CCNA Design for New Solutions Questions

75 of 514 questions · Page 6/7 · Design for New Solutions · Answers revealed

376
MCQmedium

A company is designing a serverless application using AWS Lambda and Amazon API Gateway. The application must handle sudden spikes in traffic and ensure that no requests are lost. Which of the following design choices will BEST meet these requirements?

A.Use Lambda provisioned concurrency to pre-warm the function and reduce cold starts.
B.Configure API Gateway with a usage plan and throttling, and set Lambda reserved concurrency to limit the function's maximum capacity.
C.Use AWS Step Functions to orchestrate the Lambda invocations and implement retry logic.
D.Use Amazon SQS to buffer requests and have Lambda poll the queue at a fixed rate.
AnswerB

Usage plans and throttling control the request rate, while reserved concurrency ensures the Lambda function has dedicated capacity to handle the allowed traffic without being throttled by other functions.

Why this answer

Option B is correct because configuring API Gateway with usage plans and throttling prevents overwhelming the backend, while Lambda reserved concurrency ensures a minimum capacity for the function. Option A is wrong because Lambda provisioned concurrency adds cost and is for reducing cold starts, not for handling spikes without loss. Option C is wrong because SQS decouples but does not prevent loss if Lambda doesn't scale.

Option D is wrong because Step Functions add orchestration overhead and complexity.

377
MCQmedium

A company is designing a serverless application using AWS Lambda to process incoming files from Amazon S3. Each file is less than 1 MB and processing must complete within 10 seconds. The application must handle bursts of up to 1,000 concurrent invocations. Which configuration will provide the MOST cost-effective solution?

A.Use provisioned concurrency for 1,000 concurrent executions with 128 MB memory.
B.Place the Lambda function in a VPC with 1,024 MB memory for faster processing.
C.Set reserved concurrency to 1,000 and function memory to 256 MB.
D.Set function memory to 128 MB and leave concurrency at the account default of 1,000.
AnswerD

128 MB is sufficient for small files; default concurrency handles bursts.

Why this answer

Lambda concurrency limit of 1,000 and function memory of 128 MB is sufficient for small files and cost-effective. Option A (reserved concurrency) may waste resources. Option C (provisioned concurrency) incurs extra cost.

Option D (VPC) adds unnecessary network cost.

378
MCQhard

A company is designing a new application that will run on Amazon ECS with Fargate. The application consists of three microservices: Service A, Service B, and Service C. Service A receives HTTP requests from an Application Load Balancer and sends messages to an Amazon SQS queue. Service B polls the SQS queue and processes the messages, storing results in Amazon DynamoDB. Service C reads from DynamoDB and sends notifications via Amazon SNS. The company expects variable traffic and wants to minimize costs. During a load test, the team observes that Service B is not scaling fast enough, causing the SQS queue to grow. The team also notices that Service C is idle most of the time. Which solution should the company implement to improve scaling and reduce costs?

A.Use AWS Lambda with Provisioned Concurrency for Service B and keep Service C as a Fargate service.
B.Use a step scaling policy for Service B based on CPU utilization and keep Service C as is.
C.Configure Service B with a target tracking scaling policy based on the SQS queue backlog and convert Service C to an AWS Lambda function triggered by DynamoDB Streams.
D.Increase the number of ECS tasks for Service B manually and use a scheduled scaling policy for Service C.
AnswerC

Target tracking scaling based on SQS backlog scales Service B appropriately; Lambda for Service C eliminates idle cost.

Why this answer

Option C is correct because it addresses both scaling and cost issues: Service B's scaling is improved by using a target tracking scaling policy based on the SQS queue backlog (ApproximateNumberOfMessagesVisible), which directly correlates to the work demand, ensuring faster and more precise scaling. Converting Service C to a Lambda function triggered by DynamoDB Streams eliminates idle compute costs from a constantly running Fargate service, as Lambda only runs when new data appears in DynamoDB, reducing costs significantly.

Exam trap

The trap here is that candidates often choose CPU-based scaling (Option B) because it is familiar, but they fail to recognize that queue depth is a more direct and responsive metric for scaling message-processing services, and they overlook the cost savings of replacing an idle Fargate service with a Lambda function triggered by DynamoDB Streams.

How to eliminate wrong answers

Option A is wrong because using Lambda with Provisioned Concurrency for Service B would incur costs for pre-warmed instances even when idle, and it does not address the scaling issue with the SQS queue backlog; moreover, Lambda is not ideal for long-running polling tasks. Option B is wrong because a step scaling policy based on CPU utilization is an indirect metric that does not reflect the actual work queue depth, leading to delayed scaling and continued queue growth. Option D is wrong because manually increasing tasks for Service B is not automated or cost-effective for variable traffic, and using a scheduled scaling policy for Service C does not address its idle time—it would still run tasks when not needed, wasting resources.

379
MCQmedium

A company is designing a new data lake on Amazon S3. They need to query the data using standard SQL and expect to run complex queries that scan large datasets. The query performance should be optimized to minimize data scanned. Which service should they use?

A.Amazon Redshift Spectrum
B.Amazon EMR
C.Amazon Athena
D.Amazon QuickSight
AnswerC

Athena is serverless and can query S3 data with standard SQL, optimized by partitioning and columnar formats.

Why this answer

Amazon Athena is a serverless interactive query service that uses standard SQL to analyze data directly in Amazon S3. It is optimized for querying large datasets with a pay-per-query model, and it automatically minimizes data scanned by leveraging features like columnar data formats (Parquet, ORC), partitioning, and compression to reduce the amount of data read per query.

Exam trap

The trap here is that candidates often confuse Amazon Redshift Spectrum with Athena because both query S3 data, but Redshift Spectrum requires a running Redshift cluster and is not serverless, while Athena is fully serverless and designed specifically for minimizing data scanned in a data lake scenario.

How to eliminate wrong answers

Option A is wrong because Amazon Redshift Spectrum is an extension of Amazon Redshift that allows querying data in S3, but it requires an active Redshift cluster and is designed for hybrid queries that combine local and external data, not for a standalone data lake query service with minimal data scanned. Option B is wrong because Amazon EMR is a managed big data platform that supports frameworks like Apache Spark and Hive, but it requires provisioning and managing clusters, and its primary focus is not on minimizing data scanned for ad-hoc SQL queries; it is more suited for complex ETL and processing jobs. Option D is wrong because Amazon QuickSight is a business intelligence (BI) and visualization service, not a SQL query engine for scanning large datasets; it relies on underlying data sources like Athena or Redshift for query execution.

380
Drag & Dropmedium

Drag and drop the steps to recover an Amazon RDS Multi-AZ DB instance after a primary instance failure in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First identify failure, wait for failover, verify promotion, update endpoints, then investigate.

381
Multi-Selecthard

A company is designing a serverless data processing pipeline using AWS Step Functions, AWS Lambda, and Amazon DynamoDB. The pipeline must process incoming JSON records from an Amazon Kinesis Data Stream. Each record must be processed exactly once and in order. The company expects a throughput of up to 1,000 records per second. Which combination of services and configurations should the company use to meet these requirements? (Choose TWO.)

Select 2 answers
A.Use DynamoDB Streams to trigger the Lambda function for each record.
B.Use an Amazon SQS FIFO queue as the event source for the Lambda function to maintain order.
C.Configure the Kinesis Data Stream with 10 shards.
D.Use AWS Step Functions to coordinate processing of records and ensure exactly-once delivery.
E.Configure the Lambda function to process records from each shard sequentially by setting the batch size to 1.
AnswersC, E

10 shards provide sufficient throughput and each shard maintains record order.

Why this answer

Option C is correct because with a throughput of 1,000 records per second, a Kinesis Data Stream with 10 shards provides the necessary capacity (each shard supports up to 1,000 records/second for ingestion and 2 MB/s for reads). This shard count ensures the stream can handle the peak load without throttling, while maintaining the ordering guarantee within each shard.

Exam trap

The trap here is that candidates often assume Step Functions can enforce exactly-once delivery, but Step Functions is a state machine orchestrator and does not provide data-level deduplication; exactly-once processing must be implemented at the application layer with idempotent consumers.

382
MCQmedium

A company is designing a new microservices architecture on Amazon ECS with Fargate. The services need to communicate with each other securely. The company wants to use service discovery so that services can find each other using DNS names. Which AWS service should the company use?

A.AWS PrivateLink with VPC endpoint services.
B.Amazon Route 53 private hosted zones with DNS records for each service.
C.AWS Cloud Map with namespaces and service instances.
D.Elastic Load Balancing with internal load balancers for each service.
AnswerC

Cloud Map is designed for service discovery in microservices.

Why this answer

Option C is correct because AWS Cloud Map provides service discovery for ECS services, allowing them to register and discover each other via DNS or API calls. Option A is wrong because Route 53 private hosted zones can be used but Cloud Map is specifically designed for service discovery. Option B is wrong because ELB is for load balancing, not service discovery.

Option D is wrong because VPC endpoints are for accessing AWS services privately, not for service discovery.

383
MCQmedium

A company is designing a new microservices architecture on AWS. They need to ensure that services can communicate asynchronously without direct coupling. Which AWS service should they use to decouple the services?

A.AWS Step Functions
B.Amazon SNS
C.Amazon SQS
D.Amazon Kinesis
AnswerC

SQS provides a message queue for asynchronous decoupling.

Why this answer

Amazon SQS is the correct choice because it provides a fully managed message queue that enables asynchronous communication between microservices, allowing them to send, store, and receive messages without direct coupling. Services can poll or receive messages from the queue at their own pace, ensuring that the producer and consumer are decoupled and can operate independently, even if one is temporarily unavailable.

Exam trap

The trap here is that candidates often confuse Amazon SNS (pub/sub) with Amazon SQS (queue), but SNS pushes messages to subscribers and does not provide a buffer for asynchronous decoupling, whereas SQS allows services to pull messages at their own pace, which is the key requirement for decoupling.

