CCNA Design for New Solutions Questions

75 of 514 questions · Page 5/7 · Design for New Solutions · Answers revealed

301
MCQeasy

A company is designing a new application that will run on Amazon EKS. The development team wants to deploy containers in a way that minimizes operational overhead. Which compute option should the company choose?

A.AWS Fargate
B.Amazon EKS managed node groups
C.Amazon EC2 instances
D.Self-managed EC2 nodes
AnswerA

Fargate is serverless and eliminates node management.

Why this answer

Option A is correct because Fargate is serverless and minimizes operational overhead. Option B is wrong because managed node groups still require node management. Option C is wrong because self-managed nodes have high overhead.

Option D is wrong because EC2 instances require full management.

302
MCQhard

A company is building a microservices architecture on Amazon ECS. Services need to communicate with each other and with external SaaS applications. The architect must ensure that service discovery is dynamic and that traffic to external services is routed through a single egress point for security and monitoring. Which combination of services should the architect use?

A.AWS Cloud Map for service discovery and a NAT gateway for egress
B.Amazon Route 53 for service discovery and an Application Load Balancer for egress
C.AWS Cloud Map for service discovery and an Internet Gateway for egress
D.Amazon Route 53 for service discovery and VPC endpoints for egress
AnswerA

Cloud Map registers services; NAT gateway provides egress for tasks in private subnets.

Why this answer

AWS Cloud Map provides service discovery for microservices, and a NAT gateway provides a consistent egress point. Option B (ALB) is for ingress, not egress. Option C (Route 53) is for DNS resolution but not for egress.

Option D (VPC endpoints) is for private connectivity to AWS services, not external SaaS.

303
MCQeasy

A company is designing a serverless application that processes images uploaded to an S3 bucket. The processing must be asynchronous and can take up to 15 minutes per image. Which AWS service should be used to trigger the processing?

A.Configure S3 Event Notifications to send an event to an Amazon SQS queue, which is polled by an AWS Lambda function
B.Configure S3 Event Notifications to publish a message to an Amazon SNS topic, which triggers an AWS Lambda function
C.Configure S3 Event Notifications to invoke an AWS Lambda function synchronously
D.Use Amazon EventBridge to capture S3 events and trigger an AWS Step Functions workflow
AnswerA

S3 event to SQS decouples the upload from processing. Lambda polls SQS and can process messages asynchronously; Lambda can run up to 15 minutes.

Why this answer

S3 Event Notifications can trigger an SQS queue, which then invokes a Lambda function asynchronously. Option A (Lambda synchronous invocation) would block and time out. Option B (SNS) is for pub/sub messaging but not ideal for long-running tasks.

Option D (Step Functions) can orchestrate but is not the direct trigger for S3 events.

304
Multi-Selectmedium

A company is designing a web application that must support millions of concurrent users. The application uses a RESTful API frontend and a relational database backend. Which TWO strategies should be implemented to improve scalability?

Select 2 answers
A.Use Amazon SQS to queue database write requests.
B.Use sticky sessions (session affinity) on the load balancer.
C.Implement read replicas for the database.
D.Implement a caching layer such as ElastiCache.
E.Use a single large EC2 instance for the database.
AnswersC, D

Read replicas offload read traffic from the primary database.

Why this answer

Read replicas (Option C) offload read traffic from the primary database instance, allowing the relational database to handle a higher volume of concurrent read queries without degrading write performance. This directly improves scalability for read-heavy workloads common in web applications.

Exam trap

The trap here is that candidates often confuse queuing (SQS) with database scalability, but SQS does not increase database throughput—it only buffers requests, which can lead to backpressure and eventual inconsistency if not carefully designed.

305
MCQhard

A company is designing a disaster recovery (DR) solution for a critical application running on Amazon EC2 instances in a single AWS Region. The DR site will be in a different Region. The application data is stored in an Amazon RDS for MySQL DB instance with Multi-AZ enabled. The Recovery Point Objective (RPO) is 15 minutes, and the Recovery Time Objective (RTO) is 2 hours. Which strategy meets these requirements MOST cost-effectively?

A.Take daily automated snapshots of the RDS DB instance and copy them to the DR Region. In the DR Region, restore the DB instance from the latest snapshot.
B.Use Amazon Aurora Global Database to replicate data across Regions.
C.Use AWS Backup to copy backups to the DR Region and set up EC2 Image Builder for application recovery.
D.Configure a cross-Region read replica for the RDS MySQL DB instance. In the DR event, promote the read replica to a standalone instance.
AnswerD

Cross-Region read replicas provide low RPO (seconds) and fast RTO (minutes).

Why this answer

Option C is correct because a read replica in another Region provides an RPO of seconds and an RTO of minutes when promoted, and it is low cost. Option A is wrong because cross-Region snapshots have longer RPO (daily) and RTO (hours). Option B is wrong because Aurora Global Database is more expensive and not MySQL-compatible.

Option D is wrong because EC2 Image Builder does not address database replication.

306
MCQhard

An IAM policy is attached to an IAM user. The user is testing from an IP address 10.0.1.5. What is the effect of the policy?

A.Allow all actions on the bucket
B.Allow PutObject in uploads/ only
C.Allow GetObject because the second statement overrides
D.Deny all actions because of IP mismatch
AnswerB

The second statement allows PutObject without IP condition.

Why this answer

Option B is correct because the first statement denies access due to IP condition, the second statement allows PutObject in uploads without IP restriction. So the user can upload to uploads/ but cannot get objects. Option A is wrong because the IP condition blocks GetObject.

Option C is wrong because the second statement allows uploads. Option D is wrong because the second statement is valid.

307
MCQeasy

A company is designing a multi-tier web application on AWS. The application requires high availability across multiple Availability Zones. Which AWS service should be used to distribute incoming traffic across multiple EC2 instances in different Availability Zones?

A.AWS Global Accelerator
B.Application Load Balancer
C.AWS Direct Connect
D.Amazon Route 53
AnswerB

An Application Load Balancer automatically distributes incoming traffic across multiple targets, such as EC2 instances, in multiple Availability Zones, ensuring high availability.

Why this answer

An Application Load Balancer distributes incoming traffic across targets such as EC2 instances in multiple Availability Zones, providing high availability. Option A (AWS Global Accelerator) improves performance but is not the primary choice for multi-AZ distribution. Option C (Amazon Route 53) is a DNS service.

Option D (AWS Direct Connect) is for dedicated network connections.

308
MCQhard

A financial services company needs to design a solution for storing sensitive customer data that must be encrypted at rest using a customer-managed key stored in AWS Key Management Service (KMS). The data will be accessed by multiple EC2 instances in an Auto Scaling group. The company needs to rotate the key every 90 days and ensure that old encrypted data can still be decrypted. Which key strategy should they use?

A.Use AWS CloudHSM to generate a key and store it in a hardware security module.
B.Use an AWS managed key for S3 and enable automatic rotation.
C.Use a customer-managed CMK and enable automatic key rotation.
D.Use a customer-managed CMK and generate a new key every 90 days, re-encrypting all data.
AnswerC

Customer-managed CMKs can be automatically rotated annually, and you can also manually rotate for shorter intervals. Old keys are retained for decryption.

Why this answer

Customer-managed CMKs support automatic key rotation (annual) and manual rotation. Old data remains decryptable because KMS retains previous backing keys. Using a customer-managed CMK allows the customer to control rotation and access policies.

309
Multi-Selectmedium

Which TWO strategies can reduce the cost of storing infrequently accessed data in Amazon S3 while maintaining millisecond retrieval latency? (Choose two.)

Select 2 answers
A.Transition objects to S3 Glacier Flexible Retrieval after 90 days.
B.Use S3 Glacier Deep Archive for data older than 30 days.
C.Use S3 Standard-IA for data that is accessed less frequently but requires millisecond retrieval.
D.Use S3 Intelligent-Tiering to automatically move objects between access tiers.
E.Use S3 One Zone-IA for all data to reduce storage costs.
AnswersC, D

Standard-IA offers lower storage cost and same latency as Standard.

Why this answer

Options A and D are correct. A: S3 Intelligent-Tiering automatically moves data to lower-cost tiers when access patterns change, with no retrieval cost for infrequent access. D: S3 Standard-IA provides lower storage cost than Standard with the same latency.

Option B is wrong because S3 One Zone-IA is less durable and not recommended for important data. Option C is wrong because S3 Glacier Deep Archive has retrieval times in hours, not milliseconds. Option E is wrong because S3 Glacier Flexible Retrieval has retrieval times in minutes to hours.

310
MCQhard

A company is designing a new data lake on AWS. The data lake will store raw data in Amazon S3 and use Amazon Athena for ad-hoc queries. The company needs to ensure that only authorized users can query specific partitions based on their department. Which approach should the company use to implement fine-grained access control?

A.Use AWS Lake Formation to define data filters and grant permissions to departments at the partition level.
B.Use S3 bucket policies to restrict access to prefixes corresponding to each department.
C.Store each department's data in separate databases and use Amazon Redshift Spectrum to query.
D.Create separate IAM roles for each department and attach policies that grant access to specific partitions in Athena.
AnswerA

Lake Formation provides fine-grained access control, including partition-level filtering for Athena.

Why this answer

Using AWS Lake Formation with row-level and cell-level security allows fine-grained access control based on partitions. Option A is wrong because S3 bucket policies control access at the object level, not partition level. Option B is wrong because IAM policies alone cannot easily restrict partitions in Athena.

Option D is wrong because Redshift Spectrum is for querying data in Redshift, not Athena.

311
MCQeasy

A startup is building a serverless photo-sharing application on AWS. Users upload photos via a web app, which stores them in Amazon S3. Each upload triggers an AWS Lambda function that creates a thumbnail and stores it in another S3 bucket. The application is expected to have unpredictable traffic patterns. The startup wants to minimize costs and operational overhead while ensuring the thumbnail generation completes reliably. Which solution should a Solutions Architect recommend?

