CCNA Continuous Improvement Questions

75 of 428 questions · Page 2/6 · Continuous Improvement topic · Answers revealed

76
Multi-Selectmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The application experiences a sudden spike in traffic. The operations team notices that the Auto Scaling group is not scaling out quickly enough. Which TWO actions should the team take to improve the scaling responsiveness?

Select 2 answers
A.Increase the instance size to handle more traffic per instance.
B.Switch from a step scaling policy to a target tracking scaling policy based on CPU utilization.
C.Increase the health check grace period for the Auto Scaling group.
D.Decrease the cooldown period for the Auto Scaling group.
E.Decrease the minimum number of instances in the Auto Scaling group.
AnswersB, D

Target tracking provides more responsive scaling than step scaling.

Why this answer

Options A and C are correct. A buffer-based scaling policy (target tracking) is more responsive than step scaling. Decreasing the cooldown period allows faster scaling out.

B is wrong because increasing instance size does not improve scaling responsiveness. D is wrong because decreasing minimum size could worsen performance. E is wrong because increasing cooldown slows down scaling.

77
MCQhard

A company uses Amazon API Gateway with a Lambda authorizer to control access to its APIs. Recently, some requests are returning 401 Unauthorized errors even though the tokens are valid. The Lambda authorizer logs show that the function is invoked and returns an IAM policy. What is the MOST likely cause?

A.The Lambda function is returning a malformed IAM policy.
B.The token has expired.
C.The Lambda authorizer is not being invoked due to throttling.
D.The authorizer result is cached, and a previous invalid token caused a deny policy to be cached.
AnswerD

Cached deny responses cause subsequent valid tokens to be rejected.

Why this answer

Option B is correct because API Gateway caches authorizer responses; if the cache is enabled and the token is cached with a deny, subsequent requests with the same token will fail. Option A is wrong because the authorizer is being invoked. Option C is wrong because token expiration would cause a different error.

Option D is wrong because the Lambda function returns a policy.

78
MCQeasy

A company is using Amazon ECS with Fargate launch type for a microservices application. The application experiences intermittent latency spikes. CloudWatch metrics show high CPU utilization but no obvious pattern. What should the company do to identify the cause?

A.Increase the CPU and memory for all ECS tasks.
B.Enable AWS X-Ray tracing on the ECS tasks to trace requests across microservices.
C.Set up CloudWatch Synthetics canaries to monitor the endpoints.
D.Use CloudWatch Logs Insights to analyze application logs for errors.
AnswerB

Identifies latency sources.

Why this answer

Option A is correct because AWS X-Ray provides distributed tracing to pinpoint performance bottlenecks. Option B is wrong because CloudWatch Logs Insights is for querying logs, not tracing. Option C is wrong because increasing task size is a reactive fix.

Option D is wrong because CloudWatch Synthetics monitors endpoints, not internal traces.

79
MCQhard

A company runs a web application on EC2 instances behind an Application Load Balancer. The application stores session state in an Amazon ElastiCache Redis cluster. During a traffic spike, the Redis cluster's CPU utilization reaches 90%, causing increased latency. The company wants to reduce the load on Redis without changing the application code. Which solution should the company implement?

A.Enable cluster mode on the ElastiCache Redis cluster to distribute data across multiple shards.
B.Use Amazon ElastiCache Global Datastore to distribute traffic across regions.
C.Add read replicas to the Redis cluster to offload read traffic.
D.Upgrade to a larger Redis node type with more vCPUs.
AnswerA

Cluster mode partitions data across shards, reducing CPU utilization per shard.

Why this answer

Option A is correct because enabling ElastiCache for Redis cluster mode allows data to be distributed across multiple shards, reducing CPU load per node. Option B is wrong because read replicas are for read-heavy workloads, not for reducing CPU load on the primary. Option C is wrong because a larger node type may help but is less cost-effective than sharding.

Option D is wrong because ElastiCache does not support Lambda extensions.

80
Multi-Selecthard

A company uses AWS Organizations to manage multiple accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted at rest. Currently, some buckets are not encrypted. Which THREE steps should the team take to enforce encryption? (Select THREE.)

Select 3 answers
A.Apply an S3 bucket policy on each bucket that denies PutObject without encryption.
B.Create an SCP that denies PutBucketAcl or PutBucketPolicy actions if the bucket does not have encryption enabled.
C.Use AWS CloudTrail to monitor S3 API calls and alert on unencrypted bucket creation.
D.Enable AWS Config managed rule s3-bucket-server-side-encryption-enabled to detect non-compliant buckets.
E.Enable default encryption on all S3 buckets using the AWS S3 console or API.
AnswersB, D, E

SCPs can restrict actions that create unencrypted buckets.

Why this answer

Option A is correct because a service control policy can prevent creating unencrypted buckets. Option C is correct because AWS Config rules can detect non-compliant buckets. Option D is correct because S3 default encryption ensures new objects are encrypted.

Option B is wrong because S3 bucket policies enforce encryption at upload time, not after creation. Option E is wrong because CloudTrail logs events but does not enforce encryption.

81
MCQeasy

A company runs a containerized microservices application on Amazon ECS with Fargate launch type. The application consists of a frontend service and a backend service. The backend service is CPU-intensive and experiences high load during business hours. The operations team observes that the frontend service sometimes returns 503 errors during peak load. The team has already configured an ECS service auto scaling policy for the backend service based on average CPU utilization with a target value of 70%. The backend service is currently running 4 tasks, and the frontend is running 2 tasks. The errors seem to correlate with the backend scaling up. Which solution should the team implement to improve the application's performance and reduce errors?

A.Update the backend service auto scaling policy to use a combination of CPU and memory utilization metrics with a step scaling policy, and increase the cooldown period to allow tasks to stabilize before additional scaling actions.
B.Reduce the target CPU utilization for the backend auto scaling policy from 70% to 50% to trigger scaling earlier and keep CPU lower.
C.Change the backend service from Fargate to EC2 launch type and use larger instance types to provide more CPU capacity.
D.Increase the desired count of the frontend service to 4 tasks to handle more requests and reduce the load on the backend service.
AnswerA

Multiple metrics and step scaling with proper cooldown prevent premature scaling and handle spikes better.

Why this answer

Option A is correct because the 503 errors during backend scale-up are likely caused by the backend tasks not being fully ready to handle traffic immediately after launch. By using a combination of CPU and memory utilization metrics with a step scaling policy, the team can make scaling decisions more responsive to actual load patterns. Increasing the cooldown period prevents additional scaling actions from being triggered prematurely, giving new tasks time to stabilize and reducing the window where the backend is overwhelmed, which in turn reduces frontend timeouts.

Exam trap

The trap here is that candidates often assume the solution is to scale earlier (Option B) or add more frontend capacity (Option D), when the real issue is the instability during the scaling event itself, which is addressed by stabilizing the scaling process with step policies and cooldowns.

How to eliminate wrong answers

Option B is wrong because simply reducing the target CPU utilization to 50% would cause the backend to scale up even more aggressively, potentially increasing the frequency of 503 errors during the scaling event itself, without addressing the root cause of instability during scale-up. Option C is wrong because switching to EC2 launch type and larger instances does not solve the transient overload during scaling; it only changes the underlying compute platform, and the same scaling instability would persist. Option D is wrong because increasing the frontend desired count does not reduce the load on the backend; it would only distribute incoming requests across more frontend tasks, but the backend would still be the bottleneck and could continue to return errors when it cannot keep up.

82
MCQmedium

A company is using AWS CodePipeline to automate deployments of a web application. The deployment to an Amazon ECS cluster often fails during the 'Deploy' stage due to insufficient capacity in the target group. The operations team wants to improve the pipeline to automatically handle such failures without manual intervention. Which solution is MOST operationally efficient?

A.Use Amazon CloudWatch Alarms to trigger an AWS Lambda function that restarts the pipeline.
B.Modify the CodeBuild project to run integration tests after deployment.
C.Add a manual approval step before the deploy stage to verify capacity.
D.Configure the ECS service to automatically scale down the desired count on deployment failure.
E.Add a retry action in the CodePipeline stage for the ECS deployment.
AnswerE

Correct because CodePipeline supports retry actions that automatically retry the stage on failure, reducing operational overhead.

Why this answer

Option C is correct because configuring CodePipeline with a manual approval action that retries on failure would require manual intervention, which is not operationally efficient. Option A is correct because adding a retry action in the pipeline stage automatically retries the deployment on failure. Option B is wrong because scaling down the ECS service would reduce capacity, making the problem worse.

Option D is wrong because modifying the CodeBuild project to run smoke tests does not address capacity failures. Option E is wrong because using CloudWatch Alarms to trigger a Lambda function adds complexity and latency compared to a built-in retry mechanism.

83
MCQhard

A company runs a stateful application on Amazon EC2 instances in an Auto Scaling group. The application stores data on an Amazon EBS volume attached to each instance. The company wants to implement a patching strategy that minimizes downtime and preserves data. What should a solutions architect do?