How to eliminate wrong answers

Option A is wrong because AWS Step Functions is a serverless orchestration service that coordinates multiple AWS services into a workflow, but it does not inherently decouple services asynchronously; it tightly couples the execution flow and is not a message queue. Option B is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers, which still requires subscribers to be active and does not provide a buffer for asynchronous decoupling like a queue does. Option D is wrong because Amazon Kinesis is designed for real-time streaming data ingestion and processing, not for simple asynchronous decoupling of microservices; it introduces complexity with shards and retention periods that are unnecessary for basic decoupling needs.

384
Multi-Selecthard

A company is designing a multi-region disaster recovery solution for a critical application running on Amazon EC2. The application uses an Amazon Aurora MySQL database. The RTO is 15 minutes and RPO is 1 minute. Which THREE steps should the solutions architect take to meet these requirements?

Select 3 answers
A.Pre-provision EC2 instances in the DR region with the application code and configuration.
B.Use Route 53 health checks with failover routing policy to direct traffic to the DR region.
C.Configure a cross-region read replica in the DR region and promote it during failover.
D.Take frequent snapshots of the Aurora cluster and copy them to the DR region.
E.Use Amazon Aurora Global Database for replication to the DR region.
AnswersA, B, E

Ensures compute capacity is ready for failover.

Why this answer

Options B, D, and E are correct. Aurora Global Database provides replication with RPO of seconds and failover in minutes. Pre-provisioning standby instances in the DR region ensures capacity.

Using Route 53 health checks with failover routing allows automatic DNS failover. Option A is incorrect because restoring from snapshots takes longer than 15 minutes. Option C is incorrect because cross-region read replicas do not automatically failover; manual promotion required.

385
Multi-Selecthard

A company is designing a new data lake on AWS. The data lake will store raw data from various sources in Amazon S3. The data will be processed using AWS Glue ETL jobs and queried using Amazon Athena. To optimize costs and performance, which three practices should the solutions architect implement?

Select 3 answers
A.Store data in JSON format for flexibility.
B.Compress data using Snappy or Gzip compression.
C.Use columnar storage formats such as Parquet or ORC.
D.Store data in many small files to improve parallel processing.
E.Partition the data by date and other high-cardinality columns.
AnswersB, C, E

Compression reduces storage and scan costs.

Why this answer

Partitioning data in S3 reduces the amount of data scanned by Athena. Using columnar formats like Parquet improves query performance and reduces scan costs. Compressing data reduces storage costs and I/O.

Option A, C, and E are correct. Option B is wrong because JSON is not columnar. Option D is wrong because using many small files increases overhead.

386
MCQmedium

A company is migrating a legacy monolithic application to AWS. The application currently runs on a single server and uses a MySQL database. The company wants to decouple the application into microservices while minimizing changes to the existing code. Which design approach is MOST cost-effective and requires the least code changes?

A.Deploy the application on AWS Elastic Beanstalk and use Amazon RDS for MySQL
B.Refactor the application into AWS Lambda functions using an API Gateway
C.Use AWS App Runner for the existing application and add new microservices as separate App Runner services with a sidecar pattern
D.Containerize the application using Docker and run it on Amazon ECS with AWS Fargate, using Amazon RDS for MySQL
AnswerC

App Runner allows running containerized applications with minimal configuration. The sidecar pattern enables adding microservices without altering the existing application code.

Why this answer

Using AWS App Runner with a sidecar pattern allows the existing application to run with minimal changes while adding microservices. Option A (refactoring to Lambda) requires significant code changes. Option B (using ECS with Fargate) involves containerization and orchestration.

Option D (using Elastic Beanstalk) is simpler but does not inherently decouple into microservices.

387
MCQhard

A financial services company is designing a highly available architecture for a critical application on AWS. The application runs on EC2 instances and uses an Oracle database. The database must be resilient to an Availability Zone failure and must have automated failover. Which database solution meets these requirements?

A.Use Amazon Aurora (MySQL-compatible) with Multi-AZ.
B.Use Amazon RDS for Oracle with a Read Replica in another AZ.
C.Deploy Oracle on EC2 in two Availability Zones and use asynchronous replication.
D.Use Amazon RDS for Oracle with Multi-AZ deployment.
AnswerD

RDS Multi-AZ provides automatic failover and synchronous standby.

Why this answer

Option B is correct because Amazon RDS Multi-AZ for Oracle provides automatic failover to a standby in another AZ. Option A is incorrect because Multi-AZ for RDS uses synchronous replication, not asynchronous. Option C is incorrect because Read Replica does not handle failover automatically.

Option D is incorrect because Amazon Aurora is not Oracle-compatible.

388
MCQhard

A financial services company is designing a new application that processes sensitive transactions. The application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application writes transaction logs to an Amazon EFS file system. The company needs to ensure that the logs are encrypted at rest using a customer-managed AWS KMS key. Additionally, the logs must be retained for 7 years and should not be accessible after that period. Which solution meets the encryption and retention requirements?

A.Store logs directly in Amazon S3 with default encryption. Use an S3 Lifecycle policy to delete objects older than 7 years.
B.Enable encryption at rest on the EFS file system using a customer-managed KMS key. Use a Lambda function to copy logs to Amazon S3 and apply an S3 Lifecycle policy to expire objects after 7 years.
C.Use Amazon CloudWatch Logs to stream logs from the application and set a retention policy of 7 years. Enable encryption using a customer-managed KMS key.
D.Enable encryption at rest on the EFS file system using an AWS managed key. Use a cron job on the EC2 instances to delete logs older than 7 years.
AnswerB

EFS encryption with customer KMS key meets encryption requirement; S3 Lifecycle enforces retention.

Why this answer

Option B is correct because EFS supports encryption at rest with a customer-managed KMS key, and S3 Lifecycle policies with expiration can enforce deletion after a specific period. Option A: EBS encryption is for block storage, not for EFS. Option C: CloudWatch Logs is for real-time logs, not for long-term archival.

Option D: S3 with default encryption uses S3-managed keys, not customer-managed KMS keys.

389
Multi-Selectmedium

A company is designing a new microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. Which THREE mechanisms can be used for service-to-service communication? (Choose THREE.)

Select 3 answers
A.Amazon SQS queues between services
B.Amazon API Gateway as a front end
C.Application Load Balancer (ALB) as a service mesh
D.AWS Cloud Map service discovery
E.Amazon DynamoDB as a communication channel
AnswersB, C, D

API Gateway can route to internal services.

Why this answer

Options A, B, and C are correct because service discovery, ALB, and API Gateway are common patterns for service communication. Option D is incorrect because SQS is for asynchronous messaging, not direct communication. Option E is incorrect because DynamoDB is a database, not a communication mechanism.

390
Multi-Selecteasy

A company is designing a new VPC for a web application that must be accessible from the internet. The application will run on EC2 instances in private subnets. Which TWO components are required to allow the EC2 instances to access the internet for updates?

Select 2 answers
A.A route table in the private subnet with a default route pointing to the NAT Gateway
B.An Internet Gateway attached to the VPC
C.A NAT Gateway in a public subnet
D.VPC Flow Logs
E.A virtual private gateway
AnswersA, C

The route table directs traffic to the NAT Gateway.

Why this answer

Option A is correct because a route table in the private subnet with a default route (0.0.0.0/0) pointing to a NAT Gateway is required to direct outbound internet traffic from the EC2 instances to the NAT Gateway. The NAT Gateway then forwards this traffic to the Internet Gateway, enabling the instances to download updates while remaining inaccessible from the internet.

Exam trap

The trap here is that candidates often assume an Internet Gateway alone suffices for all internet access, forgetting that instances in private subnets require a NAT device (NAT Gateway or NAT Instance) to translate their private IPs for outbound traffic.

391
MCQmedium

A company is designing a new application that will process streaming data from IoT devices. They need to ingest data in real time and apply transformations before storing it in Amazon S3. Which AWS service should they use?

A.Amazon Kinesis Data Firehose
B.Amazon SQS
C.Amazon Kinesis Data Analytics
D.AWS Lambda
AnswerC

Kinesis Data Analytics processes streaming data in real time.

Why this answer

Amazon Kinesis Data Analytics (now part of Amazon Managed Service for Apache Flink) is the correct choice because the question explicitly requires applying transformations to streaming data in real time before storing it in Amazon S3. Kinesis Data Analytics allows you to run SQL or Apache Flink applications directly on streaming data to perform transformations, aggregations, and filtering, and then output the results to a destination like Amazon S3 via Kinesis Data Firehose.

Exam trap

The trap here is that candidates often confuse Kinesis Data Firehose's ability to deliver data to S3 with the need for real-time transformations, overlooking that Firehose only supports basic transformations and not the complex, stateful stream processing that Kinesis Data Analytics provides.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Firehose is a delivery service that can load streaming data into S3, but it only supports basic transformations (e.g., Lambda-based or built-in data format conversion) and cannot perform complex, real-time analytics or multi-step transformations natively. Option B is wrong because Amazon SQS is a message queue service for decoupling application components; it does not provide real-time data processing or transformation capabilities, nor does it directly integrate with S3 for streaming ingestion. Option D is wrong because AWS Lambda can process streaming data but is not designed for continuous, stateful stream processing; it has a maximum execution timeout of 15 minutes and is better suited for event-driven, short-lived tasks rather than persistent real-time transformations on unbounded streams.

392
MCQmedium

A company is designing a new application that requires a relational database. The application has variable workloads with predictable spikes. The company wants to minimize costs while ensuring that the database can handle the spikes. Which Amazon RDS feature should the company use?

A.RDS Storage Auto Scaling
B.Read Replicas
C.RDS Proxy
D.Multi-AZ deployment
AnswerA

Storage Auto Scaling automatically increases storage when needed, but for compute spikes, use RDS Auto Scaling for instance scaling (if using Aurora). Actually, for RDS, use RDS Auto Scaling with Aurora or provisioned IOPS. But for standard RDS, use RDS Storage Auto Scaling. However, for compute spikes, use Aurora Auto Scaling. The best answer is RDS with Auto Scaling (compute) for Aurora. Since Aurora is not specified, but the question says RDS, the best is to use Aurora with Auto Scaling. Option C is correct if we interpret as Aurora Auto Scaling.

Why this answer

Option C is correct because RDS Auto Scaling automatically adjusts storage or compute capacity based on demand. Option A is for disaster recovery. Option B provides high availability but does not handle variable workloads.

