with minimal configuration.

How to eliminate wrong answers

Option A is wrong because a NAT instance is used for outbound traffic from private subnets, not for SSL termination or HTTP-to-HTTPS redirection; it does not support load balancing or certificate management. Option B is wrong because installing the certificate on each EC2 instance and configuring the web server to redirect HTTP to HTTPS is inefficient, requires manual certificate renewal, and does not leverage Elastic Beanstalk's managed load balancer for centralized SSL termination. Option D is wrong because while CloudFront can redirect HTTP to HTTPS, it adds unnecessary complexity and cost for a simple single-region web app; the question specifically asks about configuring the Elastic Beanstalk environment, not an external CDN.

152
MCQhard

A company is designing a new multi-region application that requires a global database with low-latency reads and writes. The application must be able to survive a regional outage. Which database solution should they choose?

A.Amazon RDS Multi-AZ
B.Amazon ElastiCache for Redis global datastore
C.Amazon DynamoDB global tables
D.Amazon Aurora Global Database
AnswerD

Aurora Global Database supports cross-region reads and writes with low latency and automatic failover.

Why this answer

Option C is correct because Aurora Global Database provides low-latency reads and writes across regions with automatic failover. Option A is wrong because DynamoDB global tables are multi-region but do not support cross-region writes with the same consistency. Option B is wrong because RDS Multi-AZ is single-region.

Option D is wrong because ElastiCache is a cache, not a primary database.

153
MCQeasy

A company needs to store configuration data for multiple applications in a centralized, secure, and versioned manner. The configuration must be encrypted at rest and automatically rotated. Which AWS service should they use?

A.AWS CloudFormation
B.AWS Secrets Manager
C.AWS AppConfig
D.AWS Systems Manager Parameter Store
AnswerC

AppConfig supports versioned configuration, encryption, and automatic rotation.

Why this answer

Option B is correct because AWS AppConfig supports versioned configuration, encryption, and automatic rotation. Option A (SSM Parameter Store) can store config but doesn't support automatic rotation. Option C (Secrets Manager) is for secrets, not config.

Option D (CloudFormation) is for infrastructure as code.

154
Multi-Selecthard

A company is designing a new disaster recovery solution for a critical application running on Amazon EC2. They need to replicate data across AWS Regions with a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 1 hour. Which THREE actions should they take to meet these objectives?

Select 3 answers
A.Manually create and copy AMIs to the secondary region weekly
B.Create a CloudFormation template to provision the infrastructure in the secondary region
C.Use AWS Backup to automate cross-region EBS snapshot copies
D.Enable cross-region replication on the Amazon S3 buckets containing application data
E.Configure the EC2 instances in a Multi-AZ Auto Scaling group
AnswersB, C, D

CloudFormation allows rapid deployment of infrastructure in the DR region.

Why this answer

Option B is correct because AWS CloudFormation templates enable infrastructure-as-code, allowing rapid and consistent provisioning of the secondary region environment. This automation is essential to meet the 1-hour RTO, as it eliminates manual setup and reduces recovery time to minutes by deploying pre-defined stacks.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which provides high availability within a single Region) with cross-region disaster recovery, leading them to incorrectly select Option E despite it not addressing regional isolation.

155
MCQhard

A company has attached the above bucket policy to an S3 bucket. The bucket is accessed by an application running on an EC2 instance in the same AWS account. The EC2 instance is in a private subnet and uses an S3 Gateway Endpoint (vpce-12345678) to access the bucket. The application is failing to get objects from the bucket. What is the most likely cause?

A.The application is not using the VPC endpoint
B.The bucket policy does not allow encryption in transit
C.The application is using HTTP instead of HTTPS
D.The application is missing the required x-amz-server-side-encryption header
AnswerC

The Deny statement blocks requests without SecureTransport, i.e., HTTP. The application may be using HTTP.

Why this answer

Option C is correct because the bucket policy likely includes a condition that denies requests not using HTTPS (i.e., `aws:SecureTransport`: false). The application is failing because it is using HTTP instead of HTTPS to access the S3 bucket, which violates the encryption-in-transit requirement enforced by the policy. Without HTTPS, the request is denied by the S3 service.

Exam trap

The trap here is that candidates often confuse encryption in transit (HTTPS) with encryption at rest (SSE headers) or assume that using a VPC Gateway Endpoint automatically secures the connection, when in fact the bucket policy's `aws:SecureTransport` condition independently enforces HTTPS.

How to eliminate wrong answers

Option A is wrong because the application is in a private subnet and uses an S3 Gateway Endpoint (vpce-12345678), which is explicitly specified in the bucket policy's `aws:SourceVpce` condition; the policy allows access from that endpoint, so the endpoint is being used. Option B is wrong because the bucket policy does not explicitly deny encryption in transit; rather, it likely requires it via the `aws:SecureTransport` condition, and the failure is due to using HTTP, not a lack of encryption-in-transit allowance. Option D is wrong because the `x-amz-server-side-encryption` header is for server-side encryption at rest, not for transport security; the error is about HTTPS (encryption in transit), not encryption at rest.

156
MCQeasy

A startup is building a serverless application using AWS Lambda. They need to store session state that can be shared across multiple Lambda invocations. Which AWS service should they use?

A.Amazon ElastiCache for Redis
B.Amazon S3
C.Amazon DynamoDB
D.Amazon CloudFront
AnswerA

Provides low-latency in-memory caching for session state.

Why this answer

Amazon ElastiCache for Redis is the correct choice because it provides a low-latency, in-memory data store that can be shared across multiple Lambda invocations. Redis supports data structures like strings, hashes, and lists, making it ideal for storing session state that needs to be accessed and updated quickly by concurrent serverless functions.

Exam trap

The trap here is that candidates often choose DynamoDB because it is a common serverless database, but they overlook that the question specifically asks for shared session state across invocations, which demands in-memory caching for performance, not a persistent database.

How to eliminate wrong answers

Option B (Amazon S3) is wrong because S3 is an object storage service with higher latency and eventual consistency for read-after-write, making it unsuitable for real-time session state that requires sub-millisecond access and strong consistency. Option C (Amazon DynamoDB) is wrong because while DynamoDB can store session state, it is a NoSQL database with higher latency compared to in-memory caching, and it is not optimized for the extremely low-latency, high-throughput session lookups that ElastiCache provides. Option D (Amazon CloudFront) is wrong because CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations, not a session store; it cannot be used to store or share mutable session state across Lambda invocations.

157
MCQmedium

A company is designing a new microservices architecture on AWS. Each service needs to store and retrieve small amounts of configuration data (under 10 KB per item) with low latency. The data is accessed frequently and must be highly available across multiple Availability Zones. Which AWS service should be used?

A.Amazon S3
B.Amazon ElastiCache for Memcached
C.Amazon RDS for MySQL
D.Amazon DynamoDB
AnswerD

DynamoDB offers low latency, high availability, and is suitable for small configuration data.

Why this answer

Option C is correct because DynamoDB provides single-digit millisecond latency, high availability, and is ideal for storing small configuration items. Option A (S3) has higher latency for small objects and is not optimized for frequent updates. Option B (ElastiCache) is for temporary caching, not durable storage.

Option D (RDS) is overkill for simple config data.

158
MCQhard

A company is designing a new application on AWS that uses Amazon API Gateway and AWS Lambda to expose a RESTful API. The API must authenticate requests using OAuth 2.0 with an external identity provider (IdP). The company wants to offload the authentication logic to the API Gateway. Which API Gateway feature should they use?

A.Use API Gateway's WebSocket API.
B.Enable API Gateway's VPC Link.
C.Configure a Lambda authorizer to validate the OAuth 2.0 token.
D.Use usage plans with API keys.
AnswerC

Lambda authorizer can call the IdP to validate tokens and return an IAM policy.

Why this answer

Option A is correct because API Gateway supports OAuth 2.0 authorization using Cognito User Pools or custom authorizers with Lambda. Option B is wrong because WebSocket API is for real-time communication. Option C is wrong because VPC Link is for private integrations.

Option D is wrong because usage plans are for API keys, not authentication.

159
Multi-Selecthard

A company is deploying a web application on AWS. The application runs on EC2 instances behind an ALB. The security team requires that all traffic between the ALB and the EC2 instances be encrypted, and that the EC2 instances only accept traffic from the ALB. Which THREE steps should the architect take? (Choose three.)

Select 3 answers
A.Assign the same security group to the ALB and the instances
B.Place the EC2 instances in a public subnet
C.Configure the ALB target group to use HTTPS protocol
D.Configure the EC2 instance security group to allow inbound traffic only from the ALB's security group
E.Use network ACLs to restrict inbound traffic to the ALB's IP addresses
.Configure the ALB to listen on HTTPS for client connections
AnswersC, D

Encrypts traffic between ALB and instances.

Why this answer

Option A ensures encryption between ALB and instances. Option B restricts instance security group to only ALB's security group. Option D enables HTTPS listener on ALB for client-to-ALB encryption (though question asks for ALB-to-instance, but this is also needed for end-to-end encryption).

Option C (public subnets) is not needed. Option E (NACL) is not the best way. Option F (same security group) is not the approach.

160
Multi-Selecthard

A company is deploying a microservices architecture on Amazon ECS with Fargate. They need to enable service-to-service communication with mutual TLS (mTLS) and service discovery. Which combination of services should they use? (Select THREE.)

Select 3 answers
A.AWS Certificate Manager (ACM)
B.Amazon Route 53
C.AWS Direct Connect
D.AWS App Mesh
E.AWS Cloud Map
AnswersA, D, E

ACM provides certificates for mTLS.

Why this answer

AWS App Mesh provides a service mesh that supports mTLS for encrypting and authenticating service-to-service communication within an ECS Fargate environment. AWS Cloud Map enables service discovery by allowing microservices to register and discover each other via DNS or API calls. AWS Certificate Manager (ACM) is used to provision and manage the X.509 certificates required for mTLS, which are integrated with App Mesh to enforce mutual authentication.