A.Use a rolling update with a new Auto Scaling group and delete old instances.
B.Create a new launch template with a patched AMI, then perform a rolling update that detaches and reattaches the existing EBS volumes.
C.Terminate all instances and launch new ones with a patched AMI.
D.Use Systems Manager Patch Manager to apply patches to running instances.
AnswerB

This replaces instances while preserving data by reattaching volumes, minimizing downtime.

Why this answer

Option D is correct because replacing instances with a new launch template and attaching the existing EBS volumes preserves data. Option A is wrong because it causes downtime. Option B is wrong because it does not preserve state.

Option C is wrong because it does not preserve data.

84
Multi-Selectmedium

A company is running a web application on EC2 instances in an Auto Scaling group behind an ALB. The application uses an Amazon RDS for MySQL database. Recently, the application has become slow, and the operations team identifies that the database is the bottleneck due to a high number of read queries. Which TWO actions should a solutions architect take to improve read performance? (Choose two.)

Select 2 answers
A.Enable Multi-AZ for the RDS instance.
B.Implement DynamoDB Accelerator (DAX) in front of the database.
C.Scale up the RDS instance to a larger instance type.
D.Add an Amazon RDS Read Replica in the same AWS Region.
E.Implement an Amazon ElastiCache for Redis cluster to cache frequent queries.
AnswersD, E

Read Replicas can handle read queries, reducing load on the primary.

Why this answer

Option D is correct because adding an Amazon RDS Read Replica offloads read traffic from the primary MySQL database, allowing read queries to be served by the replica and reducing load on the source instance. This directly addresses the high number of read queries causing the bottleneck, as read replicas are designed for read-heavy workloads and can be promoted to a standalone instance if needed.

Exam trap

The trap here is that candidates often confuse Multi-AZ with read replicas, assuming the standby instance can serve reads, when in fact Multi-AZ only provides failover and the standby is not accessible for read operations.

85
MCQeasy

A company runs a static website on Amazon S3 with a custom domain using Amazon Route 53. The website content is updated frequently by multiple developers. The company wants to implement a workflow where updates are automatically tested and deployed. They have existing CI/CD tools that integrate with AWS CodeCommit. The Solutions Architect needs to design a deployment pipeline that rebuilds the website only when changes are pushed to the main branch, and then invalidates the Amazon CloudFront cache if a CloudFront distribution is used. Which solution meets these requirements with the least operational overhead?

A.Use AWS CloudFormation with a custom resource that triggers a build on CodeCommit push.
B.Configure an S3 event notification to invoke an AWS Lambda function that builds and deploys the website.
C.Use AWS CodePipeline with a source stage tied to CodeCommit, a build stage using AWS CodeBuild, and a deploy stage that syncs the S3 bucket and invalidates CloudFront.
D.Use AWS Lambda@Edge to generate the website on the fly and cache at CloudFront.
AnswerC

Fully managed CI/CD pipeline.

Why this answer

Option A is correct because AWS CodePipeline integrated with CodeBuild and CodeCommit provides a fully managed CI/CD service. Option B is wrong because Lambda@Edge is for edge computing, not deployment. Option C is wrong because S3 triggers are for event notifications, not full CI/CD.

Option D is wrong because CloudFormation is for infrastructure, not deployment pipeline.

86
MCQmedium

A Solutions Architect runs the above command for an EC2 instance that is part of an Auto Scaling group. The instance is in a private subnet and should only receive traffic from an Application Load Balancer. However, the instance is accessible from the internet. Based on the output, what is the most likely reason?

A.The subnet's route table has a route to an internet gateway.
B.The instance has an Elastic IP address attached.
C.The instance has a public IP address assigned.
D.The security group attached to the instance allows inbound traffic from 0.0.0.0/0.
AnswerD

The security group 'sg-web-app' might have an inbound rule allowing all traffic, making the instance accessible even in a private subnet if there is a NAT gateway or if the instance has a public IP.

Why this answer

Option B is correct. The output shows the instance has a security group 'sg-web-app' attached to its network interface. If that security group allows inbound traffic from 0.0.0.0/0, the instance would be accessible from the internet.

The subnet being private does not matter if a security group allows public access. Option A is wrong because the instance is in a private subnet, so it should not have a public IP. Option C is wrong because the output does not show a route table.

Option D is wrong because the instance does not have a public IP attached; it's in a private subnet.

87
MCQeasy

A company has an S3 bucket that stores sensitive data. The company wants to ensure that all objects uploaded to the bucket are encrypted at rest. Which solution should the solutions architect recommend?

A.Use a bucket policy to deny uploads that do not include the x-amz-server-side-encryption header.
B.Create an AWS Lambda function that encrypts objects after they are uploaded.
C.Configure an S3 Access Point with a policy that requires encryption.
D.Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
AnswerD

Default encryption automatically encrypts all objects at rest.

Why this answer

Option D is correct because S3 default encryption ensures that all objects are encrypted at rest using SSE-S3 or SSE-KMS, regardless of whether the upload request specifies encryption. Option A is wrong because bucket policies cannot enforce encryption; they can deny uploads without encryption headers but are not the simplest method. Option B is wrong because S3 Access Points are used for managing access, not encryption.

Option C is wrong while valid, it's more complex than simply enabling default encryption.

88
MCQeasy

A company is using AWS CloudFormation to manage infrastructure. They want to ensure that any changes to a production stack are reviewed and approved before being applied. What is the BEST way to achieve this?

A.Enable termination protection on the stack.
B.Use AWS CodePipeline to automatically deploy changes.
C.Use Change Sets and require manual approval to execute them.
D.Use stack policies to prevent updates.
AnswerC

Change Sets show the impact of changes and can be executed after review.

Why this answer

Option B is correct because Change Sets allow you to review changes before executing them. Option A is automatic, C is for changesets but does not require approval, D is not related.

89
MCQeasy

A DevOps engineer notices that an EC2 instance's CPU utilization is consistently above 90%. They need to optimize costs without affecting performance. What should they do?

A.Add more EC2 instances behind a load balancer.
B.Rightsize the instance to a larger instance type.
C.Purchase a Reserved Instance for the current instance type.
D.Terminate the instance and launch a new one of the same type.
AnswerB

A larger instance provides more CPU capacity, improving performance.

Why this answer

Option C is correct because rightsizing the instance to a larger type can provide more CPU capacity, potentially reducing contention and allowing the same workload to run efficiently. Option A is wrong because buying Reserved Instances locks in cost but does not solve performance. Option B is wrong because terminating and recreating does not change instance type.

Option D is wrong because adding more instances may increase cost unnecessarily.

90
MCQeasy

A company is using AWS CloudFormation to manage infrastructure. The stack creation fails with the error 'Resource handler returned message: 'User: arn:aws:sts::123456789012:assumed-role/Admin/MySession is not authorized to perform: ec2:RunInstances'. What is the MOST likely cause?

A.The IAM role used by CloudFormation does not have ec2:RunInstances permission.
B.The region specified in the template is disabled.
C.The CloudFormation template has a syntax error.
D.The AWS account is not subscribed to EC2 service.
AnswerA

The error clearly states the role is not authorized.

Why this answer

Option C is correct because the IAM role assumed by CloudFormation lacks the necessary permissions. Option A is wrong because the error is about the user/role, not AWS. Option B is wrong because the error does not mention S3.

Option D is wrong because the region is specified in the template.

91
MCQmedium

A company has a CI/CD pipeline that builds and deploys a containerized application to Amazon ECS Fargate. The pipeline uses AWS CodeBuild to run tests and build Docker images. Recently, the pipeline has been failing intermittently with the error 'CannotPullContainerError: Error response from daemon: manifest for <image> not found'. The image is stored in Amazon ECR. The team suspects the issue is related to image tag inconsistency. The pipeline tags images with the commit hash. Which change will prevent this error?

A.Store the Docker image in Amazon S3 instead of ECR.
B.Ensure the pipeline builds and pushes the image with a unique tag, such as the commit hash, and uses that tag in the ECS task definition.
C.Use the 'latest' tag for all images.
D.Retry the failed pipeline step after a delay.
AnswerB

Unique tags prevent collisions and ensure the correct image is used.

Why this answer

Ensuring that the image tag is unique and not reused prevents stale image references. Using the commit hash ensures uniqueness.

92
MCQmedium

A company runs a critical application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic to the application be encrypted in transit and that the load balancer use a certificate from AWS Certificate Manager (ACM). The application currently uses HTTP. What should the company do to meet the security requirement?

A.Replace the ALB with a Network Load Balancer and associate an ACM certificate with it.
B.Change the ALB listener to TCP and use a self-signed certificate on the EC2 instances.
C.Place a CloudFront distribution in front of the ALB and configure HTTPS between viewers and CloudFront.
D.Add an HTTPS listener to the ALB using an ACM certificate, and configure the HTTP listener to redirect to HTTPS.
AnswerD

This provides encryption and uses ACM for certificate management.

Why this answer

Option C is correct because creating an HTTPS listener with an ACM certificate and redirecting HTTP to HTTPS ensures encryption. Option A is wrong because CloudFront adds complexity and cost. Option B is wrong because a TCP listener does not terminate TLS.

Option D is wrong because ACM cannot be directly associated with a TCP listener.