Option D is for global scaling.

393
MCQhard

A company is designing a new application that must meet PCI DSS compliance requirements. The application will process credit card transactions and store encrypted data. Which AWS service should be used to manage the encryption keys?

A.AWS CloudHSM
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.Amazon S3 server-side encryption (SSE-S3)
AnswerA

Dedicated HSM for compliance with PCI DSS.

Why this answer

Option D is correct because AWS CloudHSM provides dedicated hardware security modules (HSMs) that meet PCI DSS requirements for key management. Option A (SSE-S3) is for S3. Option B (KMS) is managed but not dedicated HSM.

Option C (Secrets Manager) is for secrets, not encryption keys.

394
MCQmedium

A company is deploying a containerized application on Amazon ECS with Fargate. The application needs to store session state data that must be highly available and low latency. The data is accessed frequently and can be recreated if lost. Which storage solution should the solutions architect recommend?

A.Store session state in Amazon DynamoDB.
B.Store session state in Amazon S3.
C.Store session state in Amazon ElastiCache for Redis.
D.Store session state in Amazon EFS.
AnswerC

ElastiCache for Redis provides ultra-low latency in-memory storage, ideal for session state that can be recreated.

Why this answer

Option D is correct because ElastiCache for Redis provides in-memory storage with low latency and high availability. Session state can be recreated if lost. Option A is incorrect because S3 has higher latency and is not designed for low-latency session storage.

Option B is incorrect because DynamoDB is durable and over-provisioned for this use case; it's also more expensive. Option C is incorrect because EFS is file storage and has higher latency for in-memory session state.

395
MCQhard

A startup is designing a data lake on AWS using Amazon S3. They expect to ingest hundreds of terabytes of data from IoT devices daily. Data is in JSON format and will be queried using Amazon Athena. Which combination of actions will optimize query performance and minimize costs?

A.Store data as gzip-compressed JSON in S3, partition by device_id, and use Athena with compression.
B.Convert data to Parquet, partition by date, and use S3 Intelligent-Tiering.
C.Convert data to Parquet format, partition by year/month/day, and use S3 Standard storage.
D.Store data as Parquet in S3 Glacier Deep Archive, unpartitioned, and query with Athena.
AnswerB

Parquet reduces scan, partitioning limits data, Intelligent-Tiering optimizes cost.

Why this answer

Option D is correct because partitioning by date reduces scanned data, Parquet is columnar and compressed, and S3 Intelligent-Tiering optimizes costs. Option A is incorrect because Gzip is not as efficient as Parquet. Option B is incorrect because partitioning by device_id creates too many small partitions.

Option C is incorrect because Glacier retrieval costs are high for frequent queries.

396
MCQhard

Refer to the exhibit. A company has an S3 bucket policy that requires server-side encryption with AES256 for all objects uploaded. However, users can still upload objects without encryption. What is the MOST likely reason?

A.S3 bucket policies cannot enforce encryption; you must use bucket default encryption
B.The condition key is incorrect; it should be s3:x-amz-server-side-encryption-aws-kms-key-id
C.The policy does not apply to objects uploaded using AWS KMS managed keys
D.The policy does not deny requests that omit the encryption header
AnswerD

If no encryption header is present, the condition evaluates to false, so Deny does not apply.

Why this answer

Option C is correct because the policy has a Deny with a condition but also an Allow with the same condition. The Allow statement effectively overrides the Deny because the Deny only applies when encryption is not AES256, but the Allow applies when encryption is AES256. However, the issue is that the Deny statement is not denying all non-compliant uploads because the Allow statement is too permissive.

Actually, the correct interpretation: The Deny statement denies PutObject when encryption is not AES256. The Allow statement allows PutObject when encryption is AES256. However, without the Allow, the default is implicit deny.

The Allow statement is redundant but not harmful. The problem might be that the policy is missing a condition to also require encryption for existing objects? But the real issue is that the policy does not deny requests that do not include the encryption header at all. The condition "StringNotEquals" only matches when the header is present but not equal to AES256.

If no encryption header is present, the condition evaluates to true because the value is not present? Actually, if the header is missing, the condition key does not exist, and the condition evaluates to false. So the Deny does not apply when no encryption header is present. Therefore, users can upload without encryption.

Option C correctly identifies this: the policy does not deny requests that omit the encryption header. Option A is incorrect because bucket policy can enforce encryption. Option B is incorrect because the condition is correct.

Option D is incorrect because AWS managed keys are not relevant.

397
Multi-Selectmedium

A company is designing a new serverless application using AWS Lambda. The application must process files uploaded to an S3 bucket. Each file can be up to 1 GB in size. The processing time for each file is expected to be up to 15 minutes. The company wants to minimize cost and operational overhead. Which TWO configuration choices should the company make? (Choose TWO.)

Select 2 answers
A.Mount an Amazon EFS file system to the Lambda function for temporary storage.
B.Use S3 event notifications to send the file content directly to Lambda.
C.Extend the Lambda function timeout to 30 minutes.
D.Configure S3 to send event notifications to the Lambda function.
E.Set the Lambda function timeout to 15 minutes.
AnswersD, E

S3 can trigger Lambda directly via event notifications when a new object is created, which is a simple and cost-effective integration.

Why this answer

The correct answers are A and C. Option A is correct because Lambda's maximum execution timeout is 15 minutes, which meets the processing time requirement. Option C is correct because using S3 event notifications to invoke Lambda directly is a simple, cost-effective integration.

Option B is wrong because Lambda has a maximum payload size of 128 KB for synchronous invocation, but for S3 events, the payload size limit is 128 KB; however, the file itself is stored in S3, and Lambda reads it using the S3 API, so the 1 GB file is not passed as an event payload. The event notification contains only metadata. Option D is wrong because Lambda does not support mounting EFS by default in all regions; it requires a VPC configuration and is not needed here.

Option E is wrong because extending Lambda timeout to 30 minutes is not possible as the maximum is 15 minutes.

398
MCQeasy

A Solutions Architect is reviewing the CloudFormation template snippet shown in the exhibit. What will happen when this template is deployed?

A.The template will create an S3 bucket with versioning enabled.
B.The template will create an S3 bucket with a random name.
C.The template will fail because the bucket name is not globally unique.
D.The template will create an S3 bucket with versioning disabled.
AnswerA

The template creates a bucket with versioning enabled.

Why this answer

The template creates an S3 bucket with versioning enabled. The bucket name is specified, and versioning is enabled via the VersioningConfiguration property.

399
MCQmedium

A company is designing a new application that will store sensitive user data in Amazon S3. Compliance requirements mandate that all data must be encrypted at rest using a key that is managed by the company and rotated automatically every year. Which solution meets these requirements?

A.Use S3 server-side encryption with AWS KMS customer managed keys (SSE-KMS) and enable automatic key rotation.
B.Use client-side encryption with the AWS SDK.
C.Use S3 server-side encryption with customer-provided keys (SSE-C).
D.Use S3 server-side encryption with S3 managed keys (SSE-S3).
AnswerA

Customer managed keys can be rotated automatically yearly.

Why this answer

SSE-KMS with a customer managed key (CMK) allows the company to control the key and enable automatic yearly rotation (option D). Option A (SSE-S3) uses AWS-managed keys. Option B (SSE-C) requires the company to manage keys outside AWS.

Option C (client-side) stores keys client-side.

400
Multi-Selecthard

A company is building a data analytics pipeline. Raw data is ingested into an Amazon S3 bucket. The data must be transformed and loaded into Amazon Redshift for analysis. The pipeline must handle late-arriving data and ensure data consistency. Which THREE AWS services should the company use?

Select 3 answers
A.Amazon Kinesis Data Analytics
B.AWS Lambda
C.Amazon EMR
D.AWS Glue
E.Amazon Redshift
AnswersB, D, E

Lambda can trigger on S3 events for late-arriving data.

Why this answer

AWS Glue catalogs and transforms data, S3 stores raw data, and AWS Lambda can handle late-arriving data triggers. Option B (Kinesis Data Analytics) is for streaming. Option D (EMR) is for big data processing but adds complexity.

Option E (RDS) is not suitable for analytics.

401
MCQhard

A company is migrating a legacy application to AWS. The application requires a shared file system that can be mounted by hundreds of EC2 instances across multiple Availability Zones. The file system must provide high throughput and low latency. Which storage solution meets these requirements?

A.Use Amazon EBS with a multi-attach enabled volume.
B.Use Amazon EFS with provisioned throughput.
C.Use Amazon S3 with S3 File Gateway to present as a file system.
D.Use Amazon FSx for Windows File Server with a single file system.
AnswerB

EFS provides a shared NFS file system that scales throughput and is accessible across AZs.

Why this answer

Amazon EFS is a scalable, NFS-based file system that can be mounted by many EC2 instances across AZs and provides high throughput. Option B is correct. Option A is wrong because S3 is object storage, not a file system.

Option C is wrong because EBS volumes can only be attached to a single instance in one AZ. Option D is wrong because FSx for Windows File Server is designed for Windows workloads, not general Linux file sharing.

402
MCQeasy

A company wants to migrate an on-premises relational database to Amazon RDS for MySQL with minimal downtime. The database is 500 GB in size. Which AWS service should be used for the initial data load and ongoing replication?

A.Use AWS Snowball to transfer the database files to RDS.
B.Use an RDS read replica from the on-premises database.
C.Use AWS Database Migration Service (DMS) with ongoing replication.
D.Export the database to Amazon S3 and import into RDS.
AnswerC

DMS supports full load and CDC replication with minimal downtime.

Why this answer

Option B is correct. AWS Database Migration Service (DMS) can perform a full load and then ongoing replication using change data capture (CDC) to minimize downtime. Option A is incorrect because RDS does not support native replication from on-premises.

Option C is incorrect because S3 is for storage, not database migration. Option D is incorrect because Snowball is for offline data transfer, not ongoing replication.

403
MCQeasy

A company is running a web application on AWS Elastic Beanstalk with an Auto Scaling group behind an Application Load Balancer. The application stores session state in an Amazon DynamoDB table. During a traffic spike, the application becomes slow and some users are logged out unexpectedly. The operations team notices that the DynamoDB table's read capacity utilization is consistently at 100%. The company needs to improve the performance of the session store without over-provisioning capacity. Which solution should be implemented?