A.Use Amazon ECS with Fargate to run a container that processes S3 events and generates thumbnails.
B.Upload to S3, send a message to an SQS queue, and have a Lambda function poll the queue to generate thumbnails.
C.Use an Auto Scaling group of EC2 instances to poll S3 for new uploads and generate thumbnails.
D.Configure S3 event notifications to invoke a Lambda function directly upon upload to generate thumbnails.
AnswerD

Lambda is serverless, scales automatically, and only incurs cost when running.

Why this answer

Option B is correct because S3 event notifications to Lambda are serverless, cost-effective, and scale automatically. Option A is wrong because EC2 instances incur cost even when idle and require management. Option C is wrong because SQS adds complexity and latency; Lambda can directly process S3 events.

Option D is wrong because ECS with Fargate is more complex and expensive than Lambda for this simple task.

312
MCQeasy

A company is deploying a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The company wants to secure the API by requiring authentication via a JSON Web Token (JWT). Which service should the company use to manage user authentication and issue JWTs?

A.Amazon Cognito User Pools
B.AWS Secrets Manager
C.AWS Identity and Access Management (IAM)
D.AWS Security Token Service (STS)
AnswerA

Cognito User Pools provides authentication and JWT issuance for application users.

Why this answer

Amazon Cognito User Pools is the correct choice because it is a fully managed identity provider that handles user sign-up, sign-in, and issues JSON Web Tokens (JWTs) for authentication. It integrates directly with API Gateway Lambda authorizers to validate JWTs and control access to API endpoints without custom code.

Exam trap

The trap here is that candidates often confuse AWS STS (which issues temporary AWS credentials) with a service that issues JWTs for application users, leading them to select STS instead of Cognito User Pools.

How to eliminate wrong answers

Option B (AWS Secrets Manager) is wrong because it is designed to securely store and rotate secrets such as database credentials or API keys, not to manage user authentication or issue JWTs. Option C (AWS Identity and Access Management) is wrong because IAM is used for managing AWS resource permissions via policies and roles, not for authenticating end users or issuing JWTs; it cannot issue tokens for external user identities. Option D (AWS Security Token Service) is wrong because STS issues temporary AWS credentials (access keys, session tokens) for IAM roles or federated users, not JWTs for application-level authentication.

313
MCQmedium

A company is designing a new microservices-based application on AWS. They want to ensure that services can discover each other dynamically and that traffic can be load balanced across multiple Availability Zones. Which AWS service should they use for service discovery?

A.AWS Service Catalog
B.Amazon Route 53 private hosted zones
C.AWS Systems Manager Parameter Store
D.AWS Cloud Map
AnswerD

AWS Cloud Map provides service discovery with health checks and integration with Route 53.

Why this answer

AWS Cloud Map is a cloud resource discovery service that allows services to register their endpoint locations and discover the endpoints of other services. It integrates with Route 53 for health checking and load balancing.

314
MCQmedium

A company is designing a new application that will run on Amazon ECS with Fargate. The application must be able to read and write files to a shared file system that is accessible from multiple tasks simultaneously. The file system must be durable and support NFS protocol. Which storage solution should be used?

A.Amazon EBS with Multi-Attach
B.Amazon EFS
C.Amazon S3
D.Amazon FSx for Lustre
AnswerB

Amazon EFS is a fully managed NFS file system that can be mounted by multiple ECS tasks across multiple AZs, providing a shared file system.

Why this answer

Option C is correct because Amazon EFS is a fully managed NFS file system that can be mounted by multiple ECS tasks concurrently. Option A is wrong because Amazon S3 is object storage, not a file system. Option B is wrong because Amazon EBS volumes can only be attached to one EC2 instance at a time, not shared across tasks.

Option D is wrong because Amazon FSx for Lustre is optimized for high-performance computing, not general file sharing.

315
Matchingmedium

Match each storage class to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Frequently accessed data, low latency, high throughput

Auto-cost optimization for unknown access patterns

Lowest cost for long-term archival, retrieval in 12 hours

Infrequent access, stored in a single AZ

Archival data with retrieval minutes to hours

Why these pairings

S3 storage classes cater to different access patterns and durability needs.

316
Multi-Selectmedium

A company is designing a new application that will be deployed on Amazon EKS. The application must meet PCI DSS compliance requirements. Which TWO steps should the solutions architect take to secure the cluster?

Select 2 answers
A.Enable AWS CloudTrail logging for the EKS cluster.
B.Install Calico for network policy enforcement.
C.Configure IAM roles and RBAC policies to limit access.
D.Use Bottlerocket as the node operating system.
E.Enable secret encryption using AWS KMS.
AnswersC, E

Access control is required for PCI DSS.

Why this answer

Options B and C are correct. Enabling encryption for Kubernetes secrets using AWS KMS is a PCI DSS requirement. Restricting access to the cluster with IAM and RBAC is also required.

Option A is not required for PCI DSS; cluster logging is optional. Option D is incorrect because Calico is a network policy, but not a PCI-specific requirement. Option E is incorrect because Bottlerocket is an OS, not a security control.

317
Multi-Selecthard

A company is designing a new serverless application using AWS Lambda. The function needs to access an Amazon RDS database. Which THREE practices should be followed to avoid connection exhaustion?

Select 3 answers
A.Store the database connection in a global variable to reuse across invocations
B.Assign a static IP address to the Lambda function
C.Use Amazon RDS Proxy to pool connections
D.Open the database connection only when needed and close it after each invocation
E.Increase the maximum number of database connections in the RDS parameter group
AnswersC, D, E

RDS Proxy manages connection pooling for Lambda.

Why this answer

Option A (RDS Proxy) is correct to pool connections. Option B (open connection only when needed) is correct to minimize open connections. Option D (increase max connections) is correct to handle concurrency.

Option C (static IP) is unnecessary. Option E (reuse connection across invocations) is wrong because Lambda runs in different environments.

318
MCQhard

A company is designing a disaster recovery solution that must recover an application in a different AWS Region within 15 minutes of a failure. The application uses an Amazon Aurora MySQL DB cluster. Which combination of strategies will meet the recovery time objective (RTO) while minimizing costs?

A.Deploy a standby Aurora cluster in the DR Region and use synchronous replication.
B.Use Aurora Global Database with a secondary cluster in the DR Region.
C.Configure an Aurora cross-Region replica in the DR Region. Use Amazon Route 53 to fail over DNS.
D.Take daily snapshots and restore them in the DR Region using cross-Region snapshot copy.
AnswerC

Cross-Region replicas provide fast failover (typically <1 minute) and are cost-effective as they only replicate data.

Why this answer

Option C is correct because an Aurora cross-Region replica asynchronously replicates data to a DR Region with minimal performance impact, and you can promote it to a standalone cluster within minutes. Combined with Amazon Route 53 DNS failover, this achieves an RTO under 15 minutes while keeping costs low, as you only pay for the replica storage and minimal compute until failover.

Exam trap

The trap here is that candidates often confuse Aurora Global Database (which is designed for low RTO but higher cost) with a simple cross-Region replica (which offers a slightly higher RTO but significantly lower cost), and they overlook the 15-minute RTO requirement that both can meet, making cost the deciding factor.

How to eliminate wrong answers

Option A is wrong because synchronous replication across AWS Regions would introduce high latency and is not supported by Aurora; Aurora's synchronous replication is limited to within a single Region. Option B is wrong because Aurora Global Database uses asynchronous replication with a typical RTO of 1 minute or less, but it requires a secondary cluster that incurs ongoing compute and storage costs, making it more expensive than a cross-Region replica. Option D is wrong because daily snapshots with cross-Region copy have an RTO that can exceed 15 minutes due to the time required to copy and restore the snapshot, and they also risk data loss of up to 24 hours.

319
MCQmedium

A company is designing a data lake on Amazon S3. Data is ingested from various sources, including IoT devices, and must be stored in a cost-effective manner. The data access patterns are unpredictable; some data is accessed frequently for a few days, then rarely accessed. The company wants to minimize storage costs while ensuring data is available within minutes when accessed. Which storage class should they use for the data?

A.S3 Standard
B.S3 Intelligent-Tiering
C.S3 Glacier Deep Archive
D.S3 One Zone-Infrequent Access
AnswerB

Automatically optimizes costs for unknown or changing access patterns, with millisecond retrieval.

Why this answer

Option D is correct because S3 Intelligent-Tiering automatically moves data between frequent and infrequent access tiers based on usage patterns, with no retrieval charges for infrequent access, and data is available within milliseconds. Option A is wrong because S3 Standard is expensive for rarely accessed data. Option B is wrong because S3 Glacier Deep Archive has retrieval times of 12 hours.

Option C is wrong because S3 One Zone-IA is not durable enough for a data lake.

320
Multi-Selectmedium

A company is designing a new system that will use Amazon S3 to store sensitive data. Which THREE methods can be used to encrypt data at rest in S3?

Select 3 answers
A.SSE-C
B.Client-side encryption
C.SSE-S3
D.SSE-KMS
E.AWS IAM
AnswersA, C, D

Server-side encryption with customer-provided keys.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) is correct because it allows you to encrypt data at rest in S3 using your own encryption keys, which you manage outside of AWS. You provide the encryption key as part of your PUT request, and S3 uses it to encrypt the object before writing it to disk, then discards the key from memory. This method gives you full control over the key lifecycle while still leveraging S3's server-side encryption infrastructure.

Exam trap

The trap here is that candidates may confuse client-side encryption (which happens before data reaches S3) with server-side encryption at rest, or incorrectly assume that IAM provides encryption capabilities when it only controls access permissions.

321
MCQeasy

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer (ALB). The application must support sticky sessions. What should they do?