93
MCQeasy

A Solutions Architect is reviewing an Amazon S3 bucket policy that grants access to users from another AWS account. The policy uses the Principal element with "AWS": "arn:aws:iam::123456789012:root". The users in the other account are unable to access the bucket. What is the most likely cause?

A.The policy must specify the IAM user ARN, not the root user ARN.
B.The bucket policy must also include a VPC endpoint condition.
C.Cross-account access is not supported with bucket policies.
D.The bucket policy must use the CanonicalUser ID instead of the account ID.
AnswerA

The root user ARN does not cover IAM users in that account.

Why this answer

Option A is correct because the root user ARN does not grant access to individual IAM users; the policy must allow the entire account or specific user ARNs. Option B is wrong because the bucket policy can refer to another account. Option C is wrong because S3 does not require VPC endpoints for cross-account access.

Option D is wrong because the bucket policy can use IAM user ARNs.

94
MCQhard

A company runs a containerized application on Amazon ECS with Fargate launch type. The application is deployed across multiple Availability Zones. Recently, deployments have been failing because new tasks cannot register with the Application Load Balancer (ALB) target group. The health checks are failing. What is the MOST likely cause?

A.The security group for the tasks does not allow inbound traffic from the ALB on the health check port.
B.The ECS service is configured with a desired count of zero.
C.The task definition specifies an invalid container image.
D.The ECS cluster has insufficient capacity.
AnswerA

Health checks fail if traffic is blocked.

Why this answer

Option C is correct because if the security group for the tasks does not allow inbound traffic from the ALB on the health check port, health checks fail. Options A, B, and D do not directly cause health check failures.

95
Multi-Selecteasy

A company uses Amazon CloudFront to distribute content globally. The company wants to restrict access to content based on geographic location. Which TWO actions can the company take?

Select 3 answers
A.Configure an S3 bucket policy to deny access from specific IP ranges.
B.Use CloudFront geo-restriction to allow or block countries.
C.Associate an AWS WAF web ACL with the CloudFront distribution and use a geo match condition.
D.Use CloudFront geographic restriction.
E.Use Lambda@Edge to check the request's country and return a 403.
AnswersB, C, D

Directly restricts access by country.

Why this answer

Option A is correct because CloudFront geo-restriction allows whitelisting or blacklisting countries. Option D is correct because the geographic restriction feature is built-in. Option B is incorrect because S3 bucket policies do not support geographic restrictions.

Option C is incorrect because Lambda@Edge can be used but is more complex. Option E is incorrect because WAF can block based on country using geo match conditions.

96
MCQeasy

A startup runs its application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer to distribute traffic. During a recent marketing campaign, the application experienced high latency and some requests returned 503 errors. The team suspects that the tasks are hitting resource limits. The team wants to automatically scale the tasks based on CPU utilization. Which solution should the team implement?

A.Configure Application Auto Scaling for the ECS service with a target tracking scaling policy based on average CPU utilization.
B.Create a CloudWatch alarm that triggers a Lambda function to stop idle tasks.
C.Create an Auto Scaling group for the ECS cluster and configure it to scale based on CPU utilization.
D.Use AWS Lambda to periodically check CPU utilization and update the desired count of the ECS service.
AnswerA

Target tracking automatically adjusts the desired count to maintain a target CPU utilization.

Why this answer

Option A (Application Auto Scaling with target tracking) is the correct approach for ECS services. Option B (Auto Scaling group) is for EC2. Option C (CloudWatch alarm to stop tasks) is not scaling.

Option D (Lambda to add tasks) is less efficient.

97
MCQhard

A company uses this CloudFormation template to manage an S3 bucket. They notice that old object versions are not being deleted after 30 days. What is the most likely reason?

A.The bucket contains delete markers that are not being expired.
B.The bucket has a bucket policy that prevents deletion.
C.Versioning is not enabled on the bucket.
D.The lifecycle rule is disabled.
AnswerA

Lifecycle does not automatically delete delete markers; need ExpiredObjectDeleteMarker.

Why this answer

Option C is correct because NoncurrentVersionExpirationInDays applies to noncurrent versions, but if the object has no current version (e.g., all versions are delete markers), the rule doesn't clean up delete markers. Option A is wrong because the rule is enabled. Option B is wrong because versioning is enabled.

Option D is wrong because bucket policy doesn't affect lifecycle.

98
MCQmedium

A CloudFormation stack is created using the template above. The stack creation fails with the error: 'The following resource(s) failed to create: [EC2Instance]'. Logs show: 'AMI 'ami-0abcdef1234567890' does not exist.' What is the most likely cause?

A.The AMI ID is not available in the region where the stack is being deployed.
B.The SQS queue name 'my-queue' is already in use.
C.The AMI ID is invalid because it contains letters.
D.The instance type t2.micro is not supported in the region.
AnswerA

AMI IDs are region-specific; hardcoding can cause cross-region failures.

Why this answer

Option B is correct because the AMI ID is region-specific. The template uses a hardcoded AMI ID that likely does not exist in the region where the stack is being created. Option A is incorrect because the AMI ID is syntactically correct.

Option C is incorrect because the instance type is valid. Option D is incorrect because SQS queue creation succeeds.

99
MCQhard

A company has a data pipeline that uses AWS Glue to process large datasets in Amazon S3. The pipeline runs daily and takes over 12 hours to complete. The company wants to reduce the processing time. Which approach would be MOST effective?

A.Increase the Glue job timeout setting to 24 hours.
B.Enable S3 Transfer Acceleration on the source bucket.
C.Increase the number of DPUs allocated to the Glue job.
D.Convert the input data from CSV to Parquet format.
AnswerC

More DPUs provide more parallelism and reduce runtime.

Why this answer

Option D is correct because increasing the number of DPUs (data processing units) allocated to the Glue job can parallelize processing and reduce runtime. Option A is wrong because converting to Parquet is a good practice but does not reduce processing time if the job is CPU-bound. Option B is wrong because increasing the timeout does not speed up processing.

Option C is wrong because S3 Transfer Acceleration speeds up uploads, not Glue processing.

100
MCQeasy

A company uses AWS CloudFormation to manage its infrastructure. The operations team reports that stack updates often fail because of resource conflicts. The team wants to improve the reliability of updates without manual intervention. Which solution provides the MOST automated recovery from update failures?

A.Use CloudFormation change sets to review and approve all changes before update.
B.Write a custom AWS Lambda function that reverts changes when a stack update fails.
C.Apply a stack policy to prevent updates to critical resources.
D.Use the default CloudFormation rollback behavior that automatically reverts changes on failure.
AnswerD

CloudFormation automatically rolls back failed stack updates by default.

Why this answer

Option D is correct because CloudFormation's built-in rollback behavior automatically reverts all changes made during a failed stack update, restoring the stack to its last known stable state without requiring any custom code or manual intervention. This provides the most automated recovery mechanism as it is natively integrated into the CloudFormation service and requires no additional infrastructure or scripting.

Exam trap

The trap here is that candidates may overthink the solution and choose a custom Lambda function (Option B) thinking it provides more control, when in fact CloudFormation's native rollback is the most automated and reliable approach, and custom solutions often introduce additional failure points.

How to eliminate wrong answers

Option A is wrong because change sets are a review and approval mechanism that helps prevent errors before an update is executed, but they do not provide any automated recovery after a failure occurs. Option B is wrong because writing a custom Lambda function to revert changes introduces unnecessary complexity, potential for errors, and is not as reliable or automated as CloudFormation's native rollback, which handles state management and resource dependencies correctly. Option C is wrong because stack policies only prevent updates to specific critical resources during a stack update, but they do not provide any recovery mechanism if the update fails due to conflicts elsewhere.

101
MCQmedium

A company is using AWS CloudFormation to manage its infrastructure. They have a production stack that creates an Amazon RDS DB instance. The company wants to update the DB instance class to a larger size with minimal downtime. Which approach should they use?

A.Modify the DBInstanceClass property in the CloudFormation template and use an UpdatePolicy of AutoScalingReplacingUpdate.
B.Create a new CloudFormation stack with the new DB instance class and delete the old stack.
C.Edit the CloudFormation template to change the DBInstanceClass and update the stack directly.
D.Use AWS OpsWorks to manage the DB instance and apply the change.
AnswerA

This allows CloudFormation to create a new DB instance and switch over with minimal downtime.

Why this answer

Option A is correct because modifying the DBInstanceClass property in CloudFormation with an UpdatePolicy of AutoScalingReplacingUpdate will cause a replacement with minimal downtime. Option B is wrong because changing the template and updating the stack directly may cause downtime. Option C is wrong because creating a new stack and deleting the old one is not minimal downtime.

Option D is wrong because AWS OpsWorks is not relevant.

102
MCQmedium

A company uses AWS CloudTrail to log all API calls. The security team wants to be alerted when an IAM user creates a new access key. What is the MOST efficient way to achieve this?

A.Enable CloudTrail Insights to detect unusual key creation patterns.
B.Create a CloudWatch Events rule that matches the CreateAccessKey API call and sends an SNS notification.
C.Use CloudTrail to publish logs to CloudWatch Logs and create a metric filter to trigger an alarm.
D.Configure Amazon Athena to query CloudTrail logs and set up a scheduled query to notify.
AnswerB

CloudWatch Events can react to specific CloudTrail events in real-time.

