CCNA Continuous Improvement Questions

75 of 428 questions · Page 3/6 · Continuous Improvement topic · Answers revealed

151
MCQ · medium

A company uses AWS CloudTrail to log API activity. The compliance team requires that logs be stored for 7 years and be immediately accessible for the first 90 days, after which access can take up to 12 hours. Which storage solution meets these requirements cost-effectively?

A. Store logs in Amazon S3 Standard for 90 days, then transition to Amazon S3 Glacier for the remainder.
B. Store logs in Amazon S3 One Zone-Infrequent Access for 90 days, then delete.
C. Store logs in Amazon S3 Standard for 90 days, then transition to Amazon S3 Glacier Deep Archive.
D. Store logs in Amazon S3 Standard-Infrequent Access for 90 days, then transition to Amazon S3 Standard.
Answer: C

Deep Archive offers low cost with 12-hour retrieval.

Why this answer

Option C is correct because S3 Standard for 90 days and then a transition to S3 Glacier Deep Archive meets both the access requirements and the cost goal. Option A is wrong because S3 Glacier is more expensive than Deep Archive for long-term storage. Option D is wrong because S3 Standard-IA is not cost-effective for 7 years.

Option B is wrong because S3 One Zone-IA has lower durability and is not suitable for compliance.

152
MCQ · medium

A company uses Amazon CloudFront with an S3 origin to serve static content. They recently updated the content in S3, but users still see the old files. What is the MOST likely reason?

A. The CloudFront distribution's cache TTL is too long
B. S3 versioning is enabled and the objects are not updated
C. CloudFront is not configured to forward the Cache-Control header
D. S3 Transfer Acceleration is disabled
Answer: A

CloudFront caches content; a long TTL prevents immediate updates.

Why this answer

Option A is correct because CloudFront caches objects at edge locations based on the TTL; if the TTL has not expired, users will get the cached old content. Option B is wrong because S3 versioning does not affect cache invalidation. Option C is wrong because CloudFront does not set a Cache-Control header by default; it is set by the origin.

Option D is wrong because S3 Transfer Acceleration is irrelevant to caching.

153
MCQ · medium

A company runs a critical database on an Amazon RDS for PostgreSQL instance. The database experiences high write latency during peak hours. The company wants to improve write performance without changing the application code. Which action should the Solutions Architect take?

A. Create a read replica and offload read traffic.
B. Modify the RDS instance to use a larger instance type with higher IOPS.
C. Enable Multi-AZ deployment for the RDS instance.
D. Change the DB parameter group to optimize for write operations.
Answer: B

Larger instance types with higher IOPS reduce write latency.

Why this answer

Option B is correct because provisioning GP3 volumes with higher IOPS can improve write performance without code changes. Option C is wrong because Multi-AZ improves availability, not write latency. Option A is wrong because read replicas improve read performance, not write performance.

Option D is wrong because modifying parameter groups does not directly increase IOPS.

154
MCQ · hard

A startup runs a containerized microservices application on Amazon ECS with Fargate. They use an Application Load Balancer to distribute traffic. The application consists of 10 services, each with its own ECS service. Recently, the startup launched a marketing campaign and traffic increased 10x. The application started returning HTTP 503 errors. The ECS service metrics show that the number of running tasks is at the maximum desired count for each service. The ALB target group health checks are failing intermittently. The startup needs to handle the increased traffic and prevent 503 errors. What should they do?

A. Increase the desired count and maximum number of tasks for each ECS service.
B. Increase the CPU and memory limits for each task definition.
C. Decrease the health check interval to detect failures faster.
D. Add additional Application Load Balancers and split traffic across them.
Answer: A

Scaling out increases capacity to handle the higher load.

Why this answer

Option A is correct. Increasing the desired count and maximum tasks allows the service to scale out to handle more traffic. Option B: Increasing task CPU/memory may help, but tasks are already at the maximum count, so scaling out is needed.

Option D: Adding more ALBs does not address the capacity issue. Option C: Reducing the health check interval may cause premature task termination.

155
Multi-Select · easy

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all Amazon S3 buckets across the organization are encrypted at rest. Which TWO steps should the security team take to enforce this requirement?

Select 2 answers
A. Create an AWS Config rule that checks for S3 bucket default encryption and auto-remediates using SSM Automation.
B. Create a service control policy (SCP) that denies s3:PutObject unless the x-amz-server-side-encryption header is present.
C. Use Amazon GuardDuty to monitor S3 data access patterns.
D. Create an IAM role with permissions to encrypt S3 buckets and assign it to all users.
E. Enable AWS CloudTrail to log all S3 API calls.
Answers: A, B

Config rules can enforce and remediate non-compliant resources.

Why this answer

Option A is correct because AWS Config can be configured with a managed rule (e.g., s3-bucket-server-side-encryption-enabled) to detect buckets without default encryption, and an automatic remediation action using AWS Systems Manager (SSM) Automation can enforce encryption by applying the bucket's default encryption settings. Option B is correct because a service control policy (SCP) that denies s3:PutObject unless the x-amz-server-side-encryption header is present ensures that any object uploaded to S3 must include encryption headers, effectively enforcing encryption at the API level across all accounts in the organization.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config or CloudTrail) with preventive controls (like SCPs), or they mistakenly think that IAM roles or GuardDuty can enforce encryption policies, when in fact only SCPs and bucket policies with condition keys can deny unencrypted uploads at the API level.

156
Multi-Select · medium

A company wants to reduce costs for a batch processing workload that runs nightly on Amazon EMR. The workload is fault-tolerant and can handle interruptions. Which TWO strategies should they implement? (Choose TWO.)

Select 2 answers
A. Use On-Demand Instances for all nodes.
B. Right-size the cluster by analyzing resource utilization metrics.
C. Purchase Reserved Instances for the cluster.
D. Use Dedicated Instances to improve performance.
E. Use Spot Instances for task nodes.
Answers: B, E

Right-sizing prevents over-provisioning and reduces cost.

Why this answer

Using Spot Instances reduces cost significantly for fault-tolerant workloads. Right-sizing the cluster ensures efficient resource use. Option E is correct (Spot) and Option B is correct (right-sizing).

Option A (On-Demand) increases cost. Option C (Reserved Instances) is for steady-state workloads. Option D (Dedicated) is more expensive.

157
MCQ · easy

A DevOps engineer notices that an EC2 instance is running but is not reachable via SSH. The instance was launched with a security group that allows SSH from anywhere (0.0.0.0/0). What is the most likely cause?

A. The instance does not have a public IP address.
B. The instance is failing system status checks.
C. The security group is not attached to the instance.
D. The subnet's network ACL is blocking inbound SSH traffic.
Answer: D

Network ACLs are stateless and must allow both inbound and outbound traffic.

Why this answer

Option D is correct because the network ACL must allow inbound SSH traffic on port 22. Option C is incorrect because the security group already allows SSH. Option B is incorrect because a failing instance status check would show other symptoms.

Option A is incorrect because the instance has a public IP.

158
MCQ · medium

A company has a multi-tier application running on AWS. The web tier uses an Application Load Balancer (ALB) with an Auto Scaling group of EC2 instances. The application tier runs on a separate Auto Scaling group of EC2 instances. The database tier uses Amazon RDS for MySQL. During a recent load test, the application became unresponsive. Monitoring showed that the database's CPU utilization was at 100% and the number of database connections was at the maximum limit. The application tier instances were healthy, but the web tier instances were returning 503 errors. The Solutions Architect determined that the application tier was making too many database connections because each request opened a new connection and did not close it properly. The team wants to fix the issue with minimal changes to the application code. Which solution should the Solutions Architect recommend?

A. Migrate the database from RDS MySQL to Amazon Aurora MySQL with read replicas.
B. Increase the max_connections parameter in the RDS parameter group to allow more connections.
C. Scale the application tier horizontally by increasing the desired capacity of the Auto Scaling group.
D. Configure Amazon RDS Proxy to pool database connections from the application tier.
Answer: D

RDS Proxy manages connection pooling, reducing the number of connections and CPU usage with minimal code changes.

Why this answer

Option D is correct. Using Amazon RDS Proxy allows connection pooling, reducing the number of database connections and reusing connections, which reduces CPU load on the database. It requires minimal code changes.

Option B is wrong because increasing the max connections limit does not address the root cause; it may lead to more resource contention. Option C is wrong because scaling the application tier horizontally will increase the number of connections further, making the problem worse. Option A is wrong because switching to Aurora does not inherently solve connection management; RDS Proxy is still needed.

159
MCQ · medium

A media company delivers video content to a global audience using Amazon CloudFront, AWS Lambda@Edge, and Amazon S3. The origin is an S3 bucket that stores video files. Recently, users in Asia-Pacific report slow load times. The operations team checks CloudFront metrics and sees a high cache miss rate for content popular in that region. The team wants to improve performance for all users without significantly increasing costs. The application uses a single CloudFront distribution with a default cache behavior. The S3 bucket is in us-east-1. Which solution should the team implement?

A. Enable S3 Transfer Acceleration on the S3 bucket and update CloudFront to use the accelerated endpoint.
B. Create separate CloudFront distributions for each geographic region and use Route 53 latency-based routing.
C. Use Lambda@Edge to redirect requests to the nearest S3 bucket based on the viewer's location.
D. Set up multiple origin groups in the existing CloudFront distribution with one S3 bucket per region, and configure cache behaviors based on geographic headers.
Answer: D

Origin groups and geographic routing improve the cache hit ratio and reduce latency.

Why this answer

Option D (multiple origin groups with region-specific behaviors) is ideal for global distribution because CloudFront can route based on geographic headers. Option B (multiple distributions) increases complexity. Option C (Lambda@Edge for origin selection) can work but requires code changes.

Option A (S3 Transfer Acceleration) speeds up uploads, not downloads.

160
MCQ · medium

A company is using AWS CodePipeline to automate deployments. They want to add a manual approval step before deploying to production. How should they configure this?

A. Add a manual approval action in the pipeline stage with an SNS topic for notification.
B. Use Amazon CloudWatch Events to trigger an SNS topic for approval.
C. Create a custom action using AWS CodeDeploy.
D. Add a Lambda function that sends an email and pauses the pipeline until a token is provided.
Answer: A

CodePipeline's manual approval action pauses the pipeline and sends a notification.

Why this answer

Option A is correct because CodePipeline supports a manual approval action with SNS notification. Option D is wrong because approval is not a Lambda function. Option B is wrong because CloudWatch Events is not for approvals.

Option C is wrong because approval is a built-in action.

161
MCQ · hard

A company runs a production application on Amazon ECS with Fargate launch type. The application uses an Application Load Balancer (ALB) to distribute traffic to tasks. The company has configured an Auto Scaling target tracking policy based on average CPU utilization. During a marketing campaign, traffic spikes cause the ALB to return 503 errors. The ECS service dashboard shows that the number of tasks scaled out to the maximum allowed but the CPU utilization remained high. What is the MOST likely cause of the 503 errors?

A. The ECS service scaled out to the maximum number of tasks, but the new tasks are not yet registered as healthy with the ALB, or the existing tasks are overwhelmed.
B. The target tracking scaling policy takes too long to trigger, and the service cannot scale quickly enough.
C. The Fargate tasks have exhausted their elastic network interface (ENI) limits.
D. The ALB connection limit has been exceeded due to the traffic spike.
Answer: A

When the maximum number of tasks is reached and CPU is high, tasks may be overwhelmed; also, if the health check grace period is too short, new tasks may be considered unhealthy and dropped.

Why this answer

Option A is correct because with target tracking based on CPU, the service scales out until the maximum number of tasks is reached; if CPU is still high, the ALB may be overloaded or tasks are not accepting traffic fast enough. A surge queue or health check grace period issue could cause 503s. Option D is wrong because an ALB can handle many connections; the issue is task capacity.

Option B is wrong because target tracking scaling can take minutes; the issue is that the maximum number of tasks has been reached. Option C is wrong because Fargate tasks have sufficient ENIs; the error is at the ALB level.

162
MCQ · medium

A company uses AWS Elastic Beanstalk to deploy a web application. They want to update the environment's configuration to use a larger instance type without any downtime. Which update policy supports this?

A. All at once
B. Blue/Green
C. Immutable
D. Rolling
Answer: D

Rolling updates replace instances in batches, ensuring availability.

Why this answer

Option D is correct because a Rolling update with a batch size updates instances in batches, keeping the environment running. Option A is wrong because All at once replaces all instances simultaneously, causing downtime. Option C is wrong because an Immutable update launches new instances in a separate ASG and then swaps them in; immutable updates replace the entire set of instances and can cause a brief interruption.

However, Rolling update is designed for zero downtime. Option B is wrong because Blue/Green deployment is not built into Elastic Beanstalk natively as an update policy; it's a manual approach.

163
Multi-Select · easy

A company uses AWS CloudFormation to deploy infrastructure. The operations team wants to implement a change management process that requires approval before stack updates can proceed. Which TWO approaches can achieve this?

Select 2 answers
A. Use AWS CloudFormation StackSets to deploy updates across multiple accounts.
B. Create a service role with specific IAM policies and require that updates be initiated with that role.
C. Manually review all template changes before uploading to S3.
D. Configure a stack policy to prevent updates to critical resources.
E. Use CloudFormation change sets to review proposed changes before executing them.
Answers: B, E

By controlling who can assume the service role, you can enforce approval workflows.

Why this answer

Options B and E are correct. Using a change set allows review before execution. Using a service role with IAM policies can enforce approval workflows.

D is wrong because stack policies protect resources; they do not control updates. A is wrong because StackSets are for multi-account deployments. C is wrong because it is a manual process, not an automated one.

164
Multi-Select · easy

A company uses AWS CodeCommit to store source code and CodePipeline for CI/CD. The pipeline includes a build stage using CodeBuild and a deploy stage to Elastic Beanstalk. The team wants to add a manual approval step before deployment to production. Which THREE resources are needed? (Choose three.)

Select 3 answers
A. An approval action in the CodePipeline stage.
B. A CloudWatch Events rule to trigger the approval action.
C. An IAM role for CodePipeline to publish to the SNS topic.
D. An AWS Lambda function to process approval requests.
E. An Amazon SNS topic to send approval notifications.
Answers: A, C, E

Required for manual approval.

Why this answer

Options A, C, and E are correct. The approval action is added to the pipeline; it requires an SNS topic for notifications and an IAM role for the pipeline to publish to SNS. Option D is wrong because a Lambda function is not required for approval.

Option B is wrong because a CloudWatch Events rule is not needed.

165
MCQ · easy

A company is using AWS Lambda functions to process files uploaded to an S3 bucket. Recently, the processing time has increased significantly. A solutions architect notices that the Lambda functions are using the default VPC configuration. What is the MOST likely cause of the performance degradation?

A. Lambda function is using too much memory.
B. Lambda function is attached to a VPC, causing network latency for S3 API calls.
C. S3 bucket has versioning enabled, causing extra overhead.
D. S3 bucket is in a different region.
Answer: B

Lambda in a VPC uses ENIs and routes through NAT for internet access, adding latency.

Why this answer

Option B is correct because Lambda functions in a VPC use an Elastic Network Interface (ENI) in a private subnet, which can add latency for internet-bound requests. Options A, C, and D do not directly cause increased processing time.

166
Multi-Select · medium

A company is deploying a web application that uses an Application Load Balancer and an Auto Scaling group of EC2 instances. The application must be able to handle sudden spikes in traffic. Which TWO actions should the Solutions Architect take to improve scalability and reduce latency? (Choose two.)

Select 2 answers
A. Enable HTTP/2 on the Application Load Balancer.
B. Increase the default cooldown period for the Auto Scaling group.
C. Use larger EC2 instance types for the Auto Scaling group.
D. Configure the Auto Scaling group to use a predictive scaling policy.
E. Increase the health check interval on the Application Load Balancer.
Answers: A, D

HTTP/2 allows multiplexing, reducing latency and improving throughput.

Why this answer

Options A and D are correct. Option D: Using a predictive scaling policy helps prepare for traffic spikes. Option A: Enabling HTTP/2 on the ALB reduces latency through multiplexing.

Option B is wrong because increasing the cooldown delays scaling. Option C is wrong because larger instances are a vertical scaling approach, not horizontal. Option E is wrong because increasing the health check interval delays detection of unhealthy instances.

167
MCQ · medium

A company uses AWS Lambda functions to process orders. Recently, some orders have been lost due to Lambda throttling. The operations team wants to implement a solution to capture failed invocations and retry them. What is the MOST reliable approach?

A. Enable CloudWatch Logs for Lambda and create a metric filter to trigger an alarm.
B. Use Amazon EventBridge to capture Lambda errors and route them to a recovery function.
C. Configure an SQS queue as the Lambda event source with a dead-letter queue for failed messages.
D. Publish failed invocation details to an SNS topic and subscribe a Lambda function to process them.
Answer: C

SQS provides reliable message delivery and retries; the dead-letter queue captures messages that exceed the retry attempts.

Why this answer

Option C is correct because SQS with a dead-letter queue provides reliable capture and retry of failed Lambda invocations. Option A is wrong because CloudWatch Logs only captures logs, not failed invocations. Option D is wrong because SNS does not store messages for retries.

Option B is wrong because EventBridge does not automatically retry failed Lambda invocations.

168
MCQ · hard

A company is migrating a legacy monolithic application to AWS. They plan to use Amazon ECS with Fargate for containerized microservices. The application requires sticky sessions and SSL termination. What should the company use to meet these requirements?

A. Network Load Balancer (NLB) with target group stickiness.
B. Application Load Balancer (ALB) with stickiness and SSL termination.
C. Classic Load Balancer (CLB) with SSL termination at the instance.
D. AWS Lambda with API Gateway.
Answer: B

ALB supports both session stickiness and SSL termination.

Why this answer

Option B is correct because ALB supports sticky sessions (session affinity) and SSL termination. Option A is wrong because NLB does not support sticky sessions natively. Option C is wrong because CLB is legacy and less recommended.

Option D is wrong because Lambda is not a load balancer.

169
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. The team wants to automatically remediate any non-compliant buckets created in the future. Which solution is MOST effective and requires the least ongoing maintenance?

A. Use AWS Config rules with auto-remediation using SSM Automation.
B. Use an AWS Lambda function triggered by S3 bucket creation events to enable encryption.
C. Enable AWS CloudTrail and create a metric filter to alert on non-encrypted bucket creation.
D. Apply a service control policy (SCP) that denies s3:PutBucketEncryption actions unless encryption is set.
Answer: D

SCP proactively denies non-compliant actions, enforcing encryption at creation time.

Why this answer

Option D is correct because a service control policy (SCP) can deny the creation of S3 buckets without encryption, enforcing compliance across all accounts. Option B is wrong because it relies on Lambda execution after bucket creation, which may have a delay. Option A is wrong because AWS Config rules can detect but not automatically remediate without additional automation.

Option C is wrong because CloudTrail logs events but does not prevent non-compliant actions.

170
Multi-Select · easy

A company is using an AWS Lambda function to process records from an Amazon Kinesis stream. The function stores results in an Amazon DynamoDB table. The team notices that the Lambda function sometimes fails due to throttling from DynamoDB. Which TWO actions should the team take to improve the continuous processing of records? (Choose TWO.)

Select 2 answers
A. Increase the number of shards in the Kinesis stream to reduce data per Lambda invocation.
B. Configure reserved concurrency for the Lambda function to limit its maximum concurrency.
C. Increase the concurrency limit for the Lambda function to allow more parallel executions.
D. Switch the DynamoDB table to on-demand capacity mode.
E. Enable DynamoDB auto scaling for the table to adjust read/write capacity automatically.
Answers: D, E

On-demand mode eliminates throttling by scaling automatically.

Why this answer

Option D is correct because switching the DynamoDB table to on-demand capacity mode eliminates the need to provision read/write capacity, allowing the table to automatically scale to handle any throttling caused by sudden spikes in Lambda writes. This directly addresses the throttling issue without requiring manual capacity management.

Exam trap

The trap here is that candidates often choose to increase Lambda concurrency or shards, thinking more parallelism will improve processing, but they fail to recognize that the bottleneck is DynamoDB capacity, and increasing Lambda concurrency only worsens the throttling.

171
MCQ · medium

A company runs a critical application on Amazon RDS for PostgreSQL. The database performance has degraded over time. The Solutions Architect notices that read queries are slow and the DB instance's ReadIOPS metric is consistently high. Which action would improve read performance with minimal operational overhead?

A. Increase the allocated storage of the DB instance.
B. Enable Multi-AZ deployment for the DB instance.
C. Migrate the database to Amazon Aurora with PostgreSQL compatibility.
D. Create an RDS read replica and redirect read queries to it.
Answer: D

Read replicas offload read traffic from the primary, reducing IOPS and improving performance.

Why this answer

Option D is correct because adding a read replica distributes read traffic off the primary instance, reducing ReadIOPS and improving query performance. Option A is wrong because increasing storage size does not directly improve IOPS or read performance. Option B is wrong because Multi-AZ is for high availability, not read scaling.

Option C is wrong because switching to a different engine is unnecessary and would require application changes.

172
Multi-Select · medium

A company runs a production AWS environment with Amazon EC2 instances managed by Auto Scaling groups. The operations team notices that after a recent deployment, the application is returning higher error rates. Which TWO steps should the team take to enable a quick rollback and improve future deployments?

Select 2 answers
A. Configure Auto Scaling lifecycle hooks to automatically terminate new instances if health checks fail.
B. Implement canary deployments using AWS CodeDeploy to shift traffic gradually and monitor error rates.
C. Use AWS CloudFormation change sets to automatically roll back failed deployments.
D. Use AWS Elastic Beanstalk to perform a blue/green deployment, swapping the environment URL after testing.
E. Enable AWS CloudTrail to track deployment API calls and automatically revert if errors exceed a threshold.
Answers: B, D

Canary deployments allow early detection and rollback if errors increase.

Why this answer

Option D (use Elastic Beanstalk for blue/green deployment) allows rollback by swapping environments. Option B (implement canary deployments in CodeDeploy) reduces the blast radius and allows monitoring before full rollout. Option C (CloudFormation change sets) is for previewing changes, not rollback.

Option E (CloudTrail) is for auditing, not deployment control. Option A (lifecycle hooks) is for custom actions during instance launch/termination, not rollback.

173
MCQ · easy

A company uses AWS Lambda functions to process files uploaded to an S3 bucket. The processing time varies, but some files fail with a timeout error. The function has the default timeout setting. What is the MOST cost-effective way to resolve this issue?

A. Increase the memory allocation for the Lambda function.
B. Use an SQS queue to buffer the S3 events.
C. Use AWS Step Functions to orchestrate the processing.
D. Increase the Lambda function timeout.
Answer: D

Increasing the timeout allows the function to run longer without timing out.

Why this answer

Option D is correct because increasing the timeout allows longer-running functions to complete without failing. Option A is wrong because increasing memory also increases cost and may not be needed. Option B is wrong because SQS is for decoupling, not for fixing timeouts.

Option C is wrong because Step Functions add complexity and cost; it is simpler to adjust the timeout.

174
MCQ · hard

Refer to the exhibit. A CloudFormation template is used to create an S3 bucket with versioning enabled and a DeletionPolicy of Retain. The stack is deleted. What happens to the bucket and its objects?

A. The bucket and all its objects are deleted
B. The bucket and its objects are retained
C. The bucket is deleted only if it is empty
D. The bucket is deleted, but versioning information is retained
Answer: B

DeletionPolicy Retain preserves the resource.

Why this answer

Option B is correct. With DeletionPolicy set to Retain, the bucket is preserved along with all its objects when the stack is deleted. Option A is wrong because the bucket is not deleted.

Option D is wrong because the versioning status remains as set. Option C is wrong because buckets with versioning enabled can be deleted via the console with the force delete option, but CloudFormation respects the DeletionPolicy.

175
MCQ · easy

A company is using Amazon CloudFront to deliver static content from an S3 bucket. The company wants to ensure that users can only access content through CloudFront and not directly from the S3 bucket. What should the company do?

A. Use CloudFront Origin Access Control (OAC) and update the bucket policy to only allow access from the CloudFront distribution.
B. Set S3 Object Ownership to BucketOwnerPreferred.
C. Configure the S3 bucket policy to allow public read access.
D. Generate CloudFront key pairs and require signed URLs for all content.
Answer: A

Restricts direct access.

Why this answer

Option A is correct because Origin Access Control (OAC) restricts S3 bucket access to CloudFront only. Option C is wrong because it does not restrict direct access. Option B is wrong because Object Ownership is not a security feature.

Option D is wrong because CloudFront key pairs are for signed URLs, not bucket access.

176
Multi-Select · hard

A company has a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application experiences occasional timeouts during peak hours. After reviewing AWS X-Ray traces, the team finds that DynamoDB queries are slow. Which THREE actions should the team take to improve performance and continuously optimize the solution?

Select 3 answers
A. Optimize DynamoDB queries by using global secondary indexes and reducing the number of separate queries.
B. Configure DynamoDB auto scaling to adjust read and write capacity based on demand.
C. Use Amazon ElastiCache for Redis to cache DynamoDB query results.
D. Implement Lambda function warmers to keep containers initialized and reduce cold starts.
E. Enable Amazon DynamoDB Accelerator (DAX) for read-heavy workloads.
Answers: A, B, E

GSIs and efficient query patterns reduce latency and consumed capacity.

Why this answer

Option A (DAX) reduces read latency. Option B (read capacity auto scaling) adapts to demand. Option E (connection pooling) reduces cold start overhead.

Option C (ElastiCache) is for external caching, not DynamoDB. Option D (warm containers) is for Lambda optimization but does not directly address DynamoDB performance.

177
MCQ · hard

A media company uses S3 for storing video files and CloudFront for distribution. They implemented a Lambda@Edge function to add copyright headers. After deployment, some users report that older videos still lack the headers. What is the most likely reason?

A. The Lambda@Edge function is not triggered for viewer request events.
B. The CloudFront behavior for older videos does not include the Lambda function association.
C. The S3 bucket policy denies access to the Lambda function.
D. The videos are cached in CloudFront and the function runs only on cache misses.
Answer: B

If the distribution has multiple behaviors (e.g., based on path pattern), the function may only be associated with the behavior for newer videos.

Why this answer

Lambda@Edge functions can be associated with CloudFront behaviors. If the function is only triggered for specific behaviors (e.g., only for certain file extensions or cache behaviors), older videos served under other behaviors may not get the headers. Option B is correct.

Options A and C are less likely because the function is invoked on every request, and S3 permissions do not affect Lambda@Edge execution. Option D is incorrect because the issue is about missing headers, not caching of old content.

178
MCQ · hard

A company has a legacy application that runs on an EC2 instance with a large attached EBS volume. The application writes log files to the volume, and the volume is frequently full, causing application errors. The Solutions Architect needs to implement a solution to automatically manage disk space without application changes. Which solution meets these requirements?

A.Configure an S3 Lifecycle policy to transition log files to Amazon S3 Glacier after 30 days.
B.Increase the EBS volume size and enable auto-scaling.
C.Use a script with Amazon Data Lifecycle Manager to snapshot the volume and delete old snapshots.
D.Install the CloudWatch Logs agent and stream logs to CloudWatch Logs, then delete local logs.
Answer: C

Data Lifecycle Manager automates snapshots, but the script can move old logs and free space.

Why this answer

Option C is correct because a script combined with Data Lifecycle Manager snapshots moves old logs off the volume and frees space automatically, with no application changes. Option A is wrong because S3 Lifecycle policies apply to S3 objects, not EBS volumes. Option D is wrong because the CloudWatch Logs agent approach requires application changes to send logs.

Option B is wrong because increasing the volume size does not automatically manage space.

179
MCQ · medium

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS MySQL instance. The stack template defines the DBInstanceClass as db.t3.medium. After deployment, the database performance is insufficient for the workload. The company wants to change the instance class to db.r5.large without recreating the database. What should they do?

A.Create a new stack with the new instance class and migrate the data.
B.Use AWS Database Migration Service to perform a blue/green deployment.
C.Delete the stack and create a new one with the new instance class.
D.Update the CloudFormation stack with the new instance class and apply the change.
Answer: D

CloudFormation will modify the DB instance in-place with minimal downtime.

Why this answer

Option D is correct because RDS supports modifying the DB instance class without recreating the database; the stack update causes a brief downtime but preserves data. Option C is wrong because deleting the stack would destroy the database. Option A is wrong because creating a new stack would create a new database, not modify the existing one.

Option B is wrong because RDS does not support blue/green deployments for instance class changes as a standard feature.

180
MCQ · medium

A company deploys the above CloudFormation template. After deployment, an EC2 instance launched in mySubnet can access the internet. However, the instance cannot receive inbound traffic from the internet. What is the MOST likely reason?

A.The subnet does not have auto-assign public IP enabled.
B.No security group or network ACL allows inbound traffic.
C.The VPC does not have an internet gateway attached.
D.The route table does not have a route to the internet gateway.
Answer: B

Inbound traffic is blocked by default.

Why this answer

Option B is correct because the template does not configure a security group or network ACL that allows inbound traffic. The route table and internet gateway are correctly set up for outbound traffic. Option A is wrong because the subnet has MapPublicIpOnLaunch: true.

Option C is wrong because the VPC does have an internet gateway attached. Option D is wrong because the route to the internet gateway exists.

181
MCQ · easy

Refer to the exhibit. A company configured an Amazon Route 53 alias record for a domain name pointing to an Application Load Balancer (ALB). Users report that occasionally they are directed to an unhealthy ALB node. Which change should the company make to improve availability?

A.Change the record type to CNAME.
B.Configure the ALB health check to mark unhealthy nodes.
C.Use weighted routing policy.
D.Use multi-value answer routing.
Answer: B

Proper health checks ensure unhealthy nodes are not used.

Why this answer

The exhibit shows EvaluateTargetHealth: true on the alias record, so Route 53 already consults the ALB's health status when answering queries. Since users are still directed to unhealthy nodes, the ALB health check itself must be misconfigured; Option B, configuring the ALB health check so that unhealthy nodes are marked and taken out of rotation, is correct.

Option A is wrong because a CNAME record does not provide health checking. Option C is wrong because weighted routing distributes traffic; it does not check health.

Option D is wrong because multi-value answer routing can return multiple values, but it does not improve health checking beyond what alias records with EvaluateTargetHealth already provide.

182
MCQ · medium

A company runs a production web application on EC2 instances in an Auto Scaling group behind an ALB. The application logs are stored on an EBS volume attached to each instance. The operations team notices that the logs are not being sent to a central location. What is the MOST efficient way to centralize log collection with minimal code changes?

A.Modify the application to use the AWS SDK to send logs to CloudWatch Logs via PutLogEvents API.
B.Use Amazon Kinesis Agent to send logs to Kinesis Data Firehose and then to S3.
C.Set up an S3 bucket with a lifecycle policy to transition logs to Glacier.
D.Install the CloudWatch Logs agent on each EC2 instance and configure it to stream the log files to CloudWatch Logs.
Answer: D

Minimal code changes, efficient centralized logging.

Why this answer

Option D is correct because the CloudWatch Logs agent can be installed on the EC2 instances to stream log files to CloudWatch Logs without modifying application code. Option A is wrong because sending logs via the PutLogEvents API requires code changes. Option C is wrong because S3 lifecycle policies do not collect logs.

Option B is wrong because the Amazon Kinesis Agent pipeline is more complex and not the typical choice for EC2 log collection.

183
MCQ · medium

A company runs a monolithic application on a single EC2 instance. The application is critical and must be highly available. The company wants to migrate to a containerized architecture on Amazon ECS with minimal downtime. Which approach should the company take?

A.Launch a new ECS cluster with the containerized application and use Route 53 weighted routing to shift traffic.
B.Deploy the monolith as a single task in ECS and update the task definition with new container versions.
C.Use AWS CodeStar to automatically deploy the application to ECS with blue/green deployments.
D.Use an Application Load Balancer with blue/green deployment using AWS CodeDeploy and ECS.
Answer: D

CodeDeploy with ECS supports blue/green deployments for minimal downtime.

Why this answer

Option D is correct because a blue/green deployment with CodeDeploy and ECS minimizes downtime by shifting traffic to the new environment in a controlled way. Option B is wrong because cutting over all at once risks downtime. Option A is wrong because launching a separate ECS cluster and shifting DNS weights adds complexity.

Option C is wrong because CodeStar is not a deployment strategy.

184
MCQ · easy

A company uses AWS Config to record resource changes. The security team wants to be notified when an S3 bucket policy changes to allow public access. What is the most efficient way to achieve this?

A.Create an AWS Config rule that triggers a custom Lambda function to check bucket policies and publish to SNS.
B.Configure S3 event notifications on the bucket to send events to SNS.
C.Set up an AWS Config rule to directly publish to an SNS topic when noncompliant.
D.Enable AWS CloudTrail and create a metric filter for PutBucketPolicy events.
Answer: A

Config rules evaluate resource compliance and can invoke Lambda for remediation or notification.

Why this answer

Option A is correct because AWS Config rules can trigger custom Lambda functions to evaluate resources and publish notifications. Option D is wrong because CloudTrail logs API calls but does not directly evaluate resource compliance. Option B is wrong because S3 event notifications do not fire on bucket policy changes.

Option C is wrong because Config rules do not directly publish to SNS.

185
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The operations team notices that stack updates frequently fail because of updates to resources that are not supported for updates. What is the BEST way to handle this?

A.Use AWS Config rules to prevent updates.
B.Delete the stack and create a new one for each update.
C.Use AWS Service Catalog to enforce version control.
D.Use a change set to review the proposed changes before executing the update.
Answer: D

Change sets allow you to see what changes will be made and if any resources will be replaced.

Why this answer

The best practice is to use a change set to preview changes and identify unsupported updates before executing the update.

186
MCQ · easy

A company has an Amazon S3 bucket that stores sensitive data. The company wants to ensure that all data in the bucket is encrypted at rest. Which action should the Solutions Architect take?

A.Enable default encryption on the S3 bucket using SSE-S3, SSE-KMS, or SSE-C.
B.Use AWS CloudHSM to manage encryption keys.
C.Configure a bucket policy that denies unencrypted uploads.
D.Require the use of pre-signed URLs for uploads.
Answer: A

Default encryption encrypts all objects stored.

Why this answer

Option A is correct because enabling default encryption on the bucket ensures all new objects are encrypted at rest. Option C is wrong because a bucket policy does not itself encrypt data. Option B is wrong because CloudHSM is not required.

Option D is wrong because pre-signed URLs do not enforce encryption.

187
MCQ · easy

A company uses AWS Lambda functions to process events from an SQS queue. The Lambda function is configured with a reserved concurrency of 5. The SQS queue has a high volume of messages, and the Lambda function is experiencing throttling errors. What is the most cost-effective solution to reduce throttling?

A.Create multiple Lambda functions each processing a subset of the queue.
B.Decrease the reserved concurrency to force the function to process messages more efficiently.
C.Increase the reserved concurrency for the Lambda function.
D.Increase the batch size of the SQS event source mapping.
Answer: C

This allows more concurrent executions, reducing throttling.

Why this answer

Option C is correct because increasing reserved concurrency allows more concurrent invocations. Option A is wrong because splitting the work across more Lambda functions is not how concurrency is managed. Option D is wrong because a larger batch size may cause timeouts.

Option B is wrong because decreasing concurrency worsens the problem.

188
MCQ · hard

Refer to the exhibit. An EC2 instance in subnet-11111 (10.0.1.0/24) cannot access the internet. The route table for the subnet is shown. What is the MOST likely cause?

A.The route table does not have a default route (0.0.0.0/0).
B.The VPC does not have a local route.
C.The route table is not associated with the subnet.
D.The NAT gateway is not in a public subnet with an internet gateway.
Answer: D

NAT gateway requires a public subnet and internet gateway to function.

Why this answer

Option D is correct. The route table has a route to a NAT gateway in the same subnet, but the NAT gateway must be in a public subnet whose route table points to an internet gateway. If the NAT gateway is in a private subnet, it cannot forward traffic to the internet.

Option A is wrong because there is a default route. Option B is wrong because the local route is present. Option C is wrong because the route table is associated with the subnet.

189
MCQ · easy

A company is using Amazon RDS for MySQL and needs to capture slow query logs for performance tuning. The logs must be stored for 30 days for analysis. What is the MOST cost-effective way to achieve this?

A.Enable slow query logging and use an RDS event subscription to send logs to an SQS queue for processing.
B.Enable slow query logging and store logs in an S3 bucket with lifecycle policy to delete after 30 days.
C.Enable slow query logging and store logs on the RDS instance's EBS volume, then take daily snapshots.
D.Enable slow query logging and stream logs to Amazon CloudWatch Logs with a retention policy of 30 days.
Answer: D

RDS can publish logs to CloudWatch Logs, where retention is configurable.

Why this answer

Option D is correct because RDS can stream slow query logs to CloudWatch Logs and retain them for 30 days at low cost. Option B is wrong because writing logs directly to S3 is not a built-in RDS feature. Option C is wrong because RDS does not write logs to EBS volumes by default.

Option A is wrong because it requires additional infrastructure and cost.

190
MCQ · medium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The database experiences occasional read replica lag of up to 5 seconds. The application requires read-after-write consistency. Which action should the company take to improve the solution?

A.Modify the application to always read from the primary instance.
B.Increase the number of read replicas to distribute the load.
C.Implement Amazon ElastiCache to cache read results.
D.Use Amazon RDS Proxy to route read queries to the read replica.
Answer: A

Primary instance provides strong consistency.

Why this answer

Option A is correct because reading from the primary instance ensures strong read-after-write consistency. Option D is wrong because RDS Proxy does not eliminate read replica lag. Option B is wrong because adding more read replicas does not solve consistency.

Option C is wrong because ElastiCache is for caching, not consistency.

191
Multi-Select · easy

A company uses AWS CloudFormation to deploy a multi-tier application. The deployment includes an Application Load Balancer, Auto Scaling group, and Amazon RDS database. The company wants to ensure that updates to the database do not cause downtime. Which TWO strategies should the company use? (Choose two.)

Select 2 answers
A.Enable Multi-AZ on the RDS instance to allow failover during updates.
B.Update the CloudFormation stack directly without creating a new database.
C.Use AWS CloudFormation with a blue/green deployment strategy for the database.
D.Use a read replica to serve traffic during the update.
E.Use a database snapshot to restore the database if the update fails.
Answers: C, E

Blue/green allows you to create a new database and switch traffic.

Why this answer

Option C is correct because a blue/green deployment minimizes downtime by creating a new database environment and switching traffic to it. Option E is correct because taking a snapshot before updates provides a rollback option. Option A is wrong because Multi-AZ is for high availability, not for zero-downtime updates.

Option D is wrong because a read replica is for read scaling, not for updates. Option B is wrong because modifying the stack directly may cause downtime.

192
Multi-Select · easy

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that no S3 buckets in any account are publicly accessible. Which TWO services can the team use to achieve this?

Select 2 answers
A.AWS Resource Access Manager
B.AWS WAF
C.AWS IAM Identity Center (SSO)
D.AWS Config
E.AWS Organizations Service Control Policies (SCPs)
Answers: D, E

Can evaluate bucket policies and auto-remediate non-compliant buckets.

Why this answer

Options D and E are correct: SCPs can deny public access at the OU level, and AWS Config can detect and remediate non-compliant buckets. Option A is wrong because it is for sharing resources across accounts, not access control. Option B is wrong because it is a web application firewall, not a control over bucket policies.

Option C is wrong because it is for identity federation.

193
MCQ · easy

A company uses AWS CloudFormation to deploy resources. The operations team notices that some stack updates fail due to resource conflicts. What is the BEST practice to minimize such failures?

A.Enable termination protection on the stack.
B.Use AWS CloudFormation change sets before updating the stack.
C.Use AWS CloudFormation nested stacks.
D.Use stack policies to protect critical resources.
Answer: B

Change sets allow you to review proposed changes and identify conflicts before execution.

Why this answer

Option B is correct because change sets let you preview the changes before execution, helping to identify conflicts. Option A is wrong because termination protection does not directly address conflicts. Option D is wrong because stack policies guard resources against unwanted updates or deletion, which is not the primary goal.

Option C is wrong because nested stacks organize templates; they do not change how updates execute.

194
Multi-Select · easy

Which TWO AWS services can be used to monitor and troubleshoot network connectivity issues between EC2 instances? (Choose two.)

Select 2 answers
A.Amazon Inspector.
B.AWS CloudTrail.
C.AWS Config.
D.VPC Reachability Analyzer.
E.VPC Flow Logs.
Answers: D, E

Tests network paths between resources.

Why this answer

Options D and E are correct. E: VPC Flow Logs capture IP traffic information. D: Reachability Analyzer checks network paths.

B is incorrect because CloudTrail records API calls, not network traffic. C is incorrect because Config records resource configuration, not real-time connectivity. A is incorrect because Inspector is for security assessments.

195
Multi-Select · easy

A company runs a web application on EC2 instances behind an ALB. They want to improve the security posture by implementing defense in depth. Which TWO measures should they implement? (Choose TWO.)

Select 2 answers
A.Store static assets in a public S3 bucket.
B.Place EC2 instances in public subnets for easier management.
C.Allow direct internet access to the EC2 instances.
D.Configure security groups to restrict traffic to only necessary ports.
E.Use AWS WAF to filter common web exploits.
Answers: D, E

Security groups act as a firewall for EC2 instances.

Why this answer

Defense in depth includes multiple layers. AWS WAF protects against web exploits at the ALB. Security groups act as a virtual firewall at the instance.

Option E (WAF) and Option D (security groups) are correct. Option B (public subnets) is less secure. Option C (direct internet access) bypasses the ALB layer.

Option A (public S3) is not relevant.

196
MCQ · medium

A company runs a batch processing job on Amazon EMR every night. The job processes data from an S3 bucket and writes results to another S3 bucket. The job currently takes 6 hours to complete. The company wants to reduce the runtime to under 2 hours to meet a new SLA. The data volume is expected to grow by 20% each month. The EMR cluster uses a single master node and 10 core nodes of type m5.xlarge. The job is CPU-bound. What should they do?

A.Change the core node instance type to m5.4xlarge.
B.Use spot instances for the core nodes to reduce costs.
C.Add task nodes with spot instances to the cluster.
D.Increase the number of core nodes in the EMR cluster.
Answer: D

Adding more nodes increases parallelism for CPU-bound tasks, reducing runtime.

Why this answer

Option D is correct. Adding more core nodes (horizontal scaling) distributes the CPU load and reduces runtime. Option B: using spot instances can reduce cost but may cause interruptions if nodes are reclaimed.

Option A: using larger instance types (vertical scaling) helps but may not be as cost-effective as adding more nodes. Option C: adding task nodes with spot instances could help but also risks interruptions.

197
MCQ · hard

A company runs a data processing pipeline on AWS using AWS Glue and Amazon Redshift. Recently, the pipeline has been failing due to insufficient memory in the Glue job. The team wants to improve the pipeline to handle larger datasets without manual intervention. Which solution is MOST cost-effective?

A.Enable job bookmarking and configure incremental processing to reduce data volume per run.
B.Use a larger node type for the Amazon Redshift cluster to offload processing.
C.Replace AWS Glue with Amazon EMR and use spot instances for cost savings.
D.Partition the input data in Amazon S3 into more files with smaller sizes.
E.Increase the number of DPUs (Data Processing Units) for the Glue job.
Answer: A

Reduces the amount of data processed each time, preventing memory exhaustion.

Why this answer

Option A is correct because Glue job bookmarking with incremental processing reduces the data processed per run, avoiding memory issues. Option E is wrong because increasing DPUs increases cost linearly. Option B is wrong because a larger node type for Redshift does not affect Glue memory.

Option C is wrong because switching to EMR adds complexity and may not be more cost-effective. Option D is wrong because partitioning the S3 data into more, smaller files does not directly solve memory issues.

198
MCQ · hard

A company uses Amazon RDS for PostgreSQL with Multi-AZ and automated backups set to 35 days. The database experiences a sudden spike in write IOPS, causing performance degradation. The team needs to investigate the cause without affecting production. What should they do?

A.Use the enhanced monitoring feature to collect OS-level metrics on the production instance.
B.Review Amazon CloudWatch metrics for the production DB instance to identify the cause.
C.Enable Performance Insights on the production instance to analyze queries.
D.Create a read replica from the latest automated snapshot and enable Performance Insights on the replica.
Answer: D

This provides a copy for analysis without impacting production.

Why this answer

Option D is correct because creating a read replica from the latest snapshot provides a near-current copy without impacting production. Option C is wrong because enabling Performance Insights on the current instance adds overhead. Option A is wrong because it collects metrics directly on the production instance and can affect performance.

Option B is wrong because CloudWatch metrics alone do not show query-level details.

199
MCQ · medium

A company is using Amazon RDS for MySQL and notices that read replicas are falling behind the primary. The primary instance is experiencing high write traffic. What is the best solution to reduce replica lag?

A.Increase the instance class of the read replica.
B.Enable Multi-AZ on the primary instance.
C.Disable binary logging on the primary.
D.Move the read replica to the same AWS Region as the primary.
Answer: A

Larger instance class can apply changes faster.

Why this answer

Option A is correct because increasing the replica's instance class improves its ability to apply changes. Option B is incorrect because Multi-AZ does not affect read replica lag. Option D is incorrect because the replica's Region is not what causes the lag.

Option C is incorrect because disabling binary logging would break replication.

200
MCQ · easy

A solutions architect runs the command shown in the exhibit. Which statement is true about the output?

A.There are two instances with the Environment=production tag.
B.The command displays the instance ID, instance type, and launch time of three running instances.
C.One of the instances is stopped.
D.The command lists all instances in the account regardless of tags.
Answer: B

The output shows three instances with those attributes.

Why this answer

The command ``aws ec2 describe-instances --query 'Reservations[].Instances[?State.Name==`running`].[InstanceId,InstanceType,LaunchTime]' --output table`` filters for running instances and projects only the InstanceId, InstanceType, and LaunchTime fields. The output shows three rows, each representing a running instance with those three attributes. Therefore, option B is correct because it accurately describes the displayed data.

Exam trap

The trap here is that candidates may assume the output includes all instances or tag information, but the JMESPath query explicitly filters for running instances and projects only the specified fields, so any inference about tags or stopped instances is unsupported by the output.

How to eliminate wrong answers

Option A is wrong because the command does not filter or display tags; it only queries instances with State.Name==`running` and projects InstanceId, InstanceType, and LaunchTime, so there is no way to determine the Environment tag from this output. Option C is wrong because the command explicitly filters for instances where State.Name equals `running`, so a stopped instance would not appear in the output. Option D is wrong because the command uses a JMESPath query to filter for running instances only, not all instances in the account regardless of tags.

201
Multi-Select · medium

A company is using Amazon CloudFront to distribute content globally. They want to optimize cost and performance. Which TWO actions are recommended?

Select 2 answers
A.Enable Regional Edge Caches to reduce load on the origin.
B.Disable compression to reduce CPU usage on the origin.
C.Use a single origin server to simplify configuration.
D.Use multiple CloudFront distributions for the same content.
E.Select the appropriate Price Class to limit the number of edge locations used.
Answers: A, E

Regional Edge Caches improve performance and reduce origin load.

Why this answer

Using Regional Edge Caches reduces origin load and latency. Price Class selection reduces cost by limiting edge locations.

202
MCQ · medium

A company is using Amazon CloudFront with an S3 origin. They notice that users are receiving outdated content. What configuration change should be made to ensure users always get the latest content?

A.Use signed URLs to serve content.
B.Create an invalidation for the objects.
C.Enable compression on the S3 bucket.
D.Reduce the TTL to 0 in the CloudFront distribution.
Answer: B

Invalidation removes cached objects, forcing fresh fetch.

Why this answer

Option B is correct because creating an invalidation removes the cached objects from edge locations, so the next request fetches the latest version from S3. Option D is incorrect because a TTL of 0 would increase origin load. Option A is incorrect because signed URLs control access, not cache.

Option C is incorrect because compression doesn't affect freshness.

203
MCQ · medium

A developer notices that CloudWatch Logs for a Lambda function show no logs after a recent deployment. The function is invoked successfully. What is the most likely cause?

A.The Lambda function is exceeding the CloudWatch Logs API rate limits.
B.The Lambda execution role does not have permissions to write to CloudWatch Logs.
C.The log group retention policy is set to 7 days, which expired old logs.
D.The log group was deleted and not recreated.
Answer: B

Without proper IAM permissions, Lambda cannot create log streams or write logs.

Why this answer

Option B is correct because if the Lambda execution role lacks logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents permissions, Lambda cannot write logs. Option A is wrong because rate limiting would delay or drop some events rather than produce none; the log group exists but has 0 stored bytes. Option C is wrong because a retention policy only expires old logs and does not prevent new ones.

Option D is wrong because the log group exists.

204
MCQ · medium

A company migrated a monolithic application to a microservices architecture on Amazon ECS. They notice that the CPU utilization of the cluster is high, but individual services are underutilized. What is the best optimization?

A.Increase the number of tasks for each service.
B.Use AWS Fargate Spot for interruptible workloads.
C.Switch from Fargate to EC2 launch type.
D.Right-size the task definitions by adjusting CPU and memory reservations.
Answer: D

Proper sizing reduces over-provisioning and improves cluster utilization.

Why this answer

Option D is correct: right-sizing the task definitions gives each service the resources it actually needs, reducing wasted capacity. Option C (EC2 launch type) might not help with utilization.

Option A increases capacity unnecessarily. Option B (Fargate Spot) can reduce cost but is not specific to the utilization issue.

205
Multi-Select · hard

A company uses Amazon DynamoDB for a gaming application. The table has a partition key of user_id and a sort key of timestamp. During a new game launch, the table experiences throttling on a few partitions. The company wants to improve the partition distribution. Which THREE actions should the company take? (Choose three.)

Select 3 answers
A.Add a random suffix to the partition key to distribute writes more evenly.
B.Use DAX (DynamoDB Accelerator) to cache read-heavy workloads.
C.Increase the read capacity units for the table.
D.Implement write sharding by using a composite partition key.
E.Switch the table to on-demand capacity mode.
Answers: A, B, D

Random suffixes spread writes across partitions.

Why this answer

Option A is correct because adding a suffix to the partition key spreads writes across partitions. Option B is correct because DynamoDB Accelerator (DAX) reduces read load on hot partitions, indirectly freeing capacity for writes. Option D is correct because write sharding with a composite partition key distributes writes across multiple partitions.

Option C is wrong because increasing read capacity does not help write throttling. Option E is wrong because switching to on-demand may help with throughput but does not improve partition distribution.

206
MCQ · hard

An IAM policy attached to a user allows s3:GetObject and s3:PutObject on my-bucket, but denies all actions on the confidential/ prefix. The user reports that they can still upload objects to the confidential/ folder. Why?

A.The Allow statement appears before the Deny statement in the policy.
B.The Deny statement is not explicit enough to override the Allow.
C.The Deny statement is in a separate policy that is not attached to the user.
D.The Deny statement's resource ARN does not match the confidential folder objects.
Answer: C

If the Deny policy is not attached, it has no effect.

Why this answer

IAM policy evaluation: an explicit Deny overrides any Allow, regardless of the order of statements. The Allow uses my-bucket/*, which includes the confidential/ prefix, and the Deny uses arn:aws:s3:::my-bucket/confidential/*, which matches every object under that prefix. If both statements were evaluated, the Deny would block the upload.

Since the upload still succeeds, the Deny is not being evaluated at all. The most likely reason is that the Deny statement lives in a separate policy that is not attached to the user, so only the Allow applies. Option C is correct.

Option A is incorrect because statement order does not matter. Option B is incorrect because an explicit Deny overrides Allow. Option D is incorrect because the resource ARN does match the confidential folder objects.

207
Multi-Select · hard

A company runs a web application on EC2 instances in an Auto Scaling group. The application writes logs to local instance storage. The operations team wants to centralize log analysis using Amazon CloudWatch Logs. The team needs a solution that is resilient to instance failures and does not lose logs. Which TWO options should the team implement? (Choose TWO.)

Select 2 answers
A.Use the CloudWatch agent with the auto-scaling group lifecycle hooks
B.Mount an EFS volume to the instances for log storage
C.Install the CloudWatch Logs agent on each EC2 instance to stream logs to CloudWatch Logs
D.Configure the Auto Scaling group to send logs to Amazon S3 on instance termination
E.Use Amazon SQS to buffer log events before sending to CloudWatch Logs
AnswersB, C

Persistent storage ensures logs survive instance termination.

Why this answer

Option C is correct because an agent on each instance streams log lines to CloudWatch Logs in near real time, so entries leave the instance before it is terminated (the unified CloudWatch agent has replaced the older CloudWatch Logs agent, but the streaming behaviour is the same). Option B is correct because logs written to an EFS file system live outside the instance and survive its failure, covering lines the agent had not yet shipped. Option D is wrong because exporting to S3 on termination adds nothing once logs stream to CloudWatch Logs, and an instance that crashes never reaches the termination step.

Option E (SQS) adds complexity and one more component in which logs can be lost. Option A is not a distinct mechanism: lifecycle hooks can delay termination so the agent can flush, but they do not collect logs on their own.

208
MCQeasy

A company uses AWS Elastic Beanstalk to deploy a web application. The application experiences increased traffic, and the environment's Auto Scaling group is not scaling out quickly enough. What should a solutions architect do to improve the scaling response?

A.Decrease the CPU utilization threshold for scale-out alarms.
B.Increase the minimum number of instances in the Auto Scaling group.
C.Reduce the cooldown period for the Auto Scaling group.
D.Use a larger instance type to handle more traffic.
AnswerC

A shorter cooldown allows new instances to be launched sooner after a scaling activity.

Why this answer

Option C is correct because the cooldown period is the time the group waits after a scaling activity before acting on another alarm; shortening it lets successive scale-out steps launch sooner. Option A is wrong because a lower CPU threshold only changes when the alarm fires, not how quickly the group can act on it. Option B is wrong because a higher minimum raises the baseline fleet size and cost but does not make scaling react faster.

Option D is wrong because a larger instance type changes capacity per instance, not the speed of the scaling response.

209
MCQmedium

A company uses Amazon S3 to store backups. The backup process uploads objects with a prefix 'backups/' and sets the storage class to STANDARD_IA. The company wants to automatically move objects older than 30 days to GLACIER. What is the most efficient way to achieve this?

A.Use an AWS Lambda function triggered by S3 events to change the storage class.
B.Use S3 Batch Operations to copy objects to a new bucket with GLACIER storage class.
C.Create an S3 Lifecycle rule that transitions objects with prefix 'backups/' to GLACIER after 30 days.
D.Enable S3 Intelligent-Tiering on the bucket.
AnswerC

Lifecycle rules automate transitions based on age.

Why this answer

Option C is correct because an S3 Lifecycle rule scoped to the 'backups/' prefix transitions objects to GLACIER 30 days after creation with no code to run or maintain. Option B is incorrect because S3 Batch Operations are for one-time bulk jobs, not ongoing age-based transitions. Option D is incorrect because Intelligent-Tiering moves objects between its own access tiers based on access patterns, not into the GLACIER storage class on a fixed 30-day schedule.

Option A is incorrect because a Lambda function would have to track object age itself and is less efficient than the built-in lifecycle feature.

210
MCQhard

A company is using an AWS Direct Connect connection to access its VPC. The company is experiencing intermittent connectivity issues. The Solutions Architect suspects a routing problem. Which AWS service can help diagnose the issue by providing real-time metrics and logs?

A.Amazon CloudWatch with Direct Connect metrics
B.VPC Flow Logs
C.AWS CloudTrail
D.AWS Trusted Advisor
AnswerA

CloudWatch provides Direct Connect metrics such as connection state, throughput and error counts.

Why this answer

Option A is correct because AWS Direct Connect publishes metrics to CloudWatch (connection state, throughput, error counts), which can be correlated with VPC Flow Logs to see whether traffic is arriving. Option C is wrong because CloudTrail records API calls, not network metrics. Option B is wrong because VPC Flow Logs alone do not show Direct Connect-specific metrics.

Option D is wrong because AWS Trusted Advisor provides recommendations but not real-time diagnostics.

211
MCQhard

A company uses Amazon ElastiCache for Redis to cache frequently accessed data. The cache cluster is a single node (cache.r5.large). Over time, the cache hit ratio has decreased, and the CPU utilization is consistently above 80%. What should a solutions architect do to improve performance?

A.Reduce the Time-to-Live (TTL) of cached objects.
B.Add a read replica to offload read traffic.
C.Scale up to a larger node type, such as cache.r5.xlarge.
D.Enable cluster mode and distribute the cache across multiple shards.
AnswerD

Cluster mode allows horizontal scaling and reduces CPU pressure.

Why this answer

Option D is correct because enabling cluster mode spreads the keyspace across multiple shards, each with its own primary, so CPU load and memory are divided across nodes and the hit ratio recovers. Option C is wrong because a larger single node raises the ceiling but keeps every operation on one primary, so it only postpones the problem. Option B is wrong because read replicas offload reads only; a falling hit ratio with a saturated primary points to capacity, not read distribution.

Option A is wrong because a shorter TTL evicts entries sooner and increases misses.

212
MCQmedium

A company runs a critical application on an Amazon RDS for PostgreSQL DB instance. The database experiences periodic slowdowns. The team notices that the DB instance has a large number of connections in an idle state. What is the BEST way to address this issue?

A.Migrate the database to Amazon Aurora.
B.Configure AWS Lambda to manage database connections.
C.Use an RDS Proxy to pool database connections.
D.Increase the max_connections parameter in the DB parameter group.
AnswerC

RDS Proxy reduces the number of idle connections by pooling and reusing them.

Why this answer

Option C is correct because RDS Proxy sits between the application and the database, pools connections and multiplexes application connections onto a smaller set of database connections, so idle application connections no longer each hold a PostgreSQL backend process. Option A is wrong because migrating to Aurora does not by itself change how the application opens and holds connections. Option D is wrong because raising max_connections lets even more idle connections accumulate, each consuming memory, and tends to make the slowdowns worse.

Option B is wrong because Lambda is a compute service, not a connection manager (Lambda functions are in fact a common source of this pattern, and they too are normally put behind RDS Proxy).

213
MCQeasy

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session data locally on the EC2 instances. The company wants to make the application stateless to improve availability and scalability. Which solution should the solutions architect recommend?

A.Use Amazon ElastiCache for Redis to store session data externally.
B.Configure session stickiness on the ALB to route requests from the same user to the same EC2 instance.
C.Mount an Amazon EFS file system on the EC2 instances and store session files there.
D.Store session data in Amazon S3 and update the application to read and write sessions to S3.
AnswerA

ElastiCache for Redis is a fast, in-memory store ideal for session management, making the application stateless.

Why this answer

Option A is correct because ElastiCache for Redis provides a shared, low-latency session store reachable from every instance, so any instance can serve any request and the application becomes stateless. Option D is wrong because S3 adds latency on every request and is not designed for small, high-frequency session reads and writes. Option B is wrong because sticky sessions keep the state on the instance: they work around the problem, cause uneven load, and lose the session when that instance goes away.

Option C is wrong because EFS does share the files across instances, but file-based session storage is slower and more complex than an in-memory store, and the session is still tied to a filesystem path.

214
Multi-Selecteasy

A company has an AWS Lambda function that processes messages from an SQS queue. The function is experiencing timeouts. Which TWO changes could help resolve the timeout issue? (Choose 2)

Select 2 answers
A.Increase the batch size in the SQS event source mapping.
B.Enable SQS queue encryption.
C.Increase the Lambda function timeout.
D.Increase the Lambda function memory allocation.
E.Decrease the SQS visibility timeout.
AnswersC, D

Allows longer execution.

Why this answer

Options C and D are correct. Raising the function timeout gives each invocation more time, and raising the memory allocation also raises the CPU share, which makes the work finish sooner. Option A is wrong because a larger batch gives the function more messages per invocation, which makes a timeout more likely. Option E is wrong because a shorter visibility timeout makes messages reappear in the queue while they are still being processed, the opposite of what is needed; AWS recommends a visibility timeout of at least six times the function timeout. Option B is wrong because encryption at rest has no effect on execution time.

215
MCQhard

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. What is the MOST scalable and efficient way to enforce this policy?

A.Use an AWS Lambda function that runs periodically across all accounts to check and remediate buckets.
B.Use an SCP that denies s3:PutBucketEncryption actions unless the encryption is set to aws:kms.
C.Use AWS Config rules in each account to detect unencrypted buckets and trigger auto-remediation.
D.Use AWS CloudTrail to monitor PutBucketEncryption calls and alert the security team.
AnswerB

SCPs can prevent the creation of non-compliant buckets across all accounts in the organization.

Why this answer

Option B is correct because a service control policy applies to every account in the organization at once, so a Deny that only lets bucket encryption be set to aws:kms enforces the standard without per-account work. Option A is wrong because a periodic Lambda function runs in each account, finds problems after the fact and must be maintained. Option C is wrong because Config rules are detective: they report and remediate after a non-compliant bucket exists and must be deployed in each account.

Option D is wrong because CloudTrail records the call and an alert may follow, but nothing is enforced. Two caveats a practitioner should keep in mind: SCPs never apply to the management account, and a preventive SCP does nothing for buckets that already exist, so pairing it with a detective Config rule is usual.

216
MCQhard

A company has a legacy application that runs on a single EC2 instance. The application stores data on an attached EBS volume. The company wants to improve availability and reduce the recovery time objective (RTO) in case of instance failure. What should the company do?

A.Create an Auto Scaling group with a minimum of 2 instances across multiple Availability Zones and use a load balancer.
B.Take frequent EBS snapshots and automate the creation of a new instance from the latest snapshot.
C.Configure the EBS volume as a Multi-Attach volume and attach it to a standby instance.
D.Convert the instance to an AMI and launch a new instance from that AMI in a different Availability Zone.
AnswerA

This provides high availability and fast recovery by automatically replacing failed instances.

Why this answer

Option A is correct because an Auto Scaling group spanning several Availability Zones behind a load balancer replaces a failed instance automatically and keeps serving traffic from the healthy one, which is what cuts the RTO. The caveat is that an EBS volume lives in one Availability Zone and attaches to one instance, so for this design the application's data must move to storage the instances can share, such as Amazon EFS or a database. Option B is wrong because snapshots are a backup mechanism; rebuilding an instance from the latest snapshot is slower and also loses whatever was written since it.

Option C is wrong because Multi-Attach is limited to Provisioned IOPS (io1/io2) volumes within a single Availability Zone and needs a cluster-aware file system, so it does not fit a legacy single-instance application. Option D is wrong because launching from an AMI is a manual recovery step with a longer RTO, not high availability.

217
MCQhard

A company runs a high-traffic web application on EC2 instances in an Auto Scaling group. The application uses a Redis cluster for caching. Recently, they have noticed that the cache hit ratio has dropped significantly, causing increased load on the database. The operations team observed that the Redis cluster's CPU utilization is high and memory usage is near capacity. They need to improve the cache performance with minimal changes to the application code. What should a solutions architect recommend?

A.Migrate from ElastiCache to Amazon MemoryDB for Redis.
B.Upgrade the Redis cluster to a larger node type with more CPU and memory.
C.Increase the TTL values for cached objects in the application.
D.Enable encryption in transit for the Redis cluster.
AnswerB

More resources directly improve performance and cache hit ratio.

Why this answer

Option B is correct because a larger node type provides more CPU and memory, raising the hit ratio without any code change. Option C is wrong because longer TTLs keep entries longer but do nothing for a cache that is already out of memory and evicting. Option A is wrong because a migration to MemoryDB is a much larger change than the question asks for and does not by itself add capacity.

Option D is wrong because encryption in transit adds CPU overhead and does not address the capacity problem.

218
MCQmedium

A company is running a stateful web application on EC2 instances in an Auto Scaling group. Users report that their sessions are lost when instances are terminated during scale-in. What should a solutions architect do to preserve session state?

A.Use lifecycle hooks to save session data to Amazon S3 before instance termination.
B.Enable sticky sessions (session affinity) on the Application Load Balancer.
C.Store session state in Amazon ElastiCache.
D.Increase the Auto Scaling group's cooldown period to prevent rapid scaling.
AnswerC

ElastiCache provides a durable, shared session store independent of EC2 instances.

Why this answer

Option C is correct because ElastiCache provides a centralized, fast session store that outlives any individual instance, so a scale-in event no longer takes sessions with it. Option B is wrong because sticky sessions pin a user to one instance; when that instance is terminated during scale-in the session is still lost. Option D is wrong because a longer cooldown only slows scaling and does not prevent the loss.

Option A is wrong because lifecycle hooks can run a script before termination, but copying live session data at that moment is complex and unreliable (and does nothing for an instance that simply fails).

219
MCQhard

A company runs a data processing application on EC2 instances that read from an Amazon SQS queue. The application processes each message in about 2 seconds. The company expects a sudden spike in messages and wants to minimize processing latency. Which configuration will handle the spike most cost-effectively?

A.Replace the EC2 instances with AWS Lambda functions that are triggered by SQS events.
B.Increase the EC2 instance size to handle more messages per instance.
C.Increase the Auto Scaling group's desired capacity to a higher fixed value during the expected spike.
D.Use Auto Scaling with a step scaling policy based on the SQS queue depth.
AnswerA

Lambda scales automatically with the number of messages and is cost-effective for variable loads.

Why this answer

Option A is correct because an SQS-triggered Lambda function scales with the number of messages automatically and costs nothing while the queue is empty, which suits a spiky workload. Option C is wrong because a higher fixed desired capacity pays for idle instances and must be set by hand ahead of time. Option D is wrong because scaling on queue depth works, but launching EC2 instances takes minutes, so latency rises during the first part of the spike.

Option B is wrong because a larger instance adds fixed cost for capacity that is idle outside the spike.

220
MCQhard

A company uses cross-account S3 access. The above IAM policy is attached to an IAM user in Account A. The user tries to upload an object to a bucket in Account B, but the upload fails. What is the MOST likely reason?

A.The upload request does not include the 'x-amz-acl' header with value 'bucket-owner-full-control'.
B.The resource ARN in the policy is incorrect; it should include the bucket name only.
C.The bucket policy in Account B denies the upload.
D.The IAM user does not have permission to call s3:PutObject.
AnswerA

The condition requires that header to be set.

Why this answer

Option A is correct. The policy's Condition requires the x-amz-acl header to equal bucket-owner-full-control, so a PutObject request that omits the header matches no Allow statement and is implicitly denied; the user must send that canned ACL with the upload. Option D is wrong because the policy does allow s3:PutObject.

Option B is wrong because object operations are authorized against the object ARN (bucket/*), which is what the policy uses. Option C cannot be confirmed because the bucket policy is not shown, while the IAM policy as written explains the failure on its own. A practitioner check: if the destination bucket uses S3 Object Ownership set to bucket owner enforced (the default for new buckets), ACLs are disabled; bucket-owner-full-control is still accepted in that mode, but the cleaner fix is then to drop the ACL condition and grant the cross-account write in the bucket policy.
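The evaluation rules behind questions 206 and 220 (and the Deny-based guard used by an SCP in question 215) can be checked with a small model. What follows is an added example written for this page, not code from the question bank or AWS's own authorizer: a Python function that applies the documented order (explicit Deny first, then Allow, otherwise implicit deny) to constructed policies and requests. The bucket names, the account-b-bucket ARN and the third policy with a Null condition are illustrative assumptions; only Action and Resource wildcards and the StringEquals and Null operators are modelled, so it complements rather than replaces the IAM policy simulator.

```python
import fnmatch
from typing import Any, Dict, Iterable, List, Optional


def _as_list(value: Any) -> List[Any]:
    # IAM lets most elements be one string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    # IAM's * and ? act like shell globs over the whole action or ARN, so
    # "arn:aws:s3:::my-bucket/confidential/*" covers every key under it.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    # Only the operators these questions need: StringEquals fails when the key
    # is absent from the request; Null tests whether the key was sent at all.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "StringEquals":
                if not present or ctx[key] not in _as_list(expected):
                    return False
            elif operator == "Null":
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policies: Iterable[Dict[str, Any]], action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Return "Deny", "Allow" or "ImplicitDeny" for one request.

    A matching Deny statement wins outright; otherwise a matching Allow
    grants; otherwise the request is implicitly denied. Neither statement
    order nor policy order changes the result.
    """
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for statement in _as_list(policy.get("Statement", [])):
            if not _matches(statement.get("Action", []), action):
                continue
            if not _matches(statement.get("Resource", []), resource):
                continue
            if not _condition_holds(statement.get("Condition", {}), ctx):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit Deny: nothing else is consulted
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies (not taken from the question bank).
# Question 206: a broad Allow followed by a narrower explicit Deny.
POLICY_USER = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/confidential/*"},
]}
# Question 220: an Allow that applies only when the upload carries the
# bucket-owner-full-control canned ACL.
POLICY_CROSS_ACCOUNT = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::account-b-bucket/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}
# A "deny unless the header is present" guard of the kind used in SCPs and
# bucket policies, written with Null so no negated operator is needed.
POLICY_DENY_UNSET_ACL = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::account-b-bucket/*",
     "Condition": {"Null": {"s3:x-amz-acl": "true"}}},
]}

CONF = "arn:aws:s3:::my-bucket/confidential/report.csv"
CROSS = "arn:aws:s3:::account-b-bucket/report.csv"
ACL_HEADER = {"s3:x-amz-acl": "bucket-owner-full-control"}
GUARDED = [POLICY_CROSS_ACCOUNT, POLICY_DENY_UNSET_ACL]


def demo() -> Dict[str, str]:
    deny_first = {"Statement": list(reversed(POLICY_USER["Statement"]))}
    allow_only = {"Statement": POLICY_USER["Statement"][:1]}  # Deny policy not attached
    return {
        "put_public": evaluate([POLICY_USER], "s3:PutObject", "arn:aws:s3:::my-bucket/public/a.txt"),
        "put_confidential": evaluate([POLICY_USER], "s3:PutObject", CONF),
        "get_confidential": evaluate([POLICY_USER], "s3:GetObject", CONF),
        "put_confidential_deny_first": evaluate([deny_first], "s3:PutObject", CONF),
        "put_confidential_deny_unattached": evaluate([allow_only], "s3:PutObject", CONF),
        "cross_no_header": evaluate([POLICY_CROSS_ACCOUNT], "s3:PutObject", CROSS),
        "cross_with_header": evaluate([POLICY_CROSS_ACCOUNT], "s3:PutObject", CROSS, ACL_HEADER),
        "guarded_no_header": evaluate(GUARDED, "s3:PutObject", CROSS),
        "guarded_with_header": evaluate(GUARDED, "s3:PutObject", CROSS, ACL_HEADER),
    }
```

Running demo() shows the behaviours the questions turn on: the Deny wins whether it is listed first or second, the same Deny is simply absent when its policy is not attached, a request without the ACL header matches nothing and is implicitly denied, and a Deny with a Null condition turns that into an explicit Deny that no Allow can override.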

221
MCQhard

A company runs a critical e-commerce platform on AWS. The application consists of an Application Load Balancer (ALB) that distributes traffic to an Auto Scaling group of EC2 instances running a web server. The web servers store session data locally on the instance's ephemeral storage. The Auto Scaling group is configured with a min of 2, max of 10, and desired of 2. Recently, during a flash sale, traffic surged and the Auto Scaling group scaled out to 10 instances. However, many users reported that their shopping carts were lost and they were logged out during the event. The Cognito user pool was used for authentication, and the application uses cookies to maintain session state. The ALB's stickiness is enabled. The team observed that the ALB's RequestCountPerTarget metric was well below the instance's capacity, but the error rate increased. The CloudWatch logs show that the web server returned 503 errors for a subset of requests. After the flash sale ended, the Auto Scaling group scaled back to 2 instances, and the issue disappeared. The team wants to prevent this from happening in future events. Which solution should the Solutions Architect recommend?

A.Increase the minimum size of the Auto Scaling group to 10 to handle the surge without scaling down.
B.Disable stickiness on the ALB so that any instance can handle any request.
C.Modify the application to store session data in an Amazon ElastiCache for Redis cluster instead of local ephemeral storage.
D.Increase the health check interval on the ALB to prevent instances from being marked unhealthy too quickly.
AnswerC

This decouples sessions from instances, making them persistent across scaling events and instance replacements.

Why this answer

Option C is correct. The root cause is that session data stored on ephemeral storage is lost when instances are terminated or replaced. Even with ALB stickiness, if an instance is scaled in or replaced, the session data is gone.

Using ElastiCache for session storage decouples sessions from instances, ensuring persistence across scaling events. Option A is wrong because keeping ten instances at minimum does not stop instances from being replaced, so sessions are still lost on termination (and it pays for idle capacity). Option B is wrong because disabling stickiness would make things worse: requests would reach instances that have never seen the session, even without any scaling.

Option D is wrong because a longer health check interval does not solve the data loss; it only delays detection of unhealthy instances.

222
MCQeasy

A DevOps team wants to automatically enforce tagging standards on all AWS resources created in an account. If a resource is created without the required tags, the team wants to prevent the creation or remediate it. Which AWS service should the team use?

A.AWS Config
B.AWS Organizations
C.AWS Identity and Access Management (IAM)
D.AWS Resource Groups & Tag Editor
AnswerA

Can evaluate resource compliance and trigger remediation actions.

Why this answer

Option A is correct because AWS Config with managed rules (e.g., required-tags) can detect non-compliant resources and trigger auto-remediation through an SSM Automation document. Option B is wrong because Organizations tag policies standardize tag keys and values but do not require tags to exist or remediate anything. Option C is wrong because IAM manages permissions, not tagging.

Option D is wrong because Resource Groups & Tag Editor lets you find and edit tags by hand but enforces nothing. Note that Config is a detective control that evaluates a resource after it exists, so "prevent" here really means remediate promptly; blocking untagged creation outright needs an IAM or SCP condition on aws:RequestTag / aws:TagKeys for resource types that support tag-on-create.
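To make the detective side concrete, here is an added example (not from the question bank and not the managed rule's source) of the check the required-tags rule performs, in Python: it reads parameters in the managed rule's tagNKey / tagNValue form and marks each resource COMPLIANT or NON_COMPLIANT with a reason. The resource identifiers and tags are constructed for illustration, and the Config wiring (the Lambda handler and PutEvaluations call) is left out.

```python
from typing import Dict, List, Tuple

# Constructed inventory (resource id -> its tags); not real resources.
CONSTRUCTED_ITEMS: Dict[str, Dict[str, str]] = {
    "i-0prodweb": {"Environment": "prod", "Owner": "web-team", "CostCenter": "1234"},
    "i-0noowner": {"Environment": "dev", "CostCenter": "1234"},
    "i-0badenv": {"Environment": "production", "Owner": "ops", "CostCenter": "9"},
    "vol-0untagged": {},
}

# Same shape as the required-tags managed rule's parameters: tag1Key is
# mandatory, tag2Key..tag6Key optional, tagNValue an optional comma-separated
# list of accepted values.
RULE_PARAMETERS = {"tag1Key": "Environment", "tag1Value": "prod, dev, test",
                   "tag2Key": "Owner", "tag3Key": "CostCenter"}


def parse_rule_parameters(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {tag key: allowed values}; an empty list means any value passes."""
    required: Dict[str, List[str]] = {}
    for n in range(1, 7):
        key = params.get(f"tag{n}Key", "").strip()
        if not key:
            continue
        raw = params.get(f"tag{n}Value", "")
        required[key] = [v.strip() for v in raw.split(",") if v.strip()]
    return required


def evaluate_resource(tags: Dict[str, str],
                      required: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Return ("COMPLIANT" or "NON_COMPLIANT", reasons) for one resource."""
    reasons: List[str] = []
    for key, allowed in required.items():
        if key not in tags:
            reasons.append(f"missing tag {key}")
        elif allowed and tags[key] not in allowed:
            reasons.append(f"tag {key}={tags[key]!r} not in {allowed}")
    return ("COMPLIANT" if not reasons else "NON_COMPLIANT", reasons)


def evaluate_all(items: Dict[str, Dict[str, str]] = CONSTRUCTED_ITEMS,
                 params: Dict[str, str] = RULE_PARAMETERS) -> Dict[str, Tuple[str, List[str]]]:
    required = parse_rule_parameters(params)
    return {rid: evaluate_resource(tags, required) for rid, tags in items.items()}


def non_compliant_ids(items: Dict[str, Dict[str, str]] = CONSTRUCTED_ITEMS,
                      params: Dict[str, str] = RULE_PARAMETERS) -> List[str]:
    # The list a remediation action or an alert would act on.
    return sorted(rid for rid, (status, _) in evaluate_all(items, params).items()
                  if status != "COMPLIANT")
```

Allowed values are deliberately matched exactly, so "production" fails against "prod, dev, test"; that mirrors how the managed rule treats tagNValue and is usually what a tagging standard wants, since a near-miss value is exactly the drift the rule exists to catch.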

223
Multi-Selectmedium

A company is designing a disaster recovery strategy for a critical application that runs on Amazon EC2. The application data is stored on Amazon EBS volumes and Amazon RDS for MySQL. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 1 hour. Which THREE steps should the company take to meet these objectives?

Select 3 answers
A.Configure cross-region replication for the RDS instance using a read replica.
B.Use AWS Database Migration Service (DMS) for continuous replication.
C.Create AMIs of the EC2 instances every hour.
D.Enable automated backups for the RDS instance with a retention period of 1 hour.
E.Schedule EBS snapshots every hour and replicate them to another region.
AnswersA, D, E

Provides a standby in another region with low RPO.

Why this answer

Option D is correct because RDS automated backups enable point-in-time recovery, with a latest restorable time typically within the last five minutes, comfortably inside the 1-hour RPO (note that the backup retention period is set in days, minimum 1, rather than hours). Option E is correct because hourly EBS snapshots copied to a second region give the EC2 data a 1-hour RPO and a restore point outside the primary region. Option A is correct because a cross-region read replica keeps a continuously (asynchronously) replicated copy of the database that can be promoted within the 2-hour RTO.

Option C is incorrect because hourly AMIs duplicate the EBS snapshots and would still have to be copied to the other region. Option B is incorrect because DMS is a migration tool; continuous replication through it adds cost and complexity when a read replica already does the job.

224
MCQhard

A company uses Amazon DynamoDB with provisioned capacity for a critical workload. They notice that write requests are being throttled during peak hours. The table has a partition key of 'user_id' and a sort key of 'timestamp'. The access pattern is evenly distributed. What should a solutions architect do to reduce throttling?

A.Increase the read capacity units for the table.
B.Add a DynamoDB Accelerator (DAX) cluster in front of the table.
C.Switch the table to DynamoDB On-Demand capacity mode.
D.Enable DynamoDB Auto Scaling for write capacity.
AnswerD

Auto Scaling dynamically adjusts write capacity to handle peak loads.

Why this answer

Option D is correct because DynamoDB Auto Scaling adjusts provisioned write capacity to actual usage, so peak-hour writes are no longer throttled. Option C is wrong because on-demand mode would also remove the throttling but generally costs more for a predictable, evenly distributed workload, so Auto Scaling is the more cost-effective fix. Option B is wrong because DAX caches reads and does nothing for writes.

Option A is wrong because adding read capacity does not help write throttling.

225
Multi-Selecteasy

A company uses AWS Lambda to process files uploaded to an S3 bucket. The Lambda function takes too long to execute and frequently times out. The function downloads the entire file to /tmp before processing. Which TWO changes would improve performance? (Choose two.)

Select 2 answers
A.Increase the Lambda function's reserved concurrency.
B.Increase the memory allocation for the Lambda function.
C.Modify the function to stream the file from S3 instead of downloading it entirely.
D.Increase the Lambda function timeout.
E.Increase the /tmp storage limit for the Lambda function.
AnswersC, D

Streaming reduces the time spent on I/O and eliminates the need to store the entire file in /tmp.

Why this answer

Options C and D are correct. Option C: streaming the object from S3 and processing it as it arrives removes the separate download step and the write to /tmp. Option D: raising the timeout gives the function enough time to finish.

Option B is wrong here because more memory (and with it more CPU) can help, but it does not remove the download step; streaming does. Option E is wrong because enlarging /tmp only lets bigger files fit; writing and re-reading them still takes time. Option A is wrong because reserved concurrency limits how many invocations run at once and has no effect on how long one invocation takes.
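The streaming approach from option C, as an added example that is not part of the question bank: a Python routine that consumes a file-like body in fixed-size chunks, hashing it and counting newline-delimited records, so memory use no longer grows with the object and nothing is written to /tmp. The sample input is constructed inside the block; the process_s3_object_streaming helper takes a boto3 client as a parameter so the module runs without boto3 and only shows where get_object's StreamingBody would be passed in (the bucket and key there are assumptions).

```python
import hashlib
import io
from typing import Any, BinaryIO, Dict

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read: the most held at once, plus one partial line


def process_stream(body: BinaryIO, chunk_size: int = CHUNK_SIZE) -> Dict[str, Any]:
    """Hash a newline-delimited file and count its records while reading it in
    fixed-size chunks. Memory is bounded by chunk_size plus one partial line,
    whatever the object's size, and nothing touches /tmp."""
    digest = hashlib.sha256()
    records = total = peak = 0
    carry = b""  # tail of the previous chunk that had no newline yet
    while True:
        chunk = body.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        digest.update(chunk)
        data = carry + chunk
        peak = max(peak, len(data))
        lines = data.split(b"\n")
        carry = lines.pop()  # complete only if the chunk ended in "\n"
        records += len(lines)
    if carry:
        records += 1  # file did not end with a newline
    return {"bytes": total, "records": records, "peak_buffer": peak,
            "sha256": digest.hexdigest()}


def process_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> Dict[str, Any]:
    # Convenience wrapper for in-memory input (tests and local runs).
    return process_stream(io.BytesIO(data), chunk_size)


def process_s3_object_streaming(s3_client: Any, bucket: str, key: str) -> Dict[str, Any]:
    """What the Lambda handler would call. boto3's get_object returns a
    StreamingBody whose read(n) follows the file-like protocol above, so the
    object is consumed straight from the response instead of via download_file
    to /tmp. The client is passed in so this module imports without boto3."""
    body = s3_client.get_object(Bucket=bucket, Key=key)["Body"]
    return process_stream(body)


def build_sample(n_records: int = 5000) -> bytes:
    # Constructed input standing in for an uploaded CSV-style log file.
    return b"".join(f"{i},event,{(i * 7) % 13}\n".encode() for i in range(n_records))


def whole_file_sha256(data: bytes) -> str:
    # Reference value: the digest of the file hashed in one go.
    return hashlib.sha256(data).hexdigest()


def demo(chunk_size: int = 4096) -> Dict[str, Any]:
    return process_bytes(build_sample(), chunk_size)
```

demo() processes a constructed file of 5,000 records in 4 KiB chunks; the peak_buffer field reports the largest buffer held at any moment, which stays near the chunk size, while passing a chunk size larger than the file reproduces the read-everything behaviour the question describes (peak_buffer equals the file size). The digest is identical either way, which is the check to keep when converting an existing download-then-process function.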
