CCNA Design for New Solutions Questions

64 of 514 questions · Page 7/7 · Design for New Solutions · Answers revealed

451
MCQeasy

A company is designing a new web application that will be deployed on AWS. The application consists of an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances running a web server. The application must be highly available across multiple Availability Zones. The company expects variable traffic patterns, including sudden spikes. The operations team wants to minimize manual intervention. The application stores session state in a shared data store. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. The company is using AWS Certificate Manager (ACM) to manage SSL/TLS certificates. The ALB must terminate SSL/TLS connections. Which combination of actions should the company take to meet these requirements?

A.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS on port 443 using the same ACM certificate. Configure health checks on the target group to use HTTP on port 80 with path /health.
B.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTP health checks on port 80.
C.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS on port 443 using a self-signed certificate. Configure health checks to use HTTPS on port 443.
D.Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS health checks on port 443 using a separate ACM certificate.
AnswerA

This encrypts backend traffic, uses ACM for backend (same cert), and health checks use HTTP to avoid certificate issues.

Why this answer

Option A is correct because it meets all requirements: the ALB terminates SSL/TLS using an ACM certificate on an HTTPS listener, encrypts traffic between ALB and EC2 instances by using HTTPS on the target group with the same ACM certificate (mutual TLS is not required; the ALB re-encrypts using the same certificate), and uses HTTP health checks on port 80 to avoid certificate validation issues during health checks. This ensures end-to-end encryption, high availability across multiple AZs, and minimizes manual intervention by automating certificate management with ACM.

Exam trap

The trap here is that candidates often assume health checks must use the same protocol as the target group traffic, but AWS recommends using HTTP health checks even for HTTPS target groups to avoid certificate validation failures and ensure reliable health monitoring.

How to eliminate wrong answers

Option B is wrong because it configures the target group with HTTP health checks on port 80 but does not specify HTTPS for the target group traffic, leaving traffic between the ALB and EC2 instances unencrypted, violating the security requirement. Option C is wrong because it uses a self-signed certificate for the target group HTTPS, which would cause the ALB to reject the certificate during health checks and traffic forwarding (ALB requires trusted certificates for HTTPS target groups), and health checks using HTTPS on port 443 would fail due to certificate validation issues. Option D is wrong because it uses a separate ACM certificate for the target group HTTPS health checks, which is unnecessary and introduces complexity; the same ACM certificate can be used, and health checks should use HTTP to avoid certificate validation overhead and ensure reliable health monitoring.

452
MCQeasy

A company is designing a new web application that will be accessed by users worldwide. The application should have low latency and high availability. The application uses a stateless web tier and a relational database. Which architecture minimizes latency for global users?

A.Deploy the application in multiple regions with Route 53 latency-based routing, and use Amazon Aurora Global Database for the database tier.
B.Deploy the application in a single region and use Route 53 geolocation routing.
C.Deploy the application in multiple regions, use CloudFront to cache static content, and route dynamic requests to the nearest region via Route 53 latency-based routing.
D.Deploy the application in a single region and use Amazon CloudFront to cache content globally.
AnswerA

Aurora Global Database allows reads from local regions, reducing latency for read-heavy workloads.

Why this answer

Using Amazon Route 53 with latency-based routing to direct users to the closest region, and deploying the application in multiple regions with a global database, minimizes latency. Option D is correct. Option A is wrong because CloudFront alone doesn't handle dynamic content efficiently for all use cases.

Option B is wrong because a single region cannot provide low latency globally. Option C is wrong because CloudFront can cache static content but dynamic requests still go to origin.

453
MCQmedium

A company is designing a new serverless application on AWS. The application consists of multiple AWS Lambda functions that process incoming events from an Amazon SQS queue. The company wants to ensure that each message is processed exactly once. Which configuration should the company use?

A.Use a standard SQS queue and set the Lambda function reserved concurrency to 1.
B.Use an SQS FIFO queue and enable content-based deduplication.
C.Use a standard SQS queue and configure Lambda destinations for the queue.
D.Use an SQS FIFO queue and configure DynamoDB Streams as the event source for Lambda.
AnswerB

SQS FIFO queues support exactly-once processing when combined with deduplication IDs.

Why this answer

Option B is correct because SQS FIFO queues guarantee exactly-once processing. Option A is wrong because standard SQS queues do not guarantee exactly-once. Option C is wrong because Lambda destination is for success/failure, not exactly-once.

Option D is wrong because DynamoDB Streams are not for SQS.

454
Multi-Selecteasy

A company is designing a new application that will run on Amazon ECS with Fargate. The application needs to store files in Amazon S3. The company has a strict security requirement that the application must not have any long-term credentials stored in the container image or environment variables. Which THREE steps should the company take to meet this requirement? (Choose THREE.)

Select 3 answers
A.Store AWS access keys in AWS Secrets Manager and retrieve them at runtime.
B.Create an IAM role with permissions to access the S3 bucket.
C.Attach the IAM role to the ECS task definition as the task role.
D.Enable the ECS task execution role to pass the task role to the container.
E.Configure the application to use the AWS CLI with environment variables for credentials.
AnswersB, C, D

The task role will assume this role to get temporary credentials.

Why this answer

IAM roles for tasks allow containers to obtain temporary credentials. An IAM policy with S3 permissions is attached to the role. The task definition must include a taskRoleArn.

Option A, B, and D are correct. Option C is wrong because storing credentials in Secrets Manager still requires credentials to access the secret. Option E is wrong because AWS CLI will automatically use credentials from the task role, no configuration needed.

455
MCQeasy

A company wants to give its developers access to specific Amazon S3 buckets based on their team membership. The company uses AWS IAM Identity Center (successor to AWS SSO) for user management. Which approach should the company use to grant fine-grained access?

A.Create an IAM policy that allows access to specific buckets based on tags, and assign the policy to an IAM role that developers can assume.
B.Create separate IAM groups for each team and attach policies granting access to the appropriate buckets.
C.Use resource-based policies on the buckets to allow access from the IAM Identity Center users.
D.Use S3 bucket policies that grant access to specific IAM users based on their usernames.
AnswerA

ABAC with tags enables fine-grained, scalable access control.

Why this answer

Using attribute-based access control (ABAC) with IAM Identity Center allows dynamic permissions based on user attributes like team. Option B (IAM groups) is less dynamic. Option C (S3 bucket policies) is not tied to user attributes.

Option D (resource-based policies) is not scalable.

456
MCQeasy

A company is designing a serverless data processing pipeline using AWS Lambda functions. The pipeline processes messages from an Amazon SQS queue. Each message takes approximately 30 seconds to process, and the pipeline must handle bursts of up to 10,000 messages per minute. The messages must be processed in the order they are received. Which solution meets these requirements?

A.Use an SQS FIFO queue with a Lambda function that sets the Concurrency limit to 100.
B.Use an SQS FIFO queue with a Lambda function configured with a reserved concurrency of 1000.
C.Use an SQS Standard queue with a Lambda function that processes messages in batches.
D.Use an Amazon Kinesis Data Stream with a Lambda function that processes multiple records per invocation.
AnswerB

FIFO queues preserve order; Lambda with reserved concurrency avoids throttling.

Why this answer

SQS FIFO queues guarantee exactly-once processing and preserve message order. Lambda can poll the FIFO queue with a batch size of 1 to maintain order. Option A is correct.

Option B is wrong because Kinesis Data Streams does not guarantee order across shards. Option C is wrong because SQS Standard does not guarantee order. Option D is wrong because Lambda concurrency limits can cause throttling.

457
MCQhard

A company is designing a new application that will process sensitive financial data. They need to ensure that data at rest is encrypted using customer-provided encryption keys (SSE-C) in Amazon S3. Which action is required to enable this?

A.Use AWS KMS to generate a key
B.Enable default encryption on the bucket
C.Provide the encryption key in the request headers
D.Configure a bucket policy to require SSE-C
AnswerC

SSE-C requires the key to be provided with each request.

Why this answer

SSE-C requires the customer to provide the encryption key in the request headers when uploading or accessing objects. Amazon S3 uses the provided key to encrypt data at rest and then discards the key; the customer is responsible for managing the key lifecycle. This is the only way to enforce customer-provided encryption keys at the object level.

Exam trap

The trap here is that candidates confuse SSE-C with SSE-KMS or SSE-S3, assuming that a bucket policy or default encryption alone can enforce customer-provided keys, when in fact SSE-C requires the key to be explicitly supplied in every request.