A.Configure an Amazon CloudFront distribution with session affinity.
B.Store session data in Amazon ElastiCache and use a cookie to reference it.
C.Enable sticky sessions on the ALB using duration-based cookies.
D.Use a Network Load Balancer (NLB) with cross-zone load balancing.
AnswerC

ALB supports sticky sessions via cookies.

Why this answer

Option B is correct because ALB supports sticky sessions using cookies. Option A is wrong because NLB does not support sticky sessions natively. Option C is wrong because CloudFront does not handle session stickiness.

Option D is wrong because ElastiCache is for caching, not session stickiness at the load balancer level.

322
MCQhard

A company is designing a new data lake on Amazon S3 using AWS Glue for ETL. The data is partitioned by date and sensitive columns must be masked for non-privileged users. The solution must minimize storage costs and allow different masking policies per user. Which approach should the architect recommend?

A.Use AWS Lake Formation to define column-level permissions and masking policies.
B.Create separate S3 buckets for each masking policy and copy data accordingly.
C.Use AWS Glue ETL jobs to mask data based on user role at query time.
D.Store masked data in separate prefixes in the same bucket and use S3 bucket policies.
AnswerA

Lake Formation provides fine-grained access control without data duplication.

Why this answer

Using Lake Formation with column-level permissions (option D) allows masking policies per user without duplicating data. Option A (multiple copies) increases cost. Option B (separate S3 paths) is complex.

Option C (Glue transforms) mixes ETL with access control.

323
MCQeasy

The above CLI output shows the state of a CloudWatch alarm. The EC2 instance's CPU utilization averaged 85% for the last 10 minutes. What is the alarm state?

A.OK
B.ALARM
C.INSUFFICIENT_DATA
D.ERROR
AnswerB

2 consecutive periods of breaching threshold.

Why this answer

The CLI output indicates that the alarm state is 'ALARM' because the EC2 instance's CPU utilization averaged 85% for the last 10 minutes, which exceeds the alarm threshold (typically set at, for example, 80% for a standard CPU utilization alarm). CloudWatch alarms transition to ALARM when the metric breaches the threshold for the specified evaluation periods, and here the sustained high utilization over the 10-minute window meets that condition.

Exam trap

The trap here is that candidates may confuse the alarm state with the metric value itself, assuming that a high metric value automatically means ALARM, but they must verify that the threshold and evaluation periods are met; however, in this case, the CLI explicitly shows the state as ALARM, so the answer is straightforward.

How to eliminate wrong answers

Option A is wrong because OK state would indicate that the metric is within the threshold (e.g., CPU utilization below 80%), but 85% exceeds it. Option C is wrong because INSUFFICIENT_DATA means there is not enough data to determine the alarm state (e.g., missing metric data points), but the CLI shows data is present and the alarm has evaluated to ALARM. Option D is wrong because ERROR is not a valid CloudWatch alarm state; the valid states are OK, ALARM, and INSUFFICIENT_DATA.

324
Multi-Selectmedium

Which TWO actions will improve the security posture of an Amazon S3 bucket used to store sensitive data? (Choose two.)

Select 2 answers
A.Enable S3 Versioning on the bucket.
B.Enable S3 Block Public Access settings at the account or bucket level.
C.Enable default encryption using SSE-S3.
D.Enable S3 server access logging for the bucket.
E.Configure a bucket policy that denies access unless the request originates from a specific VPC or IP range.
AnswersB, E

Block Public Access prevents any public access, improving security.

Why this answer

Options B and D are correct. B: Enabling S3 Block Public Access prevents any public access to the bucket. D: Using bucket policies with condition keys such as aws:SourceIp restricts access to specific IP ranges.

Option A is wrong because server access logs provide audit but do not improve security directly. Option C is wrong because encryption protects data at rest, not access control. Option E is wrong because versioning protects against accidental deletion but not unauthorized access.

325
MCQhard

A gaming company is designing a new real-time multiplayer game backend on AWS. The game requires low-latency communication between players (< 50 ms) and the ability to handle up to 100,000 concurrent players. The backend must manage game state, player matchmaking, and chat. The company wants to use managed AWS services to reduce operational overhead. Which solution should a Solutions Architect recommend?

A.Use Amazon DynamoDB for game state, AWS Lambda for game logic, and API Gateway for client communication.
B.Use Amazon GameLift for session-based game server hosting, with its built-in matchmaking and fleet management.
C.Deploy game servers on EC2 instances behind a Network Load Balancer. Use ElastiCache for Redis for game state and SQS for chat messages.
D.Use Amazon ECS with Fargate to run game server containers, and use Application Auto Scaling to handle load.
AnswerB

GameLift is purpose-built for multiplayer games, handles scaling, matchmaking, and low-latency.

Why this answer

Option B is correct because GameLift is designed for multiplayer game hosting, including session management, matchmaking, and scaling. Option A is wrong because EC2 instances require manual management of game servers. Option C is wrong because ECS with Fargate may not meet low-latency requirements for gaming.

Option D is wrong because DynamoDB is for storage, not for real-time game server logic.

326
MCQhard

A company is designing a new real-time analytics platform that ingests millions of events per second from IoT devices. The events must be processed with low latency (under 100 ms) and stored for replay. The company wants to use managed services. Which combination of AWS services should the company use?

A.Amazon Kinesis Data Streams + AWS Lambda
B.Amazon S3 + AWS Lambda
C.Amazon Kinesis Data Firehose + Amazon Redshift
D.Amazon SQS + AWS Lambda
AnswerA

Kinesis Data Streams provides low-latency ingestion with replay capability; Lambda processes records in real time.

Why this answer

Amazon Kinesis Data Streams can ingest and buffer millions of events per second with sub-100 ms latency, and AWS Lambda can process each record in near real-time as it arrives in the stream. This combination meets the low-latency requirement and allows events to be replayed from the stream's retention window (up to 365 days with extended retention).

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose (which is near-real-time with batching) with Kinesis Data Streams (which is true real-time), or assume SQS can handle high-throughput streaming with replay, but SQS lacks ordered delivery and long-term retention for replay.

How to eliminate wrong answers

Option B is wrong because Amazon S3 is an object storage service with eventual consistency and no built-in real-time streaming capability, making it unsuitable for sub-100 ms event processing. Option C is wrong because Amazon Kinesis Data Firehose delivers data in batches (typically 60 seconds or 1 MB) and Amazon Redshift is a data warehouse optimized for analytical queries, not real-time per-event processing under 100 ms. Option D is wrong because Amazon SQS is a message queue with at least once delivery and typical latencies in the tens to hundreds of milliseconds, but it lacks the ordered replay and high-throughput streaming capabilities required for millions of events per second.

327
MCQmedium

A company is designing a serverless application using AWS Lambda functions. The application processes events from an Amazon SQS queue. The company wants to ensure that the Lambda function can scale to handle a sudden increase in messages without losing any messages. The Lambda function must process each message at least once. Which configuration should the company use?

A.Configure the SQS queue as a Lambda event source with a reserved concurrency of 1000 for the Lambda function.
B.Configure the SQS queue to invoke the Lambda function asynchronously and set the Lambda function timeout to 5 minutes.
C.Set the SQS queue visibility timeout to 30 seconds and the Lambda batch size to 100. Configure a dead-letter queue for failed messages.
D.Use an SQS FIFO queue with a Lambda function that has a reserved concurrency of 1.
AnswerA

Reserved concurrency ensures the function can scale, and SQS event source mapping provides at-least-once processing.

Why this answer

Option A is correct because configuring the SQS queue as a Lambda event source with a reserved concurrency of 1000 ensures that Lambda can scale up to 1000 concurrent executions to handle a sudden burst of messages. The SQS event source uses long polling and synchronously invokes Lambda, which processes messages in batches and automatically deletes them from the queue only upon successful completion, guaranteeing at-least-once processing. Reserved concurrency prevents throttling and ensures that the function has sufficient capacity to scale without losing messages.

Exam trap

The trap here is that candidates often assume increasing the batch size or using a dead-letter queue alone prevents message loss, but they overlook the critical need for reserved concurrency to guarantee scaling capacity during sudden spikes.

How to eliminate wrong answers

Option B is wrong because SQS cannot invoke Lambda asynchronously; Lambda must be configured as an event source mapping that synchronously pulls messages from the queue, and setting a 5-minute timeout does not address scaling or message loss. Option C is wrong because a 30-second visibility timeout is too short for Lambda processing, risking messages becoming visible again before processing completes, leading to duplicate processing; while a dead-letter queue captures failures, it does not prevent message loss during scaling. Option D is wrong because using a FIFO queue with a reserved concurrency of 1 severely limits throughput and prevents scaling to handle a sudden increase in messages, as FIFO queues process messages in order with limited concurrency.

328
Multi-Selecthard

A company is designing a multi-account AWS environment using AWS Organizations. The company has several business units that each require their own VPC in shared accounts managed centrally. The company wants to enable VPC sharing to allow business units to create resources in shared subnets while maintaining network isolation. Which combination of steps should the company take to achieve this? (Choose TWO.)

Select 2 answers
A.Create a resource share in AWS Resource Access Manager (RAM) for the shared VPC subnets.
B.Attach a transit gateway to the shared VPC and to each business unit's VPC.
C.Configure VPC endpoints in each business unit VPC to access the shared VPC.
D.Create VPC peering connections between the shared VPC and each business unit's VPC.
E.Use AWS PrivateLink to connect the business unit VPCs to the shared VPC.
AnswersA, B

AWS RAM allows sharing subnets with other accounts in the organization.

Why this answer

Option A is correct because AWS Resource Access Manager (RAM) allows you to share subnets from a centrally owned VPC with other AWS accounts within your AWS Organization. This enables business units to launch resources directly into the shared subnets while the VPC and its networking configuration remain managed centrally, ensuring network isolation through separate security groups and network ACLs.