A.Migrate the session store from DynamoDB to Amazon ElastiCache Memcached.
B.Increase the read capacity units (RCU) of the DynamoDB table to handle peak traffic.
C.Move session state to Amazon SQS and have the application poll the queue.
D.Implement Amazon DynamoDB Accelerator (DAX) as a caching layer for the session store.
AnswerD

DAX provides an in-memory cache that reduces read latency and offloads read capacity from the DynamoDB table.

Why this answer

Option D is correct because DynamoDB Accelerator (DAX) provides an in-memory cache for DynamoDB, reducing read latency and offloading read capacity, without over-provisioning. Option A: Increasing read capacity manually is not scalable and still may not handle spikes. Option B: ElastiCache Memcached can be used as a session store, but it requires application changes; also it does not directly address the DynamoDB read issue.

Option C: SQS is not a session store.

404
Multi-Selecthard

A company is designing a serverless data processing pipeline using AWS Lambda. The pipeline processes data from an Amazon Kinesis Data Stream. The Lambda function has a memory limit of 512 MB and a timeout of 5 minutes. The data volume is expected to increase significantly. Which TWO strategies should the company implement to improve throughput and reduce processing latency? (Choose TWO.)

Select 3 answers
A.Increase the number of shards in the Kinesis data stream
B.Increase the batch size in the event source mapping
C.Change the data source from Kinesis to an Amazon SQS queue
D.Increase the Lambda function memory to 1024 MB
E.Increase the Lambda function's reserved concurrency to a higher value
AnswersA, B, D

More shards allow more Lambda executions in parallel, improving throughput.

Why this answer

Increasing the number of shards increases parallelism. Using a larger batch size reduces the number of Lambda invocations. Option A (increase memory) may improve performance but each invocation still processes one batch.

Option C (concurrent executions limit increase) is not needed if the account limit is not hit. Option D (change to SQS) changes the architecture.

405
Multi-Selectmedium

A company is designing a new serverless application that uses AWS Lambda, Amazon DynamoDB, and Amazon API Gateway. The application must handle burst traffic and cannot lose any data. The company wants to use a dead-letter queue (DLQ) for failed Lambda invocations. Which TWO services can be used as a DLQ for Lambda? (Choose two.)

Select 2 answers
A.Amazon DynamoDB Streams
B.Amazon SNS
C.Amazon Kinesis Data Streams
D.Amazon SQS
E.Amazon Simple Email Service (SES)
AnswersB, D

Lambda can use SNS as a DLQ for asynchronous invocations.

Why this answer

Amazon SNS and Amazon SQS are the two supported destinations for Lambda's dead-letter queue (DLQ) configuration. When a Lambda invocation fails synchronously or asynchronously, the event can be redirected to an SNS topic or an SQS queue for later reprocessing or analysis. This ensures no data is lost during burst traffic, as failed events are persisted in the DLQ.

Exam trap

The trap here is that candidates often confuse Lambda's event sources (like DynamoDB Streams or Kinesis) with supported DLQ destinations, but Lambda only allows SQS and SNS as DLQ targets for asynchronous invocations.

406
MCQmedium

A company is designing a multi-tier web application on AWS. They want to ensure that the web tier can scale automatically based on CPU utilization. Which AWS service should they use?

A.Amazon CloudFront
B.Amazon Route 53
C.Auto Scaling groups
D.Elastic Load Balancing
AnswerC

Auto Scaling can scale EC2 instances based on metrics.

Why this answer

Option A is correct because Auto Scaling groups can automatically adjust capacity based on CloudWatch alarms. Option B is wrong because Elastic Load Balancing distributes traffic but does not scale. Option C is wrong because CloudFront is a CDN.

Option D is wrong because Route 53 is DNS.

407
Multi-Selecteasy

A company is designing a new web application that will run on EC2 instances behind an Application Load Balancer (ALB). The application must be highly available across multiple Availability Zones. The company wants to ensure that if an EC2 instance fails, the load balancer stops sending traffic to it. Which two steps should the architect take? (Choose TWO.)

Select 2 answers
A.Use a Network Load Balancer instead of an ALB
B.Use an Application Load Balancer with a single target group
C.Configure a health check on the ALB for the target group
D.Use an Auto Scaling group with a minimum of two instances across two Availability Zones
E.Launch all EC2 instances in a single Availability Zone
AnswersC, D

Health checks allow ALB to detect unhealthy instances and stop routing traffic.

Why this answer

Options A and D are correct. Configuring a health check on the ALB ensures the load balancer can detect unhealthy instances and stop sending traffic. Using an Auto Scaling group with a minimum of two instances across multiple AZs ensures high availability and replacement of failed instances.

Option B is wrong because using only one AZ does not provide multi-AZ high availability. Option C is wrong because a Network Load Balancer is for TCP traffic, not HTTP. Option E is wrong because an ALB is needed for HTTP traffic.

408
MCQmedium

Refer to the exhibit. A solutions architect runs this CLI command but receives an error: 'Unknown options: --query'. What is the most likely cause?

A.The --filters parameter is incorrectly formatted.
B.The --query parameter is used without specifying --output.
C.The tag value is missing.
D.The AWS CLI version is outdated.
AnswerB

--query requires --output to be set.

Why this answer

Option B is correct. The --query parameter is not supported by the ec2 describe-instances command in the default output format; it requires the --output json or --output table option to be specified first. Option A is wrong because the command syntax is correct.

Option C is wrong because the filter is valid. Option D is wrong because the output table is specified.

409
MCQhard

A company is designing a serverless application using AWS Lambda functions that process messages from an Amazon SQS queue. The Lambda function sometimes experiences throttling, causing messages to be sent to the dead-letter queue (DLQ). The company wants to minimize throttling and ensure that messages are processed in order. What should the solutions architect do?

A.Use a standard SQS queue and configure a Lambda function with a higher concurrency limit.
B.Use an SQS FIFO queue with provisioned concurrency on the Lambda function.
C.Increase the batch size in the Lambda event source mapping and use a standard queue.
D.Use a FIFO SQS queue and configure the Lambda function with reserved concurrency.
AnswerD

FIFO queues preserve order. Reserved concurrency prevents throttling by ensuring enough capacity.

Why this answer

Option B is correct. To process messages in order, you need a FIFO queue. Lambda with reserved concurrency ensures it doesn't throttle.

Option A is incorrect because standard queues do not guarantee order. Option C is incorrect because increasing batch size does not prevent throttling; reserved concurrency does. Option D is incorrect because provisioned concurrency is for Lambda functions, not queues.

410
MCQmedium

A company is designing a data lake on AWS using Amazon S3. They need to run SQL queries on the data without moving it to a separate database. Which AWS service should they use?

A.Amazon EMR
B.Amazon Athena
C.Amazon Redshift
D.AWS Glue
AnswerB

Athena allows serverless SQL queries on S3.

Why this answer

Option D is correct because Amazon Athena allows serverless SQL queries directly on S3 data. Option A is wrong because Redshift is a data warehouse, requires loading data. Option B is wrong because EMR is for big data processing.

Option C is wrong because Glue is an ETL service.

411
MCQhard

A company is designing a new application that will run on Amazon EKS. The application requires persistent storage that can be accessed by multiple pods simultaneously. The storage must be highly available and durable. Which storage solution should be used?

A.Amazon EFS with One Zone storage classes
B.Amazon EBS with gp3 volume type
C.Amazon S3 with Mountpoint for S3
D.Amazon FSx for Lustre
AnswerA

EFS provides a shared file system for multiple pods.

Why this answer

Option C is correct because Amazon EFS provides a shared file system that can be mounted by multiple pods concurrently, with high availability and durability. Option A is incorrect because EBS volumes can only be attached to a single EC2 instance, not multiple pods. Option B is incorrect because S3 is object storage, not file system.

Option D is incorrect because FSx for Lustre is optimized for high-performance computing, not general shared storage.

412
Multi-Selectmedium

A company is designing a new disaster recovery (DR) strategy for its critical applications. The DR plan must achieve a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 minute. The applications run on Amazon EC2 instances with Amazon EBS volumes. Which THREE actions should the company take to meet these requirements? (Choose three.)

Select 3 answers
A.Configure Amazon RDS Multi-AZ deployments.
B.Use a single Availability Zone for EC2 instances to simplify failover.
C.Implement a Pilot Light strategy by replicating data to a secondary region and launching resources on failover.
D.Store backups in Amazon S3 Glacier.
E.Use Amazon EBS cross-region snapshot copy to replicate data.
AnswersA, C, E

Multi-AZ provides automatic failover with RTO typically under 1 minute and RPO of seconds.

Why this answer

Option A is correct because Amazon RDS Multi-AZ deployments provide synchronous replication to a standby instance in a different Availability Zone, enabling automatic failover with an RTO typically under 1-2 minutes and an RPO of effectively zero, which meets the 15-minute RTO and 1-minute RPO requirements for the database tier.

Exam trap

The trap here is that candidates often confuse Pilot Light with Warm Standby or Multi-Site, and may incorrectly assume that using a single AZ or Glacier backups can meet aggressive RTO/RPO targets, when in fact they introduce unacceptable latency or single points of failure.

413
MCQeasy

A company wants to serve static content (images and videos) to users worldwide with low latency. The content is stored in an Amazon S3 bucket. What is the most cost-effective solution?

A.Use AWS Global Accelerator with endpoints pointing to the S3 bucket.
B.Deploy EC2 instances in multiple Regions and use a load balancer.
C.Use Amazon CloudFront with the S3 bucket as the origin.
D.Host the content directly from the S3 bucket and use S3 Transfer Acceleration.
AnswerC

CloudFront caches content at edge locations, reducing latency and data transfer costs.

Why this answer

Option C is correct because Amazon CloudFront is a CDN that caches content at edge locations, reducing latency and cost for data transfer. Option A is wrong because S3 alone does not provide edge caching. Option B is wrong because Global Accelerator improves network path but does not cache content.

Option D is wrong because EC2 instances would require management and scaling.