Exam trap

The trap here is that candidates often confuse Amazon Route 53's public DNS capabilities with the internal service discovery provided by AWS Cloud Map, or they assume Direct Connect is needed for secure communication, overlooking that mTLS is handled at the application layer by App Mesh and ACM.

161
MCQmedium

Refer to the exhibit. A CloudFormation stack has been deployed with the VPCId and SubnetIds outputs. A developer wants to use these outputs as parameters in another CloudFormation stack. Which AWS service can be used to pass these values to the new stack?

A.Amazon Simple Notification Service (SNS)
B.AWS Secrets Manager
C.AWS Systems Manager Parameter Store
D.CloudFormation cross-stack references using Export and ImportValue
AnswerD

Exports allow passing outputs to other stacks.

Why this answer

Option B is correct because AWS CloudFormation cross-stack references allow you to export stack outputs and import them into other stacks using the Fn::ImportValue function. Option A is incorrect because Systems Manager Parameter Store can store parameters but is not the native CloudFormation way. Option C is incorrect because Secrets Manager is for secrets.

Option D is incorrect because SNS is for notifications.

162
MCQmedium

The above AWS CloudFormation template creates an S3 bucket with a bucket policy. A user from IP 198.51.100.5 tries to access an object in the bucket. What will happen?

A.Access is allowed because the Principal is "*".
B.Access is denied because the bucket is not public.
C.Access is allowed because the policy does not explicitly deny.
D.Access is denied because the IP is not allowed.
AnswerD

The policy restricts access to the specified IP range.

Why this answer

The bucket policy explicitly denies access to all principals except those coming from the allowed IP address range (which does not include 198.51.100.5). In AWS IAM, an explicit deny overrides any allow, so the request from IP 198.51.100.5 is denied. Option D is correct because the policy's condition block restricts access to a specific IP range, and the user's IP is not within that range.

Exam trap

The trap here is that candidates often assume a bucket policy with Principal '*' automatically allows all access, ignoring the condition block that can restrict access based on IP address or other attributes.

How to eliminate wrong answers

Option A is wrong because the Principal '*' in the policy does not grant access unconditionally; the policy includes a condition that restricts access to a specific IP address range, and the user's IP (198.51.100.5) is not in that range. Option B is wrong because the bucket policy itself can grant access without making the bucket publicly accessible; the bucket's block public access settings are not mentioned, and the policy's explicit deny is the reason for denial, not the bucket's public status. Option C is wrong because the policy does explicitly deny access via the condition block; the 'Effect' is 'Deny' for requests that do not match the allowed IP range, so the lack of an explicit deny statement is incorrect.

163
Multi-Selectmedium

A company is designing a new application on AWS that requires high availability and disaster recovery across multiple AWS Regions. The application uses an Amazon RDS for MySQL database. Which TWO strategies should they implement to meet these requirements?

Select 2 answers
A.Create a manual snapshot and copy it to another Region.
B.Enable automated backups and copy them to another Region.
C.Use S3 cross-Region replication for the database.
D.Configure a cross-Region read replica.
E.Enable Multi-AZ deployment.
AnswersB, D

Cross-Region backup copy enables restore in another region.

Why this answer

Option A (Cross-Region Read Replica) provides DR and read scaling. Option C (Cross-Region automated backups) allows restore in another region. Option B (Multi-AZ) is for HA within a region, not DR.

Option D (snapshot copy) is manual. Option E (S3 replication) doesn't apply to RDS.

164
Multi-Selectmedium

A company is designing a new serverless application that processes orders from an e-commerce website. The application uses AWS Lambda functions that are invoked by Amazon API Gateway. The company expects a sudden spike in traffic during a flash sale. Which TWO strategies should be used to ensure the application can handle the spike without errors? (Choose two.)

Select 2 answers
A.Set Lambda reserved concurrency to a value that matches the expected peak load.
B.Increase the Lambda function timeout to 15 minutes.
C.Enable usage plans and throttling in API Gateway to limit requests.
D.Use Amazon SQS to buffer requests and decouple the frontend.
E.Configure Lambda provisioned concurrency to pre-warm instances.
AnswersA, C

Reserved concurrency limits the maximum concurrent executions, preventing throttling and uncontrolled scaling.

Why this answer

Option A is correct because Lambda reserved concurrency guarantees a fixed number of concurrent executions for the function, preventing it from being throttled by other functions in the account. By setting reserved concurrency to match the expected peak load, the application ensures that all requests during the flash sale can be processed without hitting account-level concurrency limits.

Exam trap

The trap here is that candidates often confuse provisioned concurrency (which reduces cold starts) with reserved concurrency (which guarantees capacity and prevents throttling), leading them to select Option E instead of Option A.

165
MCQmedium

A company is deploying a containerized microservices architecture on Amazon ECS with Fargate. They need to securely store and rotate database credentials. Which AWS service should they use?

A.AWS CloudHSM
B.AWS Identity and Access Management (IAM) roles
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Secrets Manager provides built-in automatic rotation for RDS, Redshift, and DocumentDB credentials.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, automatically rotating, and managing the lifecycle of database credentials. It integrates natively with Amazon ECS and Fargate via task role permissions, allowing containers to retrieve secrets at runtime without hardcoding them. Secrets Manager also supports automatic rotation of credentials for Amazon RDS, Aurora, and other databases, which directly addresses the requirement for credential rotation.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets) with AWS Secrets Manager, but Parameter Store lacks native automatic rotation and is not designed for managing database credential lifecycles, making Secrets Manager the correct choice for this specific requirement.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides hardware-based cryptographic key storage and cryptographic operations, not a service for storing or rotating database credentials; it lacks built-in automatic rotation and secret management features. Option B is wrong because IAM roles provide temporary credentials for AWS API access but cannot store or rotate database credentials; they are used for authorization, not secret storage. Option C is wrong because AWS Systems Manager Parameter Store can store secrets but does not natively support automatic rotation of database credentials; it requires custom solutions (e.g., Lambda functions) to implement rotation, whereas Secrets Manager provides built-in rotation.

166
MCQmedium

A company is designing a serverless data processing pipeline. An AWS Lambda function processes records from an Amazon Kinesis Data Stream. The function runs for an average of 30 seconds per record, and the stream has 10 shards. The company expects a sustained load of 5,000 records per second. What is the primary consideration to ensure the Lambda function can scale to handle the load?

A.Ensure that the Lambda function processes each batch within the Kinesis stream's iterator age.
B.Request a service quota increase for Lambda concurrent executions.
C.Set a reserved concurrency of 500 for the Lambda function.
D.Increase the Lambda function timeout to more than 30 seconds.
AnswerA

Each shard is processed by a single Lambda instance; if processing takes too long, the iterator age grows and records may expire.

Why this answer

Option B is correct because each Lambda function instance processes one shard at a time, so the number of concurrent executions equals the number of shards (10). The function must be able to process records within the Kinesis iterator age to avoid throttling. Option A is wrong because Lambda can handle the concurrency; the limit is per shard.

Option C is wrong because reserved concurrency could limit scaling. Option D is wrong because Lambda scales within the account limits, but the shard count is the bottleneck.

167
MCQmedium

A company is designing a real-time analytics pipeline for IoT data. They need to ingest millions of messages per second, process them with low latency, and store results in Amazon S3. Which combination of services should they use?

A.Amazon Kinesis Data Streams, Amazon Kinesis Data Analytics, Amazon Kinesis Data Firehose
B.Amazon SQS, AWS Lambda, Amazon S3
C.Amazon Kinesis Data Streams, Amazon Redshift, Amazon S3
D.Amazon IoT Core, AWS Lambda, Amazon DynamoDB
AnswerA

This combination provides high-throughput ingestion, real-time processing, and delivery to S3.

Why this answer

Option A is correct because Kinesis Data Streams ingests high-throughput data, Kinesis Data Analytics processes it in real-time, and Firehose delivers to S3. Option B uses SQS which is not designed for millions of messages per second. Option C uses Lambda which may throttle.

Option D uses Redshift which is for data warehousing, not real-time streaming.

168
MCQmedium

A company is designing a new microservices architecture on AWS. They need to ensure that services can communicate asynchronously without tight coupling. Which AWS service should they use for message brokering?

A.Amazon Simple Queue Service (SQS)
B.Amazon Simple Notification Service (SNS)
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerA

SQS provides fully managed message queues for async communication.

Why this answer

Option C is correct because Amazon SQS provides a fully managed message queuing service for asynchronous communication between microservices. Option A (Amazon SNS) is pub/sub not queue-based. Option B (Amazon Kinesis) is for streaming data.

Option D (AWS Step Functions) is for workflow orchestration.

169
Multi-Selectmedium

Which TWO actions improve the security of an Amazon S3 bucket that stores sensitive data?

Select 2 answers
A.Enable CORS (Cross-Origin Resource Sharing).
B.Enable S3 server access logging.
C.Enable S3 Block Public Access.
D.Enable S3 Transfer Acceleration.
E.Use a bucket policy that denies access to all principals except the root user.
AnswersB, C

Provides audit trail for access requests.

Why this answer

Options A and D are correct. Enabling S3 Block Public Access prevents any public access. Enabling S3 server access logging allows auditing.

Option B is incorrect because bucket policies are not a substitute for encryption. Option C is incorrect because S3 Transfer Acceleration is for speed, not security. Option E is incorrect because CORS is for cross-origin requests, not security.

170
MCQhard

An administrator runs the above commands on an S3 bucket. What is the effect of these configurations on an object uploaded to the bucket?

A.Objects are locked indefinitely until the lock is manually removed.
B.Objects can be deleted immediately because versioning is enabled.
C.Objects cannot be deleted or overwritten for 365 days unless special permissions are granted.
D.Objects can be deleted only by the root user.
AnswerC

Object Lock with GOVERNANCE mode and 365-day retention prevents deletion.

Why this answer

The configuration shown enables S3 Object Lock in compliance mode with a retention period of 365 days. In compliance mode, an object cannot be deleted or overwritten by any user, including the root user, until the retention period expires. This is why option C is correct: objects cannot be deleted or overwritten for 365 days unless special permissions (such as those needed to shorten the retention period, which are not granted here) are involved.