Exam trap

The trap here is that candidates often confuse VPC sharing (which uses RAM to share subnets for resource creation) with network connectivity solutions like transit gateway, VPC peering, or PrivateLink, which are used for routing traffic between VPCs rather than enabling cross-account resource deployment in shared subnets.

329
MCQhard

A company has a bucket policy on an S3 bucket as shown in the exhibit. A cross-account role (CrossAccountRole) is used to access the bucket. The role has an IAM policy that allows s3:GetObject and s3:PutObject on the bucket. When users assume the role and try to upload objects without specifying encryption, the upload fails. What must the users do to successfully upload objects?

A.Remove the condition from the bucket policy.
B.Add an IAM policy that allows s3:PutObject to the role.
C.Include the x-amz-server-side-encryption header with value aws:kms in the upload request.
D.Grant the role permission to use the KMS key.
AnswerC

The condition requires that header.

Why this answer

The bucket policy condition requires that the request includes the header 'x-amz-server-side-encryption' with value 'aws:kms' for PutObject. Users must specify SSE-KMS encryption in their upload request. Option C is correct.

Option A is wrong because the bucket policy already allows. Option B is wrong because the role policy allows it. Option D is wrong because KMS key permission is not the issue.

330
MCQmedium

A company is designing a new application that requires a relational database with high read capacity. The application is read-heavy and requires low latency. Which database configuration should be used?

A.Amazon RDS with read replicas
B.Amazon DynamoDB with DAX
C.Amazon RDS with Multi-AZ deployment
D.Amazon ElastiCache for Redis
AnswerA

Read replicas scale read capacity.

Why this answer

Amazon RDS with read replicas is the correct choice because the application is read-heavy and requires low latency. Read replicas offload read traffic from the primary database instance, scaling read capacity and reducing latency for read operations by distributing the load across multiple copies of the data.

Exam trap

The trap here is that candidates often confuse Multi-AZ deployments with read replicas, assuming Multi-AZ also improves read performance, but Multi-AZ only provides failover redundancy and does not offload read traffic.

How to eliminate wrong answers

Option B is wrong because Amazon DynamoDB with DAX is a NoSQL key-value and document database, not a relational database, and the question explicitly requires a relational database. Option C is wrong because Amazon RDS with Multi-AZ deployment provides high availability and failover support, but does not increase read capacity or reduce read latency; it only maintains a standby replica for disaster recovery. Option D is wrong because Amazon ElastiCache for Redis is an in-memory data store, not a relational database, and while it can cache data to improve read performance, it does not serve as the primary relational database itself.

331
MCQmedium

An S3 bucket is created using the above CloudFormation template. What happens to objects in the bucket after 30 days?

A.Objects are transitioned to Glacier
B.The lifecycle rule is not applied because no prefix is specified
C.Objects are archived to S3 Standard-IA
D.Objects are permanently deleted
AnswerD

ExpirationInDays causes deletion after 30 days.

Why this answer

Option B is correct because the lifecycle rule expires objects after 30 days (deletes them). Option A is wrong because there is no transition. Option C is wrong because expiration deletes objects permanently.

Option D is wrong because the rule is enabled.

332
MCQhard

A company is designing a new data lake on AWS. The data lake will store petabytes of data from various sources, including IoT devices, application logs, and streaming data. The data must be stored cost-effectively, and access patterns vary from frequently accessed recent data to rarely accessed historical data. The company also needs to run SQL queries on the data. Which solution should the architect recommend?

A.Store data in S3 with lifecycle policies to transition between storage classes, and use Amazon Athena for queries
B.Store data in S3 with lifecycle policies to transition to Glacier, and use S3 Select for queries
C.Store data in Amazon EMR on EC2 and query with Hive
D.Store data in Amazon Redshift and query with Redshift Spectrum
AnswerA

S3 provides cost-effective storage with lifecycle management, and Athena can query data directly.

Why this answer

Option C is correct because S3 with lifecycle policies can move data to lower-cost storage classes as it ages, and Athena can query data in place without loading. Option A is wrong because Redshift is designed for structured data warehouse workloads, not a data lake. Option B is wrong because S3 with Glacier does not support direct querying; data must be restored first.

Option D is wrong because EMR requires managing clusters and is not cost-effective for occasional queries.

333
Multi-Selecteasy

Which TWO AWS services can be used to decouple components in a new microservices architecture? (Choose two.)

Select 2 answers
A.Amazon Simple Notification Service (SNS)
B.AWS Direct Connect
C.Amazon Route 53
D.Amazon Simple Queue Service (SQS)
E.Amazon ElastiCache
AnswersA, D

SNS is a pub/sub service for decoupling.

Why this answer

Amazon SQS (message queue) and Amazon SNS (pub/sub) are both decoupling services that allow asynchronous communication between services.

334
MCQmedium

An IAM policy is attached to an IAM role that is assumed by an EC2 instance. The EC2 instance has an IP address of 10.0.1.15. The instance is unable to download objects from the S3 bucket 'example-bucket'. What is the MOST likely cause?

A.The S3 bucket policy denies access to the IAM role.
B.The IAM role is not attached to the EC2 instance profile.
C.The policy lacks permissions for s3:ListBucket.
D.The EC2 instance is using a public IP address to access S3, which does not match the 'aws:SourceIp' condition.
AnswerD

The condition requires the source IP to be in the private range, but S3 access from EC2 uses public IPs unless using a VPC endpoint.

Why this answer

The condition restricts access to IP addresses in the 10.0.0.0/8 range. However, EC2 instances use public IPs when accessing S3, or private IPs via a VPC endpoint. If the instance uses a public IP, the condition fails.

Option B (instance profile) is not an issue. Option C (permissions boundary) is not shown. Option D (bucket policy) is not shown.

335
MCQmedium

A company is building a new microservices-based application on AWS using Amazon ECS with Fargate. The application has a frontend service, an order service, and a payment service. Services communicate synchronously via REST APIs. The company expects variable traffic and wants to ensure that failures in one service do not cascade to others. Which solution should a Solutions Architect recommend?

A.Use Amazon API Gateway in front of each service to throttle requests and protect against traffic spikes.
B.Implement retry logic with exponential backoff, circuit breakers, and timeouts in each service's client code.
C.Convert all inter-service communication to asynchronous messaging using Amazon SQS or SNS.
D.Deploy multiple instances of each service across multiple Availability Zones and use an Application Load Balancer.
AnswerB

Circuit breakers and retries isolate failures and prevent cascading, a standard resilience pattern.

Why this answer

Option D is correct because implementing circuit breakers, retries, and timeouts is a standard pattern to prevent cascading failures. Option A is wrong because synchronous communication is already in place; adding an API Gateway doesn't prevent cascading failures. Option B is wrong because adding more instances does not protect against service failures.

Option C is wrong because converting to asynchronous messaging is a larger architectural change and may not be suitable for all interactions.

336
MCQeasy

A company is designing a new microservices architecture on AWS. Each microservice must store its own data and communicate with other services via RESTful APIs. The company wants to minimize operational overhead. Which data store should the company use for each microservice?

A.Amazon ElastiCache for Redis
B.Amazon Redshift
C.Amazon RDS for PostgreSQL
D.Amazon DynamoDB
AnswerD

DynamoDB is fully managed, serverless, and scales automatically, ideal for microservices.

Why this answer

Amazon DynamoDB is a fully managed NoSQL key-value and document database that provides single-digit millisecond latency at any scale, making it ideal for microservices that need to store their own data and communicate via RESTful APIs. It requires no operational overhead for scaling, patching, or replication, and its pay-per-request billing aligns with the unpredictable traffic patterns common in microservices architectures.

Exam trap

The trap here is that candidates often choose Amazon RDS for PostgreSQL because they assume relational databases are required for structured data, but the question emphasizes minimizing operational overhead, and DynamoDB's serverless, fully managed nature eliminates the need for schema management, scaling, and patching that RDS still requires.

How to eliminate wrong answers

Option A is wrong because Amazon ElastiCache for Redis is an in-memory cache, not a durable primary data store; it is designed for caching, session management, and real-time analytics, not for persistent storage of microservice data. Option B is wrong because Amazon Redshift is a petabyte-scale data warehouse optimized for complex analytical queries on large datasets, not for transactional or operational data storage required by individual microservices. Option C is wrong because Amazon RDS for PostgreSQL, while a fully managed relational database, introduces operational overhead for schema management, connection pooling, and scaling that contradicts the goal of minimizing operational overhead for microservices, and its relational model is less flexible for the independent data persistence patterns of microservices.

337
MCQhard

A company is designing a new data lake on AWS. The data lake will store structured and unstructured data from various sources. The company needs a solution that can automatically catalog the data and make it searchable. Data will be stored in Amazon S3. Which AWS service should be used to catalog and enable search across the data lake?

A.Amazon Athena
B.Amazon EMR
C.Amazon Redshift Spectrum
D.AWS Glue Data Catalog
AnswerD

Glue Data Catalog automatically crawls data sources and stores metadata.

Why this answer

Option A is correct because AWS Glue provides a data catalog that automatically discovers and catalogs metadata from S3. Option B: Athena is a query engine, not a catalog. Option C: EMR is for big data processing.

Option D: Redshift Spectrum queries data in S3 but does not catalog it.

338
MCQeasy

A company is designing a new application to store and retrieve user profile pictures. The images will be accessed frequently and must be served with low latency. Which storage solution should they use?

A.Amazon EBS
B.Amazon S3
C.Amazon EFS
D.Amazon RDS
AnswerB

S3 is object storage optimized for high availability and low latency.

Why this answer

Amazon S3 is ideal for storing and serving static content like images with low latency. Option B (Amazon EBS) is block storage for EC2, Option C (Amazon EFS) is file storage, and Option D (Amazon RDS) is a relational database.