How to eliminate wrong answers

Option A is wrong because AWS KMS generates AWS-managed or customer-managed keys (SSE-KMS), not customer-provided keys (SSE-C) that are supplied per request. Option B is wrong because enabling default encryption on the bucket applies SSE-S3 or SSE-KMS automatically, not SSE-C, which requires the key to be sent with each request. Option D is wrong because a bucket policy can require SSE-C (e.g., via a condition key like s3:x-amz-server-side-encryption-customer-algorithm), but it does not enable SSE-C itself; the key must still be provided in the request headers.

458
MCQhard

An administrator runs the above commands and observes the outputs. The instance is in a public subnet with an internet gateway. What is the most likely issue preventing users from accessing the web server?

A.The security group allows SSH from a restricted IP, but not from the users.
B.The security group does not allow outbound traffic, so responses cannot be sent.
C.The security group allows HTTP only from the IP range 203.0.113.0/24.
D.The security group does not allow inbound HTTP traffic.
AnswerB

Egress rules are empty, blocking response traffic.

Why this answer

Option B is correct because the security group allows inbound HTTP (80) from 0.0.0.0/0, but the egress rules are empty, which means all outbound traffic is denied. The web server cannot send responses back. Option A is wrong because HTTP port 80 is open.

Option C is wrong because SSH is not required for web access. Option D is wrong because the security group allows HTTP.

459
MCQmedium

A company is designing a new solution to host a static website on AWS. The website content is stored in an Amazon S3 bucket. The company wants to use a custom domain name (e.g., www.example.com) and enforce HTTPS. Which combination of AWS services should the company use?

A.Configure the S3 bucket for static website hosting and attach a custom SSL certificate using AWS Certificate Manager.
B.Use Amazon CloudFront with an SSL certificate from AWS Certificate Manager and point the CloudFront distribution to the S3 bucket.
C.Use Amazon Route 53 with an alias record pointing to the S3 bucket and enable DNSSEC.
D.Use an Application Load Balancer in front of the S3 bucket and attach an SSL certificate from AWS Certificate Manager.
AnswerB

CloudFront provides HTTPS and works with ACM.

Why this answer

Option D is correct because Amazon CloudFront can serve content from S3, and AWS Certificate Manager (ACM) can provision an SSL/TLS certificate for the custom domain, allowing HTTPS. Option A is wrong because S3 does not support custom SSL certificates natively. Option B is wrong because ELB is not needed for static website hosting.

Option C is wrong because Route 53 does not provide HTTPS termination.

460
MCQhard

A company is designing a new data lake on Amazon S3. The data is ingested from various sources and must be encrypted at rest. The company has a strict requirement to use an AWS KMS customer master key (CMK) that is stored in a different AWS account for additional security. The S3 bucket is in Account A, and the KMS key is in Account B. Which steps are necessary to enable server-side encryption with AWS KMS (SSE-KMS) for objects in the S3 bucket?

A.Enable SSE-KMS on the S3 bucket in Account A and specify the ARN of the KMS key from Account B. S3 will automatically use the key.
B.Update the KMS key policy in Account B to grant Account A access to the key. No changes needed in Account A.
C.Update the KMS key policy in Account B to grant Account A access to the key, and update the S3 bucket policy in Account A to allow the kms:Encrypt and kms:Decrypt actions for the key.
D.Update the S3 bucket policy in Account A to allow s3:PutObject with the kms:Encrypt permission. No changes needed in Account B.
AnswerC

Both policies are required for cross-account SSE-KMS.

Why this answer

Option D is correct because cross-account KMS access requires both a key policy in Account B granting Account A permission to use the key, and an S3 bucket policy in Account A that allows the necessary actions and specifies the KMS key. Option A is wrong because the KMS key policy must allow Account A to use the key, but the S3 bucket policy also needs to be updated. Option B is wrong because the KMS key policy must explicitly grant access to Account A.

Option C is wrong because S3 does not automatically use the KMS key; the bucket policy must specify the key.

461
Matchingmedium

Match each AWS security service to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Protect web applications from common exploits

Enhanced DDoS protection for critical workloads

Create and manage encryption keys

Rotate and manage secrets securely

Manage user identities and permissions

Why these pairings

Security services address different aspects of threat protection and access control.

462
MCQmedium

A company is designing a new application that will run on Amazon ECS with Fargate. The application needs to output logs to CloudWatch Logs. Which configuration should be used to send logs from the container to CloudWatch?

A.Use the awslogs log driver in the task definition and specify the log group.
B.Install and configure the CloudWatch agent in the container image.
C.Output logs to stdout/stderr and use a Lambda function to push them.
D.Configure a sidecar container running the CloudWatch agent.
AnswerA

The awslogs log driver is the native integration for ECS and Fargate to send logs to CloudWatch.

Why this answer

The awslogs log driver is the native, built-in mechanism for Amazon ECS tasks using the Fargate launch type to send container logs directly to CloudWatch Logs. By specifying the 'awslogs' log driver in the task definition and providing the log group name, ECS automatically streams stdout and stderr from the container to the specified CloudWatch log group without requiring any additional agents or infrastructure.

Exam trap

The trap here is that candidates often over-engineer the solution by thinking a separate agent or sidecar is required for log shipping, when in fact the awslogs log driver is the simplest and most efficient native integration for ECS with Fargate.

How to eliminate wrong answers

Option B is wrong because installing the CloudWatch agent inside the container image is unnecessary and adds complexity; the awslogs log driver handles log shipping natively at the container runtime level. Option C is wrong because using a Lambda function to push logs from stdout/stderr is an overly complex, non-standard approach that introduces latency and potential data loss, whereas the awslogs driver streams logs in real time. Option D is wrong because a sidecar container running the CloudWatch agent is redundant and consumes additional resources; the awslogs log driver is the recommended and simpler method for Fargate tasks.

463
MCQhard

A company is designing a multi-region disaster recovery solution for a critical application using Amazon RDS for MySQL. They need a Recovery Point Objective (RPO) of less than 5 seconds and a Recovery Time Objective (RTO) of less than 1 minute. Which solution should they choose?

A.Use Amazon RDS with cross-Region read replicas and promote the replica to a primary instance in a disaster.
B.Use Amazon Aurora Global Database.
C.Use Amazon RDS with automated backups and restore in another Region.
D.Use Amazon RDS Multi-AZ with a standby in a different AWS Region.
AnswerA

Cross-Region read replicas use asynchronous replication with minimal lag, and can be promoted quickly, meeting the RPO/RTO requirements.

Why this answer

Amazon RDS Multi-AZ with a standby replica in a different region is not supported. However, cross-region read replicas can be promoted to a standalone instance in a disaster. For low RPO/RTO, using a cross-region read replica with automatic failover via Route 53 can achieve near-real-time replication and fast failover.

464
Multi-Selectmedium

A company is building a new application that requires a relational database with high availability across multiple Availability Zones. The database must automatically failover with minimal downtime. Which two AWS services or features meet these requirements?

Select 2 answers
A.Amazon Aurora DB cluster with multiple Availability Zones
B.Amazon RDS Multi-AZ deployment
C.Amazon RDS Single-AZ deployment with automated backups
D.Amazon DynamoDB with global tables
E.Amazon RDS Read Replica
AnswersA, B

Aurora automatically fails over to a replica in another AZ.

Why this answer

Amazon RDS Multi-AZ deployment provides synchronous replication and automatic failover across AZs. Option A and D are correct. Option B is wrong because read replicas are for read scaling, not automatic failover.

Option C is wrong because single AZ is not highly available. Option E is wrong because DynamoDB is NoSQL, not relational.

465
MCQeasy

A company is designing a microservices architecture on Amazon ECS with AWS Fargate. The services need to communicate with each other using HTTP APIs. The company wants to minimize operational overhead and enable canary deployments. Which solution should the company use for service discovery and traffic routing?

A.Use Amazon API Gateway with VPC Link
B.Use an Application Load Balancer with target groups per service
C.Use Amazon Route 53 with weighted routing policies
D.Use AWS App Mesh with Envoy sidecars
AnswerD

App Mesh provides traffic splitting and observability for canary deployments.

Why this answer

AWS App Mesh with Envoy sidecars provides a service mesh that handles service discovery, traffic routing, and canary deployments at the application layer. It integrates natively with ECS Fargate, offloading operational overhead by managing traffic splitting, retries, and observability without modifying application code. This makes it ideal for microservices requiring fine-grained control over HTTP traffic routing.