Exam trap

The trap here is that candidates often assume the root user can bypass any S3 lock, but in compliance mode, even the root user is restricted, making option D a common distractor.

How to eliminate wrong answers

Option A is wrong because objects are not locked indefinitely; they are locked for a specific retention period of 365 days, after which the lock expires and the object can be deleted or overwritten normally. Option B is wrong because even with versioning enabled, S3 Object Lock in compliance mode prevents deletion of any version of the object during the retention period; versioning does not override the lock. Option D is wrong because the root user is also subject to compliance mode locks; no user, including the root user, can delete or overwrite the object during the retention period.

171
Multi-Selectmedium

A company is designing a serverless application that uses Amazon API Gateway and AWS Lambda. The API must be secured using AWS WAF. Which TWO actions should the company take to integrate WAF with API Gateway? (Choose TWO.)

Select 2 answers
A.Create an AWS WAF web ACL and attach it to the Lambda function
B.Configure API Gateway to require an API key and associate WAF with the usage plan
C.Associate an AWS WAF web ACL with the API Gateway HTTP API
D.Associate an AWS WAF web ACL with the API Gateway REST API stage
E.Place AWS WAF in front of Amazon CloudFront and use CloudFront as the API Gateway endpoint
AnswersC, D

WAF can be associated with HTTP APIs.

Why this answer

Options A and D are correct because AWS WAF can be associated with an API Gateway REST API or HTTP API regional endpoint. Option B is incorrect because CloudFront is not required. Option C is incorrect because WAF does not protect Lambda functions directly.

Option E is incorrect because WAF does not integrate with API keys.

172
MCQeasy

A company wants to implement a serverless architecture where an AWS Lambda function is triggered whenever a new object is uploaded to an S3 bucket. Which S3 feature should they use?

A.S3 Object Lock
B.S3 Transfer Acceleration
C.S3 Event Notifications
D.S3 Inventory
AnswerC

S3 can send events to Lambda on object creation.

Why this answer

S3 Event Notifications allow you to configure S3 to publish events (e.g., s3:ObjectCreated:Put) to AWS Lambda, SQS, or SNS whenever an object is uploaded. This is the native serverless integration that triggers a Lambda function directly from S3 without polling or custom code.

Exam trap

The trap here is that candidates may confuse S3 Event Notifications with S3 Inventory or S3 Object Lock, thinking any S3 feature that 'tracks' or 'protects' objects can trigger code, but only Event Notifications provide real-time, push-based triggers to Lambda.

How to eliminate wrong answers

Option A is wrong because S3 Object Lock is a write-once-read-many (WORM) feature that prevents objects from being deleted or overwritten for a fixed retention period; it does not trigger Lambda functions. Option B is wrong because S3 Transfer Acceleration uses AWS edge locations to speed up uploads over long distances via optimized network paths; it has no event triggering capability. Option D is wrong because S3 Inventory provides scheduled CSV/Parquet reports listing objects and their metadata for auditing or lifecycle management; it does not generate real-time events to invoke Lambda.

173
MCQhard

A company is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database with complex queries. The company wants to reduce operational overhead and achieve high availability. Which database strategy should the company adopt for the microservices?

A.Use Amazon RDS Proxy with a single database
B.Use a separate Amazon RDS instance for each microservice
C.Use Amazon DynamoDB for all microservices
D.Use a single Amazon RDS instance shared across all microservices
AnswerB

Database-per-service pattern ensures loose coupling.

Why this answer

Option B is correct because a microservices architecture requires database isolation to ensure loose coupling, independent scaling, and fault isolation. Using a separate Amazon RDS instance for each microservice allows each team to manage its own schema, optimize queries independently, and avoid a single point of failure, which aligns with the goal of reducing operational overhead and achieving high availability.

Exam trap

The trap here is that candidates may assume a single shared database (Option D) is simpler and sufficient for high availability, overlooking the critical microservices principle of decentralized data management and the operational overhead of tight coupling.

How to eliminate wrong answers

Option A is wrong because Amazon RDS Proxy is a connection pooling service that does not address the need for database isolation; sharing a single database across microservices creates tight coupling and a single point of failure. Option C is wrong because Amazon DynamoDB is a NoSQL database that does not natively support complex relational queries (e.g., multi-table joins, subqueries) required by the existing application, making it unsuitable for this migration. Option D is wrong because using a single Amazon RDS instance shared across all microservices reintroduces the monolithic database bottleneck, violates the principle of database per service, and increases the risk of contention and cascading failures.

174
MCQeasy

A company is designing a new application that will process streaming data from IoT devices. The data must be processed in real time and then stored in Amazon S3 for long-term analytics. Which combination of AWS services should be used?

A.Amazon Kinesis Data Firehose, Amazon Redshift
B.Amazon SQS, AWS Lambda, Amazon RDS
C.AWS IoT Core, Amazon DynamoDB
D.Amazon Kinesis Data Streams, AWS Lambda, Amazon S3
AnswerD

Real-time ingestion, processing, and storage.

Why this answer

Option D is correct because Amazon Kinesis Data Streams ingests and buffers streaming IoT data in real time, AWS Lambda processes each record as it arrives, and the processed data is written directly to Amazon S3 for durable long-term analytics. This combination provides the low-latency, serverless pipeline required for real-time processing and S3-based storage.

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose (which delivers near-real-time batches) with Kinesis Data Streams (which enables per-record real-time processing), leading them to pick Option A despite its lack of a real-time processing component.

How to eliminate wrong answers

Option A is wrong because Amazon Redshift is a data warehouse for analytics, not a real-time processing engine, and Kinesis Data Firehose delivers data in batches, not per-record processing. Option B is wrong because Amazon SQS is a message queue for decoupling components, not designed for real-time streaming ingestion, and Amazon RDS is a relational database, not suitable for high-throughput streaming data storage. Option C is wrong because AWS IoT Core ingests IoT messages but DynamoDB is a NoSQL database for low-latency queries, not a long-term analytics store like S3, and this combination lacks a real-time processing step.

175
MCQhard

A company is designing a serverless data processing pipeline using AWS Lambda to process messages from an Amazon SQS queue. The messages are generated by thousands of IoT devices. The architect needs to ensure that messages are processed in order within each device's stream and that failures are handled without data loss. Which combination of services should the architect use?

A.Use Amazon Kinesis Data Firehose with Lambda function and an SQS queue for error handling
B.Use Amazon SQS standard queues with Lambda function and a dead-letter queue
C.Use Amazon SQS FIFO queues with Lambda function
D.Use Amazon Kinesis Data Streams with Lambda function and a dead-letter queue
AnswerD

Kinesis preserves order within shards; Lambda processes records sequentially; DLQ handles failures.

Why this answer

Amazon Kinesis Data Streams preserves the order of records within a shard, and Lambda can process records in order. For error handling, a DLQ captures failed records. Option A (SQS FIFO) provides ordering but does not support Lambda triggers with ordered processing per shard.

Option B (Lambda with DLQ on SQS) does not guarantee ordering across multiple shards. Option D (Kinesis with SQS) adds unnecessary complexity.

176
MCQmedium

A company is designing a new application that requires a global content delivery network with low latency and DDoS protection. Which combination of AWS services should be used?

A.Amazon CloudFront and AWS Shield
B.AWS Global Accelerator and Amazon CloudFront
C.Amazon Route 53 and AWS Shield
D.AWS WAF and Amazon CloudFront
AnswerA

CloudFront caches content at edge, Shield protects against DDoS.

Why this answer

Option D is correct because CloudFront provides CDN with edge locations and AWS Shield Standard/Advanced provides DDoS protection. Option A is wrong because Route 53 is DNS, not CDN. Option B is wrong because Global Accelerator improves routing, not caching.

Option C is wrong because WAF is for web application firewall, not DDoS.

177
MCQhard

A company is designing a new global application that will serve users worldwide. The application uses an Application Load Balancer (ALB) in a single region. To reduce latency for users in other regions, the company wants to cache static content at edge locations. The dynamic content must still be served from the ALB. Which configuration should be used?

A.AWS Global Accelerator with the ALB as the endpoint
B.Amazon CloudFront with the ALB as the origin
C.Amazon CloudFront with multiple origins: S3 for static content and ALB for dynamic content
D.Amazon S3 Transfer Acceleration for static content
AnswerC

CloudFront can be configured with multiple origins. Static content is cached at edge locations from S3, and dynamic content is forwarded to the ALB. This reduces latency for static content.

Why this answer

Option D is correct because Amazon CloudFront can be configured with multiple origins: an S3 bucket for static content and the ALB for dynamic content. CloudFront caches static content at edge locations and forwards dynamic requests to the ALB. Option A is wrong because CloudFront with only the ALB as origin does not separate static and dynamic content.

Option B is wrong because Global Accelerator does not cache content; it only accelerates traffic. Option C is wrong because S3 Transfer Acceleration is for fast uploads to S3, not for content delivery.

178
MCQmedium

A financial services company needs to store transaction records for 7 years to meet regulatory requirements. The records must be retrievable within 24 hours of a request. The volume of data is 10 TB per year. Which storage solution is MOST cost-effective?

A.Amazon S3 Intelligent-Tiering
B.Amazon S3 Glacier Deep Archive
C.Amazon S3 Glacier with expedited retrieval
D.Amazon S3 Standard with lifecycle policies to transition to S3 Glacier after 1 year
AnswerB

Lowest cost, retrieval within 12 hours, suitable for 7-year retention.

Why this answer

Amazon S3 Glacier Deep Archive is the lowest-cost storage for long-term archival with retrieval times of 12-48 hours, meeting the 24-hour requirement. Option A (S3 Standard) is more expensive. Option B (S3 Glacier) is more expensive than Deep Archive.

Option C (S3 Intelligent-Tiering) is designed for changing access patterns, not long-term archive.

179
Multi-Selecthard

A company is designing a disaster recovery solution for a critical application that runs on Amazon RDS for PostgreSQL. The application requires an RPO of 5 minutes and an RTO of 15 minutes. The primary database is in us-east-1. The recovery Region is us-west-2. Which TWO solutions meet these requirements? (Choose TWO.)