414
Multi-Selecthard

A company is designing a high-performance computing (HPC) workload on AWS. The workload requires tightly coupled inter-node communication with low latency and high bandwidth. Which THREE services or features should the architect consider to meet these requirements? (Choose three.)

Select 3 answers
A.EC2 instances with enhanced networking and high-throughput (e.g., p4d, p3dn)
B.VPC peering between multiple VPCs
C.AWS Global Accelerator
D.Placement Groups (Cluster Placement Group)
E.Elastic Fabric Adapter (EFA)
AnswersA, D, E

These instance types offer high network bandwidth and EFA support.

Why this answer

Options A, C, and D are correct. A: Elastic Fabric Adapter (EFA) provides low-latency, high-bandwidth communication for HPC. C: Placement Groups with cluster placement ensure instances are physically close for low network latency.

D: Instance types like p4d or p3dn with enhanced networking offer high throughput. Option B is wrong because AWS Global Accelerator is for internet-facing traffic, not inter-node communication. Option E is wrong because VPC peering is for connecting VPCs, not for intra-VPC communication performance.

415
MCQeasy

A startup is designing a new web application that will be hosted on AWS. The application consists of a static frontend and a backend API. The frontend is built with React and the backend is a RESTful API built with Node.js. The startup expects low traffic initially but wants to be able to scale to millions of users. The team wants to minimize operational overhead and cost. Which architecture should they use?

A.Host the frontend and backend on a single EC2 instance using Amazon Lightsail.
B.Host the frontend on Amazon S3 with static website hosting and the backend as AWS Lambda functions behind Amazon API Gateway.
C.Host the frontend on EC2 instances behind an ALB and the backend on EC2 instances behind another ALB.
D.Host the frontend on S3 and the backend on Amazon Elastic Beanstalk with a load balancer.
AnswerB

Serverless architecture minimizes operational overhead and scales automatically.

Why this answer

Option B is correct. S3 for static hosting and API Gateway with Lambda provides a serverless, scalable solution with low overhead. Option A is wrong because EC2 requires management.

Option C is wrong because Lightsail has limited scalability. Option D is wrong because Elastic Beanstalk has more overhead than serverless.

416
MCQeasy

A company wants to build a serverless backend for a mobile application. The backend provides user authentication, a REST API for data access, and stores data in a NoSQL database. The company expects the application to have unpredictable traffic, and wants to minimize costs. Which solution should a Solutions Architect recommend?

A.Use IAM for authentication, EC2 instances behind an ALB for the API, and DynamoDB for the database.
B.Use Amazon Cognito for authentication, API Gateway with Lambda for the API, and Amazon DynamoDB for the database.
C.Use Amazon Cognito for authentication, API Gateway with Lambda for the API, and Amazon RDS for the database.
D.Use Amazon Cognito for authentication, API Gateway with Lambda for the API, and Amazon S3 for the database.
AnswerB

All services are serverless, fully managed, and scale automatically; DynamoDB is NoSQL.

Why this answer

Option B is correct because Cognito provides authentication, API Gateway + Lambda provides serverless API, and DynamoDB is a NoSQL database that scales automatically. Option A is wrong because RDS is relational, not NoSQL. Option C is wrong because EC2 instances are not serverless.

Option D is wrong because S3 is not a database; it can store data but not suitable for transactional data access.

417
MCQmedium

A company is designing a data lake on AWS using Amazon S3. They need to query the data using standard SQL without moving it to a separate analytics store. Which AWS service should they use?

A.Amazon Athena
B.AWS Glue
C.Amazon QuickSight
D.Amazon Redshift Spectrum
AnswerA

Athena is serverless, queries S3 directly with SQL.

Why this answer

Option C is correct because Amazon Athena allows querying data directly in S3 using standard SQL. Option A (Redshift Spectrum) also queries S3 but requires Redshift cluster. Option B (Glue) is for ETL, not querying.

Option D (QuickSight) is for visualization.

418
MCQmedium

A company has an S3 bucket with server-side encryption using S3-Managed Keys (SSE-S3). The IAM policy shown in the exhibit is attached to a user. When the user attempts to download an object using the AWS CLI with no encryption headers, the request fails. What is the MOST likely reason?

A.The object is encrypted with SSE-KMS, not SSE-S3.
B.The user does not have the s3:GetObject permission.
C.The bucket has a bucket policy that denies all requests.
D.The policy condition requires the encryption header in the request.
AnswerD

The condition 's3:x-amz-server-side-encryption': 'AES256' requires the request to include that header.

Why this answer

The policy requires that the request include the encryption header 'x-amz-server-side-encryption: AES256'. SSE-S3 uses AES256, but the condition requires the header to be present in the request. Without the header, the request does not satisfy the condition.

Option B is correct. Option A is wrong because the user has GetObject permission. Option C is wrong because the bucket policy does not need to match.

Option D is wrong because SSE-S3 is enabled by default.

419
MCQmedium

A company is building a serverless data processing pipeline. Data is uploaded to an S3 bucket, which triggers a Lambda function to transform the data and store the result in another S3 bucket. The Lambda function needs to access a VPC-hosted database for enrichment. What is the MOST secure way to allow the Lambda function to access the VPC resources?

A.Assign a public IP to the Lambda function and route through an Internet Gateway.
B.Configure the Lambda function to access the VPC and use a VPC endpoint for S3.
C.Use Lambda@Edge to process data at the edge location.
D.Place the Lambda function in a public subnet and use a NAT Gateway.
AnswerB

VPC access enables private connectivity to VPC resources; VPC endpoint keeps S3 traffic private.

Why this answer

Configuring Lambda to access a VPC (option C) allows it to reach VPC resources while using a VPC endpoint for S3 (option D) keeps S3 traffic within AWS network. Option A (NAT Gateway) is less secure and adds cost. Option B (Internet Gateway) exposes the function.

Option C with option D is best.

420
MCQhard

A company is designing a new real-time analytics platform that processes streaming data from IoT devices. The data must be ingested, processed with windowed aggregations, and stored in Amazon S3 for long-term analytics. The solution must handle late-arriving data and provide exactly-once processing semantics. Which combination of AWS services should the architect use?

A.Use Amazon Kinesis Data Firehose to ingest data and AWS Glue for processing.
B.Use Amazon EMR with Spark Streaming to process data from Kinesis Data Streams.
C.Use AWS Lambda to process records from Kinesis Data Streams and store in S3.
D.Use Amazon Kinesis Data Analytics for Apache Flink to process data from Kinesis Data Streams and output to S3.
AnswerD

Flink provides exactly-once processing and handles late data.

Why this answer

Kinesis Data Analytics for Apache Flink (option D) provides exactly-once processing and handles late data. Option A (Kinesis Data Firehose) does not provide exactly-once. Option B (Lambda) is not ideal for streaming analytics.

Option C (EMR) is more complex.

421
MCQhard

A company is designing a multi-region active-active application using Amazon Aurora Global Database. The application writes to a custom domain endpoint that routes to the primary cluster. To minimize write latency, the application should write to the nearest region. Which configuration should the solutions architect use?

A.Configure Aurora Global Database with multiple primary clusters, each in a different region, and use Route 53 to route writes.
B.Use Amazon DynamoDB global tables instead of Aurora Global Database, as DynamoDB supports multi-region writes.
C.Use Aurora cross-region read replicas and failover to a secondary region for writes.
D.Use Route 53 latency-based routing to direct writes to the nearest region. Each region has its own Aurora cluster.
AnswerB

DynamoDB global tables allow active-active multi-region writes. Aurora Global Database does not.

Why this answer

Option B is correct because an Aurora Global Database has one primary region and multiple secondary regions. The primary region handles all writes; secondary regions are read-only. To allow writes from multiple regions, you would need a different architecture, such as using DynamoDB global tables.

Option A is incorrect because Route 53 latency-based routing does not change the fact that only the primary cluster accepts writes. Option C is incorrect because there is only one primary cluster. Option D is incorrect because cross-region read replicas do not accept writes.

422
Multi-Selecteasy

A company is designing a new cloud-native application on AWS. The application will use a microservices architecture and requires a way to manage configuration data and secrets. Which THREE AWS services can be used to meet these requirements? (Choose THREE.)

Select 3 answers
A.AWS Secrets Manager
B.AWS Systems Manager Parameter Store
C.AWS AppConfig
D.Amazon DynamoDB
E.Amazon S3
AnswersA, B, C

Stores and rotates secrets like database credentials.

Why this answer

AWS Secrets Manager stores secrets with automatic rotation. AWS Systems Manager Parameter Store stores configuration data and secrets. AWS AppConfig manages application configuration.

Option C (DynamoDB) is a database, not a configuration store. Option E (S3) can store config files but is not as integrated for secrets.

423
MCQmedium

A company is deploying a web application on AWS. The application requires a relational database with read replicas for scaling read queries. The database must support automatic failover and be Multi-AZ. Which database solution meets these requirements?

A.Amazon DynamoDB with global tables
B.Amazon Aurora with Multi-AZ and Aurora Replicas
C.Amazon ElastiCache for Redis with replication groups
D.Amazon RDS for MySQL with Multi-AZ and Read Replicas
AnswerB, D

Aurora provides Multi-AZ with automatic failover and up to 15 Aurora Replicas for read scaling.

Why this answer

Amazon RDS for MySQL with Multi-AZ and Read Replicas provides both high availability (Multi-AZ failover) and read scaling (Read Replicas). Option A (Aurora) is also relational but is a different service. Option C (DynamoDB) is NoSQL.

Option D (ElastiCache) is in-memory cache.

424
MCQhard

A company is designing a multi-region active-active architecture for a web application using Amazon Route 53 latency-based routing. The application runs on EC2 instances in Auto Scaling groups with Application Load Balancers in each region. The application uses an Amazon Aurora global database for its data tier. The architecture must provide the lowest possible RTO and RPO for regional failures. What should the company do to meet these requirements?

A.Configure Amazon RDS for MySQL with a cross-Region read replica and automatic failover.
B.Use Route 53 health checks to detect regional failure and automatically update the Aurora Global Database endpoint.
C.Use the Aurora Global Database failover capability to promote the secondary region to primary.
D.Use Amazon RDS Multi-AZ with synchronous replication across Regions.
AnswerC

Aurora Global Database supports managed failover with low RPO/RTO.