Exam trap

The trap here is that candidates often confuse DNS-based routing (Route 53) or load balancer-level routing (ALB) with the application-layer traffic management needed for canary deployments, overlooking that only a service mesh like App Mesh provides the granular, proxy-based control required for HTTP traffic splitting without operational overhead.

How to eliminate wrong answers

Option A is wrong because Amazon API Gateway with VPC Link is designed for external API management and routing to private VPC resources, not for internal service-to-service communication within a microservices architecture, and it adds unnecessary latency and complexity for internal calls. Option B is wrong because an Application Load Balancer with target groups per service can route traffic but does not natively support canary deployments with weighted traffic splitting across service versions; it requires external tooling or custom scripting for gradual rollouts. Option C is wrong because Amazon Route 53 with weighted routing policies operates at the DNS level, which cannot handle HTTP-level traffic routing, session affinity, or fine-grained canary percentages, and DNS caching can cause uneven traffic distribution during deployments.

466
MCQeasy

A company is building a serverless application using AWS Lambda. The Lambda function needs to process files uploaded to an S3 bucket. The function should be triggered as soon as a new object is created. How should the architect configure this?

A.Configure S3 to send event notifications to the Lambda function directly
B.Configure S3 to send event notifications to an SNS topic, which triggers the Lambda function
C.Configure S3 to send event notifications to an SQS queue, and have the Lambda function poll the queue
D.Configure S3 to send event notifications to Amazon CloudWatch Events, which triggers the Lambda function
AnswerA

S3 event notifications can directly invoke Lambda functions.

Why this answer

S3 can send events directly to Lambda via an S3 event notification. Option A (SNS) adds unnecessary intermediate service. Option B (CloudWatch Events) is not designed for S3 object creation triggers.

Option D (SQS) adds latency and complexity.

467
Multi-Selecthard

A company is designing a microservices architecture on Amazon ECS with Fargate. The services need to communicate securely and efficiently. The company wants to implement service-to-service authentication and authorization. Which THREE steps should the company take? (Choose THREE.)

Select 3 answers
A.Use AWS Secrets Manager to store and rotate service credentials.
B.Configure mutual TLS (mTLS) between services using certificates from ACM.
C.Enable ECS Service Connect between services for automatic DNS and TLS encryption.
D.Deploy an API Gateway in front of each microservice.
E.Use IAM roles for tasks and attach policies that allow access to other services.
AnswersA, C, E

Secrets Manager securely stores credentials for database or API keys.

Why this answer

Options A, C, and E are correct. A: ECS Service Connect provides DNS and encryption. C: IAM roles for tasks grant permissions.

E: Secrets Manager stores secrets. Option B is not needed with Service Connect. Option D is for public APIs.

468
MCQeasy

A company is building a new application that will run on AWS Lambda. The application needs to store and retrieve user preferences in a key-value format. The data is accessed frequently and must be highly available. The company expects low latency for reads and writes. Which AWS service should be used as the data store?

A.Amazon S3
B.Amazon ElastiCache for Memcached
C.Amazon RDS for PostgreSQL
D.Amazon DynamoDB
AnswerD

DynamoDB is a key-value database with low latency and high availability.

Why this answer

Option B is correct because Amazon DynamoDB is a key-value store designed for low-latency, high-availability access. Option A: S3 is object storage, not key-value. Option C: RDS is relational.

Option D: ElastiCache is in-memory but not persistent by default.

469
MCQmedium

A company is designing a new serverless application using AWS Lambda. The function must process a file uploaded to S3 and then send a notification to an external API. The external API has a rate limit of 10 requests per second. Which approach should they use to handle throttling?

A.Use Amazon SQS to buffer the requests and set a Lambda reserved concurrency to limit the processing rate
B.Increase the Lambda function timeout and retry on failure
C.Configure a Lambda function destination on failure to reprocess
D.Use Amazon SNS to fan out the notification to multiple Lambda functions
AnswerA

SQS can buffer requests and Lambda reserved concurrency can limit concurrency, effectively throttling the rate.

Why this answer

Option D is correct because using SQS as a dead-letter queue with a Lambda reserved concurrency and a throttle can control the rate. Option A is wrong because increasing timeout does not handle rate limiting. Option B is wrong because SNS does not provide rate control.

Option C is wrong because Lambda destination on failure alone does not throttle.

470
Multi-Selecthard

Which THREE design patterns can help a microservices application achieve loose coupling and independent deployability? (Choose three.)

Select 3 answers
A.Shared database schema across services
B.Circuit breaker pattern to handle service failures
C.Synchronous RESTful HTTP calls between services
D.Event-driven communication using Amazon SNS and SQS
E.API Gateway as a facade for service endpoints
AnswersB, D, E

Circuit breakers isolate failures, allowing services to degrade gracefully without impacting others.

Why this answer

Options B, C, and D are correct. B: Event-driven communication via SNS/SQS decouples services. C: API Gateway provides a facade that routes to different services independently.

D: Circuit breaker pattern prevents cascading failures, allowing independent failure handling. Option A is wrong because shared database creates tight coupling. Option E is wrong because synchronous HTTP calls create tight coupling.

471
MCQeasy

A company wants to deploy a new web application on AWS that uses a microservices architecture. The company expects rapid growth and wants to decouple services to allow independent scaling and development. The team wants to use Docker containers for consistency across environments. Which solution should a Solutions Architect recommend?

A.Use Amazon Lightsail containers to deploy each microservice as a container service.
B.Deploy each microservice on separate EC2 instances behind an Application Load Balancer.
C.Use Amazon ECS with Fargate to run each microservice as a separate task definition, with service auto scaling.
D.Use AWS Elastic Beanstalk with Docker platform to deploy each microservice as a separate environment.
AnswerC

ECS with Fargate is a fully managed container service that decouples services and scales independently.

Why this answer

Option D is correct because ECS with Fargate is a managed container service that scales automatically and decouples services. Option A is wrong because EC2 instances are not containerized. Option B is wrong because Elastic Beanstalk is a PaaS that abstracts containers but may not provide as much control.

Option C is wrong because Lightsail is for simpler workloads, not microservices at scale.

472
Multi-Selecteasy

A company is designing a new application that will run on Amazon EC2 instances behind an Application Load Balancer (ALB). The application must be highly available and fault-tolerant across multiple Availability Zones. Which TWO actions should be taken to achieve this? (Choose two.)

Select 2 answers
A.Use an Auto Scaling group to launch instances only in one Availability Zone.
B.Use a Network Load Balancer instead of ALB for better performance.
C.Launch EC2 instances in at least two Availability Zones.
D.Configure the ALB to be internet-facing and register instances from multiple AZs.
E.Launch all EC2 instances in a single Availability Zone for low latency.
AnswersC, D

Multiple AZs provide fault tolerance if one AZ fails.

Why this answer

Option C is correct because launching EC2 instances in at least two Availability Zones (AZs) ensures that if one AZ fails, the application continues to run from the other AZ, providing fault tolerance and high availability. Option D is correct because configuring the ALB to be internet-facing and registering instances from multiple AZs allows the ALB to distribute incoming traffic across healthy instances in different AZs, automatically rerouting traffic if an AZ becomes impaired.

Exam trap

The trap here is that candidates often think a single AZ with Auto Scaling is sufficient for high availability, but true fault tolerance requires distributing resources across multiple AZs to survive an AZ-level failure.

473
MCQeasy

A company wants to decouple a web application frontend from a backend processing service. The frontend sends jobs that are processed asynchronously. Which AWS service is best suited for this decoupling?

A.Amazon SQS
B.Amazon SNS
C.Amazon Kinesis
D.AWS Step Functions
AnswerA

SQS provides a reliable message queue.

Why this answer

Option B is correct because Amazon Simple Queue Service (SQS) is a fully managed message queue for decoupling. Option A is wrong because SNS is pub/sub. Option C is wrong because Kinesis is for streaming.

Option D is wrong because Step Functions is for workflows.

474
MCQhard

A company is designing a microservices architecture using Amazon ECS with Fargate. The services need to communicate with each other. The company wants to minimize operational overhead and ensure that service discovery is automatically updated when services scale. Which service discovery option should be used?