Select 2 answers
A.Take manual snapshots periodically and copy them to us-west-2.
B.Configure a cross-Region read replica for the RDS PostgreSQL instance in us-west-2.
C.Enable Multi-AZ deployment in us-east-1 and use a read replica in us-west-2.
D.Use Amazon Aurora Global Database with a secondary cluster in us-west-2.
E.Use automated backups with cross-Region copy to us-west-2.
AnswersB, D

Cross-Region replicas can be promoted quickly.

Why this answer

Aurora Global Database has RPO < 1 second and RTO < 1 minute. Cross-Region read replicas have RPO of seconds and can be promoted in minutes. Option A and Option C are correct.

Option B is wrong because Multi-AZ is single-Region. Option D is wrong because RDS does not support cross-Region automated backups. Option E is wrong because snapshot restore takes longer than 15 minutes.

180
Multi-Selectmedium

A company is designing a new hybrid cloud architecture that extends on-premises storage to AWS. The solution must provide low-latency access to frequently accessed data and use AWS storage for backup. Which TWO services should be used together?

Select 2 answers
A.Amazon EFS
B.AWS Storage Gateway (File Gateway)
C.AWS Snowball Edge
D.AWS Direct Connect
E.Amazon S3
AnswersB, E

Provides low-latency access to S3 from on-premises.

Why this answer

AWS Storage Gateway (File Gateway) provides a low-latency, on-premises cache for frequently accessed data while asynchronously uploading the underlying data to Amazon S3 for durable backup. This hybrid architecture allows applications to access data with local file-system performance while leveraging S3 as the backup target, meeting both the low-latency and backup requirements.

Exam trap

The trap here is that candidates often confuse AWS Storage Gateway (File Gateway) with Amazon EFS, thinking EFS can serve as a hybrid cache, but EFS lacks the on-premises caching component required for low-latency hybrid access.

181
MCQhard

A company is designing a new cloud-native application that will be deployed across multiple AWS Regions for high availability. The application uses Amazon Aurora Global Database for its primary data store. The company needs to ensure that in the event of a regional failure, the secondary region can be promoted to primary with minimal data loss. Which configuration should be used?

A.Use Aurora Serverless v2 with data replication across regions using Database Migration Service (DMS).
B.Deploy Aurora Multi-AZ in the primary region and use a secondary region as a warm standby.
C.Use Aurora Global Database with one primary region and one secondary region. Enable managed failover with a Recovery Point Objective (RPO) of 1 second.
D.Configure Aurora Cross-Region Read Replicas and use Amazon Route 53 for DNS failover.
AnswerC

Aurora Global Database provides cross-region replication with low RPO and managed failover.

Why this answer

Option C is correct because Amazon Aurora Global Database is specifically designed for cross-region disaster recovery with a typical RPO of 1 second and RTO of less than 1 minute when managed failover is enabled. It uses a storage-based replication layer that replicates data from the primary to secondary regions with minimal latency, ensuring that in a regional failure, the secondary region can be promoted to primary with very little data loss.

Exam trap

The trap here is that candidates often confuse cross-region read replicas (which have higher replication lag and require manual promotion) with Aurora Global Database's managed failover (which provides sub-second RPO and automated promotion), leading them to choose option D instead of C.

How to eliminate wrong answers

Option A is wrong because Aurora Serverless v2 does not support cross-region replication natively, and AWS Database Migration Service (DMS) is a migration tool, not a real-time replication solution for high availability; it introduces significant latency and potential data loss. Option B is wrong because Aurora Multi-AZ provides high availability within a single region, not across regions, and using a secondary region as a warm standby without global database replication would require manual backup restore or other mechanisms, resulting in higher RPO and RTO. Option D is wrong because Aurora Cross-Region Read Replicas use asynchronous replication with a typical RPO of seconds to minutes, and while Route 53 can handle DNS failover, the replication lag is not guaranteed to be as low as 1 second, and promoting a read replica to primary is a manual process that can take several minutes, leading to higher data loss.

182
MCQmedium

A company is designing a new application that will process real-time streaming data from thousands of IoT devices. The data must be ingested, processed with low latency, and stored in Amazon S3 for analytics. Which combination of AWS services should the company use to meet these requirements?

A.Amazon SQS, AWS Lambda, Amazon S3
B.Amazon Kinesis Data Firehose, Amazon Redshift, Amazon S3
C.Amazon MQ, AWS Lambda, Amazon RDS
D.Amazon Kinesis Data Streams, AWS Lambda, Amazon S3
AnswerD

Kinesis Data Streams ingests streaming data, Lambda processes it, S3 stores it.

Why this answer

Amazon Kinesis Data Streams ingests real-time streaming data from thousands of IoT devices with low latency, and AWS Lambda can process each record as it arrives via event source mapping. The processed data is then stored in Amazon S3 for analytics, meeting all requirements for ingestion, low-latency processing, and durable storage.

Exam trap

The trap here is that candidates confuse Amazon SQS with Kinesis Data Streams for real-time streaming, but SQS is a pull-based queue with no ordered replay or shard-level parallelism, making it unsuitable for high-throughput IoT data ingestion.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a message queue for decoupled communication, not designed for real-time streaming ingestion from thousands of IoT devices; it lacks the shard-based parallelism and ordered replay capabilities needed for streaming data. Option B is wrong because Amazon Redshift is a data warehouse for analytics, not a low-latency processing target; using Kinesis Data Firehose with Redshift adds unnecessary latency and cost for real-time processing, and the requirement specifies storing in S3, not Redshift. Option C is wrong because Amazon MQ is a managed message broker for JMS-compatible applications, not optimized for high-throughput streaming from IoT devices; Amazon RDS is a relational database, not suitable for storing streaming data for analytics in S3.

183
MCQmedium

A company runs a critical web application on EC2 instances in an Auto Scaling group across three Availability Zones. The application uses an Application Load Balancer (ALB) with a target group that has health checks configured. Recently, the operations team noticed that during a deployment, the ALB started routing traffic to a new instance before it was ready to serve requests, causing a brief period of errors. The team wants to ensure that new instances are fully initialized and ready before receiving traffic. The application takes about 30 seconds to start up. Current health check settings: health check protocol HTTP, path /, interval 30 seconds, timeout 5 seconds, healthy threshold 2, unhealthy threshold 2. The deployment uses the Auto Scaling group's instance refresh feature. Which of the following is the MOST effective way to prevent traffic from being sent to instances that are not ready?

A.Implement a lifecycle hook in the Auto Scaling group that waits for the instance to signal readiness. Also, configure the target group health check with a longer interval and a higher healthy threshold to ensure the instance is fully operational.
B.Increase the health check interval to 60 seconds and the healthy threshold to 5.
C.Use the Auto Scaling group's instance refresh feature with a warm-up time of 60 seconds.
D.Use AWS Global Accelerator to pre-warm the endpoints before directing traffic.
AnswerA

Lifecycle hooks can pause the instance launch until the application signals that it is ready, and the health check can be tuned to match the startup time.

Why this answer

Option B is correct because the lifecycle hook pauses the instance until it is ready, and the health check with a longer grace period ensures the ALB does not consider the instance healthy until it passes. Option A is wrong because increasing the interval does not prevent early traffic; the instance might still pass the first check before being ready. Option C is wrong because the warm-up time in instance refresh is for the Auto Scaling group to launch instances, not for the application to become ready.

Option D is wrong because pre-warming is not a service; it's a manual process.

184
MCQmedium

A company is migrating a monolithic e-commerce application to AWS. The application consists of a web tier, an application tier, and a database tier. The company wants to decouple the tiers to improve scalability and resilience. Which AWS service should the company use to send messages from the web tier to the application tier asynchronously?

A.Amazon SNS
B.Amazon Kinesis Data Streams
C.AWS Step Functions
D.Amazon SQS
AnswerD

SQS provides a reliable, scalable, and fully managed message queue that decouples web and application tiers.

Why this answer

Amazon SQS is the correct choice because it provides a fully managed message queuing service that enables asynchronous communication between decoupled application tiers. The web tier can send messages to an SQS queue, and the application tier can poll and process those messages independently, which improves scalability and resilience by allowing each tier to scale and fail independently.

Exam trap

The trap here is that candidates often confuse SNS (pub/sub push model) with SQS (queue pull model) for decoupling tiers, but SNS does not provide the buffering and independent consumption needed for asynchronous decoupling between a web tier and an application tier.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers, not a queue for point-to-point asynchronous decoupling; it does not provide the buffering and independent consumption that SQS offers. Option B is wrong because Amazon Kinesis Data Streams is designed for real-time streaming of large data volumes, not for simple message queuing between application tiers, and it introduces unnecessary complexity and cost for this use case. Option C is wrong because AWS Step Functions is a serverless orchestration service for coordinating multiple AWS services into workflows, not a message queue for decoupling tiers; it is used for state machines, not for basic asynchronous message passing.

185
MCQmedium

A company is running a containerized application on Amazon ECS with Fargate launch type. The application needs to store persistent data that must be shared across multiple containers in the same task. Which storage option should the company use?

A.Amazon S3 bucket mounted using s3fs
B.Amazon FSx for Lustre
C.Amazon EBS volume
D.Amazon EFS file system
AnswerD

EFS provides a shared file system that can be mounted by multiple containers.

Why this answer

Amazon EFS can be mounted as a volume that is shared across containers in the same ECS task. Option A (EBS) cannot be shared across containers. Option B (S3) is object storage, not a file system.

Option C (FSx for Lustre) is for high-performance computing.

186
Multi-Selecthard

A company is designing a new application on AWS that requires a highly available and fault-tolerant architecture. Which TWO design principles should they follow?

Select 2 answers
A.Use Auto Scaling groups to automatically replace unhealthy instances.
B.Deploy application across multiple Availability Zones.
C.Manually create EBS snapshots every day.
D.Store data in a single Amazon S3 bucket in one Region.
E.Use a single large EC2 instance to simplify management.
AnswersA, B

Auto Scaling helps maintain desired capacity.