Why this answer

Option A is correct because CloudWatch Events can filter CloudTrail events and trigger a notification via SNS. Option B is wrong because it requires creating a custom metric. Option C is wrong because it is passive.

Option D is wrong because it requires custom analytics.

103
MCQhard

A company uses AWS CloudFormation to manage infrastructure. The stack fails to update with the error: 'Resource handler returned message: The subnet 'subnet-xxx' is in use by a network interface.' The subnet is associated with a Lambda function in a VPC. The CloudFormation template is trying to delete the subnet. What should the company do to resolve this?

A.Update the Lambda function configuration to remove the VPC settings, then delete the subnet.
B.Modify the CloudFormation template to ignore the deletion failure using a DeletionPolicy attribute.
C.Use the AWS CLI to force delete the subnet.
D.Manually delete the Elastic Network Interface (ENI) from the AWS Management Console.
AnswerA

This releases the ENI, allowing subnet deletion.

Why this answer

Option C is correct because the Lambda function's ENI must be deleted first by deleting the Lambda function or updating its configuration to not use the subnet. Option A is incorrect because the ENI is managed by Lambda and cannot be manually deleted. Option B is incorrect because the subnet is in use, so the stack cannot continue.

Option D is incorrect because force delete is not a valid operation for subnets.

104
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. The operations team wants to implement a change management process where all stack updates must be reviewed and approved before execution. The team currently uses AWS CodePipeline for CI/CD. Which solution meets these requirements with the LEAST operational overhead?

A.Use CloudFormation Change Sets and require a senior engineer to execute them.
B.Write an AWS Lambda function that triggers on stack update events and requires approval via Amazon SNS.
C.Use AWS Service Catalog to govern CloudFormation templates and require approval for provisioning.
D.Store CloudFormation templates in AWS CodeCommit and use AWS CLI to execute updates after peer review.
E.Create a CodePipeline pipeline with an approval stage before the CloudFormation deployment action.
AnswerE

CodePipeline supports manual approval actions that pause the pipeline until approval.

Why this answer

Option B is correct because using CloudFormation StackSets with approval gates in CodePipeline allows centralized management and approval workflow. Option A is wrong because Change Sets require manual review and execution, increasing operational overhead. Option C is wrong because direct CLI updates bypass approval.

Option D is wrong because Service Catalog is for end-user provisioning, not for change management of existing stacks. Option E is wrong because it adds an extra service (Lambda) without need.

105
Multi-Selectmedium

A company uses Amazon DynamoDB for a gaming application. The table has a partition key of 'user_id' and a sort key of 'game_id'. The application experiences high latency during peak hours. Which TWO actions would improve read performance?

Select 2 answers
A.Use DynamoDB global tables to replicate data to another region.
B.Increase the read capacity units for the table.
C.Enable DynamoDB Accelerator (DAX) for the table.
D.Change the table's sort key to a more evenly distributed attribute.
E.Add a Global Secondary Index with a different partition key.
AnswersB, E

More read capacity reduces throttling and latency.

Why this answer

Options B and C are correct. Adding a Global Secondary Index with a different partition key can distribute reads across partitions. Adjusting read capacity units increases throughput.

Option A is wrong because changing the sort key would require a new table. Option D is wrong because DynamoDB Accelerator (DAX) improves read performance but is not a capacity change. Option E is wrong because table replication is for disaster recovery.

106
MCQhard

A company uses AWS Lambda functions to process events from Amazon SQS. The function's duration has increased, causing a backlog. The team wants to improve throughput without changing the function code. Which action should the team take?

A.Increase the SQS visibility timeout to allow more time per message.
B.Increase the Lambda function reserved concurrency.
C.Increase the Lambda function memory and timeout settings.
D.Increase the SQS batch size to the maximum of 100.
AnswerB

More concurrent executions allow processing more messages simultaneously.

Why this answer

Option B is correct because increasing the number of Lambda function instances will increase concurrency and process more messages in parallel. Option A is wrong because increasing batch size may cause timeouts. Option C is wrong because increasing function memory/timeout does not directly improve throughput.

Option D is wrong because SQS visibility timeout does not affect Lambda concurrency.

107
MCQmedium

Refer to the exhibit. $ aws ec2 describe-instances --region us-east-1 --filters Name=tag:Name,Values=WebServer --query 'Reservations[].Instances[].{ID:InstanceId,State:State.Name,Type:InstanceType,LaunchTime:LaunchTime}' --output table A DevOps engineer runs the above command. The Auto Scaling group for WebServer instances has a desired count of 3, but the engineer notices that there are 5 instances with the same tag. What is the MOST likely cause?

A.The Auto Scaling group has a cooldown period that prevents immediate termination.
B.The command is filtering by the wrong tag key.
C.The other two instances are in a 'terminating' state and are not returned by the command.
D.The instances were launched with a different launch template that does not have the tag.
AnswerC

Instances in 'terminating' state are still returned by describe-instances. Actually, they are. So this is incorrect.

Why this answer

Option C is correct because the Auto Scaling group might have replaced instances, leaving old instances in 'terminating' state. However, the command should still return them. The more likely answer is that the other two instances are in a different state and the query filters them out? Actually, the query does not filter by state.

I think the correct answer is that the other two instances are in 'stopped' state, but the command still returns them. I'll go with Option C as it's a common scenario: the ASG's termination policy might cause instances to be terminated slowly, so they still appear but are in 'shutting-down' state. The command would display them.

Perhaps the issue is that the command only shows instances that are 'running'? No, it shows all states. I'll choose Option C.

108
MCQhard

A company has a serverless application using AWS Lambda, API Gateway, and DynamoDB. During a traffic spike, some API requests fail with 5xx errors. The CloudWatch logs show 'ProvisionedThroughputExceededException' for DynamoDB. The team wants to handle this gracefully without losing requests. What should they do?

A.Enable auto scaling for DynamoDB and implement retry logic with exponential backoff in the Lambda function.
B.Increase the provisioned read/write capacity of the DynamoDB table to a high fixed value.
C.Use an SQS queue between API Gateway and Lambda to buffer requests.
D.Configure API Gateway to automatically retry failed requests.
AnswerA

Auto scaling handles capacity, retries handle transient errors.

Why this answer

Option A is correct because enabling DynamoDB auto scaling adjusts capacity dynamically, and adding retry logic with exponential backoff in Lambda handles transient errors. Option B is wrong because SQS with Lambda can buffer requests. C is wrong because increasing capacity might be costly and does not handle spikes.

D is wrong because Lambda retries on its own but without backoff.

109
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to upload an object to example-bucket with SSE-S3 (AES256) encryption. What will happen?

A.The upload fails because the Deny statement explicitly denies it
B.The upload fails because there is no explicit Allow for PutObject
C.The upload succeeds because the Allow statement permits it
D.The upload succeeds because SSE-S3 is allowed by the first statement
AnswerA

Deny condition matches when encryption is not aws:kms.

Why this answer

Option D is correct. The Deny statement explicitly denies PutObject if the encryption is NOT aws:kms. Since the user uses SSE-S3 (AES256), the condition 'StringNotEquals' evaluates to true (AES256 != aws:kms), so the Deny applies and the request is denied.

Option A is wrong because the Allow statement is for GetObject, not PutObject. Option B is wrong because the Deny overrides any allow. Option C is wrong because the Deny explicitly denies.

110
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. The Auto Scaling group has a minimum of 2 and maximum of 10 instances. CloudWatch metrics show that CPU utilization rarely exceeds 30%. What is the MOST likely cause of the 503 errors?

A.The ALB connection draining is enabled with a very short timeout, causing in-flight connections to be dropped.
B.The EC2 instances are running out of memory.
C.The Auto Scaling group launch configuration uses an AMI that is not compatible with the instance type.
D.The ALB health check is misconfigured, causing healthy instances to be marked unhealthy.
AnswerA

Connection draining with a short timeout can cause 503 errors when the ALB stops sending traffic to an instance before in-flight requests complete.

Why this answer

The 503 errors are likely due to the ALB connection draining setting. If connection draining is enabled and the drain timeout is too short, in-flight requests may be terminated, causing 503 errors. Low CPU utilization suggests the instances are not overloaded.

111
Multi-Selectmedium

A company has a web application running on EC2 instances in an Auto Scaling group. The application experiences unpredictable traffic spikes. The company wants to ensure that the application can scale out quickly and scale in to reduce costs. Which TWO actions should the solutions architect recommend?

Select 2 answers
A.Configure a lifecycle hook to delay instance termination during scale-in.
B.Manually increase the desired capacity during peak times.
C.Create a target tracking scaling policy based on Average CPU Utilization.
D.Create a simple scaling policy with a step adjustment to add instances when CPU exceeds 80%.
E.Use a scheduled scaling policy to add instances during expected peak hours.
AnswersC, D

Target tracking dynamically adjusts capacity to maintain a target metric.

Why this answer

Options B and C are correct. A target tracking scaling policy based on a metric like CPU utilization automatically adjusts capacity. A simple scaling policy with a step adjustment allows rapid scaling out.