A.AWS Cloud Map
B.Amazon ECS service connect
C.Elastic Load Balancing with internal NLB
D.Amazon Route 53 private hosted zones with health checks
AnswerA

Cloud Map automatically manages service discovery.

Why this answer

AWS Cloud Map provides service discovery that automatically updates with service scaling.

475
Multi-Selecteasy

A company wants to store configuration data for multiple applications securely. Each application runs on Amazon EC2 instances in an Auto Scaling group. The configuration includes database credentials and API keys. Which TWO services should be used together to achieve this?

Select 2 answers
A.AWS Secrets Manager.
B.Amazon S3 with bucket policies.
C.IAM roles for EC2 instances.
D.EC2 user data scripts.
E.AWS Systems Manager Parameter Store.
AnswersC, E

IAM roles allow instances to access Parameter Store without credentials.

Why this answer

Options A and B are correct. AWS Systems Manager Parameter Store securely stores configuration data, and IAM roles for EC2 provide secure access without hardcoding credentials. Option C is wrong because Secrets Manager is also a valid service but the question asks for two services.

Option D is wrong because EC2 user data is not secure for credentials. Option E is wrong because S3 requires managing access keys.

476
MCQmedium

A company is designing a new solution that uses Amazon S3 to store large amounts of archival data. The data must be retained for 7 years and then automatically deleted. Which S3 feature should they use?

A.S3 Replication
B.S3 Versioning
C.S3 Object Lock
D.S3 Lifecycle policies
AnswerD

Lifecycle policies can automatically delete objects after a set period.

Why this answer

S3 Lifecycle policies allow you to define rules that automatically expire objects after a specified period, such as 7 years. This directly meets the requirement to retain archival data for a fixed duration and then delete it without manual intervention.

Exam trap

The trap here is that candidates often confuse S3 Object Lock's retention period with automatic deletion, not realizing that Object Lock only prevents deletion during the retention window and requires a separate lifecycle rule to actually remove the objects afterward.

How to eliminate wrong answers

Option A is wrong because S3 Replication is used to copy objects across buckets for redundancy or compliance, not to manage retention or deletion based on time. Option B is wrong because S3 Versioning preserves multiple versions of an object and does not provide automatic deletion after a set period; it can actually increase storage costs if not combined with lifecycle rules. Option C is wrong because S3 Object Lock is designed to prevent object deletion or overwrites for a fixed retention period (compliance or governance mode), but it does not automatically delete objects after that period ends—it only prevents premature deletion, and objects remain until manually removed or a lifecycle rule is applied.

477
Multi-Selectmedium

A company is designing a new solution to host a static website with global low latency. The website content is stored in an S3 bucket. The company wants to use a custom domain name and SSL/TLS termination. Which THREE services should the company use together to meet these requirements? (Choose THREE.)

Select 3 answers
A.Amazon CloudFront with an S3 origin.
B.AWS WAF to protect the website.
C.Amazon S3 to store the website content.
D.Application Load Balancer to distribute traffic across multiple S3 buckets.
E.Amazon Route 53 to point the custom domain to CloudFront.
AnswersA, C, E

CloudFront provides global content delivery and SSL termination.

Why this answer

CloudFront can serve content from S3 globally, with custom domain and SSL. S3 is the origin. Route 53 manages DNS for the custom domain.

Option A, B, and D are correct. Option C is wrong because ALB is not needed for static content. Option E is wrong because AWS WAF is for security, not required.

478
Multi-Selecteasy

A company wants to implement a serverless data processing pipeline on AWS. The pipeline reads CSV files from Amazon S3, transforms the data, and loads it into Amazon Redshift. Which THREE AWS services should be used to build this pipeline?

Select 3 answers
A.AWS Database Migration Service (DMS)
B.Amazon EC2
C.AWS Lambda
D.AWS Glue
E.Amazon Redshift
AnswersC, D, E

Lambda can be triggered by S3 events to start the pipeline.

Why this answer

AWS Lambda is correct because it can be triggered by S3 events when a CSV file is uploaded, and it can execute lightweight data transformation logic (e.g., parsing CSV rows, filtering, or converting formats) before loading the data into Amazon Redshift. Lambda is serverless, scales automatically, and integrates natively with S3 and Redshift via the AWS SDK, making it ideal for event-driven, short-running transformations in a serverless pipeline.

Exam trap

The trap here is that candidates often confuse AWS DMS (option A) as a data loading tool for Redshift, but DMS is for database migration, not for serverless file transformation and loading from S3.

479
MCQmedium

A company is designing a new microservices application on AWS. Each microservice will be deployed as a containerized application using Amazon ECS with Fargate launch type. The company expects variable traffic patterns and needs to ensure that the application can scale automatically based on demand. Which scaling solution should be used?

A.Use Amazon EC2 Auto Scaling to add more Fargate tasks.
B.Configure Application Auto Scaling with a target tracking scaling policy based on average CPU utilization.
C.Use AWS Auto Scaling Plans with predictive scaling.
D.Manually adjust the desired count of tasks in the ECS service based on traffic analysis.
AnswerB

Application Auto Scaling with target tracking is the standard method to automatically scale ECS services based on a metric like CPU.

Why this answer

Amazon ECS with Fargate uses Application Auto Scaling to automatically adjust the desired count of tasks based on demand. A target tracking scaling policy based on average CPU utilization is the correct approach because it allows you to define a target value (e.g., 70% CPU) and Application Auto Scaling will add or remove tasks to maintain that target, matching the variable traffic patterns described.

Exam trap

The trap here is confusing EC2 Auto Scaling (which manages instances) with Application Auto Scaling (which manages ECS tasks), leading candidates to choose Option A despite Fargate being serverless and not requiring EC2 instance management.

How to eliminate wrong answers

Option A is wrong because Amazon EC2 Auto Scaling manages EC2 instances, not Fargate tasks; Fargate tasks are serverless and scaled via Application Auto Scaling, not EC2 Auto Scaling. Option C is wrong because AWS Auto Scaling Plans with predictive scaling is designed for recurring, predictable traffic patterns (e.g., based on historical data), not for variable, unpredictable traffic patterns as described in the question. Option D is wrong because manually adjusting the desired count of tasks does not meet the requirement for automatic scaling based on demand; it requires human intervention and analysis, which is not automated.

480
MCQeasy

A company is designing a new web application that will run on Amazon EC2 instances behind an Application Load Balancer. They need to offload SSL/TLS termination to reduce CPU usage on the instances. What should they do?

A.Install a self-signed certificate on each EC2 instance
B.Use a Network Load Balancer (NLB) with SSL pass-through
C.Configure the ALB with an SSL certificate
D.Use Amazon CloudFront for SSL termination
AnswerC

ALB can terminate SSL/TLS, reducing compute load on instances.

Why this answer

ALB can terminate SSL/TLS by installing a certificate on it. Option B (NLB) does not support SSL termination natively, Option C (CloudFront) is a CDN, and Option D (self-signed certificate) is less secure and not recommended for production.

481
MCQhard

A company is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database with complex queries. The team wants to decouple the database layer and allow each microservice to own its data. Which design pattern should the team implement?

A.Implement an event-driven architecture using Amazon SQS and AWS Lambda with CQRS.
B.Deploy a read replica of the database for each microservice to offload queries.
C.Use a single Amazon RDS instance with multiple schemas for each microservice.
D.Use a database-per-service pattern with each microservice having its own Amazon DynamoDB table or RDS instance.
AnswerD

Database-per-service ensures each microservice owns its data, enabling independent development and scaling.

Why this answer

Option D is correct because the database-per-service pattern ensures each microservice has its own database, promoting loose coupling and independent scaling. Option A is wrong because a shared database contradicts the goal of decoupling. Option B is wrong because an event-driven architecture with CQRS is a separate pattern for query optimization.

Option C is wrong because a read replica does not decouple the database per service.

482
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. The user is trying to download an object from the 'confidential' folder in 'my-bucket' using HTTP (not HTTPS). What will happen?

A.The request is denied because the second statement denies access from the IP range.
B.The request is denied because the first statement only allows from a specific IP range.
C.The request is denied because the second statement explicitly denies access when using HTTP.
D.The request is allowed because the first statement allows s3:GetObject.
AnswerC

The Deny statement denies all S3 actions on confidential/* when SecureTransport is false.

Why this answer

Option C is correct because the Deny statement explicitly denies s3:* actions on the confidential folder when SecureTransport is false (HTTP). Since the first statement allows GetObject for the whole bucket, but the Deny overrides (explicit deny), the request will be denied. Option A (allowed) ignores the Deny.