Why this answer

Option A is correct because deploying across multiple Availability Zones ensures high availability. Option D is correct because using Auto Scaling groups helps maintain desired capacity and fault tolerance. Option B is wrong because a single instance is a single point of failure.

Option C is wrong because a single Region does not protect against AZ failures. Option E is wrong because manual snapshots are not automated.

187
MCQhard

A company is designing a multi-region active-active application using Amazon Aurora Global Database. The application must have Recovery Point Objective (RPO) of less than 1 second and Recovery Time Objective (RTO) of less than 1 minute in case of a regional failure. Which configuration meets these requirements?

A.Deploy a single Aurora cluster with a primary in one region and a read replica in the secondary region.
B.Use cross-region read replicas with synchronous replication.
C.Deploy Aurora Global Database with multi-master clusters in two regions.
D.Use Amazon DynamoDB Global Tables instead of Aurora.
AnswerC

Multi-master allows writes in both regions and sub-second failover.

Why this answer

Aurora Global Database uses storage-based replication with typical RPO of seconds, but for sub-second RPO, multi-master with asynchronous replication (option C) is needed. Option A (single-master) has failover time > 1 minute. Option B (DynamoDB Global Tables) is not Aurora.

Option D (read replicas cross-region) has higher RPO.

188
MCQmedium

A company is designing a new solution to host a static website with global audience. The website content includes HTML, CSS, JavaScript, and images. The company wants to minimize latency for users worldwide and reduce the load on the origin server. The origin server is an Amazon S3 bucket configured for static website hosting. Which solution should be used to achieve these goals?

A.Use AWS Global Accelerator to route traffic to the S3 bucket.
B.Use AWS Lambda@Edge to serve content from edge locations.
C.Use Amazon CloudFront as a content delivery network (CDN) in front of the S3 bucket.
D.Enable S3 Transfer Acceleration on the bucket.
AnswerC

CloudFront caches content at edge locations, reducing latency and origin load.

Why this answer

Amazon CloudFront is a global content delivery network (CDN) that caches static content (HTML, CSS, JavaScript, images) at edge locations worldwide, significantly reducing latency for a global audience. By placing CloudFront in front of an S3 bucket configured for static website hosting, it offloads requests from the origin server, reducing load and improving performance. CloudFront also supports features like custom SSL, geo-restriction, and origin shield to further optimize delivery.

Exam trap

The trap here is confusing content delivery (CloudFront) with network acceleration (Global Accelerator) or upload acceleration (S3 Transfer Acceleration), leading candidates to pick options that improve network routing but do not cache or serve static content at edge locations.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator improves performance by routing traffic over the AWS global network to the optimal regional endpoint, but it does not cache content at edge locations; it is designed for TCP/UDP traffic and dynamic content, not for reducing load on an S3 static website origin. Option B is wrong because AWS Lambda@Edge runs custom code at CloudFront edge locations to modify requests/responses, but it is not a content delivery service itself; it requires CloudFront to be in place and cannot serve static content directly from edge locations without a CDN. Option D is wrong because S3 Transfer Acceleration speeds up uploads to S3 over long distances using AWS edge locations, but it does not cache or serve content to end users; it is designed for uploads, not for reducing latency for a global audience downloading static website content.

189
MCQeasy

A company is designing a new application that requires a fully managed NoSQL database with single-digit millisecond latency. The application needs to handle sudden spikes in read traffic without manual intervention. Which AWS service should the company choose?

A.Amazon RDS for MySQL
B.Amazon ElastiCache
C.Amazon Aurora
D.Amazon DynamoDB
AnswerD

DynamoDB is a fully managed NoSQL database with low latency and auto-scaling.

Why this answer

DynamoDB is a fully managed NoSQL database with single-digit millisecond latency and supports auto-scaling to handle traffic spikes. Option A (Aurora) is relational and not NoSQL. Option B (ElastiCache) is a caching layer, not a primary database.

Option C (RDS) is relational. Option D is correct.

190
Multi-Selecteasy

A company is designing a new application that requires a highly available and durable NoSQL database. Which TWO services should be considered? (Choose TWO.)

Select 2 answers
A.Amazon DocumentDB
B.Amazon DynamoDB
C.Amazon Neptune
D.Amazon RDS
E.Amazon Keyspaces (for Apache Cassandra)
AnswersB, E

DynamoDB provides high availability and durability.

Why this answer

Options A and D are correct. DynamoDB is fully managed NoSQL with multi-AZ replication and Global Tables. Keyspaces is managed Cassandra.

Option B is wrong because Neptune is graph. Option C is wrong because RDS is relational. Option E is wrong because DocumentDB is MongoDB-compatible, but not as fully managed NoSQL as the others.

191
MCQeasy

A company is building a new data lake on AWS. The data is stored in Amazon S3 and will be queried using Amazon Athena. The company wants to minimize query costs. Which S3 storage class should the company use for the data?

A.S3 Intelligent-Tiering
B.S3 Standard
C.S3 Glacier Deep Archive
D.S3 One Zone-IA
AnswerA

S3 Intelligent-Tiering automatically moves data between tiers to optimize costs.

Why this answer

Option B is correct because S3 Intelligent-Tiering automatically optimizes costs for data with changing access patterns. Option A is wrong because S3 Standard is for frequent access, not cost-optimized. Option C is wrong because S3 Glacier is for archival, not querying.

Option D is wrong because S3 One Zone-IA is for infrequent access but lacks durability and may not be cost-effective for queries.

192
MCQhard

A company is designing a multi-region disaster recovery solution for a stateful web application on Amazon EC2 with an Amazon Aurora MySQL database. The RPO must be less than 1 second and RTO less than 5 minutes. The application uses a custom TCP port 8080. What is the MOST cost-effective architecture?

A.Use Amazon RDS Multi-AZ with synchronous replication. Use Elastic Load Balancing with cross-zone load balancing.
B.Use Amazon DynamoDB global tables. Use an Application Load Balancer in each region with Route 53 weighted routing.
C.Use Amazon RDS for MySQL with a cross-region read replica. Use Amazon Route 53 failover routing with a health check on port 8080.
D.Use Amazon Aurora Global Database. Use Amazon Route 53 failover routing with a health check on port 8080.
AnswerD

Aurora Global Database offers sub-second replication; Route 53 failover routing provides fast DNS failover.

Why this answer

Amazon Aurora Global Database provides replication with sub-second RPO. Route 53 failover routing with health checks on port 8080 enables fast RTO. Option A (cross-region read replica) has higher RPO.

Option C (RDS Multi-AZ) is single-region. Option D (Application Load Balancer) is not cross-region.

193
MCQeasy

A company is migrating its on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and has a 100 Mbps internet connection. The migration must be completed within a week and have minimal downtime. Which AWS service should the company use to transfer the initial database dump to AWS?

A.Upload the database dump directly to an S3 bucket using multipart upload.
B.Use AWS Database Migration Service (DMS) with ongoing replication to migrate the data with minimal downtime.
C.Use AWS Snowball Edge to transfer the data offline.
D.Use S3 Transfer Acceleration to speed up the upload of the dump file.
AnswerB

DMS can perform a full load and then continuously replicate changes, allowing a cutover with minimal downtime.

Why this answer

Option B is correct because AWS DMS can perform a live migration with minimal downtime by replicating ongoing changes. Option A is wrong because direct upload via internet would take too long given bandwidth. Option C is wrong because Snowball is for offline data transfer, but would not meet the time constraint if shipping takes days.

Option D is wrong because S3 Transfer Acceleration speeds up uploads but still limited by internet bandwidth.

194
Multi-Selecteasy

A company is designing a cost-effective architecture for a batch processing job that runs nightly. The job can tolerate interruptions and requires significant compute power for a few hours. The company wants to minimize costs. Which TWO strategies should the company use?

Select 2 answers
A.Use Spot Instances for compute.
B.Purchase Reserved Instances (RI) for a 1-year term.
C.Configure Auto Scaling to scale out during the job and scale in after.
D.Use On-Demand Instances to ensure availability.
E.Use Dedicated Hosts for compliance.
AnswersA, C

Spot Instances are cost-effective and suitable for fault-tolerant batch jobs.

Why this answer

Using Spot Instances reduces cost, and Auto Scaling adjusts capacity. Option B (On-Demand) is more expensive. Option C (RI) requires commitment.

Option D (Dedicated Hosts) is expensive.

195
Multi-Selecthard

A company is designing a new multi-tier web application on AWS. The application consists of a public-facing Application Load Balancer, a fleet of EC2 instances in private subnets, and an RDS database in a private subnet. The security team requires that all traffic between the ALB and EC2 instances be encrypted, and that the EC2 instances have no direct internet access. Which TWO actions should the company take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Configure the ALB to use HTTPS listeners and the target group to use HTTPS.
B.Place the EC2 instances in private subnets and use a NAT gateway for outbound internet access.
C.Attach an Internet Gateway to the VPC and route traffic through it.
D.Enable VPC Flow Logs on the private subnets.
E.Configure network ACLs to deny all inbound traffic from the internet.
AnswersA, B

This encrypts traffic between the client and ALB, and between ALB and EC2 instances if the target group uses HTTPS.

Why this answer

The correct answers are A and B. Option A is correct because using HTTPS listeners on the ALB encrypts traffic between the client and ALB, and by using HTTPS as the protocol for the target group, the traffic between ALB and EC2 instances is also encrypted. Option B is correct because placing EC2 instances in private subnets ensures they have no direct internet access, and using a NAT gateway for outbound access allows them to reach the internet for updates if needed, but not inbound.

Option C is wrong because Network ACLs are stateless and need rules for both inbound and outbound, but they do not encrypt traffic. Option D is wrong because VPC Flow Logs are for monitoring, not for encryption or internet access control. Option E is wrong because an Internet Gateway provides internet access, which is not allowed.

196
MCQeasy

A startup needs a serverless compute service to run code in response to S3 events. The code should execute within milliseconds and require no server management. Which AWS service should be used?

A.Amazon ECS
B.AWS Lambda
C.Amazon EC2
D.AWS Fargate
AnswerB

Lambda is event-driven and serverless.