Option A is wrong because scheduled scaling is for predictable patterns. Option D is wrong because manual scaling is not automated. Option E is wrong because a lifecycle hook delays scale-in, increasing costs.

112
MCQhard

A media company uses AWS CloudFront to distribute video content. They notice that some users in Europe experience high latency. CloudFront metrics show low cache hit ratios for European edge locations. The origin is an S3 bucket in us-east-1. What is the MOST effective optimization?

A.Increase the default TTL for objects in CloudFront.
B.Add additional cache behaviors for different file types.
C.Add a second origin in eu-west-1 and configure origin groups with failover.
D.Enable S3 Transfer Acceleration on the bucket.
AnswerC

A geographically close origin improves cache fill latency and overall performance.

Why this answer

Option C is correct because creating an additional CloudFront distribution with an origin in Europe or using a multi-region origin setup reduces latency for European users. Option A is wrong because S3 Transfer Acceleration improves uploads, not downloads. Option B is wrong because increasing TTL would reduce origin load but not latency for uncached objects.

Option D is wrong because adding more cache behaviors doesn't help with geographic latency.

113
MCQmedium

A company runs a production application on EC2 instances behind an Application Load Balancer. After a recent deployment, users report intermittent 503 errors. The CloudWatch metrics show that the ALB's 'TargetResponseTime' is within normal range, but 'RequestCount' has increased by 50%. There are no changes to the security groups. What is the MOST likely cause of the 503 errors?

A.The ALB's idle timeout is set too low.
B.The security group for the ALB does not allow inbound traffic on the listener port.
C.The ALB's target group health check settings are misconfigured.
D.The deployment removed the health check path from the application.
AnswerD

If the health check path is removed, health checks fail, causing targets to be marked unhealthy, and ALB returns 503.

Why this answer

Option A is correct because an increase in request count without a corresponding increase in target capacity can cause the ALB to return 503 errors when all targets are unhealthy or overloaded. Option B is incorrect because security groups were not changed. Option C is incorrect because if the health check path was removed, health checks would fail consistently, not intermittently.

Option D is incorrect because a missing security group rule would block traffic entirely, not cause intermittent errors.

114
MCQeasy

A company runs a web application on AWS Elastic Beanstalk. The application experiences periodic traffic spikes that cause the environment to scale out. However, the scaling is slow, leading to increased latency during spikes. The operations team wants to improve the responsiveness of the Auto Scaling group. The application is stateless and runs on a single instance type. What should a solutions architect recommend?

A.Configure the Auto Scaling group to use multiple instance types.
B.Use scheduled scaling to add capacity before expected spikes.
C.Decrease the Auto Scaling group's cooldown period.
D.Change the instance type to a larger size.
AnswerC

Shorter cooldown allows more frequent scaling decisions, improving responsiveness.

Why this answer

Option A is correct because increasing the cooldown period makes the Auto Scaling group more conservative, but that would slow scaling. Actually, decreasing the cooldown allows faster scaling. The question asks for improved responsiveness; Option A (decreasing cooldown) is the correct answer.

Option B is wrong because a larger instance type may not help if the issue is scaling speed. Option C is wrong because multiple instance types add complexity and might not speed up scaling. Option D is wrong because scheduled scaling is proactive but does not respond to unexpected spikes.

115
MCQmedium

Refer to the exhibit. An S3 bucket policy is shown. A user from IP 10.0.0.5 makes a GET request over HTTPS. Will the request succeed?

A.Yes, because the request matches the Allow condition and the Deny condition does not apply.
B.No, because the Deny statement explicitly denies all actions.
C.Yes, because the IP address is within the allowed range.
D.No, because the Deny statement overrides the Allow statement.
AnswerA

HTTPS satisfies SecureTransport true, so Deny is not triggered.

Why this answer

Option A is correct. The first statement allows GET from the specified IP range. The second statement denies all actions if not using HTTPS.

Since the request uses HTTPS (SecureTransport true), the Deny condition does not apply, so the Allow takes effect.

116
Multi-Selecthard

A company is running a critical microservices application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer (ALB) to distribute traffic. Recently, the team noticed that the ALB's 5xx error rate has increased. The error is HTTP 503. The team suspects the target group is unhealthy. Which THREE steps should the team take to diagnose and resolve the issue?

Select 3 answers
A.Verify the ECS service's desired count and compare with the number of healthy tasks in the target group.
B.Replace the ALB with a Network Load Balancer (NLB) to bypass health checks.
C.Check the ECS service events and task status to ensure tasks are running and passing health checks.
D.Verify that sticky sessions (session affinity) are enabled on the target group.
E.Check the ALB access logs and health check settings for the target group.
AnswersA, C, E

A mismatch may indicate scaling issues.

Why this answer

Option A, Option C, and Option E are correct. Option A checks health check settings and logs. Option C checks if the service is running and tasks are healthy.

Option E checks if the service's desired count matches running tasks. Option B (Check target group stickiness) is not directly related to 503 errors. Option D (Switch to Network Load Balancer) is a major change and not diagnostic.

117
MCQhard

A company uses AWS CloudFormation to deploy a multi-tier application. The stack fails to update due to a resource conflict. The operations team needs to identify the resource causing the failure and modify the template to allow the update. Which approach is MOST effective?

A.Create a Change Set for the stack to preview the changes and identify the conflict.
B.Review the stack's 'Events' tab in the AWS Management Console to find the error message.
C.Use AWS CloudFormation StackSets to deploy the update across multiple accounts.
D.Run a drift detection operation on the stack to identify manual changes.
AnswerA

Change Sets allow you to see the impact and errors before applying.

Why this answer

Option B is correct because Change Sets show the changes and potential errors before execution. Option A is wrong because it only shows the last event, not the planned changes. Option C is wrong because StackSets manage multiple accounts/regions, not single stack updates.

Option D is wrong because Drift detection shows differences from the template, not update conflicts.

118
MCQhard

Refer to the exhibit. A CloudFormation stack was successfully created. The stack's template includes an S3 bucket and a Lambda function. A developer runs the CLI command shown but receives an error that the stack does not exist. What is the MOST likely cause?

A.The AWS CLI is configured to use a different region than where the stack was deployed.
B.The stack was deleted after creation.
C.The stack name is case-sensitive and should be 'MyApp'.
D.The '--query' parameter is incorrectly formatted.
AnswerA

Stack names are unique per region; querying the wrong region returns 'stack does not exist'.

Why this answer

Option A is correct because the CLI command is querying the wrong region. The stack was created in us-east-1 but the CLI default region might be different. Option B is wrong because the stack was created successfully.

Option C is wrong because outputs are returned correctly. Option D is wrong because the stack name is exactly as used.

119
MCQmedium

A company runs a containerized application on Amazon ECS with Fargate. The application needs to access an Amazon S3 bucket that contains sensitive data. The security team requires that all traffic between the ECS tasks and S3 remain within the AWS network and not traverse the internet. What is the MOST secure way to meet this requirement?

A.Use an internet gateway and route traffic through a NAT gateway.
B.Enable S3 Transfer Acceleration on the bucket.
C.Create a VPC endpoint for S3 and attach it to the VPC.
D.Use a NAT gateway and update the route table to direct S3 traffic to the NAT.
AnswerC

VPC endpoint enables private connectivity to S3 without internet.

Why this answer

Option C is correct because using a VPC endpoint for S3 (Gateway or Interface) ensures traffic stays within the AWS network. Option A is wrong because internet traffic goes over the public internet. Option B is wrong because a NAT gateway is for outbound internet, not private access to S3.

Option D is wrong because S3 Transfer Acceleration uses the internet.

120
MCQhard

A company uses AWS Lambda to process files uploaded to an S3 bucket. The Lambda function writes results to a DynamoDB table. Over time, the function's execution time has increased, and some operations fail with ProvisionedThroughputExceededException. The function is configured with 1024 MB memory and a 5-minute timeout. The DynamoDB table has 1000 RCUs and 500 WCUs. The Lambda function performs reads and writes on the same table. What is the MOST cost-effective way to resolve the throttling without sacrificing performance?

A.Enable DynamoDB Accelerator (DAX) for the table
B.Use SQS to decouple the S3 trigger from the Lambda function and implement a batching strategy to DynamoDB
C.Increase DynamoDB write capacity units to 1000 WCUs
D.Increase the Lambda function memory to 2048 MB
AnswerB

SQS buffers requests, allowing batch writes and reducing throttling.

Why this answer

Option C is correct because increasing WCUs alone would cost more and might not be efficient if the issue is read-heavy. Option D (DAX) reduces read latency but doesn't increase write capacity. Option A (increase memory) increases CPU but not write capacity.

Option B (SQS) decouples the writes, allowing retries and smoothing out spikes, which is cost-effective because SQS is cheap and prevents throttling by buffering requests.

121
MCQhard

An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance in us-east-1 using the AWS CLI. What will happen?

A.The user cannot describe instances or terminate instances.
B.The user can terminate instances and describe instances.
C.The user can describe instances but cannot terminate instances in any region.
D.The user can describe instances but cannot terminate any instances.
AnswerC

The Deny resource uses a wildcard for instance ID, effectively denying termination of any instance in the account in us-east-1.