Option B (denied due to first statement) is wrong because first statement allows. Option D (denied due to IP condition) is wrong because the IP condition is only on the Allow statement.

483
MCQeasy

A solutions architect is designing a new serverless application using AWS Lambda for business logic, Amazon API Gateway for RESTful APIs, and Amazon DynamoDB for data storage. The application will experience unpredictable traffic spikes. What is the MOST cost-effective way to handle concurrency and scaling?

A.Use Lambda provisioned concurrency to pre-warm instances.
B.Use Lambda reserved concurrency to set a limit on concurrent executions.
C.Configure DynamoDB auto scaling to handle traffic spikes.
D.Set a usage plan in API Gateway with a throttling limit.
AnswerB

Reserved concurrency controls the maximum number of concurrent Lambda invocations, preventing excessive scaling and cost.

Why this answer

Option B is correct because Lambda reserved concurrency sets a hard limit on the number of concurrent executions for a function, preventing runaway scaling and controlling costs during unpredictable traffic spikes. It ensures that the function does not consume more concurrency than allocated, which avoids excessive DynamoDB read/write capacity usage and keeps costs predictable without needing to pre-warm instances.

Exam trap

The trap here is that candidates confuse provisioned concurrency (which reduces latency but adds cost) with reserved concurrency (which controls scaling and cost), or they mistakenly think DynamoDB auto scaling or API Gateway throttling directly manages Lambda concurrency.

How to eliminate wrong answers

Option A is wrong because provisioned concurrency pre-warms a fixed number of instances to reduce cold starts, but it incurs additional costs even when idle and does not control scaling or concurrency limits during spikes—it is not cost-effective for unpredictable traffic. Option C is wrong because DynamoDB auto scaling adjusts read/write capacity based on actual traffic, but it does not directly handle Lambda concurrency or scaling; it only manages the database side and can still lead to high costs if Lambda invocations spike. Option D is wrong because a usage plan in API Gateway throttles requests at the API level, but it does not control Lambda concurrency or scaling; it may reject valid requests rather than managing cost-efficient concurrency.

484
MCQhard

A company is designing a real-time analytics platform that ingests data from thousands of IoT devices. Each device sends a JSON payload every second. The company needs to store the raw data for a month and then aggregate it into hourly summaries for long-term storage. The solution must be serverless and cost-effective. Which combination of AWS services should the company use?

A.Amazon Kinesis Data Streams to ingest data, AWS Lambda to transform and aggregate, Amazon S3 for storage.
B.Amazon Kinesis Data Streams to ingest data, Amazon Kinesis Data Analytics to aggregate in real-time, Amazon Kinesis Data Firehose to deliver aggregated data to S3, and an S3 Lifecycle policy to expire raw data after 30 days.
C.Amazon Kinesis Data Streams to ingest data, Amazon Kinesis Data Firehose to deliver to S3, and Amazon Athena to query raw data.
D.Amazon SQS to ingest data, AWS Lambda to process and aggregate, Amazon DynamoDB for raw data, S3 for summaries.
AnswerB

This design uses serverless services for real-time ingestion, aggregation, and cost-effective storage.

Why this answer

Option D is correct because Kinesis Data Streams ingests real-time data, Kinesis Data Analytics performs real-time aggregation, and Firehose delivers to S3. Option A uses Lambda for aggregation, which is not ideal for streaming aggregations. Option B uses SQS, which is not designed for real-time streaming.

Option C misses the real-time aggregation step.

485
MCQhard

A company is migrating a monolithic application to microservices on Amazon ECS with Fargate. The application has variable traffic patterns, with high traffic during business hours and low traffic at night. They want to optimize costs while maintaining performance. Which scaling strategy should they implement?

A.Use target tracking scaling with a schedule to increase minimum capacity during business hours.
B.Use step scaling policies based on memory utilization.
C.Use scheduled scaling to increase capacity during business hours.
D.Use simple scaling policies based on CPU utilization.
AnswerA

This combination handles both patterns.

Why this answer

Option A is correct because combining target tracking scaling with a scheduled action allows the application to dynamically adjust capacity based on actual demand while ensuring a higher baseline during peak business hours. This hybrid approach optimizes costs by scaling down at night and maintains performance by preventing cold starts or lag during traffic spikes, which is ideal for variable patterns on ECS Fargate.

Exam trap

The trap here is that candidates often choose scheduled scaling alone (Option C) thinking it directly handles variable traffic, but they miss that it cannot react to unexpected spikes or lulls within the scheduled window, whereas target tracking with a schedule provides both proactive and reactive scaling.

How to eliminate wrong answers

Option B is wrong because step scaling policies based on memory utilization are less responsive to traffic-driven CPU spikes and can cause thrashing if memory is not the bottleneck; they also lack the predictive baseline needed for variable patterns. Option C is wrong because scheduled scaling alone cannot adapt to real-time fluctuations within business hours, leading to either over-provisioning or under-provisioning if traffic deviates from the schedule. Option D is wrong because simple scaling policies are deprecated in AWS and lack the cooldown and metric stabilization features of target tracking, making them prone to oscillation and inefficient for variable traffic.

486
MCQmedium

A company is designing a new microservices architecture on AWS. They need to ensure that services can communicate asynchronously without tight coupling. Which AWS service should they use to decouple the services while providing durable message storage?

A.Amazon SNS
B.Amazon EventBridge
C.Amazon Kinesis Data Streams
D.Amazon SQS
AnswerD

SQS provides a fully managed message queue that decouples microservices with durable, scalable message storage.

Why this answer

Amazon SQS (Simple Queue Service) is the correct choice because it provides a fully managed message queue that enables asynchronous communication between microservices, decoupling them so that producers and consumers operate independently. SQS offers durable message storage by persisting messages across multiple Availability Zones, ensuring messages are not lost even if a consumer fails. This aligns with the requirement for loose coupling and reliable message delivery.

Exam trap

The trap here is that candidates often confuse Amazon SNS (pub/sub) with SQS (queue), overlooking that SNS does not provide durable message storage or consumer-driven polling, which are essential for decoupled asynchronous communication.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers, but it does not provide durable message storage; messages are not persisted if a subscriber is unavailable, and it lacks the queue-based decoupling needed for asynchronous microservices. Option B is wrong because Amazon EventBridge is a serverless event bus for routing events between services, but it does not offer durable message storage; events are not retained after delivery, and it is designed for event-driven architectures rather than persistent queueing. Option C is wrong because Amazon Kinesis Data Streams is designed for real-time streaming of large data volumes with a focus on ordered processing and replay, not for simple asynchronous decoupling with durable message storage; it requires consumers to manage checkpoints and does not provide the same at-least-once delivery semantics as SQS.

487
MCQmedium

A company is designing a serverless application using AWS Lambda. The application needs to store and retrieve JSON documents. The company wants the lowest cost for infrequent access. Which data store should be used?

A.Amazon RDS for MySQL
B.Amazon S3 Standard
C.Amazon ElastiCache for Redis
D.Amazon DynamoDB (on-demand)
AnswerD

DynamoDB with on-demand capacity is serverless and cost-effective for infrequent access.

Why this answer

Option D is correct because Amazon DynamoDB with on-demand capacity is serverless and cost-effective for infrequent access. Option A is wrong because S3 Standard is not ideal for small JSON documents and has higher cost for frequent updates. Option B is wrong because RDS is relational and not serverless.

Option C is wrong because ElastiCache is a cache, not a durable store.

488
MCQmedium

A company is designing a new data lake on AWS using Amazon S3. The data will be ingested from various sources, including IoT devices, application logs, and streaming data. The data must be processed in near real-time as it arrives. Which combination of services should be used for ingestion and processing?

A.Amazon S3 Transfer Acceleration and AWS Lambda
B.Amazon Kinesis Data Firehose and Amazon Kinesis Data Analytics
C.Amazon Athena and Amazon S3
D.AWS Glue and Amazon Redshift
AnswerB

Kinesis Data Firehose can ingest streaming data and deliver it to S3 for the data lake. Kinesis Data Analytics can process the data in near real-time.

Why this answer

Option B is correct because Amazon Kinesis Data Firehose can ingest streaming data and deliver it to S3, and Kinesis Data Analytics can process the data in near real-time. Option A is wrong because S3 Transfer Acceleration is for uploading to S3, not for streaming. Option C is wrong because AWS Glue is a batch ETL service, not real-time.