339
MCQeasy

A company is designing a web application that must handle sudden spikes in traffic. The application runs in a VPC and uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances. The solution must be cost-effective for variable traffic patterns. Which scaling strategy should be used?

A.Simple scaling with step adjustments
B.Target tracking scaling policy based on average CPU utilization
C.Scheduled scaling
D.Manual scaling
AnswerB

Automatically adjusts capacity to maintain a target metric, cost-effective.

Why this answer

Option D is correct because a target tracking scaling policy with a predefined metric like CPU utilization is the simplest and most cost-effective way to handle variable traffic. Option A (manual scaling) is not dynamic. Option B (scheduled scaling) works for predictable patterns, not sudden spikes.

Option C (simple scaling) is less responsive than target tracking.

340
MCQhard

A company is designing a data lake on AWS using Amazon S3 as the storage layer. The data lake will ingest data from multiple sources, including streaming data from Amazon Kinesis Data Streams and batch data from on-premises systems via AWS Snowball. The company needs to catalog the data and make it available for querying with Amazon Athena and Amazon Redshift Spectrum. Which combination of services should the company use to meet these requirements?

A.Use AWS Glue to create a data catalog and run ETL jobs for both streaming and batch data.
B.Use AWS Lake Formation to set up the data lake and use its built-in catalog.
C.Use Amazon Athena to create tables and partitions directly from S3.
D.Use Amazon Kinesis Data Firehose to deliver streaming data to S3 and catalog with Athena.
AnswerA

Glue provides a data catalog and ETL capabilities.

Why this answer

AWS Glue provides a managed data catalog that integrates with Athena and Redshift Spectrum. Glue ETL can handle both streaming and batch data. Option B is correct.

Option A is wrong because Athena does not catalog data. Option C is wrong because Lake Formation builds on Glue. Option D is wrong because Kinesis Data Firehose is for streaming only.

341
MCQmedium

A developer ran the AWS CLI command shown in the exhibit. The instance has an attached EBS volume with 'DeleteOnTermination' set to false. The instance will be started again soon. What will happen to the EBS volume when the instance is stopped?

A.The EBS volume is detached but the data is preserved.
B.The EBS volume is deleted.
C.The EBS volume is deleted because the instance is stopped.
D.The EBS volume remains attached to the instance and the data persists.
AnswerD

Stopping an instance does not affect attached EBS volumes; data is preserved.

Why this answer

Option D is correct because stopping an EC2 instance does not affect the attached EBS volumes; they remain attached and their data persists. The 'DeleteOnTermination' attribute only controls behavior when the instance is terminated, not stopped. Since the instance will be started again soon, the volume stays attached with its data intact.

Exam trap

The trap here is that candidates confuse the 'stop' and 'terminate' actions, incorrectly assuming that 'DeleteOnTermination' applies to both, when in fact it only applies to termination.

How to eliminate wrong answers

Option A is wrong because stopping an instance does not detach the EBS volume; the volume remains attached and available when the instance is started again. Option B is wrong because the EBS volume is not deleted when the instance is stopped; deletion only occurs on instance termination if 'DeleteOnTermination' is set to true, which it is not. Option C is wrong because the volume is not deleted due to the instance being stopped; the 'DeleteOnTermination' attribute is irrelevant during a stop operation.

342
MCQmedium

A company has a multi-account AWS organization. The security team wants to centrally manage and enforce that all S3 buckets are encrypted with a specific KMS key. Which approach should the architect recommend?

A.Use a service control policy (SCP) to deny s3:PutBucketEncryption if the encryption is not the specified KMS key
B.Use AWS Trusted Advisor to check bucket encryption
C.Create an IAM policy that denies s3:PutObject unless the request includes the specific KMS key, and attach it to all users
D.Use AWS Config rules to detect non-compliant buckets and send alerts
AnswerA

SCPs enforce across all accounts in the organization.

Why this answer

Using SCPs in AWS Organizations allows the security team to deny creation of buckets that do not use the required KMS key. Option A (IAM policies) must be attached to each user/role, not centralized. Option C (Config rules) only detects non-compliance, does not enforce.

Option D (Trusted Advisor) provides recommendations only.

343
MCQhard

A healthcare company is designing a new system on AWS to store and analyze patient health records. The system must comply with HIPAA regulations. Data includes structured lab results and unstructured clinical notes. The company needs to run complex SQL queries on the structured data and perform natural language processing (NLP) on the unstructured data. The solution should be cost-effective and minimize administrative overhead. Which solution should a Solutions Architect recommend?

A.Store structured data in Amazon RDS for PostgreSQL, store unstructured data in S3, and use AWS Glue to run NLP jobs.
B.Store all data in S3, use Amazon Athena for SQL queries and Amazon Textract for NLP.
C.Store structured data in DynamoDB, store unstructured data in S3, use Amazon SageMaker to build custom NLP models.
D.Store structured data in Amazon Redshift, store unstructured data in S3, and use Amazon Comprehend Medical for NLP.
AnswerD

Redshift is for analytics; Comprehend Medical is HIPAA-eligible and designed for medical NLP.

Why this answer

Option B is correct because Redshift is for SQL analytics on structured data, Comprehend Medical is a HIPAA-eligible NLP service for medical text. Option A is wrong because RDS is not designed for complex analytics at scale. Option C is wrong because Athena is serverless but slower for frequent queries; Textract is for document extraction, not NLP.

Option D is wrong because DynamoDB is for NoSQL, not complex SQL queries; SageMaker is overkill for NLP if Comprehend Medical suffices.

344
MCQmedium

A company is designing a new application on AWS that processes real-time IoT sensor data from thousands of devices. The data must be ingested, processed, and stored for analysis. The company wants to use a serverless architecture to reduce operational overhead. The processing includes filtering, aggregation, and transformation. Which solution should a Solutions Architect recommend?

A.Use Amazon Kinesis Data Streams to ingest data, use Kinesis Data Firehose to deliver data to S3, and use Athena for queries.
B.Use Amazon Kinesis Data Streams to ingest data, trigger a Lambda function for processing, and store results in DynamoDB.
C.Use Amazon SQS to ingest sensor data, trigger a Lambda function for processing, and store results in DynamoDB.
D.Use AWS IoT Core to ingest data, use IoT rules to route data to Kinesis Data Analytics for real-time processing, and store results in S3.
AnswerD

IoT Core is designed for IoT; Kinesis Data Analytics provides real-time SQL processing; S3 is cost-effective storage.

Why this answer

Option C is correct because IoT Core is purpose-built for IoT device ingestion, rules engine can process and route data, Kinesis Data Analytics provides real-time SQL processing, and S3 stores results. Option A is wrong because SQS is not a streaming ingestion service. Option B is wrong because Lambda functions triggered by SQS may have concurrency limits and are not ideal for high-throughput streaming.

Option D is wrong because Kinesis Data Firehose delivers data in batches, not real-time processing.

345
MCQmedium

A company is designing a new solution to process streaming data from IoT devices. The data must be ingested, processed in real-time, and stored in a data warehouse for analytics. The company expects millions of events per second. Which combination of AWS services should be used?

A.Amazon Kinesis Data Firehose for ingestion and delivery to Amazon S3, then use AWS Glue for ETL into Amazon Redshift.
B.Amazon DynamoDB Streams for ingestion, AWS Lambda for processing, and Amazon Redshift for storage.
C.Amazon SQS for ingestion, AWS Lambda for processing, and Amazon DynamoDB for storage.
D.Amazon Kinesis Data Streams for ingestion, Amazon Kinesis Data Analytics for real-time processing, and Amazon S3 as a staging area before loading into Amazon Redshift.
AnswerD

Kinesis Data Streams handles high throughput, Data Analytics processes in real-time, and S3 integrates with Redshift.

Why this answer

Amazon Kinesis Data Streams can ingest millions of events per second with durable, ordered shards, while Kinesis Data Analytics provides real-time SQL or Apache Flink processing on the stream. Amazon S3 acts as a staging layer before loading into Amazon Redshift via COPY or Redshift Spectrum, enabling scalable analytics without throttling the ingestion pipeline.

Exam trap

Cisco often tests the distinction between Kinesis Data Streams (real-time, sub-second) and Kinesis Data Firehose (near-real-time, minutes of latency), leading candidates to choose Firehose for real-time requirements.

How to eliminate wrong answers

Option A is wrong because Kinesis Data Firehose is a near-real-time delivery service with a minimum buffer interval of 60 seconds, which cannot meet the sub-second real-time processing requirement for millions of events per second. Option B is wrong because DynamoDB Streams are designed for change data capture from a DynamoDB table, not for direct ingestion of high-throughput streaming data from IoT devices, and DynamoDB Streams have a limited retention period (24 hours) and throughput constraints. Option C is wrong because Amazon SQS is a message queue with at-least-once delivery and no native ordering guarantees (unless using FIFO, which limits throughput to 300 TPS), making it unsuitable for high-velocity, ordered streaming data; DynamoDB is not a data warehouse optimized for complex analytics queries.

346
Multi-Selecthard

A company is deploying a containerized application on Amazon EKS. The application requires persistent storage that can be shared across multiple pods in different Availability Zones. Which TWO storage solutions meet this requirement? (Choose TWO.)

Select 2 answers
A.Amazon EBS with io2 volumes
B.Amazon S3
C.Amazon EC2 Instance Store
D.Amazon FSx for Lustre
E.Amazon EFS
AnswersD, E

FSx for Lustre is a high-performance file system that can be shared across multiple clients in different AZs.

Why this answer

Amazon EFS provides a fully managed, scalable, and elastic NFS file system that can be mounted concurrently by multiple Amazon EKS pods across different Availability Zones, making it suitable for shared persistent storage. Amazon FSx for Lustre is a high-performance file system optimized for workloads like machine learning and HPC, and it supports concurrent access from multiple clients across AZs, meeting the requirement for shared storage.