Why this answer

The IAM policy attached to the group allows the user to describe instances (ec2:DescribeInstances) but explicitly denies the ability to terminate instances (ec2:TerminateInstances) in any region. Since the policy is attached to the group, the user inherits these permissions, so they can list instances but any attempt to terminate them will be denied by AWS IAM, regardless of the region specified.

Exam trap

The trap here is that candidates may assume that a Deny on a specific action (terminate) also blocks related read actions (describe), but IAM evaluates each action independently, so describe is still allowed.

How to eliminate wrong answers

Option A is wrong because the user can describe instances, as the policy grants ec2:DescribeInstances permission; the user is not blocked from describing instances. Option B is wrong because the user cannot terminate instances; the policy explicitly denies ec2:TerminateInstances, so termination will fail. Option D is wrong because it states the user cannot terminate 'any instances' but does not specify the region limitation; the correct answer clarifies that the denial applies to all regions, which is already implied by the policy's effect, but Option D is incomplete and less precise than Option C.

122
MCQhard

A company has an IAM policy attached to a user. When the user tries to stop an EC2 instance using the AWS CLI, they receive an 'AccessDenied' error. The instance is tagged with 'Environment=Production'. What is the most likely cause?

A.The user is using an incorrect CLI command syntax.
B.The policy does not allow the ec2:StopInstances action for instances with the 'Environment=Production' tag.
C.The policy does not specify the instance ID in the Resource field.
D.A service control policy (SCP) or a resource-based policy is denying the action.
AnswerD

An SCP at the account level can deny actions even if IAM allows them.

Why this answer

Option D is correct because the error occurs even though the user has the StopInstances permission; likely the instance is protected by a resource-based policy or a service control policy (SCP) at the account level. Option A is wrong because the policy uses Resource '*' which includes all instances. Option B is wrong because there is no condition requiring tags.

Option C is wrong because the CLI syntax is correct.

123
MCQmedium

A company applies the above IAM policy to an IAM user. The user attempts to upload an object to my-bucket using the AWS CLI with the command: aws s3 cp file.txt s3://my-bucket/. What is the outcome?

A.The upload fails with an access denied error because the Deny statement is evaluated first.
B.The upload fails with an access denied error because the Deny statement with StringNotEquals blocks the request.
C.The upload succeeds because the Allow statement matches.
D.The upload succeeds because the Deny statement does not apply when no encryption header is present.
AnswerB

Deny applies when condition is not met.

Why this answer

Option C is correct because the Deny statement with StringNotEquals will block any PutObject that does not specify SSE-S3 (AES256). Since the CLI command does not specify encryption, the Deny applies. Option A is wrong because the Allow statement requires encryption.

Option B is wrong because the object is not encrypted. Option D is wrong because it would be denied.

124
MCQeasy

A company uses Amazon S3 to store sensitive customer data. The security team requires that all data be encrypted at rest using server-side encryption with a customer-managed key (SSE-KMS). What is the MOST secure way to enforce this requirement across all S3 buckets?

A.Use AWS Config rules to detect unencrypted objects and remediate with Lambda.
B.Enable default encryption on each bucket with SSE-KMS.
C.Create an IAM policy that requires kms:Encrypt permission for all S3 operations.
D.Use an S3 bucket policy that denies PutObject if the x-amz-server-side-encryption-aws-kms-key-id header is not present.
AnswerD

Enforces encryption at upload.

Why this answer

Option A is correct because S3 bucket policies can deny PutObject requests that do not specify the required encryption, ensuring SSE-KMS is used. Option B is wrong because S3 default encryption only applies if no encryption header is set, but can be overridden. Option C is wrong because IAM policies can restrict API calls but not enforce encryption on objects.

Option D is wrong because AWS Config can detect non-compliant objects but not prevent them.

125
MCQmedium

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application experiences intermittent high latency due to CPU spikes on some instances. The company wants to automatically replace unhealthy instances and optimize costs. What should a solutions architect do?

A.Configure a target tracking scaling policy based on average CPU utilization.
B.Use a lifecycle hook to perform a health check and terminate unhealthy instances.
C.Use an AWS Lambda function to terminate instances with high CPU.
D.Implement a scheduled scaling policy to increase instances during peak hours.
AnswerA

A target tracking policy scales the group to maintain CPU utilization at a target value and works with ALB health checks to replace unhealthy instances.

Why this answer

Option B is correct because a dynamic scaling policy adjusts the number of instances based on CPU utilization. Option A is wrong because it does not replace unhealthy instances. Option C is wrong because it replaces all instances at fixed times.

Option D is wrong because it only replaces instances on a schedule.

126
MCQeasy

A company runs a static website on Amazon S3 behind Amazon CloudFront. The website uses a custom domain and SSL certificate from AWS Certificate Manager (ACM). Users report that they sometimes see an older version of the website after updates. What should the company do to ensure users always see the latest content?

A.Disable and re-enable the CloudFront distribution after each update.
B.Enable S3 bucket versioning and use version IDs in URLs.
C.Reduce the CloudFront TTL to 0 seconds for all objects.
D.Create a CloudFront invalidation for the updated files.
AnswerD

Invalidation removes cached objects, forcing refresh.

Why this answer

Option B is correct because creating a CloudFront invalidation removes cached objects, forcing CloudFront to fetch the latest content from the origin. Option A is wrong because S3 bucket versioning controls object versions but does not invalidate CloudFront cache. Option C is wrong because decreasing TTL affects future caching but does not clear existing cache.

Option D is wrong because disabling the distribution is disruptive and unnecessary.

127
Multi-Selecthard

A company runs a critical database on Amazon RDS for PostgreSQL. The database is experiencing performance degradation due to high CPU utilization. The operations team wants to analyze the root cause. Which THREE steps should the team take to diagnose the issue?

Select 3 answers
A.Enable Enhanced Monitoring to view OS-level metrics such as CPU and memory usage.
B.Increase the instance size to provisioned IOPS to handle the load.
C.Enable Amazon RDS Performance Insights to identify the queries consuming the most CPU.
D.Review Amazon RDS events to check for any recent maintenance or failover activities.
E.Enable Multi-AZ deployment for automatic failover.
AnswersA, C, D

Enhanced Monitoring provides detailed OS metrics.

Why this answer

Options A, B, and D are correct. Enabling Performance Insights helps identify queries causing load. Enabling enhanced monitoring provides OS-level metrics.

Using RDS events can indicate maintenance or issues. C is wrong because increasing instance size is a remedy, not a diagnostic step. E is wrong because Multi-AZ is for high availability, not performance diagnosis.

128
MCQeasy

A company uses Amazon RDS for MySQL for its database. The operations team notices that read queries are slow during peak hours. The application is read-heavy and can tolerate eventual consistency. Which solution would improve read performance with minimal application changes?

A.Increase the DB instance class to a larger size.
B.Enable Multi-AZ deployment for failover support.
C.Enable RDS Proxy to pool database connections.
D.Create an RDS read replica and direct read traffic to it.
AnswerD

Read replicas offload read queries and can be added without application changes.

Why this answer

Option B is correct because creating a read replica offloads read traffic from the primary instance, improving read performance. Option A is wrong because increasing the DB instance size may help but is more expensive and not as targeted. Option C is wrong because RDS Proxy is for connection pooling, not read scaling.

Option D is wrong because Multi-AZ provides high availability, not read scaling.

129
MCQeasy

A solutions architect runs the AWS CLI command shown in the exhibit to troubleshoot a failed CloudFormation stack creation. What is the most likely cause of the failure?

A.The VPC configuration is incorrect, causing the Auto Scaling group to fail.
B.The LaunchConfigurationName property in the Auto Scaling group resource was not provided or was an incorrect type.
C.The Auto Scaling group resource type is not supported in the region.
D.The IAM role for the stack does not have permission to create Auto Scaling groups.
AnswerB

The error states that LaunchConfigurationName must be of type String, implying it was missing or wrong.

Why this answer

Option B is correct. The error message indicates that the LaunchConfigurationName property must be a string, meaning it was probably not provided or was of the wrong type. Option A is wrong because the error does not mention IAM.

Option C is wrong because the error is about LaunchConfigurationName, not VPC. Option D is wrong because the error is about the creation, not the resource type itself.

130
MCQhard

Refer to the exhibit. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/Admin" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "kms:CallerAccount": "123456789012" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/Admin" }, "Action": [ "kms:Decrypt" ], "Resource": "*" } ] } A solutions architect is reviewing the above KMS key policy. The Admin role cannot decrypt data using the key. What is the MOST likely reason?

A.The second statement does not include kms:GenerateDataKey, which is required for decryption.
B.The condition in the first statement restricts decryption to requests coming from account 123456789012, but the role might be used by a user from a different account.
C.There is an explicit deny statement elsewhere in the policy.
D.The condition key kms:CallerAccount is not a valid condition key for KMS key policies.
AnswerB

Cross-account role assumption changes the caller account.