Option D is wrong because Amazon Athena is an interactive query service, not for ingestion.

489
MCQeasy

A company wants to deploy a containerized web application on AWS. They need to manage container orchestration, automatic scaling, and service discovery. Which AWS service should they use?

A.Amazon Lightsail
B.Amazon Elastic Container Service (ECS)
C.Amazon Elastic Kubernetes Service (EKS)
D.AWS Elastic Beanstalk
AnswerB

ECS provides orchestration, auto scaling, and service discovery.

Why this answer

Option B is correct because Amazon ECS provides container orchestration, auto scaling, and service discovery. Option A (EKS) also does but is Kubernetes-based, more complex. Option C (Lightsail) is for simple projects.

Option D (Beanstalk) is for PaaS, not container-native.

490
MCQhard

A CloudFormation stack creation failed with the status shown in the exhibit. The stack was created using a template that defines an EC2 instance, a security group, and an Elastic IP address. What is the MOST likely cause of the failure?

A.The AWS account has reached the Elastic IP address limit.
B.The security group rule is invalid.
C.The EC2 instance failed to associate with the Elastic IP.
D.The EC2 instance type is not supported in the region.
AnswerA

The error message explicitly states the maximum number of addresses has been reached.

Why this answer

The reason for the EIP creation failure is 'The maximum number of addresses has been reached', indicating the AWS account has reached the limit of Elastic IP addresses. Option D is correct. Option A is wrong because the EC2 instance was created successfully.

Option B is wrong because the security group was created successfully. Option C is wrong because the EIP resource failed, not the instance.

491
MCQeasy

A company wants to deploy a containerized application on AWS. The application requires persistent storage that can be shared across multiple containers running on different EC2 instances. Which AWS service should be used?

A.EC2 Instance Store
B.Amazon EFS
C.Amazon S3
D.Amazon EBS
AnswerB

EFS provides a shared file system for multiple instances.

Why this answer

Option D is correct. Amazon EFS provides a shared file system that can be mounted by multiple EC2 instances. Option A is wrong because EBS volumes can only be attached to one instance at a time.

Option B is wrong because S3 is object storage, not a file system. Option C is wrong because Instance Store is ephemeral.

492
Drag & Dropmedium

Drag and drop the steps to set up a cross-region VPC peering connection in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First initiate, then accept, then add routes, then update security groups, and finally network ACLs.

493
MCQmedium

A company is designing a new microservices architecture on AWS. Each service must be independently deployable and scale based on demand. The company wants to minimize operational overhead for container orchestration. Which AWS service should the company use?

A.Amazon Elastic Kubernetes Service (EKS)
B.Amazon EC2 with Auto Scaling
C.Amazon Elastic Container Service (ECS) with AWS Fargate
D.AWS Lambda
AnswerC

ECS with Fargate is serverless and reduces operational overhead for container orchestration.

Why this answer

Option D is correct because Amazon ECS with Fargate is a fully managed container orchestration service that reduces operational overhead. Option A is wrong because EC2 requires manual management of instances. Option B is wrong because Lambda is for serverless functions, not container orchestration.

Option C is wrong because EKS requires managing the Kubernetes control plane.

494
Multi-Selecthard

A company is designing a new serverless application using AWS Lambda. The application must be invoked by an Amazon S3 bucket event. The company wants to ensure that the Lambda function has the necessary permissions to be invoked. Which THREE steps are required?

Select 3 answers
A.Add a resource-based policy to the Lambda function that grants S3 permission to invoke it.
B.Configure an S3 bucket notification event to send events to the Lambda function.
C.Attach an IAM role to the S3 bucket that allows it to invoke Lambda functions.
D.Create an event source mapping in Lambda for the S3 bucket.
E.Create an IAM role for the Lambda function with permissions to read from the S3 bucket.
AnswersA, B, E

A resource-based policy (function policy) allows S3 to invoke the Lambda function.

Why this answer

Options A, B, and D are correct. A resource-based policy on the Lambda function allows S3 to invoke it. An S3 bucket notification configuration triggers the Lambda.

IAM permissions on the S3 bucket are not required for invocation; the resource-based policy is. Option E is wrong because the event source mapping is not needed for S3.

495
Multi-Selectmedium

A company is designing a new application on AWS that requires a highly available and scalable web tier. The web servers must be stateless and scale automatically based on CPU utilization. Which TWO actions should the company take to meet these requirements?

Select 2 answers
A.Configure an Auto Scaling group with a launch template that includes a user data script to bootstrap the web server
B.Attach the Auto Scaling group to an Application Load Balancer
C.Configure lifecycle hooks in the Auto Scaling group to drain connections
D.Use a single large EC2 instance (e.g., c5n.18xlarge) to handle all traffic
E.Use a Network Load Balancer to distribute traffic to web servers
AnswersA, B

Auto Scaling group provides automatic scaling and high availability.

Why this answer

Option A is correct because a launch template with user data allows the Auto Scaling group to bootstrap web server software automatically when new instances launch, ensuring they are stateless and ready to serve traffic. Option B is correct because attaching an Application Load Balancer (ALB) distributes incoming traffic across the Auto Scaling group's instances, enabling horizontal scaling and high availability. Together, these actions support stateless web servers that scale based on CPU utilization via Auto Scaling policies.

Exam trap

The trap here is that candidates may confuse lifecycle hooks (Option C) as necessary for scaling or connection draining, when in fact the ALB handles connection draining automatically, and lifecycle hooks are an optional feature for custom workflows like patching or logging.

496
MCQhard

A solutions architect is designing a new serverless application using AWS Lambda to process orders from an API Gateway endpoint and store them in DynamoDB. The architect creates the IAM role shown in the exhibit. When testing, the Lambda function fails to write to DynamoDB with an AccessDeniedException. What is the MOST likely cause?

A.The Lambda function does not have permission to create log groups.
B.The Lambda function is not in the same VPC as DynamoDB.
C.The DynamoDB table 'Orders' does not exist.
D.The IAM role lacks a trust policy that allows Lambda to assume it.
AnswerD

The exhibit shows only permission policies; the trust policy is missing.

Why this answer

The IAM role shown in the exhibit likely includes a permissions policy that grants DynamoDB write access, but it is missing a trust policy that allows the Lambda service (lambda.amazonaws.com) to assume the role. Without this trust relationship, Lambda cannot obtain temporary credentials to execute the function, resulting in an AccessDeniedException when attempting to write to DynamoDB.

Exam trap

The trap here is that candidates often focus on the permissions policy (e.g., DynamoDB actions) and overlook the trust policy, assuming any IAM role can be used by Lambda, but AWS requires an explicit trust relationship for service-to-service role assumption.

How to eliminate wrong answers

Option A is wrong because Lambda automatically creates log groups via the AWSLambdaBasicExecutionRole managed policy if the function has logs:CreateLogGroup permission; a missing log group permission would cause a different error (e.g., 'Unable to write to CloudWatch Logs'), not an AccessDeniedException on DynamoDB writes. Option B is wrong because Lambda functions do not need to be in the same VPC as DynamoDB; DynamoDB is a fully managed service accessible over the public internet or via VPC endpoints, and VPC placement does not affect IAM authorization. Option C is wrong because if the table 'Orders' did not exist, the error would be a ResourceNotFoundException, not an AccessDeniedException.

497
Multi-Selecthard

A company is designing a new multi-tier web application on AWS. The application uses an Auto Scaling group of EC2 instances for the web tier and an Amazon RDS for PostgreSQL DB instance for the database. To improve security, the company wants to ensure that the web tier instances can connect to the database only through a specific port and that the database is not accessible from the internet. Which steps should the company take? (Choose THREE.)

Select 3 answers
A.Launch the database instance in a public subnet.
B.Configure the database security group to allow inbound traffic on port 5432 from the web tier security group.
C.Store database credentials in AWS Systems Manager Parameter Store.
D.Launch the web tier instances in a private subnet.
E.Set the 'Publicly accessible' option of the RDS instance to 'No'.
AnswersB, D, E

Security group rules restrict traffic to only the web tier.

Why this answer

Options A, B, and D are correct. Placing web tier instances in a private subnet (A) ensures they are not internet-facing. Using a security group for the database that allows inbound traffic only from the web tier security group (B) restricts access.