Exam trap

The trap here is that candidates often assume EBS volumes can be shared across pods because they are persistent, but EBS is a block device with a single-attach limitation, making it unsuitable for multi-pod shared access across AZs.

347
MCQmedium

A company is designing a new application that will process messages from an SQS queue. The messages must be processed in real-time with minimal latency, and the processing time per message varies from 100 ms to 5 seconds. The company wants to minimize cost and operational overhead. Which solution should the architect recommend?

A.Use Amazon Kinesis Data Streams and an AWS Lambda function
B.Use an SQS queue and an EC2 Auto Scaling group to poll and process messages
C.Use an SQS queue as an event source for an AWS Lambda function
D.Use SQS to send messages to Amazon SNS, which triggers a Lambda function
AnswerC

Lambda scales automatically with the SQS queue and charges per execution, minimizing cost and overhead.

Why this answer

Option A is correct because SQS combined with Lambda provides a serverless solution that scales automatically, processes messages in near real-time, and charges only for compute time used. Option B is wrong because EC2 instances require provisioning and management, leading to higher operational overhead. Option C is wrong because Kinesis is designed for streaming data, not simple message processing.

Option D is wrong because SNS is for pub/sub messaging, not for processing messages.

348
Multi-Selecthard

A company is designing a new application on AWS that requires a highly available and durable NoSQL database. The database must be able to scale horizontally for both reads and writes. Which TWO AWS services meet these requirements? (Choose two.)

Select 2 answers
A.Amazon Neptune
B.Amazon DynamoDB
C.Amazon RDS for MySQL with Multi-AZ
D.Amazon DocumentDB (with MongoDB compatibility)
E.Amazon ElastiCache for Memcached
AnswersB, D

DynamoDB is a fully managed NoSQL database with horizontal scaling and high durability.

Why this answer

Options A and C are correct. Amazon DynamoDB is a fully managed NoSQL database that scales horizontally and provides high availability and durability. Amazon DocumentDB is a MongoDB-compatible document database that also scales horizontally.

Option B is wrong because RDS is relational. Option D is wrong because Neptune is a graph database. Option E is wrong because ElastiCache is a cache.

349
MCQmedium

A company is designing a microservices architecture on AWS. Each service needs its own DynamoDB table, and services must be fully isolated. Which networking design ensures that services can only communicate through APIs and not directly to each other's databases?

A.Place all services in a single VPC with security groups to control traffic.
B.Use a transit VPC with VPN connections to each service's VPC.
C.Create a separate VPC for each service, with VPC peering only between the API gateway and each service VPC.
D.Use a single VPC with public and private subnets; place databases in private subnets and services in public subnets.
AnswerC

This ensures each service's database is isolated and only accessible via the API.

Why this answer

Placing services in separate VPCs with VPC peering only for API communication ensures network-level isolation. Option B is correct because it prevents direct database access by not allowing peering between all VPCs. Option A is wrong because a shared VPC with security groups could allow unintended traffic.

Option C is wrong because a single VPC with subnets still allows routing between services. Option D is wrong because a transit VPN does not provide the needed isolation.

350
MCQeasy

A company needs to store application logs for at least one year with the ability to query them occasionally. The logs are generated at a rate of 10 GB per day. Which storage solution is MOST cost-effective?

A.Store logs on Amazon EBS volumes attached to a single EC2 instance for querying.
B.Stream logs to Amazon S3 using Amazon Kinesis Data Firehose, then use S3 Lifecycle policies to transition to S3 Standard-IA after 30 days.
C.Store logs in Amazon S3 Glacier and use S3 Select to query directly.
D.Stream logs to Amazon CloudWatch Logs and set a retention policy of 365 days.
AnswerB

S3 Standard-IA offers lower cost for infrequent access with retrieval available.

Why this answer

Amazon S3 with S3 Intelligent-Tiering or S3 Standard-IA is cost-effective for infrequent access. Option A (CloudWatch Logs) is expensive for long-term storage. Option C (S3 Glacier) has retrieval delays.

Option D (EBS) is not suitable for logs.

351
Multi-Selectmedium

Which TWO design patterns help ensure data durability in Amazon S3?

Select 2 answers
A.Enable Cross-Region Replication (CRR).
B.Enable S3 Versioning.
C.Enable MFA Delete.
D.Use S3 Standard-IA storage class.
E.Configure lifecycle policies to transition to Glacier.
AnswersA, B

Replicates objects to another region for durability against regional failures.

Why this answer

Options A and B are correct. Versioning protects against accidental deletion or overwrite. Cross-Region Replication provides durability across regions.

Option C is incorrect because S3 Standard is already durable; additional storage class doesn't improve durability. Option D is incorrect because MFA Delete is a security feature for deletion protection. Option E is incorrect because lifecycle policies manage cost, not durability.

352
Multi-Selecthard

A company is designing a new disaster recovery solution for a critical application that runs on Amazon EC2 with an Amazon RDS for MySQL database. The Recovery Time Objective (RTO) is 15 minutes and Recovery Point Objective (RPO) is 1 hour. Which TWO strategies meet these requirements? (Choose TWO.)

Select 2 answers
A.Use Amazon Aurora Global Database for the database tier.
B.Use a cross-region read replica for RDS and promote it during disaster.
C.Use EC2 AMI copy to another region and launch instances from the AMI.
D.Use RDS cross-region snapshots and restore in the DR region.
E.Configure RDS Multi-AZ in the primary region.
AnswersA, B

Aurora Global Database provides low RPO/RTO cross-region.

Why this answer

Aurora Global Database (option D) provides RPO of seconds and RTO of minutes. Multi-AZ (option C) provides HA but not cross-region DR. Option A (RDS cross-region) meets RPO but RTO may be >15 min.

Option B (EC2 AMI copy) is slow. Option D is correct. Option E (read replica) can be promoted quickly.

353
MCQhard

A company is migrating a legacy on-premises application to AWS. The application requires a fixed IP address for whitelisting by external partners. The solution must be highly available across multiple Availability Zones. Which design should they use?

A.Use an Application Load Balancer (ALB) with an Elastic IP address.
B.Use Amazon Route 53 with a weighted routing policy.
C.Use a Network Load Balancer (NLB) with an Elastic IP address.
D.Use a Classic Load Balancer (CLB) with an Elastic IP address.
AnswerC

NLB supports Elastic IPs and is highly available across AZs.

Why this answer

Option C is correct because a Network Load Balancer (NLB) supports static IP addresses via Elastic IPs per Availability Zone, providing a fixed IP for partner whitelisting while maintaining high availability across multiple AZs. Unlike ALBs, NLBs operate at Layer 4 and can preserve the client IP, which is critical for IP-based whitelisting scenarios.

Exam trap

The trap here is that candidates often assume an ALB can use Elastic IPs because it is a modern load balancer, but ALBs are DNS-based and cannot be assigned static IPs, making the NLB the only correct choice for fixed IP whitelisting with high availability.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer (ALB) does not support Elastic IP addresses; it uses a DNS name and its IP addresses can change, making it unsuitable for fixed IP whitelisting. Option B is wrong because Amazon Route 53 with a weighted routing policy distributes traffic across multiple endpoints but does not provide a single fixed IP address for whitelisting; it relies on DNS resolution which can change. Option D is wrong because a Classic Load Balancer (CLB) can be assigned an Elastic IP, but it is a legacy service that does not support multiple Availability Zones natively and lacks the high availability and performance features of an NLB.

354
MCQmedium

An IAM policy is attached to an IAM user. The user tries to download an object from S3 bucket 'example-bucket' from an IP address 10.0.1.5. What will happen?

A.The policy has no effect because the condition is invalid.
B.The request is denied unless there is another explicit deny.
C.The request is denied.
D.The request is allowed.
AnswerD

The IP matches the condition.

Why this answer

The policy grants s3:GetObject only if the source IP is in 10.0.0.0/16. Since 10.0.1.5 is within that range, the request is allowed. Option A is correct.

Option B would be true if IP outside range. Option C (deny) would override. Option D (no effect) is incorrect.

355
MCQeasy

A solutions architect is designing a disaster recovery plan for a critical application. The application runs on EC2 instances behind an Application Load Balancer (ALB) in us-east-1. The recovery time objective (RTO) is 15 minutes, and the recovery point objective (RPO) is 1 hour. Which approach meets these requirements?

A.Use backup and restore: take hourly snapshots of EBS volumes and copy to us-west-2, then restore EC2 instances from snapshots.
B.Implement a pilot light strategy: replicate data to us-west-2 and keep a minimal stack running.
C.Deploy a multi-site active-active configuration with full capacity in both regions.
D.Use a warm standby: maintain a scaled-down copy of the environment in us-west-2 that can be scaled up within 15 minutes.
AnswerD

Warm standby allows quick scaling to full capacity within RTO.

Why this answer

Using a warm standby with a scaled-down copy of the environment in another region and failing over within 15 minutes meets RTO/RPO. Option D is correct. Option A is wrong because pilot light takes longer to scale.

Option B is wrong because backup and restore has higher RTO. Option C is wrong because multi-site active-active is overkill and may exceed RTO if not properly configured.

356
MCQmedium

A company is designing an event-driven architecture using Amazon EventBridge. They have multiple AWS accounts that need to receive events from a central account. What is the MOST scalable and secure way to route events to these accounts?

A.Use Amazon EventBridge cross-account event buses in each target account
B.Publish events to an AWS Lambda function in each target account
C.Use Amazon Kinesis Data Streams with cross-account access
D.Create an Amazon SNS topic in the central account and subscribe SQS queues in each target account
AnswerA

EventBridge natively supports cross-account event routing.