Why this answer

Option B is correct because AWS Lambda is serverless and can be triggered by S3 events. Option A is wrong because ECS manages containers, not serverless. Option C is wrong because Fargate is serverless but still container-based.

Option D is wrong because EC2 is virtual servers.

197
MCQhard

A company is migrating a legacy monolithic application to AWS. The application uses a proprietary binary protocol over TCP. The company wants to modernize the architecture using microservices while minimizing changes to the client. Which approach should the company use?

A.Use a Network Load Balancer with TCP listener and route traffic based on destination port to different target groups.
B.Use AWS Global Accelerator with a TCP listener and endpoint groups for microservices.
C.Use an Application Load Balancer with path-based routing to direct traffic to separate microservices.
D.Use Amazon API Gateway with a custom authorizer to route requests to AWS Lambda functions.
AnswerA

NLB can handle TCP traffic and route based on port to different services.

Why this answer

Networking Load Balancer with TCP listener and target groups allows routing based on protocol without modifying clients. Option A (ALB) requires HTTP. Option C (API Gateway) requires REST.

Option D (AWS Global Accelerator) uses anycast IP but still needs TCP routing.

198
MCQhard

A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The Lambda function processes messages from an SQS queue and writes to DynamoDB. The company expects unpredictable traffic spikes and must ensure that messages are not lost. Which configuration should the company use to meet these requirements?

A.Use an SQS queue as a Lambda event source with reserved concurrency on the Lambda function
B.Enable DynamoDB Accelerator (DAX) for the Lambda function
C.Provisioned Concurrency on the Lambda function
D.Increase the SQS queue visibility timeout and retention period
AnswerA

Reserved concurrency prevents throttling, and SQS acts as a buffer.

Why this answer

Option A is correct because using an SQS queue as a Lambda event source with reserved concurrency ensures that messages are not lost during traffic spikes. SQS acts as a durable buffer, and reserved concurrency prevents the Lambda function from being throttled, which would otherwise cause messages to remain in the queue or be sent to a dead-letter queue. This combination guarantees that every message is processed without loss, even under unpredictable load.

Exam trap

The trap here is that candidates confuse Provisioned Concurrency (which reduces cold starts) with reserved concurrency (which guarantees processing capacity), and overlook that SQS alone cannot prevent message loss if Lambda is throttled.

How to eliminate wrong answers

Option B is wrong because DynamoDB Accelerator (DAX) is an in-memory cache that improves read performance, but it does not prevent message loss or handle Lambda throttling. Option C is wrong because Provisioned Concurrency keeps a set number of Lambda instances warm to reduce cold starts, but it does not protect against throttling during extreme spikes; reserved concurrency is needed to guarantee capacity. Option D is wrong because increasing the SQS queue visibility timeout and retention period only delays message reprocessing and extends storage time, but does not address the root cause of message loss due to Lambda throttling.

199
MCQeasy

A company needs to provide temporary, limited-privilege credentials to mobile app users to access AWS resources. Which AWS service should the architect recommend?

A.Create IAM users for each mobile user and distribute access keys.
B.Use AWS Security Token Service (STS) directly from the mobile app.
C.Create an IAM role and have the mobile app assume it directly.
D.Use Amazon Cognito with an identity pool to issue temporary credentials.
AnswerD

Cognito Identity Pools are designed for this purpose.

Why this answer

AWS Cognito Identity Pools (option C) provide temporary credentials for authenticated users. Option A (IAM users) is not for mobile users. Option B (STS) is for federated users, not directly for mobile.

Option D (IAM roles) cannot be assumed directly by mobile apps.

200
MCQeasy

A company is designing a new application that will store sensitive user data in an Amazon RDS for PostgreSQL database. The data must be encrypted at rest and in transit. The company also requires automated backups with a retention period of 35 days. What is the MOST secure and cost-effective configuration?

A.Enable RDS encryption at rest using AWS KMS, and use client-side encryption for data in transit.
B.Use an AWS KMS key to encrypt the RDS instance, and configure the DB instance to use SSL/TLS for connections.
C.Store the data in Amazon S3 with server-side encryption, and use an RDS database for metadata only.
D.Enable encryption at rest for the RDS instance, and enforce SSL/TLS connections by setting the rds.force_ssl parameter to 1.
AnswerD

RDS encryption at rest is enabled with a single checkbox; SSL/TLS is enforced via parameter group. Automated backups are enabled by default with 35-day retention.

Why this answer

Option C is correct because enabling encryption at rest (via RDS encryption) and in transit (SSL/TLS) meets both requirements; automated backups are included and retained up to 35 days. Option A is wrong because client-side encryption adds unnecessary complexity. Option B is wrong because AWS KMS is part of RDS encryption, not an additional service.

Option D is wrong because RDS encryption at rest is sufficient; no need for separate S3 encryption.

201
MCQmedium

A company is building a new data analytics platform on AWS. The platform ingests streaming data from multiple sources, processes it in real time, and stores the results in Amazon S3 for later analysis. The data volume is expected to be up to 50 GB per day. The company needs to choose a service for real-time stream processing. Which AWS service is most appropriate for this use case?

A.Amazon Kinesis Data Firehose
B.Amazon Kinesis Data Streams
C.Amazon Kinesis Data Analytics
D.Amazon EMR
AnswerC

Kinesis Data Analytics processes streaming data in real time.

Why this answer

Option A is correct because Amazon Kinesis Data Analytics enables real-time stream processing using SQL or Apache Flink. Option B: Kinesis Data Streams is for data ingestion, not processing. Option C: Kinesis Data Firehose is for loading data into stores, not for real-time processing.

Option D: Amazon EMR is for batch processing, not real-time.

202
MCQmedium

A company is building a new microservices architecture on AWS using Amazon ECS with Fargate. The services need to communicate with each other using RESTful APIs. The company wants to implement an API gateway to handle authentication, rate limiting, and request routing. Which AWS service should be used as the API gateway?

A.Network Load Balancer
B.Application Load Balancer
C.Amazon API Gateway
D.Amazon CloudFront
AnswerC

API Gateway provides full API management including auth, throttling, and routing.

Why this answer

Option C is correct because Amazon API Gateway provides authentication, rate limiting, and request routing for RESTful APIs. Option A: ALB is a load balancer, not an API gateway. Option B: CloudFront is a CDN.

Option D: NLB is for TCP/UDP traffic.

203
MCQhard

A company is designing a multi-region active-active application using Amazon Route 53 latency-based routing. The application runs on Amazon EC2 instances behind Application Load Balancers (ALBs) in two AWS Regions. The company needs to ensure that if one region becomes unavailable, traffic is automatically routed to the healthy region with minimal disruption. Which configuration meets these requirements?

A.Use Route 53 failover routing instead of latency-based routing.
B.Configure Route 53 latency-based routing without health checks.
C.Use Route 53 weighted routing with weights set to 50 for each region.
D.Configure Route 53 latency-based routing with health checks attached to each ALB endpoint.
AnswerD

Health checks allow Route 53 to automatically route traffic away from unhealthy endpoints.

Why this answer

Option B is correct because Route 53 health checks can monitor ALB endpoints. When a health check fails, Route 53 removes the unhealthy endpoint from latency-based routing, directing traffic to the healthy region. Option A is wrong because latency-based routing alone does not failover.

Option C is wrong because failover routing requires a primary/secondary setup, not active-active. Option D is wrong because weighted routing does not automatically failover based on health.

204
MCQeasy

A company is deploying a web application on AWS that requires a relational database. The application is read-heavy and expects sudden spikes in traffic. The database must be highly available and perform well under load. Which database configuration meets these requirements?

A.Use Amazon ElastiCache for Memcached as the primary database.
B.Deploy Amazon RDS in a Multi-AZ configuration without read replicas.
C.Deploy Amazon RDS in a single Availability Zone with a large instance size.
D.Deploy Amazon RDS in a Multi-AZ configuration and use read replicas to offload read traffic.
AnswerD

Multi-AZ provides failover, and read replicas improve read performance.

Why this answer

Amazon RDS Multi-AZ provides high availability, and read replicas offload read traffic. Option A (Single-AZ) is not highly available. Option C (Multi-AZ without replicas) does not help with read performance.

Option D (Memcached) is not a relational database.

205
MCQhard

A company is designing a new multi-region disaster recovery solution for a critical database. The database runs on Amazon RDS for MySQL in us-east-1. The recovery point objective (RPO) is 1 second, and the recovery time objective (RTO) is 1 minute. Which strategy meets these requirements?

A.Single-AZ RDS instance with cross-Region snapshot copy
B.Multi-AZ RDS instance in us-east-1
C.Multi-AZ RDS instance with a cross-Region read replica in us-west-2
D.Amazon Aurora Global Database
AnswerC

Synchronous replication within region, asynchronous to replica, fast failover.

Why this answer

Option C is correct because Multi-AZ with a cross-Region read replica provides low RPO (via synchronous replication within the region and asynchronous to the replica) and fast failover (RTO ~1 minute). Option A (single-AZ with cross-Region snapshot) has higher RPO/RTO. Option B (Multi-AZ only) does not cover another region.

Option D (Aurora Global Database) is for Aurora, not RDS MySQL.

206
MCQmedium

A company needs to design a disaster recovery (DR) solution for a critical database running on Amazon RDS for MySQL. The RTO is 15 minutes and RPO is 5 minutes. The primary region is us-east-1. Which solution meets these requirements?

A.Enable Multi-AZ deployment with a DB cluster.
B.Use automated backups with 5-minute retention.
C.Take manual snapshots every 5 minutes and copy to another region.
D.Create a cross-region read replica in us-west-2.
AnswerA

Synchronous replication and automatic failover meet RTO/RPO.

Why this answer

Option A is correct because a Multi-AZ DB cluster deployment for Amazon RDS for MySQL provides automatic failover to a standby instance in a different Availability Zone within the same region, achieving an RTO of typically 1–2 minutes and an RPO of effectively zero (synchronous replication). This meets the 15-minute RTO and 5-minute RPO requirements without any manual intervention or cross-region latency.