Enabling the 'publicly accessible' flag to 'No' (D) ensures no public endpoint. Option C is wrong because placing the database in a public subnet would expose it. Option E is wrong because storing secrets in Parameter Store is for credentials, not network access.

498
Multi-Selecthard

A company is designing a new data lake on Amazon S3. The data must be encrypted at rest using envelope encryption with AWS KMS. The company wants to use an AWS managed key that rotates annually. Which THREE components are required for this design? (Choose THREE.)

Select 3 answers
A.AWS KMS data key
B.AWS KMS customer managed key
C.AWS Certificate Manager
D.AWS CloudHSM
E.Amazon S3 bucket with SSE-KMS enabled
AnswersA, B, E

Used to encrypt the actual data.

Why this answer

KMS key, data key, and S3 are required for envelope encryption.

499
MCQeasy

A company wants to automate the deployment of a three-tier web application on AWS. The deployment should include the network, security groups, EC2 instances, and an Application Load Balancer. Which AWS service should they use?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS CodeDeploy
D.AWS OpsWorks
AnswerB

CloudFormation provisions infrastructure as code, including network, EC2, and ALB.

Why this answer

Option A is correct because AWS CloudFormation allows infrastructure as code to deploy all resources. Option B is incorrect because AWS Elastic Beanstalk abstracts infrastructure but doesn't give full control. Option C is incorrect because AWS CodeDeploy deploys application code, not infrastructure.

Option D is incorrect because AWS OpsWorks is configuration management, not infrastructure provisioning.

500
MCQmedium

A company is designing a new application that will process sensitive financial data. The data must be encrypted at rest and in transit. The application runs on EC2 instances. Which combination of services meets these requirements?

A.Use Amazon S3 with server-side encryption and enforce HTTPS.
B.Use AWS Key Management Service (KMS) to generate keys and enable encryption on EBS volumes.
C.Use AWS Certificate Manager (ACM) to issue TLS certificates and configure the application to use HTTPS.
D.Enable EBS encryption on the volumes and configure the application to use TLS for all network traffic.
AnswerD

EBS encryption provides at-rest encryption; TLS provides in-transit encryption.

Why this answer

Option D is correct because EBS encryption provides at-rest encryption, and TLS provides in-transit encryption. Option A is wrong because S3 is not used for EC2 volumes. Option B is wrong because KMS alone does not encrypt data.

Option C is wrong because ACM manages certificates, not encryption.

501
MCQmedium

A company is designing a microservices architecture using Amazon ECS with Fargate. Each microservice needs to communicate with others via REST APIs. The company wants to ensure that communication is encrypted in transit and that services can discover each other using DNS names. Which set of actions should the company take?

A.Enable ECS Service Connect on each service, and use the service discovery names provided by Service Connect.
B.Create a namespace in AWS Cloud Map, register each service, and configure service-to-service communication using the namespace.
C.Place a Network Load Balancer in front of each service and use the NLB DNS name for communication.
D.Place an Application Load Balancer in front of each service and use the ALB DNS name for communication.
AnswerA

Service Connect provides DNS and encryption out-of-the-box.

Why this answer

Option A is correct because ECS Service Connect provides DNS-based service discovery and automatic encryption via TLS. Option B uses Cloud Map but does not enforce encryption. Option C uses ALB which adds complexity and cost.

Option D uses NLB unnecessarily.

502
Multi-Selectmedium

A company is designing a disaster recovery architecture for a critical application. The primary region runs on Amazon EC2 with an RDS database. The recovery time objective (RTO) is 15 minutes, and recovery point objective (RPO) is 1 minute. Which TWO steps should be taken to meet these objectives?

Select 2 answers
A.Configure RDS Multi-AZ in the primary region.
B.Deploy an Amazon Aurora Global Database with a secondary region.
C.Pre-warm a standby EC2 instance in the DR region.
D.Take hourly snapshots of RDS and copy them to the DR region.
E.Use Amazon S3 Cross-Region Replication for application data.
AnswersA, B

Multi-AZ provides automatic failover with low RTO.

Why this answer

Options A and C are correct. A Multi-AZ RDS instance with synchronous replication provides an RPO of seconds and can failover quickly. An Aurora Global Database with a secondary region also provides low RPO and RTO.

Option B is wrong because cross-region snapshot restore takes longer than 15 minutes. Option D is wrong because RTO would be too high. Option E is wrong because RTO includes database failover.

503
MCQmedium

A company is designing a multi-region active-active application using Amazon DynamoDB. They need to ensure low-latency reads and writes globally. Which DynamoDB feature should they use?

A.Auto Scaling
B.DynamoDB Accelerator (DAX)
C.DynamoDB Streams
D.Global Tables
AnswerD

Global Tables replicate data across regions for low-latency access.

Why this answer

DynamoDB Global Tables provide a fully managed, multi-region, multi-active database. Option B (DAX) is a caching layer, Option C (Auto Scaling) adjusts throughput, and Option D (Streams) captures changes.

504
MCQeasy

A company is designing a new web application that will be accessed by users globally. The application uses Amazon CloudFront as a CDN and stores static content in Amazon S3. The dynamic content is served from EC2 instances in a single AWS Region. Which of the following will improve performance for users in distant regions with the LEAST operational effort?

A.Deploy EC2 instances in multiple AWS Regions and use Route 53 latency-based routing.
B.Use AWS Global Accelerator to route traffic to the EC2 instances via the AWS global network.
C.Move the dynamic content to Lambda@Edge functions running at CloudFront edge locations.
D.Add an Amazon ElastiCache cluster in front of the EC2 instances to cache dynamic responses.
AnswerB

Global Accelerator uses the AWS network to route traffic from edge locations to the nearest healthy endpoint, reducing latency and jitter.

Why this answer

Option A is correct because AWS Global Accelerator improves performance by routing traffic over the AWS global network to the optimal endpoint. Option B is wrong because Lambda@Edge runs at edge locations but is for lightweight compute, not for dynamic content hosting. Option C is wrong because multi-Region deployment adds significant operational complexity.

Option D is wrong because ElastiCache caches data but does not reduce network latency for distant users.

505
MCQmedium

A company is designing a new application that will run on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application requires that users' session data be stored durably and with low latency. The session data is accessed frequently but is rarely updated. Which solution is MOST cost-effective?

A.Use ElastiCache for Redis with replication.
B.Store session data in Amazon S3 with reduced redundancy.
C.Use DynamoDB with on-demand capacity.
D.Use ElastiCache for Memcached with multiple nodes.
AnswerA

Redis provides low latency and durability via replication, suitable for session storage.

Why this answer

ElastiCache for Redis is a fast, in-memory data store suitable for session management. It provides low latency and durability via replication, and is more cost-effective than DynamoDB for this use case because DynamoDB is optimized for heavy read/write workloads and has higher cost per request. Option A is correct.

Option B is incorrect because ElastiCache for Memcached is not durable. Option C is incorrect because DynamoDB is over-provisioned for this scenario. Option D is incorrect because S3 is too slow for session data.

506
MCQmedium

A company is designing a data lake on AWS using Amazon S3 as the storage layer. The data includes sensitive customer information that must be encrypted at rest. The company also needs to regularly rotate the encryption keys. Which solution meets these requirements with the least operational overhead?

A.Use server-side encryption with S3 managed keys (SSE-S3) and enable S3 bucket key rotation.
B.Implement client-side encryption using the AWS Encryption SDK and store keys in AWS Secrets Manager.
C.Use server-side encryption with AWS KMS (SSE-KMS) and enable automatic key rotation in KMS.
D.Use server-side encryption with customer-provided keys (SSE-C) and rotate keys manually.
AnswerC

SSE-KMS with automatic rotation meets encryption and rotation needs with low overhead.

Why this answer

SSE-KMS with automatic key rotation provides encryption at rest with automated key rotation, minimizing operational overhead. Option A (SSE-S3) does not support key rotation. Option C (client-side encryption) requires managing keys.

Option D (SSE-C) requires managing keys.

507
MCQeasy

A company wants to decouple a frontend API from backend processing to improve scalability and fault tolerance. The frontend sends requests that can be processed asynchronously. Which AWS service should be used to decouple the components?

A.Amazon Simple Notification Service (SNS)
B.Amazon Simple Queue Service (SQS)
C.Amazon Kinesis Data Streams
D.AWS Step Functions
AnswerB

SQS is a message queue that decouples components.