Why this answer

Option D is correct because EventBridge cross-account event buses allow events to be sent directly to event buses in other accounts securely and scalably. Option A is incorrect because SNS topics have limited cross-account capabilities. Option B is incorrect because Kinesis Data Streams is not designed for event routing.

Option C is incorrect because Lambda functions would require custom invocation logic.

357
MCQmedium

A company is designing a new microservices architecture on AWS. Each microservice must be independently deployable and scalable. The company expects unpredictable traffic patterns with sudden spikes. Which combination of AWS services should be used to build a decoupled, resilient system?

A.Use Amazon API Gateway, AWS Lambda, Amazon SQS, Amazon DynamoDB, and Amazon CloudWatch.
B.Use Application Load Balancer, Amazon EC2 Auto Scaling, Amazon SQS, and Amazon RDS.
C.Use Amazon API Gateway, AWS Lambda, Amazon Kinesis Data Streams, and Amazon DynamoDB.
D.Use Application Load Balancer, Amazon ECS with Fargate, Amazon SQS, and Amazon RDS with read replicas.
AnswerA

This option provides serverless, decoupled, and scalable components ideal for unpredictable spikes.

Why this answer

Option A is correct because it combines API Gateway as a managed entry point, Lambda for stateless compute, SQS for decoupling and buffering sudden traffic spikes, DynamoDB for serverless NoSQL storage, and CloudWatch for observability. This serverless stack ensures each microservice is independently deployable and scales automatically without provisioning, handling unpredictable spikes via SQS queue depth and Lambda concurrency limits.

Exam trap

The trap here is that candidates often choose Kinesis Data Streams (Option C) thinking it provides better decoupling, but they overlook that SQS is specifically designed for asynchronous message buffering with per-message visibility timeouts, which is more appropriate for microservices decoupling than Kinesis's shard-based streaming model.

How to eliminate wrong answers

Option B is wrong because it relies on EC2 Auto Scaling and ALB, which have slower scaling response times (minutes) compared to Lambda's sub-second scaling, making it less resilient to sudden spikes. Option C is wrong because Kinesis Data Streams is designed for real-time streaming analytics with shard-level scaling, not for decoupling request-response microservices; it lacks the buffering and visibility timeout features of SQS that are critical for resilient decoupling. Option D is wrong because RDS with read replicas introduces a relational database bottleneck that does not scale horizontally for unpredictable write-heavy spikes, and ECS with Fargate still requires container startup time and task definition management, which is less elastic than Lambda's instant scaling.

358
Multi-Selecteasy

A company is designing a new data processing pipeline that must transform data from JSON to Parquet format. The pipeline should run daily and handle data up to 10 GB. Which TWO AWS services can be used to perform this transformation?

Select 2 answers
A.Amazon EMR
B.AWS Lambda
C.AWS Glue
D.Amazon Athena (CTAS queries)
E.Amazon Kinesis Data Firehose
AnswersC, D

Serverless ETL service.

Why this answer

Option A (AWS Glue) is correct for ETL jobs. Option C (Amazon Athena) is correct for converting data with CTAS queries. Option B (Kinesis Data Firehose) is for streaming, not daily batch.

Option D (Lambda) has a 15-minute timeout and 10 GB limit. Option E (EMR) is possible but overkill.

359
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user who needs to upload objects to an S3 bucket owned by another AWS account. The uploads are failing with access denied. What is the most likely cause?

A.The upload request does not include the required ACL header.
B.The resource ARN is incorrect.
C.The bucket policy denies the request.
D.The user does not have s3:PutObject permission.
AnswerA

The condition enforces the ACL header.

Why this answer

Option C is correct. The policy requires the x-amz-acl header to be set to 'bucket-owner-full-control', but the user's upload request likely does not include that header. Options A and B are wrong because the policy explicitly allows PutObject.

Option D is wrong because the bucket policy is not shown.

360
MCQeasy

A developer runs the above AWS CLI command. What is the expected output?

A.A list of public IP addresses
B.A list of instance IDs for running web-server instances
C.All instance IDs regardless of state
D.An error because the query syntax is incorrect
AnswerB

The command returns InstanceIds of running instances with the specified tag.

Why this answer

Option A is correct because the command filters for instances with tag Name=web-server and state running, then outputs the InstanceIds as text. Option B is wrong because it outputs only if instances exist. Option C is wrong because the filter is correct.

Option D is wrong because the query selects InstanceId, not all info.

361
MCQeasy

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer. The application must handle sudden spikes in traffic without manual intervention. Which scaling approach should they use?

A.Manual scaling
B.Scheduled scaling
C.Target tracking scaling policies
D.Simple scaling policies
AnswerC

Target tracking automatically adjusts capacity to maintain a target metric value.

Why this answer

Option B is correct because target tracking scaling policies automatically adjust capacity based on a target metric. Option A is wrong because simple scaling requires manual intervention for cooldown. Option C is wrong because scheduled scaling is for predictable traffic.

Option D is wrong because manual scaling is not automatic.

362
Multi-Selectmedium

A company is designing a new microservices architecture that requires service discovery and API management. Which THREE services can be used together to achieve this? (Choose THREE.)

Select 3 answers
A.Amazon Route 53
B.Amazon API Gateway
C.Application Load Balancer
D.Amazon VPC Lattice
E.AWS Cloud Map
AnswersB, C, E

API Gateway creates and manages APIs.

Why this answer

Options A, C, and D are correct. AWS Cloud Map provides service discovery, API Gateway manages APIs, and ALB can route traffic. Option B is wrong because Route 53 is DNS, not service discovery.

Option E is wrong because VPC Lattice is for service-to-service communication, not API management.

363
MCQmedium

A company is designing a multi-tier web application on AWS. The application must be highly available and scale automatically based on traffic. The web tier runs on Amazon EC2 instances behind an Application Load Balancer. The application tier also uses EC2 instances. Which solution meets these requirements with the LEAST operational overhead?

A.Use Amazon ECS with Fargate for both tiers, with an Application Load Balancer.
B.Use AWS Global Accelerator with a single Auto Scaling group for both tiers.
C.Use Network Load Balancer with Auto Scaling groups for both tiers.
D.Use Auto Scaling groups for both web and application tiers, and route traffic through an Application Load Balancer.
AnswerD

Auto Scaling groups provide automatic scaling and health checks, ALB distributes traffic, low overhead.

Why this answer

Option A is correct because using Auto Scaling groups for both tiers and an ALB provides automatic scaling and high availability with minimal operational overhead. Option B is incorrect because AWS Global Accelerator does not provide automatic scaling of instances. Option C is incorrect because Amazon ECS adds container orchestration overhead.

Option D is incorrect because a Network Load Balancer is not ideal for HTTP traffic and does not provide automatic scaling.

364
MCQhard

A company is monitoring a Lambda function named my-function. The function has an alias 'prod' that points to version 1. The above CLI output shows two metrics for the Errors metric. What is the likely reason for two metrics?

A.The function is invoked via two different triggers
B.The function is configured with two different reserved concurrency settings
C.The function has two versions: $LATEST and version 1
D.The function is deployed in two different regions
AnswerC

Each version has its own metric.

Why this answer

The CLI output shows two metrics for the Errors metric because the function has two versions: $LATEST (the unpublished, mutable version) and version 1 (the published, immutable version). The alias 'prod' points to version 1, but CloudWatch metrics are emitted per version, so both $LATEST and version 1 generate separate error metric streams. This is why two distinct data points appear for the same metric name.

Exam trap

The trap here is that candidates assume the alias 'prod' consolidates all metrics into a single stream, but AWS CloudWatch emits separate metric dimensions for each version, even when an alias points to a specific version, causing two distinct error metric lines.

How to eliminate wrong answers

Option A is wrong because multiple triggers (e.g., S3, API Gateway) would invoke the same function version, not create separate metric streams; CloudWatch aggregates errors per version, not per trigger. Option B is wrong because reserved concurrency settings affect throttling behavior, not the number of metric streams; they do not create separate error metrics. Option D is wrong because the function is deployed in a single region (implied by the CLI output), and cross-region deployments would require separate function ARNs and would not appear as two metrics under the same function name in a single region's CloudWatch console.

365
Multi-Selectmedium

A company is designing a new event-driven architecture using AWS services. The system must process events from multiple sources, filter and route events to different consumers, and ensure that events are processed exactly once. Which THREE services should be used to build this architecture? (Choose three.)

Select 3 answers
A.Amazon Kinesis Data Firehose to deliver events to destinations.
B.AWS Lambda functions to consume events from queues and process them.
C.AWS AppSync to provide real-time subscriptions for events.
D.Amazon SQS FIFO queues to ensure exactly-once processing.
E.Amazon EventBridge to ingest events and route them based on rules.
AnswersB, D, E

Lambda can poll SQS queues and process events.

Why this answer

AWS Lambda functions are correct because they can be triggered by Amazon SQS FIFO queues to process messages one at a time, preserving the order and enabling idempotent processing. Lambda integrates natively with SQS, automatically scaling the number of concurrent executions based on the queue depth, which supports the exactly-once processing requirement when combined with FIFO queues.

Exam trap

The trap here is that candidates often confuse Amazon Kinesis Data Firehose with Amazon Kinesis Data Streams, assuming Firehose supports exactly-once processing, but Firehose only provides at-least-once delivery and lacks the FIFO ordering and deduplication capabilities required for this use case.

366
Multi-Selectmedium

A company is designing a disaster recovery (DR) strategy for a critical application. The application runs on EC2 instances in a single AWS Region. The company needs a Recovery Time Objective (RTO) of 2 hours and a Recovery Point Objective (RPO) of 15 minutes. Which TWO strategies meet these requirements? (Choose TWO.)