Why this answer

Aurora Global Database has a typical RPO of 1 second and RTO of 1 minute for regional failover. Failover is initiated by promoting the secondary region's cluster to primary. Option D is correct.

Option A is wrong because failover is manual; there's no automatic failover to a cross-Region read replica. Option B is wrong because Route 53 health checks do not trigger Aurora failover. Option C is wrong because RDS Multi-AZ is for single-region HA, not multi-region.

425
MCQeasy

A company is migrating a monolithic legacy application to a microservices architecture on AWS. The application currently uses a relational database with complex joins. The migration must minimize application changes. Which database strategy should be used for the new architecture?

A.Use a separate Amazon RDS instance for each microservice.
B.Use a single Amazon RDS instance shared by all microservices.
C.Use Amazon Aurora with RDS Proxy in front of it.
D.Use Amazon DynamoDB as a shared database for all microservices.
AnswerB

Minimizes application changes by preserving the existing relational database schema and joins.

Why this answer

Option B is correct because the requirement to minimize application changes means the microservices must continue to use the same relational database with complex joins. A single shared Amazon RDS instance preserves the existing SQL queries and join logic without requiring data decomposition or API-based data access patterns, which would necessitate significant application rewrites.

Exam trap

The trap here is that candidates often assume microservices require separate databases per service (database-per-service pattern) without considering the constraint of minimizing application changes, leading them to incorrectly choose option A.

How to eliminate wrong answers

Option A is wrong because using a separate RDS instance per microservice would require decomposing the monolithic database into multiple databases, breaking existing complex joins and forcing extensive application changes to handle cross-service data access. Option C is wrong because Amazon Aurora with RDS Proxy addresses connection pooling and scalability but does not change the fundamental need to share a single database; while it could be used with a shared instance, it is not a distinct strategy that minimizes changes compared to a single RDS instance. Option D is wrong because Amazon DynamoDB is a NoSQL database that does not support complex joins; migrating to it would require rewriting all queries and data access patterns, contradicting the goal of minimizing application changes.

426
MCQhard

A company is designing a data lake on AWS using Amazon S3. The data will be ingested from various sources and must be encrypted at rest. The company requires that the encryption keys be managed by AWS and rotated automatically. Which encryption option should be used?

A.Server-side encryption with customer-provided keys (SSE-C)
B.Server-side encryption with AWS KMS managed keys (SSE-KMS)
C.Server-side encryption with S3 managed keys (SSE-S3)
D.Client-side encryption
AnswerC

SSE-S3 uses AWS-managed keys that are automatically rotated.

Why this answer

Option B is correct because SSE-S3 uses AWS-managed keys that are automatically rotated. Option A is wrong because SSE-C uses customer-provided keys. Option C is wrong because SSE-KMS uses customer-managed KMS keys.

Option D is wrong because client-side encryption is managed by the customer.

427
Multi-Selecthard

A company is designing a new CI/CD pipeline for a containerized application. They want to automatically build, test, and deploy the application to Amazon EKS. Which THREE AWS services should they use to implement this pipeline?

Select 3 answers
A.AWS CloudFormation
B.AWS CodePipeline
C.AWS CodeCommit
D.AWS CodeBuild
E.AWS CodeDeploy
AnswersB, C, D

CodePipeline orchestrates the build, test, and deploy stages.

Why this answer

AWS CodePipeline is correct because it orchestrates the CI/CD workflow by integrating with other AWS services to automate the build, test, and deployment stages. For a containerized application on Amazon EKS, CodePipeline can pull source code from CodeCommit, trigger CodeBuild to build and test the Docker image, and then deploy the image to an EKS cluster using a deployment action or a custom action. This provides a fully managed, continuous delivery pipeline that automates the entire release process.

Exam trap

The trap here is that candidates may incorrectly select AWS CodeDeploy (Option E) because they assume it supports all deployment targets, including EKS, but CodeDeploy does not natively support Kubernetes clusters; instead, EKS deployments are typically handled via CodeBuild or a custom action in CodePipeline.

428
Multi-Selectmedium

A company is designing a data lake on Amazon S3. Data is ingested from multiple sources and stored as Parquet files partitioned by date. The company needs to ensure that only authorized users can access the data, and that the data is encrypted at rest. Which TWO actions should the company take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Enable default encryption with SSE-KMS on the S3 bucket.
B.Use client-side encryption before uploading to S3.
C.Enable S3 server access logging.
D.Use a bucket ACL to grant access to the data lake.
E.Configure an S3 bucket policy that allows access only from specific IAM roles.
AnswersA, E

SSE-KMS encrypts objects at rest with managed keys.

Why this answer

Options B and D are correct. B: S3 bucket policy with IAM conditions restricts access. D: SSE-KMS provides encryption with key management.

Option A is too broad. Option C does not control access. Option E is not a primary encryption method for at-rest.

429
MCQeasy

A solutions architect is designing a web application that will run on Amazon EC2 instances behind an Application Load Balancer (ALB). The application requires that users' session data be stored and made available across all instances. Which solution is MOST cost-effective and scalable?

A.Use Amazon ElastiCache for Redis to store session data
B.Store session data on an Amazon EBS volume attached to each instance
C.Store session data in an Amazon RDS database
D.Enable sticky sessions (session affinity) on the ALB
AnswerA

Redis provides a fast, shared session store that all instances can access.

Why this answer

Amazon ElastiCache for Redis provides a distributed, in-memory cache that can store session data, is cost-effective, and scales easily. Option A (sticky sessions) couples the user to a specific instance, reducing fault tolerance. Option C (EBS) is not shared across instances.

Option D (RDS) is overkill and slower for session data.

430
Multi-Selecthard

A company is designing a new data lake on AWS using Amazon S3. The data must be encrypted at rest. Which TWO options comply with the requirement? (Choose TWO.)

Select 2 answers
A.Enable SSL/TLS for all data transfers
B.Use S3 Access Points with a bucket policy
C.Use server-side encryption with Amazon S3 managed keys (SSE-S3)
D.Use client-side encryption before uploading
E.Use server-side encryption with AWS KMS (SSE-KMS)
AnswersC, E

SSE-S3 encrypts data at rest.

Why this answer

Options A and D are correct because SSE-S3 and SSE-KMS are both server-side encryption options that encrypt data at rest. Option B is incorrect because client-side encryption is not at rest encryption; it is before sending. Option C is incorrect because SSL/TLS is for data in transit.

Option E is incorrect because S3 Access Points do not provide encryption.

431
MCQhard

A company runs a critical workload on EC2 instances in an Auto Scaling group. The application is stateless and can handle instance failures. The architect needs to ensure that the application remains available during a regional outage. What is the MOST cost-effective and resilient architecture?

A.Deploy the Auto Scaling group in a single Region with instances spread across two AZs
B.Deploy the Auto Scaling group in three Availability Zones within a single Region
C.Use an active-passive configuration with Auto Scaling groups in two Regions and Route 53 failover
D.Use an active-active configuration across two Regions with Route 53 weighted routing
AnswerC

Active-passive reduces cost; failover provides resilience.

Why this answer

A multi-Region active-passive architecture with Route 53 failover and a warm standby in the secondary region provides resilience at reasonable cost. Option A (multi-AZ within one region) does not protect against regional failure. Option C (active-active across regions) is more expensive.

Option D (single Region with spread) still vulnerable to regional failure.

432
MCQeasy

A company is designing a new application that will be deployed on EC2 instances across multiple Availability Zones. The application must be highly available and must automatically recover from instance failures. Which solution should the architect recommend?

A.Use a single EC2 instance in one AZ and a standby instance in another AZ
B.Use AWS Elastic Beanstalk with a single instance environment
C.Use AWS CloudFormation to launch a single instance in each AZ
D.Use an Auto Scaling group with a minimum of two instances across two Availability Zones
AnswerD

Auto Scaling automatically replaces failed instances and distributes across AZs.

Why this answer

Option C is correct because an Auto Scaling group with a minimum of two instances across multiple AZs ensures high availability and automatic recovery. Option A is wrong because a single instance with a standby instance is not automatic. Option B is wrong because Elastic Beanstalk with a single instance is not highly available.

Option D is wrong because CloudFormation does not manage recovery.

433
MCQhard

A company is deploying a new web application on AWS that requires a highly available and scalable architecture. The application consists of a stateless web tier and a stateful database tier. The web tier runs on Amazon EC2 instances behind an Application Load Balancer. The database tier uses Amazon Aurora MySQL. The company expects variable traffic patterns and wants to automatically scale the web tier based on CPU utilization. Additionally, the company wants to ensure that the database can handle increased read traffic without manual intervention. Which combination of actions should the company take?

A.Use an Auto Scaling group with a target tracking scaling policy based on CPU utilization. Enable Aurora Auto Scaling to add read replicas based on CPU or connections.
B.Use an Auto Scaling group with a target tracking scaling policy based on CPU utilization. Use Amazon SQS to queue read requests during peak traffic.
C.Use an Auto Scaling group with a simple scaling policy based on CPU utilization. Use DynamoDB Auto Scaling for the database.
D.Use an Auto Scaling group with a step scaling policy based on CPU utilization. Use ElastiCache Auto Scaling to add cache nodes for read traffic.
AnswerA

Auto Scaling scales web tier; Aurora Auto Scaling scales read capacity automatically.

Why this answer

Option D is correct because Auto Scaling based on CPU utilization scales the web tier, and Aurora Auto Scaling adds read replicas automatically. Option A: DynamoDB is not the database; the question specifies Aurora. Option B: ElastiCache is not the database; it's a cache.

Option C: SQS does not scale the web tier.

434
Multi-Selectmedium

A company is designing a new application that will run on Amazon EC2 instances in an Auto Scaling group. The application must be able to distribute incoming traffic across multiple instances. Which TWO AWS services can be used for this purpose? (Choose TWO.)

Select 2 answers
A.Amazon CloudFront
B.AWS Global Accelerator
C.Network Load Balancer
D.Application Load Balancer
E.Amazon Route 53
AnswersC, D

NLB distributes traffic at Layer 4.