Why this answer

Amazon Simple Queue Service (SQS) is the correct choice because it provides a fully managed message queue that decouples the frontend API from backend processing. The frontend can send requests to an SQS queue, and backend consumers can poll and process messages asynchronously, which improves scalability by buffering traffic spikes and enhances fault tolerance by persisting messages until they are successfully processed.

Exam trap

The trap here is that candidates often confuse SNS (push-based notification) with SQS (pull-based queue) for decoupling, but SNS does not provide the durable, asynchronous message buffer required for decoupling frontend and backend processing.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub messaging service that pushes messages to subscribers (e.g., HTTP endpoints, Lambda, SQS) but does not provide a durable buffer for asynchronous decoupling; it is designed for fan-out notifications, not for queuing where consumers pull messages at their own pace. Option C is wrong because Amazon Kinesis Data Streams is optimized for real-time streaming of large-scale data (e.g., clickstreams, logs) with ordered records and replay capabilities, not for simple request/response decoupling where each message is processed independently by a single consumer. Option D is wrong because AWS Step Functions is a serverless orchestration service for coordinating multiple AWS services into workflows, not a message queue; it does not inherently decouple frontend from backend via asynchronous message buffering.

508
MCQhard

A company is designing a new application that will use Amazon RDS for PostgreSQL. They need to implement read replicas to offload read traffic. However, they are concerned about replication lag affecting read consistency. Which action would minimize replication lag?

A.Increase the allocated storage on the primary instance
B.Use an encrypted connection between the primary and replica
C.Enable Multi-AZ on the primary instance
D.Use instance types with higher network performance
AnswerD

Higher network performance reduces replication lag.

Why this answer

Using db.r5.large instance types with higher network bandwidth reduces replication lag. Option B (Multi-AZ) is for high availability, not read replicas. Option C (increasing storage) does not directly affect lag.

Option D (using encrypted endpoints) does not impact lag.

509
Multi-Selecthard

A company is designing a new containerized application on Amazon EKS. The application must be able to access secrets (e.g., database credentials) securely. The company requires that secrets be automatically rotated and audited. Which THREE actions should the company take to meet these requirements?

Select 3 answers
A.Mount the Secrets Store CSI Driver volume directly to the pod without using ASCP
B.Use IAM roles for service accounts (IRSA) to grant pods access to Secrets Manager
C.Store secrets in AWS Secrets Manager and enable automatic rotation
D.Use the AWS Secrets and Configuration Provider (ASCP) for the Secrets Store CSI Driver to inject secrets into pods
E.Store secrets in Kubernetes Secrets and use a ConfigMap to reference them
AnswersB, C, D

IRSA provides fine-grained permissions for pods.

Why this answer

Option B is correct because IAM Roles for Service Accounts (IRSA) allows pods in Amazon EKS to assume an IAM role with fine-grained permissions, enabling secure access to AWS Secrets Manager without embedding long-term credentials. This approach integrates with AWS IAM to provide temporary credentials via OIDC federation, ensuring that only authorized pods can retrieve secrets.

Exam trap

The trap here is that candidates may think mounting the CSI driver without ASCP (Option A) is sufficient, but ASCP is the critical component that bridges the CSI driver to AWS Secrets Manager, and without it, the driver cannot retrieve secrets from AWS.

510
Multi-Selectmedium

A company is designing a new batch processing system that processes large files from Amazon S3. The processing is CPU-intensive and can take up to 2 hours per file. The company wants to minimize cost and avoid idle compute capacity. Which THREE components should the architect include? (Choose THREE.)

Select 3 answers
A.EC2 Spot Instances to reduce compute costs.
B.AWS Lambda functions to process each file.
C.AWS Batch with a job queue and compute environment.
D.Amazon S3 Event Notifications to trigger the batch job when a new file is uploaded.
E.Auto Scaling group with scheduled scaling policies.
AnswersA, C, D

Spot Instances are cost-effective for fault-tolerant batch jobs.

Why this answer

AWS Batch (option A) manages job scheduling and scaling. Spot Instances (option C) reduce cost. S3 Event Notifications (option D) trigger jobs when files arrive.

Option B (Auto Scaling) is less efficient. Option E (Lambda) has a 15-minute limit.

511
MCQhard

A company needs to provide temporary credentials for users to access an S3 bucket for exactly 1 hour. The solution must not require any custom code or user management. Which AWS service should be used?

A.Amazon Cognito identity pools
B.An IAM role with a trust policy
C.S3 pre-signed URLs
D.AWS STS
AnswerD

STS generates temporary credentials with a specified duration.

Why this answer

Option A is correct because AWS STS (Security Token Service) issues temporary credentials with configurable expiration. Option B is wrong because IAM roles are not directly assigned to users. Option C is wrong because Cognito is for user pools.

Option D is wrong because S3 pre-signed URLs are for objects, not bucket-level access.

512
Multi-Selectmedium

A company is designing a new system to ingest and process real-time streaming data from thousands of IoT devices. The system must be able to handle variable throughput and provide durable storage for the data. The data will be processed by a Lambda function and then stored in Amazon S3. Which two services should be used together to build this ingestion pipeline?

Select 2 answers
A.AWS Lambda
B.Amazon Kinesis Data Firehose
C.Amazon Simple Queue Service (SQS)
D.Amazon Kinesis Data Streams
E.Amazon Simple Notification Service (SNS)
AnswersA, D

Can process records from Kinesis Data Streams in near real-time.

Why this answer

Amazon Kinesis Data Streams provides durable, scalable ingestion, and AWS Lambda can process the data in real time. Option A and C are correct. Option B is wrong because Kinesis Data Firehose is used for loading data into destinations, not for real-time processing with Lambda (though it can invoke Lambda, but Data Streams is better for real-time).

Option D is wrong because SQS is for message queues, not streaming. Option E is wrong because SNS is for pub/sub notifications.

513
MCQmedium

A company is designing a data lake solution on Amazon S3. Data is ingested from multiple sources and stored in a raw bucket. The data must be processed and transformed before being moved to a curated bucket. The processing logic is complex and includes conditional transformations. Which service should be used to orchestrate the transformation pipeline?

A.AWS Data Pipeline
B.AWS Step Functions
C.AWS Lambda functions
D.AWS Glue ETL jobs
AnswerB

Step Functions can orchestrate complex workflows with conditional branching.

Why this answer

AWS Step Functions is the correct choice because it is designed to orchestrate complex, multi-step workflows with conditional branching, retries, and error handling. It can coordinate AWS Lambda functions, AWS Glue jobs, and other services to process and transform data from a raw S3 bucket to a curated bucket, making it ideal for a transformation pipeline with complex logic.

Exam trap

The trap here is that candidates often confuse AWS Glue ETL jobs as an orchestration tool because it can transform data, but Glue is a processing engine, not a workflow orchestrator; Step Functions is the correct service for coordinating complex, conditional pipelines.

How to eliminate wrong answers

Option A is wrong because AWS Data Pipeline is a legacy service for moving data between sources and destinations, but it lacks native support for complex conditional transformations and is not as flexible as Step Functions for orchestrating custom processing logic. Option C is wrong because AWS Lambda functions are stateless and have a maximum execution timeout of 15 minutes, making them unsuitable for orchestrating long-running or multi-step transformation pipelines; they are better suited for individual processing tasks within the workflow. Option D is wrong because AWS Glue ETL jobs are designed for batch data transformation using Apache Spark, but they are not an orchestration service; they would be a component orchestrated by Step Functions, not the orchestrator itself.

514
MCQhard

A company is migrating a legacy on-premises application to AWS. The application requires a shared file system that can be mounted by multiple EC2 instances concurrently, with strong consistency and low-latency access. Which AWS storage solution should be used?

A.AWS Storage Gateway File Gateway
B.Amazon EFS
C.Amazon EBS with multi-attach enabled
D.Amazon S3
AnswerB

EFS provides a fully managed, scalable NFS file system that can be mounted by many instances with strong consistency.

Why this answer

Option B is correct because Amazon EFS provides a fully managed NFS file system that can be mounted by multiple EC2 instances concurrently with strong consistency. Option A is wrong because EBS volumes can only be attached to one instance at a time. Option C is wrong because S3 is object storage, not a file system.

Option D is wrong because Storage Gateway file gateway provides file access to S3 but adds latency and consistency trade-offs.

← PreviousPage 7 of 7 · 514 questions total

Ready to test yourself?

Try a timed practice session using only Design for New Solutions questions.