Exam trap

The trap here is that candidates often confuse Multi-AZ (which provides high availability within a region) with cross-region replication (which is asynchronous and cannot meet tight RPO/RPO), or they assume automated backups or snapshots can achieve sub-15-minute RTO, ignoring the restore time overhead.

How to eliminate wrong answers

Option B is wrong because automated backups with 5-minute retention only provide point-in-time recovery within the retention period, but the RTO for restoring from a backup is significantly longer than 15 minutes (often 30+ minutes for a large database), and the RPO is limited to the backup interval, not the 5-minute requirement. Option C is wrong because manual snapshots taken every 5 minutes cannot be copied to another region quickly enough to meet the 15-minute RTO; snapshot copy times are unpredictable and often exceed 15 minutes, and the RPO would be compromised by the copy delay. Option D is wrong because a cross-region read replica in us-west-2 is asynchronous, meaning replication lag can exceed 5 minutes, and promoting a read replica to a primary instance typically takes several minutes, failing the 15-minute RTO; additionally, cross-region failover introduces latency and potential data loss beyond the 5-minute RPO.

207
MCQeasy

A startup wants to deploy a web application on AWS with a serverless architecture. The application includes static content (HTML, CSS, JS) and a REST API backend using Lambda and DynamoDB. The company wants low latency and high availability globally. Which combination of services should they use?

A.Amazon CloudFront for static content, Application Load Balancer for API, and Lambda for compute.
B.AWS Lambda@Edge for both static content and API.
C.Amazon CloudFront for static content, Amazon API Gateway for the REST API, and AWS Lambda for compute.
D.Amazon S3 for static content with Transfer Acceleration, and AWS Lambda for API.
AnswerC

CloudFront provides CDN, API Gateway manages APIs, Lambda runs code serverlessly.

Why this answer

Option A is correct because CloudFront serves static content with low latency, API Gateway provides a REST API endpoint, and Lambda integrates with DynamoDB. Option B is wrong because S3 Transfer Acceleration is for uploads, not global content delivery. Option C is wrong because ALB is not serverless.

Option D is wrong because Lambda Edge runs at edge locations but is not needed for API backend.

208
MCQmedium

A company is designing a new microservices architecture on AWS. Each microservice is deployed as a containerized application and must be able to scale independently. The company wants to minimize operational overhead for managing the containers and the underlying infrastructure. Which solution should the architect recommend?

A.Amazon EKS with managed node groups
B.Amazon ECS with Fargate launch type
C.Amazon ECS with EC2 launch type and Auto Scaling groups
D.Amazon Lightsail containers
AnswerB

Fargate is serverless, no infrastructure management.

Why this answer

Option D is correct because AWS Fargate is a serverless compute engine for containers that eliminates the need to manage underlying instances. Option A is wrong because ECS with EC2 requires managing EC2 instances. Option B is wrong because EKS with managed node groups still requires managing node groups.

Option C is wrong because Lightsail is for simple applications, not microservices.

209
MCQmedium

A company is designing a multi-region disaster recovery solution for a stateless web application running on Amazon ECS Fargate. The application uses an Application Load Balancer and stores session data in Amazon ElastiCache for Redis. The company needs to achieve an RPO of 15 minutes and an RTO of 30 minutes. What is the MOST cost-effective design that meets these requirements?

A.Deploy a second ECS cluster and ALB in the secondary region with no tasks. Use cross-Region replication for ElastiCache. Use Route 53 to fail over after scaling up tasks.
B.Deploy a second ECS cluster and ALB in the secondary region with a scaled-down number of tasks. Use ElastiCache Global Datastore for Redis to replicate session data. Use Route 53 health checks to fail over.
C.Use a multi-region ECS service with Service Connect and Route 53 latency-based routing. Keep equal capacity in both regions.
D.Use pilot light by replicating ECS task definitions and copying AMIs to the secondary region. Use ElastiCache snapshot and restore. Fail over with Route 53.
AnswerB

Correct: Warm standby with Global Datastore meets RPO and RTO.

Why this answer

Option A is correct because it meets the RPO and RTO with a warm standby approach that keeps a scaled-down copy running in the secondary region. Option B is too slow for RTO. Option C is too expensive (pilot light doesn't match).

Option D is too slow for RTO.

210
MCQhard

A company is migrating a legacy monolithic application to AWS. They want to refactor the application into microservices and use container orchestration. Which AWS service should they use to manage the containers?

A.AWS Lambda
B.Amazon ECS
C.Amazon EKS
D.AWS Fargate
AnswerC

EKS is a managed Kubernetes service.

Why this answer

Option B is correct because Amazon EKS is a managed Kubernetes service for container orchestration. Option A is wrong because ECS is also a container orchestration service but uses AWS proprietary, not Kubernetes. Option D is wrong because Fargate is a compute engine for containers, not an orchestration service.

Option C is wrong because Lambda is serverless, not for containers.

211
Multi-Selecthard

Which THREE factors should be considered when designing a VPC for a new application that must be compliant with the Payment Card Industry Data Security Standard (PCI DSS)? (Choose three.)

Select 3 answers
A.Encrypt traffic between VPCs using VPN or AWS PrivateLink.
B.Use VPC endpoints to keep traffic within the AWS network.
C.Implement network segmentation using subnets and security groups.
D.Use a single Availability Zone to reduce complexity.
E.Enable VPC Flow Logs to capture network traffic metadata.
AnswersA, C, E

Encryption of cardholder data in transit is required.

Why this answer

PCI DSS requires network segmentation, encryption in transit, and logging of network traffic. VPC endpoints allow private connectivity, but are not a PCI requirement per se.

212
MCQmedium

A company is deploying a containerized application on Amazon EKS. The application needs to access an Amazon RDS database. The security team requires that database credentials be rotated automatically and never stored in plaintext. Which solution should the architect use?

A.Use AWS Secrets Manager to store and rotate credentials, and grant the EKS pod access via an IAM role
B.Use IAM database authentication for RDS and assign an IAM role to the pod
C.Hardcode the credentials in the container image and rotate the image regularly
D.Store credentials in AWS Systems Manager Parameter Store and grant the EKS pod access via an IAM role
AnswerA

Secrets Manager rotates credentials automatically and integrates with IAM for access.

Why this answer

AWS Secrets Manager can rotate RDS credentials automatically and provide them to applications via IAM roles. Option A (Parameter Store) does not support automatic rotation. Option B (environment variables) exposes credentials in plaintext.

Option D (IAM database authentication) avoids passwords but does not rotate credentials; it uses tokens.

213
MCQhard

A CloudFormation stack output is as above. The company wants to use the SQS queue URL in another stack. Which intrinsic function should be used to reference the queue URL in the second stack?

A.Fn::ImportValue
B.Fn::GetAtt
C.Fn::Sub
D.Fn::Ref
AnswerA

ImportValue imports exported output values from other stacks.

Why this answer

Option C is correct because Fn::ImportValue is used to import exported stack outputs. Option A is wrong because Fn::GetAtt gets attributes from resources in the same template. Option B is wrong because Fn::Ref returns a resource's primary identifier.

Option D is wrong because Fn::Sub is for string substitution.

214
MCQmedium

A company is building a serverless application using AWS Lambda. The application processes files uploaded to an S3 bucket. Each file can be up to 500 MB, and processing takes up to 10 minutes. The Lambda function must be triggered as soon as a file is uploaded. Which configuration should they use?

A.Use S3 event notification to send an SQS message, which triggers Lambda.
B.Configure S3 event notification to invoke the Lambda function directly.
C.Increase the Lambda function timeout to 15 minutes and memory to 3 GB.
D.Use AWS Step Functions to poll S3 and invoke Lambda.
AnswerB

S3 can directly invoke Lambda for each object creation event.

Why this answer

Option A is correct because S3 event notifications can trigger Lambda for each object creation. Option B is incorrect because Lambda supports up to 15 minutes, but 10 minutes is fine, but S3 event notification is needed. Option C is incorrect because SQS is not necessary for direct S3 trigger.

Option D is incorrect because Step Functions add complexity.

215
MCQeasy

A small business wants to host a simple static website on AWS. The website consists of HTML, CSS, JavaScript, and images. The company expects low traffic and wants to minimize costs. The website must be highly available and load quickly for users globally. Which solution should a Solutions Architect recommend?

A.Store the website files in an S3 bucket configured for static website hosting, and use Amazon CloudFront as a CDN.
B.Host the website on Amazon Lightsail with a load balancer and two instances.
C.Host the website on a single EC2 instance running Apache web server, with an Elastic IP address.
D.Deploy the website on AWS Elastic Beanstalk with a single EC2 instance.
AnswerA

S3 static hosting is very low cost, highly available, and CloudFront provides global performance.

Why this answer

Option C is correct because S3 static website hosting with CloudFront provides low cost, high availability, and global low latency. Option A is wrong because EC2 instances are overkill and expensive for static content. Option B is wrong because Lightsail is more expensive than S3 for static sites.

Option D is wrong because Elastic Beanstalk is designed for dynamic web apps, not static sites.

216
MCQmedium

A company is designing a new solution to securely store and manage secrets for applications running on AWS. The secrets include database credentials, API keys, and OAuth tokens. The solution must automatically rotate secrets and integrate with AWS services like Amazon RDS. Which AWS service should be used?

A.Store secrets in AWS Systems Manager Parameter Store with a SecureString parameter type.
B.Use AWS CloudHSM to store secrets as keys.
C.Use AWS Key Management Service (KMS) to store secrets as encrypted data keys.
D.Use AWS Secrets Manager to store secrets and configure automatic rotation.
AnswerD

Secrets Manager is purpose-built for secrets with rotation and native RDS integration.

Why this answer

AWS Secrets Manager is purpose-built for securely storing, managing, and automatically rotating secrets such as database credentials, API keys, and OAuth tokens. It provides native integration with Amazon RDS, enabling automatic rotation of RDS credentials without custom code, which directly meets the requirements for automatic rotation and AWS service integration.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Parameter Store (which can store secrets but lacks native rotation) with AWS Secrets Manager (which is designed specifically for automatic secret rotation and deep AWS service integration), leading them to choose Parameter Store for its lower cost and familiarity.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store with SecureString does not support automatic rotation of secrets; it requires custom AWS Lambda functions or external processes to rotate secrets. Option B is wrong because AWS CloudHSM is a hardware security module for generating and storing cryptographic keys, not for managing application secrets like database credentials or API keys, and it lacks native rotation and RDS integration. Option C is wrong because AWS KMS is a key management service for creating and controlling encryption keys, not for storing secrets; it can encrypt data keys but does not provide secret storage, rotation, or direct RDS integration.