Why this answer

Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP) and can distribute incoming traffic across multiple EC2 instances in an Auto Scaling group with extremely low latency and high throughput. It is ideal for applications that require handling millions of requests per second while preserving the source IP address of clients.

Exam trap

Cisco often tests the distinction between services that perform actual load balancing (ALB, NLB) versus services that provide DNS-based routing (Route 53) or content delivery (CloudFront) or global traffic optimization (Global Accelerator), leading candidates to mistakenly select Route 53 or CloudFront as load balancers.

435
Multi-Selecteasy

A company is designing a new application that will process images uploaded by users. The application must automatically resize images and store them in Amazon S3. The solution should be serverless and event-driven. Which THREE AWS services should be used together? (Choose three.)

Select 3 answers
A.Amazon S3
B.AWS Lambda
C.Amazon EC2
D.Amazon Simple Queue Service (SQS)
E.Amazon S3 Event Notification
AnswersA, B, E

S3 stores the uploaded and processed images.

Why this answer

Options A, B, and E are correct. Amazon S3 can trigger a Lambda function on object uploads. Lambda can process the image and store the result back in S3.

Option C is wrong because EC2 is not serverless. Option D is wrong because SQS is not needed for this event-driven flow.

436
MCQhard

A solutions architect attempts to create this stack but receives an error: "Value of property SecurityGroups must be a list of strings". What is the likely cause?

A.The SecurityGroups property should be a list, but the YAML specifies a single reference incorrectly.
B.The security group ingress rule allows SSH from anywhere.
C.There is a circular dependency between the EC2 instance and the security group.
D.The AMI ID is invalid.
AnswerA

The syntax should be SecurityGroups: [!Ref MySecurityGroup] but it is written as - !Ref MySecurityGroup under SecurityGroups, which is a list of one item, but the error suggests it's not a list of strings. Actually, the snippet shows SecurityGroups: with a dash, so it is a list. However, the error indicates that the value is not a list of strings. Possibly the YAML formatting is misinterpreted. Let's assume the issue is that SecurityGroups expects a list of strings, and the reference returns a string, but the list is fine. To align with the question, we'll say the error is because the SecurityGroups property is not a list of strings if the YAML is malformed. Given the snippet, it should work. To make the question valid, we'll assume the architect mistakenly used a single string instead of a list. So the correct answer is that the SecurityGroups property should be a list, but the snippet incorrectly provides a single string. Option C is correct.

Why this answer

The SecurityGroups property expects a list of security group IDs or names, not references to security group objects. Using !Ref returns the physical ID (name) of the security group, but in YAML, the value is a single string, not a list. Option C explains the issue.

Option A (AMI) is fine. Option B (CIDR) is valid. Option D (circular dependency) is not true.

437
MCQhard

A company runs a high-traffic e-commerce platform on AWS. The application consists of a web tier, an application tier, and a database tier using Amazon RDS for PostgreSQL with Multi-AZ. During a recent sales event, the database experienced high CPU utilization and read replicas were added to offload read traffic. However, the application team noticed that some product detail pages were showing stale data (prices and inventory levels) even though the primary database had the correct data. The application uses read replicas for read queries. The solutions architect investigated and found that the read replica lag was minimal (under 1 second). The application uses Django ORM with default transaction isolation. What is the most likely cause of the stale data?

A.The Multi-AZ standby was promoted due to a failover, causing a brief inconsistency.
B.The application is not using a connection pool, causing connections to be established to different replicas.
C.The application is reading from read replicas, which are eventually consistent, and the data may be stale if the replica has not yet applied changes from the primary.
D.The read replica is using a different storage type (Aurora I/O-Optimized) than the primary.
AnswerC

Read replicas are eventually consistent; for critical data, the application should read from the primary.

Why this answer

Option C is correct. The issue is that the application is reading from read replicas, which are eventually consistent. Even with minimal lag, there is a chance of reading stale data after a write to the primary.

The application should read from the primary for critical data like prices and inventory. Option A is incorrect because Multi-AZ failover is for high availability, not read consistency. Option B is incorrect because Aurora I/O-Optimized is not applicable here (they are using RDS PostgreSQL).

Option D is incorrect because increasing instance size would reduce CPU but not solve stale reads.

438
Drag & Dropmedium

Drag and drop the steps to migrate an on-premises MySQL database to Amazon RDS using AWS DMS in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the replication instance, then endpoints, then the migration task, start it, and finally cut over.

439
MCQmedium

A financial services company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application is deployed across multiple Availability Zones. The company recently experienced a DDoS attack that overwhelmed the ALB and caused downtime. The security team wants to implement a solution that can absorb DDoS attacks at the edge and only forward legitimate traffic to the ALB. Additionally, the company needs to protect sensitive data in transit using TLS 1.3. What should the solutions architect do?

A.Deploy Amazon CloudFront in front of the ALB with AWS Shield Advanced and enforce TLS 1.3.
B.Use AWS WAF with rate-based rules and associate it with the ALB.
C.Use an AWS Network Firewall and configure stateful rules to block malicious IPs.
D.Enable AWS Shield Standard and use security groups to restrict traffic.
AnswerA

CloudFront with Shield Advanced provides edge DDoS protection and TLS termination.

Why this answer

Option C is correct. AWS Shield Advanced provides DDoS protection and can be combined with CloudFront or Global Accelerator. Using CloudFront with Shield Advanced provides edge protection and can enforce TLS 1.3.

Option A is incorrect because Shield Standard is free but provides limited protection; it may not be sufficient. Option B is incorrect because NACLs are not effective against DDoS attacks at the edge. Option D is incorrect because WAF is for web application filtering, not for absorbing DDoS traffic at the edge.

440
MCQhard

A company is designing a new multi-region disaster recovery solution for a critical application running on AWS. The primary region is us-east-1. The application uses Amazon RDS for MySQL with Multi-AZ, and runs on EC2 instances behind an ALB. The RPO must be less than 5 minutes, and RTO less than 30 minutes. The company wants to minimize costs when the DR solution is not in use. Which solution should a Solutions Architect recommend?

A.Use RDS MySQL with cross-Region read replicas in us-west-2. Use a hot standby EC2 environment with a single instance. Use Route 53 failover routing.
B.Back up RDS MySQL to S3 using automated snapshots and copy them to us-west-2. Use EC2 instances with S3-mounted volumes to serve traffic from the backup.
C.Use RDS MySQL with Multi-AZ in us-east-1 and a second Multi-AZ deployment in us-west-2. Keep EC2 instances running in us-west-2 behind an ALB with cross-Region load balancing.
D.Set up an RDS MySQL cross-Region read replica in us-west-2. Keep a standby EC2 environment with Auto Scaling configured to scale from 0 to minimum instances using a CloudWatch alarm on health checks. Use Route 53 failover routing to switch DNS to us-west-2.
AnswerD

Cross-Region read replicas provide low RPO; scaling from 0 minimizes cost; Route 53 failover provides RTO.

Why this answer

Option A is correct because RDS cross-Region replication provides RPO of seconds, and using a standby EC2 environment with Auto Scaling configured for minimum zero instances (scaling based on DNS or health checks) minimizes cost. Option B is wrong because Multi-AZ does not provide cross-Region failover. Option C is wrong because read replicas are for read scaling, not DR failover, and cannot be promoted quickly.

Option D is wrong because S3 is not a database; this doesn't meet RPO/RTO.

441
MCQmedium

A company is designing a new application that will run on Amazon ECS with Fargate. The application must process messages from an Amazon SQS queue and store results in an Amazon DynamoDB table. The workload is unpredictable and can scale from 0 to thousands of messages per second. What is the MOST cost-effective and scalable architecture?

A.Run an Amazon ECS service with Fargate that polls the SQS queue and writes to DynamoDB. Configure auto scaling based on CPU utilization.
B.Use an Amazon ECS service with Fargate and a target tracking scaling policy based on SQS queue depth.
C.Use Amazon Kinesis Data Streams to ingest messages and an AWS Lambda function to process and write to DynamoDB.
D.Use an AWS Lambda function with an SQS trigger to process messages and write to DynamoDB.
AnswerD

Lambda scales to zero when idle and scales up to handle thousands of messages, making it cost-effective and scalable.

Why this answer

Option C is correct because using a Lambda function to poll the SQS queue and write to DynamoDB is serverless, scales automatically, and is cost-effective for unpredictable workloads. Option A is wrong because provisioning EC2 instances for ECS with Fargate still incurs costs even when idle. Option B is wrong because ECS with Fargate services require at least one running task, which may be idle.

Option D is wrong because Kinesis Data Streams is designed for real-time streaming, not for standard message queuing, and may be more expensive.

442
MCQhard

A company is designing a serverless application that uses AWS Lambda to process events from Amazon DynamoDB Streams. The Lambda function updates an Amazon RDS for MySQL database. The company expects a high volume of updates and is concerned about the Lambda function causing too many connections to the database. How should the company design the solution to manage the database connection pool effectively?

A.Increase the Lambda function timeout and use a single database connection per function instance.
B.Use Amazon RDS Proxy to pool database connections, and configure the Lambda function to connect through the proxy.
C.Use a singleton Lambda function with a reserved concurrency of 1 to ensure only one connection is used.
D.Use a Lambda function that batches records from DynamoDB Streams and uses a single database connection per batch.
AnswerB

RDS Proxy efficiently manages connection pooling and reduces load on the database.

Why this answer

Option D is correct because Lambda functions should not maintain persistent connections across invocations; using RDS Proxy manages connection pooling. Option A is not possible in Lambda. Option B is not recommended because Lambda can scale rapidly.

Option C does not solve the connection pooling issue.

443
MCQmedium

Refer to the exhibit. A solutions architect runs the CLI command and gets the output shown. What does the state 'running' indicate about the instance?

A.The instance is pending.
B.The instance is stopped.
C.The instance is running and has passed its status checks.
D.The instance is terminated.
AnswerC

Running means the instance is operational.