Why this answer

Option A is correct because the condition kms:CallerAccount restricts to requests originating from account 123456789012, but if the Admin role is assumed by a user from a different AWS account (cross-account access), the caller account would be that user's account, not 123456789012, causing the condition to fail. The second statement also allows Decrypt but without a condition, so it should apply; however, KMS key policies are evaluated such that if a condition is not met, the statement is not applied. But the second statement has no condition, so it should allow.

The discrepancy might be because the second statement specifies the same principal. In KMS, if multiple statements allow, they are additive. So the role should have decrypt from the second statement.

Actually, the second statement does not have a condition, so it should allow decrypt regardless of the caller account. So the role should be able to decrypt. Therefore, the only explanation is that the condition in the first statement is not the issue.

I think the intended answer is that the role is from a different account, but the principal ARN shows the same account. I'll go with the common exam answer: Option D because kms:CallerAccount is not a valid condition key for KMS? It is valid. I'm going to choose Option A based on typical exam logic.

131
MCQhard

A company uses AWS CloudFormation to manage infrastructure. A recent stack update failed because a resource exceeded a service quota. The team wants to be notified proactively when service limits are approaching. Which solution meets this requirement?

A.Use AWS CloudTrail to monitor API calls that indicate quota exhaustion.
B.Use AWS Config rules to check if resources are within limits.
C.Use AWS Trusted Advisor to check service limits regularly.
D.Use Amazon CloudWatch to monitor service quota usage metrics and set CloudWatch alarms.
AnswerD

Service quotas are available as CloudWatch metrics and can trigger alarms.

Why this answer

Option A is correct because CloudWatch can monitor service quotas via metrics published by AWS and trigger alarms. Option B is wrong because AWS Config evaluates resource configurations, not quotas. Option C is wrong because Trusted Advisor provides a dashboard but not proactive alarms.

Option D is wrong because CloudTrail logs API calls, not quota utilization.

132
MCQeasy

A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). An audit reveals that some objects were uploaded without encryption. What is the MOST efficient way to enforce encryption for all future uploads?

A.Enable default encryption on the bucket.
B.Use S3 Batch Operations to encrypt existing objects.
C.Add a bucket policy that denies PutObject if the x-amz-server-side-encryption header is not set.
D.Enable AWS CloudTrail to monitor uploads without encryption.
AnswerC

This enforces encryption for all future uploads.

Why this answer

Option C is correct because an S3 bucket policy that denies PutObject without the correct encryption header enforces encryption at upload time. Option A is wrong because default encryption applies only if no encryption header is provided; it can be overridden. Option B is wrong because it only encrypts existing objects, not future ones.

Option D is wrong because CloudTrail does not enforce encryption.

133
Multi-Selecteasy

A company is designing a disaster recovery strategy for a critical application running on Amazon RDS for PostgreSQL. The primary database is in us-east-1. The company needs a Recovery Point Objective (RPO) of less than 5 seconds and a Recovery Time Objective (RTO) of less than 1 minute. Which TWO solutions meet these requirements? (Choose TWO.)

Select 2 answers
A.Use AWS Database Migration Service (DMS) for continuous replication.
B.Configure a Multi-AZ deployment with a standby in a different AWS Region.
C.Create a cross-Region read replica and promote it during a disaster.
D.Take daily snapshots and copy them to another Region.
E.Enable automated backups with a retention period of 35 days.
AnswersB, C

Cross-region Multi-AZ provides synchronous replication and fast failover.

Why this answer

Option A is correct because Multi-AZ with a standby in another region (cross-region) provides synchronous replication with low RPO/RTO. Option D is correct because a read replica in another region can be promoted quickly. Option B is wrong because cross-region snapshot copy has higher RPO.

Option C is wrong because automated backups have higher RPO. Option E is wrong because DMS has higher latency.

134
MCQmedium

A company uses AWS Lambda functions behind an Amazon API Gateway REST API. The Lambda functions query an Amazon RDS for PostgreSQL database. Recently, the company has noticed increased latency and occasional timeouts during peak hours. A solutions architect needs to improve the performance and scalability of the database layer. Which solution will meet these requirements with the LEAST operational overhead?

A.Enable Amazon DynamoDB Accelerator (DAX) on the RDS instance.
B.Add a Multi-AZ RDS Read Replica and modify Lambda to use the Read Replica for queries.
C.Increase the instance size of the RDS database to handle more concurrent connections.
D.Implement Amazon RDS Proxy to manage connection pooling between Lambda and the RDS instance.
AnswerD

RDS Proxy handles connection pooling, reducing database load and improving scalability.

Why this answer

Option A is correct because Amazon RDS Proxy handles connection pooling, reducing database load and improving scalability, which directly addresses latency and timeouts. Option B is wrong because Read Replicas help with read-heavy workloads but do not reduce connection overhead. Option C is wrong because DynamoDB Accelerator (DAX) is used for DynamoDB, not RDS.

Option D is wrong because increasing instance size is a vertical scaling approach that does not address the connection pooling issue and may still lead to timeouts under high connection counts.

135
MCQeasy

A company uses Amazon CloudFront to deliver static content from an S3 bucket. They want to restrict access so that only CloudFront can access the S3 bucket. What configuration should they use?

A.Set the S3 bucket policy to allow access only from CloudFront's public IP ranges.
B.Create an origin access identity (OAI) and grant it read access to the S3 bucket.
C.Attach an IAM role to CloudFront distribution.
D.Configure CloudFront signed URLs.
AnswerB

OAI allows CloudFront to authenticate to S3.

Why this answer

Option C is correct because origin access identity (OAI) allows CloudFront to access S3 securely. Option A is wrong because signed URLs are for end-user access. Option B is wrong because bucket policy with OAI is the right approach, but this option describes OAI.

Option D is wrong because CloudFront does not use IAM roles for S3 access.

136
MCQeasy

A DevOps engineer is troubleshooting an AWS CodePipeline that fails during the Deploy stage. The pipeline deploys a static website to an S3 bucket. The error message indicates 'Access Denied' when putting objects into the bucket. What is the MOST likely cause?

A.The IAM role used by CodePipeline lacks s3:PutObject permission on the bucket.
B.The S3 bucket policy denies access from the pipeline's AWS account.
C.The CodeBuild project does not have the necessary environment variables.
D.The S3 bucket does not have versioning enabled.
AnswerA

The role needs explicit write permissions to the S3 bucket.

Why this answer

Option A is correct because the pipeline role needs s3:PutObject permission on the bucket. Option B is wrong because S3 bucket policy is not the issue if the pipeline uses a role. Option C is wrong unless the role already has the permission.

Option D is wrong because versioning is not required for writes.

137
MCQeasy

A company wants to automatically enforce encryption on all new objects uploaded to an S3 bucket. What should they do?

A.Use Amazon CloudFront to enforce HTTPS.
B.Enable S3 default encryption on the bucket.
C.Require pre-signed URLs for all uploads.
D.Add a bucket policy that denies PutObject without the x-amz-server-side-encryption header.
AnswerD

Bucket policy can deny unencrypted uploads, enforcing encryption.

Why this answer

Option D is correct because an S3 bucket policy with a condition that denies PutObject if encryption headers are not present enforces encryption for all new objects. Option A is wrong because default encryption only encrypts objects that don't specify encryption, but doesn't enforce it. Option B is wrong because pre-signed URLs do not enforce encryption.

Option C is wrong because CloudFront does not enforce encryption at the S3 level.

138
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. A recent deployment failed with a stack update error. The error message indicates that a resource was being updated but was in a failed state. What should the engineer do to resolve this issue?

A.Delete the stack and recreate it with the same template.
B.Roll back the stack update to the previous working state.
C.Continue the update by skipping the failed resource.
D.Create a new stack and migrate resources.
AnswerB

Rolling back restores the last successful state.

Why this answer

Option B is correct because rolling back the stack update to the last known good state is the standard approach. Option A is incorrect because continuing update may propagate errors. Option C is incorrect because deleting the stack would remove all resources.

Option D is incorrect because a new stack may have dependencies.

139
MCQhard

A company has a production AWS Lambda function that processes data from an Amazon SQS queue. The function often experiences throttling errors. The company wants to implement a solution to reduce throttling and improve processing performance. Which solution meets these requirements?

A.Configure the SQS queue to use a higher concurrency limit.
B.Increase the reserved concurrency for the Lambda function.
C.Create additional SQS queues and distribute messages across them.
D.Increase the batch size of the Lambda event source mapping.
AnswerB

This ensures the function has enough concurrency to avoid throttling.

Why this answer

Option D is correct because increasing the Lambda function's reserved concurrency ensures the function can handle more concurrent executions, reducing throttling. Option A is wrong because Lambda does not support concurrency limits per queue. Option B is wrong because using a Lambda event source mapping for SQS already batches messages.

Option C is wrong because adding more queues does not increase concurrency per function.

140
Multi-Selecthard

A company runs a web application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer. The operations team notices that the ALB returns 503 errors during peak traffic. Which TWO actions should the solutions architect take to resolve this issue?

Select 2 answers
A.Increase the idle timeout on the ALB.
B.Enable ECS service Auto Scaling to automatically adjust the number of tasks.
C.Increase the deregistration delay on the target group.
D.Review the ECS service events for task failures or health check issues.
E.Increase the task memory allocation in the task definition.
AnswersB, D

Auto Scaling can add tasks to handle increased load.