217
MCQmedium

A company is designing a new application that will run on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application must maintain session state. The company expects steady traffic with occasional spikes. Which solution is MOST scalable and cost-effective?

A.Use sticky sessions (session affinity) on the ALB with a session cookie.
B.Use Amazon ElastiCache for Memcached to store session data.
C.Store session data in Amazon DynamoDB tables.
D.Use Amazon ElastiCache for Redis to store session data externally.
AnswerD

Redis provides a scalable, highly available session store.

Why this answer

ElastiCache for Redis provides a centralized, scalable session store decoupled from EC2. Option A (sticky sessions) is less scalable. Option C (ElastiCache Memcached) is also viable but Redis is preferred for persistence.

Option D (DynamoDB) is more expensive for session data.

218
MCQhard

A company is designing a data lake on Amazon S3. The data is ingested from multiple sources and must be encrypted at rest using customer-managed keys. The company also needs to audit all access to the data lake. Which combination of services should be used?

A.Enable S3 bucket encryption with SSE-S3. Enable S3 server access logs.
B.Configure S3 bucket encryption with SSE-KMS using a customer-managed CMK. Enable AWS CloudTrail with data events for S3 and KMS.
C.Enable S3 default encryption with SSE-S3. Enable Amazon CloudWatch Logs for S3 access logging.
D.Use client-side encryption with a customer-managed key. Enable Amazon CloudWatch Logs for S3 access logs.
AnswerB

Customer-managed key meets requirement; CloudTrail audits access.

Why this answer

AWS KMS with customer-managed CMKs provides encryption control. AWS CloudTrail logs all API calls including KMS decrypt operations. Option A (SSE-S3) does not use customer keys.

Option C (CloudWatch) does not audit access. Option D (S3 server access logs) does not capture KMS usage.

219
MCQmedium

A company is migrating a monolithic e-commerce application to a microservices architecture on AWS. The application consists of several services that need to communicate asynchronously. The company wants to decouple the services and ensure that messages are processed exactly once and in order. The current solution uses a single Amazon SQS queue with multiple consumers, but messages are sometimes processed out of order or duplicated. The company needs a solution that guarantees order and exactly-once processing without introducing significant latency. Which approach should be used?

A.Use a single Amazon SQS standard queue with a deduplication ID to ensure each message is processed only once.
B.Use an Amazon SQS FIFO queue with a message group ID to ensure messages are processed exactly once and in order.
C.Use Amazon Kinesis Data Streams with a single shard and implement idempotent processing in the consumer.
D.Use Amazon SNS with a FIFO topic and subscribe SQS FIFO queues to ensure ordered delivery.
AnswerB

FIFO queues guarantee first-in-first-out delivery and exactly-once processing.

Why this answer

Option B is correct because Amazon SQS FIFO queues guarantee exactly-once processing and preserve message order. Option A: SQS standard queues do not guarantee order or exactly-once. Option C: SNS does not provide ordering or exactly-once delivery to subscribers.

Option D: Kinesis Data Streams can provide ordering within a shard but does not guarantee exactly-once processing; also adds complexity.

220
MCQhard

A company is designing a multi-region active-active application using Amazon Route 53, Application Load Balancers, and Auto Scaling groups. They need to route users to the closest region with the lowest latency. Which routing policy should they use?

A.Latency routing
B.Weighted routing
C.Failover routing
D.Geolocation routing
AnswerA

Routes to the region with the lowest latency.

Why this answer

Option C is correct because latency-based routing routes users to the region with the lowest latency. Option A (geolocation) routes based on user location, not latency. Option B (weighted) distributes traffic by weight.

Option D (failover) is for disaster recovery.

221
MCQmedium

A media company runs a video processing pipeline on AWS. Videos are uploaded to an S3 bucket, which triggers an AWS Lambda function that transcodes the video into multiple formats using FFmpeg. The transcoding job runs on the Lambda function with a 15-minute timeout. Recently, the company started receiving 4K videos that take more than 15 minutes to transcode. The Lambda function times out, and the video is not processed. The company wants to process these large videos without increasing the Lambda timeout and without rewriting the entire pipeline. What should the solutions architect do?

A.Replace the Lambda function with AWS Elemental MediaConvert job triggered by S3 events.
B.Increase the Lambda function memory to the maximum to improve performance and reduce processing time.
C.Use AWS Step Functions to call multiple Lambda functions in parallel to process chunks of the video.
D.Use a Lambda function with a larger ephemeral storage to handle the video file.
AnswerA

MediaConvert supports long-running jobs and is designed for video processing.

Why this answer

Option A is correct. AWS Elemental MediaConvert is a managed service designed for video transcoding. It can handle large files and long-running jobs.

The pipeline can be modified to trigger a MediaConvert job instead of a Lambda function. Option B is incorrect because Lambda functions have a maximum execution time of 15 minutes; increasing memory does not extend timeout. Option C is incorrect because using a larger Lambda function still has the 15-minute limit.

Option D is incorrect because Step Functions orchestrate Lambda functions but do not extend the individual Lambda timeout.

222
MCQhard

A company is designing a data lake on AWS using Amazon S3. The data lake will store petabytes of data from various sources. The company needs to query the data using Amazon Athena and Amazon Redshift Spectrum. The data is highly compressed and stored in Parquet format. Which storage class should be used to minimize costs while maintaining immediate query performance?

A.S3 Standard
B.S3 Glacier Deep Archive
C.S3 One Zone-IA
D.S3 Intelligent-Tiering
AnswerD

Intelligent-Tiering optimizes cost automatically.

Why this answer

Option B is correct. S3 Intelligent-Tiering automatically moves data between frequent and infrequent access tiers based on usage, optimizing cost without compromising performance. Option A is wrong because S3 Standard is more expensive for infrequently accessed data.

Option C is wrong because S3 Glacier has retrieval delays. Option D is wrong because S3 One Zone-IA has lower durability and availability.

223
Multi-Selecteasy

A company is building a data lake on Amazon S3. The data comes from various sources and must be encrypted at rest. The security policy requires that the encryption keys be managed by the company and rotated annually. Which TWO solutions meet these requirements? (Choose two.)

Select 2 answers
A.Use server-side encryption with customer-provided keys (SSE-C)
B.Use server-side encryption with S3 managed keys (SSE-S3)
C.Use server-side encryption with AWS KMS managed keys (SSE-KMS) with a customer managed key
D.Enable default encryption on the S3 bucket with SSE-S3
E.Use client-side encryption with the Amazon S3 encryption client
AnswersA, C

Customer manages keys and rotates them.

Why this answer

SSE-C allows the company to manage keys and rotate them. SSE-KMS with customer managed key also allows management and rotation. Option B (SSE-S3) uses AWS-managed keys.

Option C (client-side encryption) is not at rest encryption. Option D (default encryption) might use SSE-S3 or SSE-KMS but not necessarily customer managed.

224
MCQhard

A company runs a critical e-commerce platform on AWS. The application is deployed across multiple Availability Zones in a single region (us-east-1). The architecture includes an Application Load Balancer (ALB), an EC2 Auto Scaling group, and an Amazon RDS for MySQL Multi-AZ database. The application experiences periodic spikes in traffic, and the Auto Scaling group scales out successfully. However, during a recent traffic spike, the database CPU utilization reached 90%, causing increased latency and some database connection timeouts. The company needs to improve the database performance to handle the spikes without over-provisioning. The solutions architect must design a solution that reduces the load on the primary database instance and improves read scalability. The application is read-heavy, with a read-to-write ratio of 80:20. Which solution should the architect implement?

A.Implement an Amazon ElastiCache Redis cluster to cache frequent database queries.
B.Increase the DB instance class to a larger size and enable Multi-AZ with synchronous replication.
C.Migrate the database to Amazon DynamoDB and use DynamoDB Accelerator (DAX) for read performance.
D.Create one or more Amazon RDS Read Replicas in the same region and configure the application to route read queries to the read replica endpoint.
AnswerD

Read replicas offload read traffic from the primary, improving performance for read-heavy workloads.

Why this answer

Amazon RDS Read Replicas can offload read traffic from the primary instance, reducing CPU utilization. The application must be configured to use the reader endpoint for read queries. Option A is correct.

Option B is wrong because scaling up the instance class vertically has limits and may not be cost-effective; it also doesn't provide read scalability. Option C is wrong because ElastiCache is for caching, not for offloading database reads; it requires application changes and may not support all query patterns. Option D is wrong because DynamoDB Accelerator (DAX) is for DynamoDB, not RDS MySQL.

225
Multi-Selecthard

A company is designing a disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The application data is stored on Amazon EBS volumes. The recovery point objective (RPO) is 15 minutes, and the recovery time objective (RTO) is 2 hours. Which TWO actions should the company take to meet these objectives? (Choose two.)

Select 2 answers
A.Use Amazon EBS Multi-Attach to attach volumes to instances in another region.
B.Use AWS Backup to create a backup plan with a daily backup.
C.Use AWS CloudFormation to recreate the EC2 instances from a template.
D.Configure Amazon EBS snapshots to be taken every 15 minutes.
E.Copy EBS snapshots to another AWS Region and automate restoring them into EBS volumes.
AnswersD, E

Meets the 15-minute RPO.

Why this answer

Options A and D are correct. To meet an RPO of 15 minutes, EBS snapshots must be taken every 15 minutes. To meet an RTO of 2 hours, the snapshots can be copied to another region and used to restore volumes and launch instances.

Option B is not sufficient because EBS snapshots are not real-time. Option C is wrong because the RPO is 15 minutes, not 1 hour. Option E is wrong because it does not specify cross-region replication.

← PreviousPage 3 of 7 · 514 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Design for New Solutions questions.