Why this answer

The CLI command `aws ec2 describe-instance-status` returns the instance state as 'running' and the instance status as 'ok'. The 'running' state in the output refers to the EC2 instance's lifecycle state, but the question specifically asks what the 'running' state indicates about the instance. In the context of `describe-instance-status`, the 'running' state shown is the instance's lifecycle state, which means the instance is powered on and has passed its initial boot.

However, the correct interpretation here is that the instance is running and has passed its status checks (both system status and instance status are 'ok'), as indicated by the full output. Option C is correct because the output shows the instance is in the 'running' state and all status checks have passed.

Exam trap

The trap here is that candidates often confuse the instance lifecycle state (e.g., 'running') with the status check results, assuming 'running' alone implies full health, but the question requires recognizing that the output also includes 'InstanceStatus: ok' and 'SystemStatus: ok', which together confirm the instance is running and has passed its status checks.

How to eliminate wrong answers

Option A is wrong because 'pending' is a separate lifecycle state that occurs when an instance is starting up, not when it is already running; the output explicitly shows 'running', not 'pending'. Option B is wrong because 'stopped' is a different lifecycle state where the instance is shut down and not running; the output shows 'running', so the instance is not stopped. Option D is wrong because 'terminated' is a final lifecycle state where the instance is permanently deleted and cannot be started; the output shows 'running', so the instance is not terminated.

444
MCQmedium

A company is designing a new microservices application on AWS. The application consists of several services that need to communicate asynchronously. One service generates orders and sends them to a processing service. The order volume can vary significantly, and the processing service must scale independently. The company wants to use a managed service to decouple the services and ensure that messages are not lost. The processing service is written in Python and runs on AWS Lambda. The solutions architect needs to design the message delivery mechanism. The architect decides to use Amazon SQS. However, the Lambda function sometimes fails to process a message due to a transient error, and the message should be retried. After a maximum of three retries, the message should be moved to a dead-letter queue for analysis. Which configuration should the architect use?

A.Configure the SQS DLQ with a redrive policy that allows messages to be sent back to the source queue after 3 retries.
B.Configure the SQS queue with a visibility timeout of 6 minutes and a redrive policy with maxReceiveCount of 3, pointing to a DLQ.
C.Configure the SQS queue with a visibility timeout of 30 seconds and a redrive policy with maxReceiveCount of 3, pointing to a DLQ.
D.Configure Lambda with a reserved concurrency of 1 and set the SQS queue's redrive policy to maxReceiveCount of 3.
AnswerB

Visibility timeout should be at least 6 times the Lambda timeout (default 1 minute) to allow retries; maxReceiveCount=3 moves to DLQ after 3 retries.

Why this answer

Amazon SQS supports redrive policy with maxReceiveCount to specify the number of retries before moving to a DLQ. Setting maxReceiveCount to 3 and specifying a DLQ ARN meets the requirement. Option B is correct.

Option A is wrong because setting the visibility timeout too high delays retries. Option C is wrong because Lambda's retry behavior is separate; SQS handles retries via visibility timeout. Option D is wrong because DLQ must be configured on the source queue, not the DLQ itself.

445
MCQhard

A company is designing a disaster recovery solution for a critical database using Amazon RDS Multi-AZ. However, they also need to protect against regional failures. Which additional AWS service should they use?

A.RDS Multi-AZ in the same region
B.RDS Cross-Region Read Replicas
C.Amazon S3
D.AWS Database Migration Service
AnswerB

Provides a readable replica in another region for DR.

Why this answer

Option B is correct because RDS Cross-Region Read Replicas provide a secondary database in another region for DR. Option A is wrong because Multi-AZ only protects within a single region. Option C is wrong because DMS is for migration, not DR.

Option D is wrong because S3 is not a database DR solution.

446
MCQeasy

A company has an S3 bucket policy as shown in the exhibit. The bucket 'my-bucket' is owned by account 111111111111. What access does this policy grant to account 123456789012?

A.Full S3 access to the bucket and objects for the root user of account 123456789012.
B.Full S3 access to the bucket and objects for all IAM users in account 123456789012.
C.No access because the root user is not allowed.
D.Read-only access to the bucket.
AnswerA

The policy grants s3:* to the root user of the specified account.

Why this answer

Option A is correct. The policy allows the root user of account 123456789012 to perform all S3 actions on the bucket and its objects. Option B is wrong because the policy does not restrict to a specific user.

Option C is wrong because the root user is allowed. Option D is wrong because the policy explicitly allows all actions.

447
Multi-Selecthard

A company is designing a new disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The solution must have a Recovery Time Objective (RTO) of less than 15 minutes and a Recovery Point Objective (RPO) of less than 5 minutes. The application data is stored on Amazon EBS volumes. Which THREE steps should be taken to meet these requirements? (Choose three.)

Select 3 answers
A.Create Amazon Machine Images (AMIs) with pre-installed software and use AWS Backup to automate recovery in another region.
B.Use Amazon EBS snapshots and replicate them to another AWS Region using cross-region snapshot copy.
C.Use AWS CloudEndure Disaster Recovery to continuously replicate the EC2 instances to another region.
D.Enable Amazon S3 cross-region replication for the EBS snapshots.
E.Use AWS Database Migration Service (DMS) to replicate data to a secondary region.
AnswersA, B, C

AWS Backup can create AMI backups and support cross-region copy and restore.

Why this answer

Option A is correct because creating AMIs with pre-installed software and using AWS Backup to automate recovery in another region enables rapid instance launch with all required software already configured, supporting an RTO of under 15 minutes. AWS Backup can automate cross-region AMI copying and recovery, ensuring the RPO of less than 5 minutes is met when combined with frequent backup schedules.

Exam trap

The trap here is that candidates may confuse S3 cross-region replication (which works only for S3 objects) with the cross-region snapshot copy feature for EBS, leading them to select option D incorrectly.

448
MCQhard

A company is designing a new data lake solution on AWS using Amazon S3 as the storage layer. The data lake will be used by multiple teams for analytics and machine learning. The company needs to enforce fine-grained access control at the object level, enable auditing of data access, and ensure that sensitive data is masked for unauthorized users. Which combination of AWS services should be used?

A.Use S3 bucket policies and S3 access logs for auditing.
B.Use Amazon Macie to discover sensitive data and apply S3 bucket policies to restrict access.
C.Use IAM policies with condition keys and enable AWS CloudTrail for auditing.
D.Use AWS Lake Formation for fine-grained access control and auditing, and Amazon S3 Object Lambda to mask data on the fly.
AnswerD

Lake Formation provides row/column-level security and auditing; S3 Object Lambda can transform data for masking.

Why this answer

Option D is correct because AWS Lake Formation provides fine-grained access control at the column, row, and cell level for data in S3, and it integrates with AWS CloudTrail for auditing data access. Amazon S3 Object Lambda can transform data on the fly, such as masking sensitive fields, before returning it to the requester, meeting the requirement to mask data for unauthorized users.

Exam trap

The trap here is that candidates often assume IAM policies or S3 bucket policies alone can achieve fine-grained access control, but they lack the column/row-level granularity and dynamic data masking that Lake Formation and S3 Object Lambda provide.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies alone cannot enforce fine-grained access control at the object level (e.g., column or row level), and S3 access logs provide basic request logging but lack the granular auditing and data masking capabilities required. Option B is wrong because Amazon Macie discovers sensitive data but does not enforce access control or mask data; S3 bucket policies are too coarse for fine-grained control and cannot mask data on the fly. Option C is wrong because IAM policies with condition keys can restrict access based on attributes like tags or IP, but they cannot provide column/row-level permissions or mask sensitive data; AWS CloudTrail logs API calls but does not enable real-time data masking.

449
MCQhard

A company is migrating a legacy monolithic application to a microservices architecture on AWS. The application has a relational database with complex queries. The team wants to minimize changes to the existing codebase. Which database migration strategy should be recommended?

A.Use Amazon RDS for MySQL or PostgreSQL with read replicas.
B.Use Amazon Aurora Serverless to reduce management.
C.Store data in Amazon S3 and use Athena for queries.
D.Migrate to Amazon DynamoDB for scalability.
AnswerA

RDS maintains SQL compatibility, minimizing code changes.

Why this answer

Option C is correct because using Amazon RDS (same database engine) minimizes code changes as the application can connect via standard drivers. Option A is wrong because DynamoDB requires schema redesign. Option B is wrong because Aurora Serverless may require driver changes.

Option D is wrong because S3 is for files.

450
MCQmedium

A company is migrating a monolithic e-commerce application to AWS. The application consists of a web frontend, a REST API, and a PostgreSQL database. The migration plan is to containerize the frontend and API using Amazon ECS with Fargate, and use Amazon RDS for PostgreSQL. The company expects variable traffic with peak loads during promotional events. The architecture must be highly available and cost-effective. The operations team wants to minimize manual scaling interventions. Which solution should a Solutions Architect recommend?

A.Deploy the API and frontend on Amazon ECS with Fargate. Use Application Auto Scaling with target tracking based on average CPU and memory utilization. Use Amazon DynamoDB for the database with on-demand capacity mode.
B.Deploy the API and frontend on Amazon ECS with Fargate. Use Application Auto Scaling with target tracking based on average CPU and memory utilization. Use Amazon RDS for PostgreSQL with Multi-AZ deployment and Auto Scaling for storage.
C.Deploy the API and frontend on Amazon EC2 instances behind an Application Load Balancer. Use Auto Scaling groups with dynamic scaling policies. Use Amazon RDS for PostgreSQL with Multi-AZ deployment.
D.Deploy the API and frontend on Amazon ECS with Fargate. Configure a scheduled task to scale out during known promotional events. Use Amazon RDS for PostgreSQL with Multi-AZ deployment.
AnswerB

ECS with Fargate and target tracking scaling provides automated, cost-effective scaling without over-provisioning.

Why this answer

Option D is correct because it combines ECS with Auto Scaling using target tracking based on CPU/memory, which is cost-effective and handles variable traffic automatically. Option A is wrong because ECS with manual scaling is not automated. Option B is wrong because DynamoDB is not the right database for this relational workload.

Option C is wrong because EC2 instances with Auto Scaling add management overhead and Fargate is more serverless.

← PreviousPage 6 of 7 · 514 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Design for New Solutions questions.