Select 2 answers
A.Use S3 Cross-Region Replication for application data and launch EC2 instances from AMIs copied to the secondary Region
B.Take hourly snapshots of EBS volumes and copy them to another Region; use AWS CloudFormation to launch instances from the snapshots
C.Use Amazon Aurora Global Database for the database and deploy EC2 instances with an Application Load Balancer that has cross-Region load balancing enabled
D.Use Amazon DynamoDB global tables for the database and deploy EC2 instances in a warm standby configuration in another Region
E.Configure an Active-Passive failover using Route 53 with health checks within the same Region
AnswersC, D

Aurora Global Database provides replication with RPO of seconds, and cross-Region ALB can redirect traffic to warm standby instances.

Why this answer

Multi-Region replication with Aurora Global Database provides fast failover and RPO of seconds. Application Load Balancer with cross-Region load balancing can route traffic to a warm standby in another Region. Option B (snapshot to S3) may take longer than 15 minutes RPO.

Option D (single Region) does not provide DR. Option E (S3 Cross-Region Replication) is for S3 objects, not EC2 instance state.

367
MCQmedium

A company is deploying a new microservices application on Amazon ECS using Fargate. The application consists of several services that need to communicate with each other. The company wants to use service discovery so that services can find each other by name. Additionally, the company needs to ensure that traffic between services is encrypted in transit. The security team requires that all inter-service traffic uses TLS. Which combination of services should be used to meet these requirements?

A.Use AWS Cloud Map for service discovery and an Application Load Balancer for inter-service communication with TLS termination.
B.Use the built-in service discovery in Amazon ECS and encrypt traffic using AWS Certificate Manager (ACM) certificates.
C.Use an Application Load Balancer with target groups for each service and enable TLS on the load balancer.
D.Use AWS Cloud Map for service discovery and AWS App Mesh with TLS enforcement for inter-service communication.
AnswerD

Cloud Map provides DNS-based service discovery; App Mesh enables mTLS between services.

Why this answer

Option A is correct because AWS Cloud Map provides service discovery and AWS App Mesh can enforce TLS encryption for inter-service traffic. Option B: Service discovery via Cloud Map works, but ALB is for external traffic, not inter-service mTLS. Option C: Service discovery is not provided by default in ECS; you need Cloud Map.

Option D: ALB can route traffic but does not provide service discovery by service name.

368
MCQmedium

A company is running a stateful web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session data locally on the instance. The company wants to make the application highly available and fault-tolerant without rewriting the application code. What should the solutions architect do?

A.Replace the ALB with a Network Load Balancer (NLB) and enable cross-zone load balancing.
B.Move session state to Amazon ElastiCache and configure the ALB to use sticky sessions.
C.Configure the ALB with sticky sessions (session affinity) and use a custom cookie.
D.Use an Auto Scaling group to add more instances and distribute load.
AnswerC

Sticky sessions bind a user to a specific instance, preserving local state without code changes.

Why this answer

Option D is correct. By using an ALB with sticky sessions (session affinity), requests from the same user go to the same instance, preserving local session state. Option A is incorrect because moving session state to ElastiCache would require code changes.

Option B is incorrect because a Network Load Balancer does not support sticky sessions by default and also doesn't solve the state issue. Option C is incorrect because Auto Scaling would terminate instances, losing session data.

369
Multi-Selectmedium

A company is designing a new data lake on Amazon S3. They need to ensure that data is encrypted at rest and that access is audited. Which services should they use? (Choose TWO.)

Select 2 answers
A.Amazon Macie
B.Amazon GuardDuty
C.AWS KMS
D.AWS Config
E.AWS CloudTrail
AnswersC, E

Manages encryption keys for S3.

Why this answer

AWS KMS provides encryption keys, and AWS CloudTrail logs API calls for auditing. Option C (Amazon GuardDuty) is for threat detection, Option D (Amazon Macie) is for sensitive data discovery, and Option E (AWS Config) is for resource configuration tracking.

370
MCQmedium

A company is migrating a legacy on-premises application to AWS. The application requires a shared file system that supports the NFS protocol and must be accessible from multiple EC2 instances across different Availability Zones. The file system must provide high durability and low latency. The company also needs to control access to the file system using IAM policies. The solutions architect needs to choose the appropriate AWS storage service. Which service should the architect use?

A.Amazon S3 with S3 File Gateway to present as a file system.
B.Amazon EBS with a Provisioned IOPS volume type, mounted on multiple instances using a cluster file system.
C.Amazon EFS with IAM authorization.
D.Amazon FSx for Lustre with a persistent deployment type.
AnswerC

EFS provides NFS access across AZs and supports IAM policies for access control.

Why this answer

Amazon EFS is a fully managed NFS file system that is accessible across AZs, supports IAM policies for access control, and provides high durability and low latency. Option C is correct. Option A is wrong because EBS volumes can only be attached to a single instance in one AZ.

Option B is wrong because S3 is object storage, not a file system. Option D is wrong because FSx for Lustre is designed for high-performance computing, not general NFS.

371
Multi-Selecthard

A company is building a serverless application using AWS Lambda and Amazon DynamoDB. They need to ensure that the application can handle a sudden increase in traffic without losing any data or causing errors. Which THREE strategies should they implement?

Select 3 answers
A.Use DynamoDB on-demand capacity mode.
B.Decouple the application with Amazon SQS.
C.Enable DynamoDB auto scaling.
D.Use DynamoDB Accelerator (DAX) for caching.
E.Configure Lambda reserved concurrency.
AnswersA, C, E

On-demand handles unpredictable traffic without capacity planning.

Why this answer

Option A (DynamoDB auto scaling) handles throughput spikes. Option B (Lambda reserved concurrency) prevents throttling. Option D (DynamoDB on-demand capacity) handles unpredictable traffic.

Option C (DAX) improves read performance but not write scaling. Option E (SQS) would decouple but adds complexity.

372
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). They want to implement a blue/green deployment strategy with minimal impact on users. Which approach should they use?

A.Create a new target group with the green instances. Modify the ALB listener rule to forward traffic to the new target group.
B.Stop all instances, launch new instances with the new version, and update the target group.
C.Update the existing target group's instances to the new version, one at a time.
D.Create a new ALB and update DNS to point to the new ALB.
AnswerA

This is the standard blue/green deployment with ALB.

Why this answer

Option A is correct because blue/green deployment with an ALB is achieved by creating a new target group for the green instances and modifying the ALB listener rule to forward traffic to the new target group. This allows instant traffic shifting with zero downtime, as the ALB can route traffic between target groups without changing the DNS or creating a new ALB. The blue (old) target group remains available for instant rollback if needed.

Exam trap

The trap here is confusing blue/green deployment with rolling updates or assuming that a new ALB and DNS change are required, when in fact ALB listener rule modifications provide immediate traffic switching without DNS propagation delays.

How to eliminate wrong answers

Option B is wrong because stopping all instances causes complete downtime, violating the requirement for minimal impact on users. Option C is wrong because updating instances one at a time in the existing target group is a rolling update strategy, not a blue/green deployment; it does not maintain two separate environments for instant switchover. Option D is wrong because creating a new ALB and updating DNS introduces DNS propagation delays and potential disruption, whereas blue/green with ALB should leverage listener rule changes for immediate traffic shift.

373
Multi-Selectmedium

A company is designing a new cloud-native application that will run on Amazon ECS with Fargate. The application must store logs centrally for analysis. Which TWO services can be used to collect and analyze logs from ECS Fargate tasks?

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS FireLens (Fluent Bit)
C.Amazon S3
D.AWS CloudTrail
E.Amazon Kinesis Data Analytics
AnswersA, B

ECS can send logs to CloudWatch Logs using the awslogs log driver.

Why this answer

Option A and Option C are correct. CloudWatch Logs can be used with the awslogs driver to collect logs. FireLens (using Fluent Bit) can also collect and forward logs.

Option B is wrong because Kinesis Data Analytics is for streaming analytics, not log collection. Option D is wrong because S3 is a storage service, not a log analysis service. Option E is wrong because CloudTrail captures API calls, not application logs.

374
MCQeasy

A company wants to decouple a microservices architecture where one service (producer) sends events to another service (consumer). The producer can generate bursts of events, and the consumer processes them in batches. The solution must be serverless and handle potential consumer failures without losing events. Which AWS service should be used as the message broker?

A.Amazon SNS
B.Amazon Kinesis Data Streams
C.Amazon EventBridge
D.Amazon SQS
AnswerD

SQS provides a durable, serverless queue that decouples producers and consumers, supports batch processing, and can retain messages on failure.

Why this answer

Option A is correct because Amazon SQS is a serverless message queue that can buffer bursts and retain messages until the consumer processes them, with dead-letter queues for failures. Option B is wrong because Amazon SNS pushes messages to subscribers and does not support polling or batch processing. Option C is wrong because Kinesis Data Streams is for real-time streaming, not simple decoupling with batch processing.

Option D is wrong because EventBridge is for event routing, not a message queue.

375
Multi-Selecthard

A company is migrating a monolithic application to microservices on AWS. The current application uses a single Amazon RDS for PostgreSQL database. To avoid tight coupling, each microservice should have its own database. The company needs to minimize downtime during migration. Which THREE strategies should be used?

Select 3 answers
A.Design each microservice with its own database.
B.Use a single shared database with separate schemas for each service.
C.Use AWS Database Migration Service (DMS) for ongoing replication.
D.Implement the Strangler Fig pattern to gradually migrate functionality.
E.Deploy all microservices on a single large EC2 instance.
AnswersA, C, D

Database per service is a microservices best practice.

Why this answer

Options B, C, and D are correct. The Strangler Fig pattern gradually replaces functionality. Database per service ensures isolation.

AWS DMS can migrate data with minimal downtime. Option A is wrong because a shared database defeats the purpose. Option E is wrong because a single large RDS instance is not a microservices pattern.

← PreviousPage 5 of 7 · 514 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Design for New Solutions questions.