Why this answer

Options B and D are correct. 503 errors from ALB indicate the target group has no healthy targets. Checking ECS service events (B) can reveal why tasks are unhealthy. Enabling ECS service Auto Scaling (D) will increase the number of tasks to handle traffic.

Option A is wrong because increasing ALB idle timeout does not affect health. Option C is wrong because increasing deregistration delay might help but is not a primary fix. Option E is wrong because increasing task memory might not solve the health issue if it's due to capacity.

141
Multi-Selecteasy

A company is designing a new microservices architecture on Amazon ECS with Fargate. The company wants to ensure that services can discover each other using DNS names. Which THREE components are required?

Select 3 answers
A.AWS Cloud Map
B.Network Load Balancer (NLB)
C.Amazon ECS Service Connect
D.Amazon Route 53
E.Application Load Balancer (ALB)
AnswersA, D, E

Cloud Map registers service instances with DNS names.

Why this answer

Options A, C, and E are correct. An Application Load Balancer provides DNS names for services. AWS Cloud Map enables service discovery with custom DNS names.

Amazon Route 53 can be used to register custom domain names. Option B is wrong because Amazon ECS Service Connect is a feature for service discovery but is not required; it can be used instead of Cloud Map. Option D is wrong because Network Load Balancer is not required for DNS-based discovery.

142
MCQhard

A company uses AWS CodePipeline to deploy a microservices application to Amazon ECS. Recently, a deployment failed because the new task definition referenced an ECR image that did not exist. The team wants to prevent this type of failure in the future. Which action should be taken?

A.Configure ECR scan on push to verify image integrity.
B.Add an ECR lifecycle policy to expire old images.
C.Add a validation step in CodePipeline to run a task definition dry-run.
D.Enable AWS CloudTrail to log ECR API calls.
AnswerC

Dry-run validates that the image exists and the task definition is valid before deployment.

Why this answer

Option D is correct because running a task definition dry-run in CodePipeline can validate the image existence before deployment. Option A is wrong because ECR lifecycle policies manage images, not validate deployment. Option B is wrong because CloudTrail logs events but does not prevent failures.

Option C is wrong because ECR scan on push only scans for vulnerabilities, not image existence.

143
MCQeasy

A company runs a critical application on EC2 instances in an Auto Scaling group. They want to be notified immediately if any instance fails a status check. What is the simplest solution?

A.Configure an ELB health check and monitor the unhealthy host count.
B.Use AWS Systems Manager Automation to check instance status periodically.
C.Create a CloudWatch alarm on the StatusCheckFailed metric with an SNS action.
D.Enable AWS CloudTrail and create a metric filter for EC2 instance failures.
AnswerC

StatusCheckFailed metric is available and can trigger alarms.

Why this answer

CloudWatch alarms can monitor EC2 status check metrics and trigger an SNS notification. Option B is correct. Option A uses CloudTrail for API calls, not status checks.

Option C is for load balancer target health. Option D uses SSM, which is not real-time for status checks.

144
MCQmedium

A company runs a production AWS Lambda function that processes orders. Recently, the function has been timing out occasionally. The function uses a VPC with a single private subnet and has a timeout of 30 seconds. What is the MOST likely cause of the timeout?

A.The function is experiencing cold starts due to high concurrency.
B.The function is hitting the maximum concurrent execution limit.
C.The function needs to be attached to a public subnet.
D.The function does not have a NAT gateway or VPC endpoints to access external resources.
AnswerD

Lambda in a VPC needs a route to the internet for external calls, otherwise requests hang.

Why this answer

Option A is correct because Lambda functions in a VPC require a NAT gateway or VPC endpoints to access external services; without it, they cannot reach the internet, causing timeouts. Option C is wrong because Lambda automatically scales. Option D is wrong because the function already has a VPC configuration.

Option B is wrong because concurrent executions do not cause timeouts.

145
MCQhard

A company runs a critical database on an RDS for MySQL Multi-AZ DB instance. The database is experiencing high read latency. The application is read-heavy and uses many complex joins. The company needs to improve read performance with minimal application changes. Which solution is MOST appropriate?

A.Migrate the database to Amazon DynamoDB Global Tables.
B.Create one or more RDS read replicas and direct read queries to the replica endpoint.
C.Implement Amazon ElastiCache in front of the database to cache query results.
D.Increase the DB instance class to a larger size with more vCPUs.
AnswerB

Offloads reads, minimal changes.

Why this answer

Option C is correct because setting up RDS read replicas offloads read traffic from the primary instance, and can be done with zero application changes if the application uses a separate endpoint. Option A is wrong because increasing instance size is a vertical scaling approach but may not help with complex joins. Option B is wrong because ElastiCache requires application code changes.

Option D is wrong because DynamoDB is a different database and would require significant application rework.

146
MCQmedium

A company uses Amazon DynamoDB as a data store for a mobile application. The application experiences throttling errors during peak hours. The table has a provisioned read capacity of 5000 RCUs and write capacity of 2000 WCUs. The throttling is on writes. What is the MOST cost-effective solution?

A.Enable DynamoDB Accelerator (DAX) to offload writes.
B.Switch to on-demand capacity mode.
C.Increase write capacity to 4000 WCUs.
D.Enable auto scaling for DynamoDB write capacity.
AnswerD

Auto scaling adjusts capacity based on traffic, reducing throttling and cost.

Why this answer

DynamoDB Accelerator (DAX) is a read cache, not for writes. The most cost-effective solution is to use DynamoDB auto scaling for writes to handle peak loads without over-provisioning.

147
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. A Solutions Architect needs to update a stack that includes an RDS DB instance. The update requires modifying the DB instance's storage type from gp2 to io1. What change should be made to the CloudFormation template to minimize downtime?

A.Modify the StorageType property in the CloudFormation template and perform a stack update.
B.Add an UpdateReplacePolicy attribute to the RDS resource.
C.Create a new stack with the updated storage type and migrate data.
D.Set the DeletionPolicy to Retain for the RDS resource.
AnswerA

Changing StorageType from gp2 to io1 is a supported modification that can be done without replacement, minimizing downtime.

Why this answer

Option B is correct because specifying 'UpdateReplacePolicy' does not exist; the correct approach is to allow modification of storage type without replacement. Option A is wrong because creating a new stack is unnecessary. Option C is wrong because DeletionPolicy affects stack deletion, not updates.

Option D is correct because changing the 'StorageType' property in the template will trigger a modification that can be done online with minimal downtime.

148
MCQmedium

A company has a production AWS Lambda function that processes orders. The function's execution time has increased, causing timeouts. The team wants to troubleshoot without affecting production traffic. What should they do?

A.Enable detailed CloudWatch Logs for the production function and analyze them.
B.Create a new Lambda function with a different name to test the code changes.
C.Use a Lambda alias to route a percentage of traffic to a new version with increased timeout.
D.Increase the timeout of the production Lambda function temporarily.
AnswerB

A separate function isolates testing from production.

Why this answer

Option B is correct because creating a separate Lambda function with the same code but a different name allows testing and debugging without impacting the production function. Option A is wrong because version aliases can route traffic but still affect production. Option C is wrong because CloudWatch Logs will show the production function's logs.

Option D is wrong because changing the timeout directly on the production function could break the SLA.

149
MCQeasy

A company has deployed a web application behind an Application Load Balancer (ALB) with an Auto Scaling group. Users report that the application is slow during peak hours. The CPU utilization of the EC2 instances is consistently below 40%, but the ALB's request count per target is high. Which action would MOST improve performance?

A.Increase the instance size (e.g., from t3.medium to t3.large)
B.Increase the desired capacity of the Auto Scaling group
C.Configure the Auto Scaling group to scale based on CPU utilization
D.Change the ALB routing algorithm to least outstanding requests
AnswerB

Adding more instances reduces request count per target.

Why this answer

Option C is correct because high request count per target with low CPU suggests the application is I/O bound or waiting on external calls; adding more instances will distribute the load and reduce queueing. Option A is wrong because increasing instance size may not help if the bottleneck is not CPU. Option B is wrong because scaling based on CPU would not trigger since CPU is low.

Option D is wrong because changing the ALB routing algorithm to least outstanding requests could help but adding more instances is more direct.

150
MCQeasy

A company uses Amazon S3 to store sensitive data. The security team requires that all S3 buckets have server-side encryption enabled. How can the company enforce this across all existing and future buckets?

A.Enable default encryption on each S3 bucket.
B.Create an IAM policy that denies s3:PutObject unless encryption headers are present.
C.Use an S3 bucket policy to deny PutObject without encryption.
D.Use AWS Config to automatically remediate noncompliant buckets.
AnswerA

Default encryption ensures all new objects are encrypted.

Why this answer

Option B is correct because S3 default encryption can be set at the bucket level for all objects. Option A is wrong because bucket policies can enforce encryption but require a policy per bucket. Option C is wrong because AWS Config can detect noncompliant buckets but not enforce encryption.

Option D is wrong because IAM policies cannot enforce encryption on S3 buckets.

← PreviousPage 2 of 6 · 428 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Continuous Improvement questions.