CCNA Continuous Improvement Questions

75 of 428 questions · Page 4/6 · Continuous Improvement topic · Answers revealed

226 · MCQ · medium

A company is using Amazon CloudFront to serve content from an S3 origin. The content is updated infrequently. Users in some regions report seeing stale content. The company wants to ensure that users always see the latest version without waiting for TTL expiration. What is the MOST cost-effective solution?

A. Use file versioning in the URL (e.g., appending a query string or using a unique object key).
B. Set a very short TTL (e.g., 0 seconds) for the CloudFront distribution.
C. Use an origin shield to reduce the number of requests to S3.
D. Create a CloudFront invalidation request for the changed files after each update.
Answer: A

Unique URLs force CloudFront to fetch new content from origin.

Why this answer

Option A is correct because file versioning (changing the URL) guarantees fresh content without cache invalidation costs. Option D is wrong because invalidation requests are costly and not automatic. Option B is wrong because reducing the TTL increases origin load.

Option C is wrong because an origin shield does not invalidate existing cached content.

227 · Multi-Select · medium

A company is migrating a legacy application to AWS. The application runs on a single EC2 instance and uses an attached EBS volume for data storage. The company wants to improve high availability. Which THREE actions should the company take? (Choose three.)

Select 3 answers
A. Migrate the database to Amazon RDS with Multi-AZ deployment.
B. Use an EBS volume with higher IOPS to improve performance.
C. Store data on the instance store instead of EBS to reduce latency.
D. Place the EC2 instance in an Auto Scaling group that spans multiple Availability Zones.
E. Place the EC2 instances behind an Application Load Balancer.
Answers: A, D, E

Multi-AZ provides automatic failover for the database.

Why this answer

Option A is correct because Multi-AZ RDS provides database high availability. Option D is correct because Auto Scaling across multiple AZs provides compute high availability. Option E is correct because an ALB distributes traffic across healthy instances.

Option B is wrong because a single EBS volume, even with higher IOPS, is not highly available. Option C is wrong because data stored only on the instance store is not durable.

228 · MCQ · easy

A company hosts a static website on Amazon S3 with public read access. The website uses a custom domain name (www.example.com). The company wants to improve performance for global users and also add HTTPS support. They have already set up a CloudFront distribution with the S3 bucket as the origin. However, users still cannot access the website via HTTPS. What should they do?

A. Request an SSL certificate from AWS Certificate Manager (ACM) and import it into CloudFront.
B. Enable static website hosting on the S3 bucket and configure the bucket policy to allow HTTPS.
C. Place an Application Load Balancer in front of the S3 bucket and attach an SSL certificate.
D. Configure the CloudFront distribution to use a custom SSL certificate and set the alternate domain name (CNAME) to www.example.com.
Answer: D

This enables HTTPS on CloudFront with the custom domain.

Why this answer

Option D is correct. An SSL/TLS certificate must be associated with the CloudFront distribution, and the custom domain must be configured as an alternate domain name in the distribution settings. Option B: S3 supports HTTPS on its own endpoint, but CloudFront needs its own certificate for the custom domain.

Option C: an ELB is not needed for static websites. Option A: ACM certificates can be used, but they must be issued in the US East (N. Virginia) region for CloudFront, and the distribution still has to be configured to use them.

229 · MCQ · easy

A company is running a stateless web application on Amazon EC2 instances in an Auto Scaling group. The application stores session data in an Amazon ElastiCache Redis cluster. After a recent deployment, users are being logged out frequently. What is the most likely cause?

A. The Auto Scaling group's min size is too small.
B. The Elastic Load Balancer's health check is too aggressive.
C. The application is not using the ElastiCache cluster for session storage.
D. The ElastiCache cluster's security group is blocking traffic from the ALB.
Answer: C

If sessions are stored locally on EC2 instances, they are lost when instances are terminated or scaled, causing logouts.

Why this answer

Option C is correct because if the application is not properly configured to use the ElastiCache cluster, session data is kept locally and lost on instance replacement or scaling events. Option A is wrong because the Auto Scaling group's size does not affect session persistence. Option B is wrong because health checks do not affect session data.

Option D is wrong because the ALB does not talk to ElastiCache; the issue is where sessions are stored, not network access.

230 · MCQ · hard

A company uses Amazon RDS for MySQL with Multi-AZ deployment. During a recent failover, they experienced a few minutes of downtime because the application's connection string pointed to the primary instance DNS name. What is the MOST effective solution to minimize downtime during failover?

A. Use the RDS Multi-AZ DNS name (CNAME) that automatically updates after failover.
B. Assign an Elastic IP address to the RDS instance.
C. Create a read replica in another Region and promote it during failover manually.
D. Configure a Network Load Balancer in front of the RDS instance.
Answer: A

The Multi-AZ DNS name automatically points to the new primary after failover.

Why this answer

Option A is correct because using the RDS cluster endpoint (for Aurora) or the Multi-AZ DNS name (which automatically points to the current primary) ensures the application reconnects with minimal disruption. Option C is wrong because read replicas are for read scaling, not automatic failover. Option B is wrong because assigning an Elastic IP to an RDS instance is not supported.

Option D is wrong because a Network Load Balancer adds complexity and latency.

231 · Multi-Select · easy

A company uses AWS CloudFormation to deploy infrastructure. They need to ensure that updates to a stack do not cause downtime for a critical database. Which TWO strategies should they use?

Select 2 answers
A. Create a new stack and migrate data.
B. Use an UpdatePolicy attribute for rolling updates.
C. Disable rollback on stack update failures.
D. Use a service role for CloudFormation.
E. Use a DeletionPolicy attribute of Retain on the database resource.
Answers: B, E

Rolling updates minimize downtime.

Why this answer

Correct answers are B and E. Option E (DeletionPolicy of Retain) prevents deletion of the database when the resource is removed or replaced. Option B (UpdatePolicy) controls how changes are applied.

Option A is wrong because a new stack would require data migration. Option C is wrong because disabling rollback is risky. Option D is wrong because service roles don't prevent downtime.

232 · MCQ · easy

A company stores sensitive data in an S3 bucket encrypted with SSE-KMS. They need to audit all access requests to the bucket. Which AWS service should they use?

A. VPC Flow Logs
B. Amazon CloudWatch Logs
C. AWS Config
D. AWS CloudTrail
Answer: D

CloudTrail logs all S3 data plane and control plane operations.

Why this answer

Option D is correct because AWS CloudTrail logs all API calls to S3, including KMS decrypt calls. Option C is wrong because AWS Config records resource configuration, not access. Option A is wrong because VPC Flow Logs track network traffic, not API calls.

Option B is wrong because CloudWatch Logs can store logs but does not generate them from S3 access.

233 · MCQ · medium

A company runs a production application on Amazon EC2 instances behind an Application Load Balancer. Recently, error rates increased due to a misconfiguration. The operations team wants to automatically roll back to the previous working configuration if errors exceed a threshold. Which solution provides the fastest rollback?

A. Manually restore AMI snapshots of the previous deployment.
B. Use AWS Elastic Beanstalk with rolling updates and health checks.
C. Use AWS CloudFormation with a stack policy to prevent updates.
D. Implement AWS CodeDeploy with automatic rollback triggered by CloudWatch alarms.
Answer: D

CodeDeploy can automatically roll back to the previous revision based on alarms.

Why this answer

Option D is correct because AWS CodeDeploy supports automatic rollback based on CloudWatch alarms. Option A is wrong because manual rollback is slower. Option C is wrong because a CloudFormation stack rollback requires a stack update and is not real-time.

Option B is wrong because Elastic Beanstalk uses CodeDeploy internally but with less control.

234 · MCQ · easy

A developer is deploying a serverless application using AWS SAM. The deployment fails with a 'ResourceNotReady' error. What is the most likely cause?

A. The SAM template has invalid YAML syntax.
B. The application has too many tags.
C. A resource that the application depends on is not yet created.
D. The Lambda function code has a runtime error.
Answer: C

Dependency not ready causes ResourceNotReady.

Why this answer

Option C is correct because 'ResourceNotReady' indicates a dependency is not ready. Option A is incorrect because template syntax errors would surface before deployment. Option D is incorrect because code errors would surface during invocation.

Option B is incorrect because tags do not cause this error.

235 · MCQ · medium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is invoked with a batch size of 10. Some messages are failing repeatedly, causing the function to retry them up to the maximum retry count and then they are sent to a dead-letter queue (DLQ). The company wants to improve the resilience of the application by handling partial batch failures more efficiently. What should a solutions architect do?

A. Move the messages to a DLQ immediately after the first failure.
B. Implement reportBatchItemFailures in the Lambda function and enable partial batch response for the SQS event source mapping.
C. Decrease the batch size to 1 so that each invocation processes a single message.
D. Increase the batch size to 100 to process more messages per invocation.
Answer: B

This allows Lambda to report individual failures so only those messages are retried.

Why this answer

Option B is correct because implementing reportBatchItemFailures in the Lambda function and enabling partial batch response for the SQS event source mapping allows the function to signal which specific messages within a batch failed. This prevents the entire batch from being retried or sent to the DLQ, and only the failed messages are retried individually, improving resilience and efficiency.

Exam trap

The trap here is that candidates often think decreasing batch size to 1 is the simplest fix, but that ignores the throughput impact and the fact that AWS provides a native partial batch failure mechanism that is more efficient and scalable.

How to eliminate wrong answers

Option A is wrong because moving messages to a DLQ immediately after the first failure defeats the purpose of retries and would cause unnecessary data loss for transient failures. Option C is wrong because decreasing the batch size to 1 reduces throughput and does not address partial batch failures; it simply avoids the problem by processing one message at a time, which is less efficient. Option D is wrong because increasing the batch size to 100 would amplify the impact of partial failures, as the entire batch would be retried or sent to the DLQ if any message fails, making the problem worse.

236 · MCQ · medium

A company runs a critical web application on EC2 instances behind an Application Load Balancer. The instances are in an Auto Scaling group with a dynamic scaling policy based on average CPU utilization. After a recent deployment, users report intermittent timeouts. CloudWatch metrics show CPU utilization spikes to 90% before scaling out, but the new instances take 5 minutes to become healthy. What is the MOST effective solution to reduce timeouts during traffic spikes?

A. Use a scheduled scaling policy to add instances before expected peak times
B. Pre-warm the load balancer to reduce latency
C. Decrease the cooldown period and set a lower CPU utilization threshold for scale-out
D. Switch to predictive scaling
Answer: C

This triggers scale-out earlier and reduces the time to launch new instances.

Why this answer

Option C is correct because decreasing the cooldown period and setting a lower CPU utilization threshold triggers scale-out earlier, so new instances start launching before utilization reaches 90%. This does not remove the 5-minute startup lag, but it reduces the time to reach desired capacity. Option A (scheduled scaling) can pre-empt the startup delay for predictable traffic patterns, but it is not reactive and does not help when spikes are unpredictable. Option D (predictive scaling) is proactive but still has the same startup delay. Option B (pre-warming the load balancer) is not a standard AWS feature. Using a larger instance type would reduce per-instance CPU but increase cost, and it is not among the options.

The ideal solution would be a warm pool of already-initialized instances registered with the ALB but not serving traffic until needed, or a step scaling policy with a lower scale-out threshold combined with a shorter health check grace period to speed up instance registration. Since neither is offered, C is the best of the given options.

237 · Multi-Select · medium

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The database experiences high CPU utilization during peak hours. The company wants to reduce the load on the primary database instance without making changes to the application code. Which TWO solutions should the solutions architect recommend?

Select 2 answers
A. Increase the instance size of the primary RDS instance.
B. Create one or more Read Replicas in the same region and direct read traffic to them.
C. Enable Amazon RDS Proxy to manage database connections.
D. Convert the RDS instance to a Multi-AZ deployment if not already.
E. Implement an Amazon ElastiCache cluster to cache the results of frequently accessed queries.
Answers: B, E

Read Replicas offload read queries from the primary, reducing its CPU load.

Why this answer

Options B and E are correct. Read Replicas can offload read traffic from the primary, reducing CPU utilization. Amazon ElastiCache caches frequent query results, reducing the number of queries that reach the database.

Option A is wrong because increasing the instance size of the primary helps but is not the only solution and may require downtime. Option D is wrong because converting to Multi-AZ does not reduce read load; Multi-AZ is for failover. Option C is wrong because RDS Proxy helps with connection pooling but does not reduce the CPU cost of queries.

238 · Multi-Select · medium

A company is building a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. They want to improve performance and reduce costs. Which THREE actions should they take? (Choose THREE.)

Select 3 answers
A. Enable Lambda Provisioned Concurrency for the function.
B. Use DynamoDB on-demand capacity mode.
C. Use DynamoDB Accelerator (DAX) for read-heavy workloads.
D. Enable API Gateway caching to reduce backend calls.
E. Increase the Lambda function timeout to 5 minutes.
Answers: A, C, D

Reduces cold start latency for predictable traffic.

Why this answer

Options A, C, and D are correct. A: Lambda Provisioned Concurrency reduces cold starts for predictable traffic. C: Using DAX reduces read latency and DynamoDB costs.

D: API Gateway caching reduces the number of requests to Lambda and DynamoDB. Option E is wrong because increasing the timeout may increase costs without improving performance. Option B is wrong because DynamoDB on-demand can be more expensive for predictable workloads.

239 · Multi-Select · easy

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application stores session state in an Amazon ElastiCache Redis cluster. The operations team has noticed that during peak hours, application response times increase significantly. They need to improve performance without downtime. Which THREE actions should they take? (Choose 3)

Select 3 answers
A. Enable connection draining on the ALB.
B. Decrease the idle timeout of the ALB.
C. Increase the EC2 instance size to a larger instance type.
D. Add read replicas to the ElastiCache Redis cluster.
E. Add more EC2 instances to the Auto Scaling group.
Answers: A, D, E

Connection draining allows existing connections to complete before instances are deregistered, improving availability during scaling events.

Why this answer

Option E: adding more EC2 instances scales horizontally, distributing load. Option D: adding read replicas to the ElastiCache cluster offloads read traffic. Option A: enabling ELB connection draining ensures in-flight requests complete during instance replacement, improving availability.

Option C is not chosen because increasing the instance size (vertical scaling) may cause downtime if done without a rolling replacement.

240 · Multi-Select · easy

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The application occasionally receives traffic spikes that cause the Auto Scaling group to launch new instances. However, the new instances take several minutes to become healthy, causing a temporary performance degradation. Which TWO actions would improve the scaling responsiveness? (Select TWO.)

Select 2 answers
A. Increase the Auto Scaling group cooldown period.
B. Reduce the target group health check interval to 5 seconds.
C. Decrease the health check grace period to 30 seconds.
D. Use a launch template with a pre-provisioned AMI that includes the application and dependencies.
E. Configure a scheduled scaling policy to add instances before expected traffic spikes.
Answers: D, E

Pre-warmed AMI reduces launch time.

Why this answer

Option D is correct because using a launch template with a pre-warmed Amazon Machine Image (AMI) reduces instance startup time. Option E is correct because scheduled scaling can add capacity before expected spikes. Option C is wrong because decreasing the health check grace period may cause instances to be terminated prematurely.

Option A is wrong because increasing the cooldown period delays scaling. Option B is wrong because reducing the health check interval does not speed up instance initialization.

241 · MCQ · medium

A company uses Amazon DynamoDB for a gaming application. During a new game launch, they experience higher than expected latency on write operations. The table has on-demand capacity. What is the best way to improve write performance?

A. Use auto scaling with provisioned capacity.
B. Enable DynamoDB Accelerator (DAX) for caching.
C. Increase the write capacity units (WCU).
D. Add a global secondary index (GSI) to the table.
Answer: B

DAX reduces response times for read-heavy workloads, but it can also help with write latency by offloading reads.

Why this answer

For write-heavy workloads, using DynamoDB Accelerator (DAX) can reduce latency by caching writes. Option B is correct. Option C (increase WCU) is unnecessary with on-demand capacity.

Option D (GSI) adds write overhead. Option A (auto scaling) applies only to provisioned capacity.

242 · MCQ · easy

A company has a legacy application that runs on an Amazon EC2 instance. The application writes logs to a local file. The company wants to centralize log monitoring without modifying the application code. Which solution should the company use?

A. Use Amazon Kinesis Agent to stream the log file to Amazon Kinesis Data Firehose.
B. Install the Amazon CloudWatch agent on the EC2 instance and configure it to tail the log file.
C. Modify the application to use the AWS SDK for logging to Amazon CloudWatch Logs.
D. Turn on AWS CloudTrail for the EC2 instance to capture logs.
E. Configure the application to write logs to Amazon S3 using the AWS SDK.
Answer: B

CloudWatch agent can collect logs from files and send to CloudWatch Logs.

Why this answer

Option B is correct because the CloudWatch agent can be installed on EC2 to ship the log file to CloudWatch Logs without code changes. Option E is wrong because writing logs to S3 requires modifying the application. Option A is wrong because Amazon Kinesis Agent is more complex and not necessary here.

Option C is wrong because it would require modifying the application. Option D is wrong because CloudTrail records API activity, not application logs.

243 · Multi-Select · hard

Which THREE factors should be considered when designing a disaster recovery plan for a multi-tier application using AWS? (Choose three.)

Select 3 answers
A. Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
B. Data replication strategy (e.g., synchronous vs. asynchronous).
C. DNS failover using Amazon Route 53.
D. Deploying the application across multiple Availability Zones.
E. Using larger instance sizes for better performance.
Answers: A, B, C

Key metrics for DR planning.

Why this answer

Options A, B, and C are correct. A: RTO and RPO define the recovery objectives. B: the data replication strategy determines consistency and data loss during recovery.

C: DNS failover routes traffic to the DR site. E is incorrect because larger instances may not be needed. D is incorrect because multiple AZs provide high availability within a region, not DR across regions.

244 · MCQ · medium

A company runs a web application on EC2 instances in an Auto Scaling group. The application receives a variable workload. The company wants to scale based on a custom metric that tracks the number of active users. What is the MOST efficient way to achieve this?

A. Use a scheduled scaling policy to add or remove instances based on historical usage patterns.
B. Use AWS Lambda to periodically evaluate the custom metric and adjust the desired capacity via API calls.
C. Create a step scaling policy that uses CloudWatch alarms based on the custom metric.
D. Create a target tracking scaling policy using the custom metric as the target.
Answer: D

Target tracking automatically adjusts capacity to maintain the target metric value.

Why this answer

Option D is correct because a target tracking scaling policy automatically adjusts capacity to keep the metric at the target value. Option C is wrong because step scaling is more complex and less efficient. Option A is wrong because scheduled scaling is for predictable patterns.

Option B is wrong because a custom Lambda scaling loop is unnecessary when Auto Scaling can consume the metric directly.

245 · MCQ · hard

A financial services company runs a critical application on EC2 instances in an Auto Scaling group across multiple Availability Zones. They need to ensure that in the event of a single AZ failure, the application remains available with no data loss. The application uses EBS volumes for persistent storage. What should a solutions architect recommend?

A. Take periodic EBS snapshots and restore in another AZ.
B. Use Amazon EFS instead of EBS volumes.
C. Use an EBS volume in one AZ and attach it to instances in another AZ.
D. Use an EBS multi-attach volume with a cluster-aware file system.
Answer: D

Multi-attach allows simultaneous attachment to multiple instances; cluster file system ensures consistency.

Why this answer

Option D is correct because using an EBS multi-attach enabled volume with a cluster-aware file system allows instances to share the same storage, providing high availability and no data loss. Option A is wrong because EBS snapshots are not real-time. Option C is wrong because EBS volumes cannot be attached to instances in different AZs.

Option B is wrong because EFS is a different service and not EBS.

246 · Multi-Select · medium

A company is migrating a monolithic application to a microservices architecture on AWS. They want to improve deployment frequency and reduce risk. Which TWO strategies should they adopt?

Select 2 answers
A. Deploy all microservices from a single codebase.
B. Implement blue/green deployments.
C. Use CI/CD pipelines with automated testing.
D. Require manual approval for each production deployment.
E. Use feature branches with manual merge approvals.
Answers: B, C

Blue/green deployments reduce risk by switching traffic between environments.

Why this answer

Correct answers are B and C. Option B (blue/green deployments) reduces risk by limiting the blast radius of a bad release. Option C (CI/CD pipelines with automated testing) speeds up releases by automating testing and deployment.

Option E is wrong because long-lived branches with manual merge approvals increase merge complexity. Option D is wrong because manual gates slow down deployment frequency. Rebuilding from scratch is risky and slow.

247 · MCQ · hard

A company has a microservices architecture running on Amazon ECS with Fargate. Each service writes logs to CloudWatch Logs. The operations team needs to search across all logs for a specific error pattern. Currently, they manually query each log group, which is time-consuming. What is the MOST efficient way to enable centralized log search?

A. Export logs to Amazon S3 and use Amazon Athena to query them.
B. Use CloudWatch Contributor Insights to identify the top error sources.
C. Create a subscription filter for each log group that sends logs to a Kinesis Data Firehose delivery stream.
D. Use CloudWatch Logs Insights to query all log groups from a single query.
Answer: D

CloudWatch Logs Insights supports querying multiple log groups simultaneously.

Why this answer

Option D is correct because CloudWatch Logs Insights allows querying multiple log groups in a single query, enabling centralized search. Option C is wrong because subscription filters send logs to a destination, but Kinesis Data Firehose is not designed for ad-hoc search. Option A is wrong because S3 is for long-term storage, not real-time search.

Option B is wrong because CloudWatch Contributor Insights analyzes top contributors, not arbitrary patterns.

248 · MCQ · easy

A company is using Amazon RDS for MySQL and wants to minimize downtime during a major version upgrade. Which approach is the MOST effective?

A. Take a snapshot, restore as a new instance with the new version, and update the application endpoint.
B. Create a read replica with the new version, promote it to primary, and update the application endpoint.
C. Launch a new RDS instance with the new version, use DMS to migrate data, and switch the application endpoint.
D. Use the AWS RDS modify-db-instance command with the --allow-major-version-upgrade option. This typically causes a few minutes of downtime but is the simplest.
Answer: B

This approach minimizes downtime as the promotion is fast.

Why this answer

Creating a read replica, upgrading it, and then promoting it to primary minimizes downtime because the promotion is a quick operation.

249 · MCQ · medium

A company is using AWS CodePipeline to build and deploy a Java application to Elastic Beanstalk. Recently, deployments have been failing due to unit test failures in the build stage. The team wants to receive immediate notifications when a pipeline fails. What is the MOST efficient way to achieve this?

A. Configure CodePipeline to send notifications to an Amazon SNS topic when the pipeline fails.
B. Have the build script send a notification on failure using the AWS CLI.
C. Set up a CloudWatch Events rule to trigger an AWS Lambda function that sends an email via Amazon SES.
D. Create a CloudWatch alarm on the CodePipeline failure metric.
Answer: A

Direct and efficient.

Why this answer

Option A is correct because CodePipeline can publish events to Amazon SNS when the pipeline state changes, enabling notifications. Option D is wrong because CloudWatch alarms are for metrics, not pipeline state.

Option C is wrong because CloudWatch Events (now Amazon EventBridge) can trigger notifications, but using SNS directly from CodePipeline is simpler; SES is for sending email, and SNS is more appropriate here.

250 · MCQ · hard

A company runs a production database on Amazon RDS for PostgreSQL. The database experiences high write latency during peak hours. The company wants to improve write performance with minimal cost. Which action should a solutions architect take?

A. Enable Multi-AZ deployment for automatic failover.
B. Add multiple read replicas in different Availability Zones.
C. Use RDS for PostgreSQL with multiple write replicas and configure application-level sharding.
D. Increase the allocated storage and provisioned IOPS.
Answer: C

Sharding distributes writes across multiple instances, reducing latency.

Why this answer

Option C is correct because using multiple write replicas with sharding distributes the write load. Option B is wrong because adding more read replicas does not help write performance. Option A is wrong because Multi-AZ does not improve write performance; it provides failover.

Option D is wrong because, while increasing IOPS helps, it may not be cost-effective compared to sharding.

251 · MCQ · medium

A financial services company uses Amazon RDS for MySQL as the backend for a trading application. The application runs on EC2 instances in an Auto Scaling group behind an ALB. The database is a Multi-AZ DB instance with 500 GB provisioned storage. During peak trading hours, the application becomes slow. The RDS metrics show high CPU utilization and high read IOPS. The application performs many read-heavy queries. The team needs to improve performance without application changes. What should they do?

A. Create one or more read replicas and direct read traffic to them.
B. Modify the DB instance to a larger instance type with more vCPUs.
C. Enable Performance Insights and create a CloudWatch dashboard.
D. Convert the DB instance to a Multi-AZ cluster with two readable standbys.
Answer: A

Read replicas offload read queries, reducing load on the primary instance.

Why this answer

Option A is correct. Adding read replicas offloads read traffic from the primary instance, reducing CPU and IOPS load. Option B: increasing the instance size helps but may require downtime.

Option D: Multi-AZ is for high availability, not read scaling. Option C: enabling Performance Insights provides monitoring but does not directly improve performance.

252 · Multi-Select · medium

A company is running a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application needs to process a large batch job that runs once per month and takes 2 hours. The company wants to optimize costs while ensuring the batch job has sufficient capacity. Which THREE steps should a solutions architect recommend?

Select 3 answers
A. Create a scheduled scaling policy that increases the desired capacity before the batch job starts.
B. Use a launch template with multiple instance types to increase the chances of obtaining Spot capacity.
C. Use On-Demand Instances only for the batch job to ensure availability.
D. Use Spot Instances in the Auto Scaling group for the batch job.
E. Purchase Reserved Instances for the batch job capacity.
Answers: A, B, D

Scheduled scaling ensures capacity is available when needed.

Why this answer

Option A is correct because a scheduled scaling policy allows you to increase the desired capacity of the Auto Scaling group before the batch job starts, ensuring sufficient resources are available exactly when needed. This proactive approach avoids the latency of dynamic scaling and optimizes cost by not maintaining extra capacity outside the batch window.

Exam trap

The trap here is that candidates may assume On-Demand or Reserved Instances are required for reliability, but the question emphasizes cost optimization and the batch job's fault tolerance, making Spot Instances with a scheduled scaling policy the correct approach.

253 · MCQ · hard

A company is migrating from a monolithic application to microservices on AWS. They need to reduce the blast radius of failures. Which architecture pattern should they implement?

A.Implement Auto Scaling groups for each microservice without separating data stores.
B.Use a cell-based architecture where each microservice runs in isolated cells with independent data stores.
C.Route all traffic through a single Application Load Balancer to simplify management.
D.Deploy all microservices in a single Availability Zone with a shared database.
AnswerB

Cell-based architecture isolates failures to one cell, reducing overall impact.

Why this answer

Option B is correct because a cell-based architecture runs each microservice in isolated cells with their own data stores, so a failure (or a bad deployment) affects only the users in that cell and cannot spread through a shared dependency. Option A is wrong because Auto Scaling addresses capacity, not isolation; with the data stores still shared, a database problem takes every service down together. Option C is wrong because a single Application Load Balancer is a shared dependency and bottleneck for all services rather than a boundary between them.

Option D is wrong because a single Availability Zone and a shared database are both single points of failure, the opposite of reducing blast radius.

254
Matchingmedium

Match each AWS monitoring and logging service to its capability.


Concepts
Matches

Collect metrics, logs, and set alarms

Record API activity for auditing

Assess, audit, and evaluate resource configurations

Trace and analyze distributed application requests

Automated security assessment of workloads

Why these pairings

These services provide observability, compliance, and security insights.

255
MCQeasy

A company uses Amazon CloudWatch Logs to collect application logs. The operations team wants to be notified when a specific error message appears in the logs. What is the SIMPLEST way to achieve this?

A.Configure S3 event notifications on the log file destination to send an alert.
B.Subscribe a Lambda function to the log group and have it check for the error message.
C.Create a metric filter on the log group for the error message and set up a CloudWatch alarm on the metric.
D.Use CloudWatch Logs Insights to run a query periodically and send results via email.
AnswerC

Metric filters convert log events into metrics, and alarms can trigger notifications.

Why this answer

Option C is correct because a metric filter turns each matching log event into a datapoint of a CloudWatch metric, and a CloudWatch alarm on that metric can notify an SNS topic when the count crosses a threshold; no code or extra service is needed. Option A is wrong because S3 event notifications fire on object operations, not on the content of log events. Option B is wrong because a subscription filter to a Lambda function does work but requires writing, deploying and operating code, so it is not the simplest option.

Option D is wrong because CloudWatch Logs Insights is an interactive query tool; running a query on a schedule and mailing the result is neither real-time nor simple.
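The metric filter and alarm from Option C, modelled locally as an added example (this is not code from the original page). The log lines, log group name, metric namespace and alarm thresholds are constructed for the illustration; nothing here calls the AWS API, but the `METRIC_FILTER` dictionary has the shape that `logs.put_metric_filter()` takes.

```python
import re
from collections import OrderedDict

# Constructed sample log events (not from the original page); the timestamp
# prefix is used as the aggregation period.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z INFO  request served path=/health status=200",
    "2024-05-01T10:00:07Z ERROR DatabaseConnectionFailed host=db-1 retry=1",
    "2024-05-01T10:00:20Z INFO  request served path=/orders status=200",
    "2024-05-01T10:01:03Z ERROR DatabaseConnectionFailed host=db-1 retry=2",
    "2024-05-01T10:01:09Z ERROR DatabaseConnectionFailed host=db-1 retry=3",
    "2024-05-01T10:02:15Z WARN  slow query duration_ms=1800",
    "2024-05-01T10:03:30Z INFO  request served path=/orders status=200",
]

# Parameters as you would pass them to logs.put_metric_filter(). A quoted
# literal pattern matches every event that contains that string. The log
# group and namespace names are assumed.
METRIC_FILTER = {
    "logGroupName": "/app/orders",
    "filterName": "db-connection-failed",
    "filterPattern": '"DatabaseConnectionFailed"',
    "metricTransformations": [{
        "metricName": "DatabaseConnectionFailed",
        "metricNamespace": "App/Orders",
        "metricValue": "1",
        "defaultValue": 0.0,   # emit 0 for periods with events but no matches
    }],
}

def literal_term(pattern: str) -> str:
    """Return the literal inside a simple pattern such as '"ERROR"'."""
    m = re.fullmatch(r'\s*"([^"]+)"\s*', pattern)
    if not m:
        raise ValueError("only a single quoted literal is modelled here")
    return m.group(1)

def metric_datapoints(lines, pattern, period_chars=16):
    """One datapoint per period (first 16 chars of the timestamp = minute).
    Each matching event adds metricValue (1); a period with events but no
    match gets defaultValue, so the alarm sees 0 rather than missing data."""
    term = literal_term(pattern)
    points = OrderedDict()
    for line in lines:
        period = line[:period_chars]
        points.setdefault(period, 0)
        if term in line:
            points[period] += 1
    return points

def alarm_state(points, threshold, evaluation_periods=1, datapoints_to_alarm=1):
    """ALARM when at least datapoints_to_alarm of the most recent
    evaluation_periods datapoints are >= threshold."""
    recent = list(points.values())[-evaluation_periods:]
    breaching = sum(1 for v in recent if v >= threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"

def evaluate(lines=SAMPLE_LOGS, threshold=1, evaluation_periods=1, datapoints_to_alarm=1):
    """Run the filter over the lines and return (datapoints, alarm state)."""
    points = metric_datapoints(lines, METRIC_FILTER["filterPattern"])
    return points, alarm_state(points, threshold, evaluation_periods, datapoints_to_alarm)
```

Two settings matter in practice: `defaultValue` keeps the metric from going to INSUFFICIENT_DATA during quiet minutes, and `evaluation_periods` with a smaller `datapoints_to_alarm` lets a short burst of errors still page while a single transient line does not if the threshold is set above the observed noise floor.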

256
Multi-Selecthard

A company runs a critical application on Amazon RDS for MySQL. The database size is 500 GB and growing. The application experiences high write latency during peak hours. A Solutions Architect needs to improve write performance with minimal downtime. Which THREE actions should the architect take? (Choose three.)

Select 3 answers
A.Migrate the database to Amazon Aurora with MySQL compatibility.
B.Add a read replica to offload read traffic.
C.Enable Multi-AZ deployment for the DB instance.
D.Change the storage type to Provisioned IOPS.
E.Increase the allocated storage of the DB instance.
AnswersA, D, E

Aurora offers better write throughput and scalability compared to RDS MySQL.

Why this answer

Options A, D, and E are correct. Option A: Amazon Aurora MySQL-Compatible Edition uses a distributed storage layer that delivers higher write throughput than RDS for MySQL, and the migration can be done with little downtime by creating an Aurora read replica of the RDS instance and promoting it at cutover. Option D: Provisioned IOPS storage gives a guaranteed, consistent IOPS rate instead of a burstable baseline, so write latency stays predictable during peak hours. Option E: with General Purpose SSD (gp2) storage, baseline IOPS scale with the volume size, so increasing the allocated storage raises the IOPS available to writes; both storage changes are applied online.

Option B is wrong because a read replica only takes read traffic off the primary; every write still goes to the primary instance. Option C is wrong because Multi-AZ adds a synchronous standby for availability and does not reduce write latency.

257
MCQhard

A company has a monolithic application running on a single Amazon EC2 instance. The application consists of a web server and a backend worker process. The company wants to migrate to a microservices architecture using containers on Amazon ECS with Fargate. The solutions architect needs to design a solution that minimizes downtime during the migration. Which approach should the solutions architect recommend?

A.Create a Docker image of the entire monolithic application and run it on ECS with Fargate.
B.Use a strangler fig pattern: gradually replace parts of the monolith with microservices, routing traffic via an Application Load Balancer.
C.Run the monolithic application on the same EC2 instance as the new microservices, using different ports.
D.Refactor the entire application into microservices, then deploy all microservices at once on ECS.
AnswerB

This incremental approach minimizes downtime and risk, allowing both old and new to coexist.

Why this answer

Option B is correct because the strangler fig pattern moves functionality out of the monolith one piece at a time, with the Application Load Balancer's path-based rules sending each request either to the monolith or to the new service that has replaced that function. Downtime is minimized because the monolith keeps serving everything that has not been migrated yet, and a misbehaving new service can be rolled back by changing a listener rule. Option A is wrong because packaging the whole monolith into one container is a lift-and-shift that does not decompose it into microservices.

Option C is wrong because co-locating the monolith and the new services on one instance on different ports keeps a single point of failure and complicates routing without reducing downtime. Option D is wrong because a big-bang rewrite followed by a single cutover carries the most risk and the largest potential outage.

258
MCQmedium

A company uses AWS Systems Manager Patch Manager to patch Amazon EC2 instances. After a patching operation, some instances fail to report their compliance status. What is the MOST efficient way to identify the cause of the failure?

A.Run a script on each instance to list missing patches.
B.Use Systems Manager Inventory to query patch compliance details and identify non-compliant instances.
C.Use the Patch Manager dashboard in the AWS Management Console.
D.Check the EC2 console for each instance's patch status.
AnswerB

Inventory provides detailed compliance data that can be queried.

Why this answer

Option B is correct because Systems Manager Inventory collects patch compliance data (the AWS:PatchSummary and AWS:PatchCompliance types) from every managed instance and lets you query it across the fleet in one place to see which instances are non-compliant and which patches or scan states are behind it. A practical first check is whether the failing instances still appear as managed nodes at all; an instance whose SSM Agent cannot reach the service reports nothing. Option A is wrong because running a script on each instance is manual and does not scale. Option C is wrong because the Patch Manager console view summarizes compliance counts but does not give the per-instance detail needed to explain a failure.

Option D is wrong because the EC2 console does not show patch status.

259
MCQeasy

A company is using AWS CloudTrail to log all API activity. The security team wants to be alerted when an IAM user creates a new access key. What is the simplest way to achieve this?

A.Configure an S3 event notification on the CloudTrail log bucket to trigger a Lambda function.
B.Set up a CloudTrail trail with log file validation enabled.
C.Use AWS Config to create a rule that checks for access keys.
D.Create an Amazon EventBridge rule that matches the 'CreateAccessKey' API call and sends an SNS notification.
AnswerD

EventBridge can filter CloudTrail events and trigger actions.

Why this answer

Option D is correct because Amazon EventBridge (formerly CloudWatch Events) receives CloudTrail management events and an event pattern can match `eventSource` iam.amazonaws.com with `eventName` CreateAccessKey and send the event to an SNS topic, all without code. Because IAM is a global service, its CloudTrail events are recorded in US East (N. Virginia), so the rule must live there or be forwarded from it. Option A is wrong because S3 event notifications fire when a log file object is written, which happens in batches minutes after the call, and you would still have to parse the file to find the API call. Option B is wrong because log file validation protects the integrity of delivered log files; it does not send alerts.

Option C is wrong because AWS Config rules evaluate resource configurations, not individual API calls.
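The EventBridge rule from Option D, as an added example that is not part of the original page: the event pattern is the one you would put on the rule, and the matcher below is a local model of how EventBridge applies it, run over three constructed CloudTrail-shaped events (the user names and the S3 role ARN are invented). The real service is not called.

```python
# EventBridge event pattern for an IAM CreateAccessKey call recorded by CloudTrail.
CREATE_ACCESS_KEY_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateAccessKey"],
    },
}

def matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must exist in the
    event; a list matches when the event value is one of its members; a
    nested dict recurses. Keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

# Constructed sample events in the shape EventBridge delivers CloudTrail events.
SAMPLE_EVENTS = [
    {   # an IAM user minting a key for a service user: should alert
        "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
        "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                   "userIdentity": {"type": "IAMUser", "userName": "alice"},
                   "requestParameters": {"userName": "svc-deploy"}}},
    {   # same source, different API call: no alert
        "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
        "detail": {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey",
                   "userIdentity": {"type": "IAMUser", "userName": "alice"},
                   "requestParameters": {"userName": "svc-deploy"}}},
    {   # unrelated event from another service: no alert
        "source": "aws.s3", "detail-type": "AWS API Call via CloudTrail", "region": "eu-west-1",
        "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
                   "userIdentity": {"type": "AssumedRole",
                                    "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}}},
]

def alerts(events, pattern=CREATE_ACCESS_KEY_PATTERN):
    """Return the SNS message text for each event the rule would route."""
    out = []
    for event in events:
        if not matches(pattern, event):
            continue
        detail = event["detail"]
        identity = detail.get("userIdentity", {})
        caller = identity.get("userName") or identity.get("arn", "unknown")
        # requestParameters.userName is absent when a user creates a key for itself
        target = (detail.get("requestParameters") or {}).get("userName") or caller
        out.append(f"{caller} created an access key for {target}")
    return out
```

The message includes both the caller and the user the key was created for, because the two differ exactly in the case a security team cares about most: a principal quietly issuing long-lived credentials for another identity.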

260
MCQmedium

A company runs a critical web application on EC2 instances behind an ALB. The application stores session data in an ElastiCache Redis cluster. During a recent outage, the Redis cluster failed and all active sessions were lost, causing users to be logged out. Which solution would provide the HIGHEST availability for session data?

A.Enable Cluster Mode and deploy Redis in Multi-AZ with replicas.
B.Deploy a single-node Redis cluster with automatic backups.
C.Disable Redis persistence to improve performance.
D.Use a larger Redis instance type to handle more connections.
AnswerA

Multi-AZ with replicas provides automatic failover and high availability.

Why this answer

Option A is correct because ElastiCache for Redis with Multi-AZ and one or more replicas keeps a copy of the session data in another Availability Zone and fails over to it automatically when the primary node or its AZ goes down, so sessions survive the failure; cluster mode additionally spreads the keyspace over several shards, each with its own replicas. Option B is wrong because a single node has no redundancy, and restoring from a backup after a failure means the sessions in between are lost. Option C is wrong because disabling persistence only reduces durability.

Option D is wrong because a larger node handles more connections but still fails as a unit.

261
MCQhard

A company uses AWS Lambda functions within a VPC to process data from an Amazon SQS queue. The Lambda functions frequently timeout with the error 'Task timed out after 3.00 seconds'. The functions perform database operations on an RDS instance in the same VPC. The average database query takes 2 seconds. What is the MOST likely cause of the timeouts?

A.The Lambda function does not have the required VPC permissions to access the RDS instance.
B.The VPC does not have a NAT gateway, so the Lambda function cannot poll the SQS queue.
C.The Lambda function timeout should be increased to accommodate database query time.
D.The RDS instance is under-provisioned and causing slow queries.
AnswerB

A Lambda function attached to a VPC needs a NAT gateway or an SQS VPC endpoint to reach the public SQS endpoint; without one, the function's own SQS API calls hang until the 3-second timeout.

Why this answer

Option B is correct because a Lambda function attached to a VPC has no route to public AWS endpoints unless its subnet has a NAT gateway (or an interface VPC endpoint for SQS). Any SQS API call the function code makes, such as ReceiveMessage or DeleteMessage, then hangs until the function's 3-second timeout expires, which is why the 2-second query alone does not explain the failures. Option A is wrong because Lambda reaches RDS in the same VPC through its elastic network interface and security groups; there is no separate "VPC permission" to grant.

Option C is wrong because a 3-second timeout covers a 2-second query when the network path works; raising it would only mask the missing route. Option D is wrong because the query already completes in 2 seconds on average, and database sizing does not affect connectivity to SQS.

262
MCQhard

A company is migrating a monolithic application to microservices on Amazon ECS. The application uses a legacy database that does not support distributed transactions. The team wants to ensure data consistency across services. Which solution is BEST for achieving eventual consistency with minimal code changes?

A.Use Amazon DynamoDB transactions across all services.
B.Modify the legacy database to support two-phase commit.
C.Use Amazon SQS to queue all database writes and process them sequentially.
D.Implement the Saga pattern using AWS Step Functions.
AnswerD

Step Functions can orchestrate a saga, handling failures and compensating transactions.

Why this answer

Implementing the Saga pattern with AWS Step Functions allows orchestrating distributed transactions across services, managing rollbacks and compensating actions. This is the best approach for eventual consistency with minimal code changes.
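The saga from Option D, as an added example that is not code from the original page: each forward step corresponds to a Task state in the Step Functions state machine and each compensation to the state its Catch branch jumps to. The order, inventory and payment "services" are in-memory dictionaries constructed for the illustration, and the step names are invented.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class SagaStep:
    name: str
    action: Callable[[dict], None]       # forward transaction (a Task state)
    compensate: Callable[[dict], None]   # undo, run if a later step fails

class SagaFailed(Exception):
    def __init__(self, failed_step: str, log: List[str]):
        super().__init__(f"saga failed at {failed_step}")
        self.failed_step = failed_step
        self.log = log

def run_saga(steps: List[SagaStep], ctx: dict) -> List[str]:
    """Run steps in order. If one raises, run the compensations of the steps
    already completed in reverse order (what the Catch branches of a Step
    Functions saga do), then raise SagaFailed. Returns the log on success."""
    completed: List[SagaStep] = []
    log: List[str] = []
    for step in steps:
        try:
            step.action(ctx)
        except Exception as exc:
            log.append(f"{step.name}:failed({exc})")
            for done in reversed(completed):
                done.compensate(ctx)
                log.append(f"{done.name}:compensated")
            raise SagaFailed(step.name, log) from exc
        completed.append(step)
        log.append(f"{step.name}:ok")
    return log

def new_state(stock: int = 5, balance: int = 100) -> dict:
    """In-memory stand-ins for the order, inventory and payment services."""
    return {"orders": {}, "inventory": {"widget": stock}, "payments": {}, "balance": balance}

def order_saga(state: dict, order_id: str, sku: str, qty: int, amount: int) -> List[str]:
    """Create order -> reserve stock -> charge -> confirm, with compensations."""
    def create_order(ctx):
        ctx["orders"][order_id] = "PENDING"
    def cancel_order(ctx):
        ctx["orders"][order_id] = "CANCELLED"
    def reserve_stock(ctx):
        if ctx["inventory"][sku] < qty:
            raise RuntimeError("insufficient stock")
        ctx["inventory"][sku] -= qty
    def release_stock(ctx):
        ctx["inventory"][sku] += qty
    def charge(ctx):
        if order_id in ctx["payments"]:      # idempotent: a retried step must not charge twice
            return
        if ctx["balance"] < amount:
            raise RuntimeError("payment declined")
        ctx["balance"] -= amount
        ctx["payments"][order_id] = amount
    def refund(ctx):
        ctx["balance"] += ctx["payments"].pop(order_id, 0)   # idempotent: refunds at most once
    def confirm(ctx):
        ctx["orders"][order_id] = "CONFIRMED"
    steps = [
        SagaStep("CreateOrder", create_order, cancel_order),
        SagaStep("ReserveInventory", reserve_stock, release_stock),
        SagaStep("ChargePayment", charge, refund),
        SagaStep("ConfirmOrder", confirm, lambda ctx: None),
    ]
    return run_saga(steps, state)
```

The compensations are written to be idempotent because Step Functions retries a Task on error and a compensation can therefore run more than once; a refund that is not idempotent is the classic way a saga loses money. Between the forward step and its compensation the system is visibly inconsistent, which is the "eventual" in eventual consistency.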

263
MCQhard

A media company runs a video transcoding pipeline on AWS using Amazon EC2 Spot Instances. The pipeline uses a custom AMI with pre-installed software. The operations team notices that the latest AMI is not always used when new instances launch, causing inconsistent transcoding results. What should the team do to ensure that all new Spot Instances use the latest AMI?

A.Create a new launch configuration each time a new AMI is released and associate it with the Auto Scaling group.
B.Use AWS CloudFormation to update the stack with the new AMI ID and then manually trigger a rolling update.
C.Manually update the AMI ID in the EC2 Auto Scaling group configuration every time a new AMI is released.
D.Use an EC2 Auto Scaling group with a launch template that dynamically references the latest AMI ID from AWS Systems Manager Parameter Store.
AnswerD

This allows automatic retrieval of the latest AMI ID at launch time.

Why this answer

Option D is correct because a launch template can set its ImageId to a Systems Manager parameter reference (`resolve:ssm:<parameter-name>`), so every instance launch resolves the parameter's current value and picks up the latest AMI without anyone editing the template or the Auto Scaling group. Restrict who can write that parameter: whoever can change it can point the whole fleet at an arbitrary image. Option A is wrong because creating a new launch configuration for every AMI release is a manual step each time, and launch configurations are legacy compared with launch templates. Option B is wrong because updating the stack and triggering a rolling update by hand is still manual.

Option C is wrong because editing the AMI ID in the Auto Scaling group every release is manual and error-prone.

264
Multi-Selectmedium

A company stores sensitive data in an S3 bucket. The security team requires that all data be encrypted at rest and that the encryption keys be rotated automatically every year. The company also needs to audit who accessed the key and when. Which THREE services should the solutions architect use to meet these requirements?

Select 3 answers
A.S3 server-side encryption with AWS KMS (SSE-KMS).
B.AWS CloudTrail to log KMS Decrypt and GenerateDataKey events.
C.AWS Identity and Access Management (IAM) to control access to the keys.
D.AWS Key Management Service (KMS) with automatic key rotation enabled.
E.S3 server-side encryption with S3-managed keys (SSE-S3).
AnswersA, B, D

SSE-KMS uses KMS keys for encryption, enabling rotation and auditing.

Why this answer

Options A, B, and D are correct. Option D: AWS KMS customer managed keys can be rotated automatically, yearly by default, without re-encrypting existing objects (KMS keeps the older key material to decrypt them). Option A: S3 server-side encryption with KMS keys (SSE-KMS) makes S3 call KMS for every object, which is what makes the key usage visible. Option B: CloudTrail records those KMS calls (GenerateDataKey on upload, Decrypt on download) with the calling principal and an encryption context that identifies the object, which answers "who accessed the key and when"; note that with S3 Bucket Keys enabled, KMS is called per bucket key rather than per object, so the trail shows fewer, bucket-scoped entries.

Option C is wrong because IAM controls who may use the key but provides neither rotation nor an audit trail by itself. Option E is wrong because SSE-S3 uses keys that S3 manages internally, with no customer-visible rotation or per-call audit records.

265
MCQhard

An IAM policy is attached to an IAM user. The user reports being unable to download objects from the bucket 'example-bucket' when connecting from their office IP address 203.0.113.5. What is the most likely reason?

A.The user's IP address is not in the allowed range.
B.The condition key 'aws:SourceIp' is invalid.
C.The resource ARN is incorrect.
D.The s3:GetObject action is misspelled.
AnswerA

The condition restricts access to 192.0.2.0/24.

Why this answer

Option A is correct because the policy's Condition block allows s3:GetObject only when aws:SourceIp falls within 192.0.2.0/24; a request from 203.0.113.5 is outside that range, so the Allow statement does not apply and the request gets the implicit deny. Before widening the range, check which address AWS actually sees: aws:SourceIp is the public address of the request, which for an office usually means its NAT or VPN egress address rather than the workstation's. Option B is wrong because aws:SourceIp is a valid global condition key. Option C is wrong because the resource ARN in the policy matches the bucket's objects.

Option D is wrong because the action name is spelled correctly.

266
MCQeasy

A company uses AWS CodePipeline to deploy a static website to an S3 bucket. The pipeline includes a source stage from GitHub and a deploy stage that syncs the S3 bucket. Recently, the deployment has been failing intermittently with the error 'Access Denied' when the pipeline tries to write to the S3 bucket. The bucket policy allows the pipeline's service role to perform s3:PutObject. The service role has the following IAM policy attached: { 'Effect': 'Allow', 'Action': 's3:PutObject', 'Resource': 'arn:aws:s3:::my-bucket/*' }. What is the MOST likely cause of the failure?

A.The S3 bucket has default encryption enabled.
B.The pipeline is in a VPC without an S3 VPC endpoint.
C.The pipeline's source stage is not configured with Git credentials.
D.The bucket has a bucket policy that denies the pipeline's service role.
AnswerD

An explicit deny in the bucket policy overrides the IAM allow.

Why this answer

Option D is correct. IAM evaluates the role's identity policy and the bucket policy together, and an explicit Deny in either overrides every Allow, so an Allow for s3:PutObject in the role's policy does nothing if a Deny statement in the bucket policy matches the role. The first thing to read is each Deny statement in the bucket policy and its conditions. Option A is wrong because default encryption with S3-managed keys adds no permission requirement, and nothing in the scenario involves encryption. Option B is wrong because CodePipeline is a managed service that does not run inside your VPC, and a missing network path shows up as a timeout, not as Access Denied.

Option C is wrong because source credentials affect the source stage, while the failure is in the deploy stage.

267
Multi-Selecthard

A company runs a web application on Amazon ECS with Fargate launch type. The application is behind an Application Load Balancer. During traffic spikes, the application becomes slow. The team suspects that the ECS service is not scaling fast enough. Which THREE actions should the team take to improve the scalability? (Choose three.)

Select 3 answers
A.Decrease the number of subnets in the VPC.
B.Decrease the scale-in and scale-out cooldown periods.
C.Decrease the ALB idle timeout.
D.Increase the maximum number of tasks in the ECS service.
E.Increase the target value for the scaling metric (e.g., CPU utilization).
AnswersB, D, E

Shorter cooldowns allow scaling actions to happen more frequently.

Why this answer

Options B, D, and E are the marked answers. Option B: shorter scale-out and scale-in cooldowns let Application Auto Scaling start the next scaling activity sooner after the previous one. Option D: a service cannot scale past its maximum task count, so if the spikes push it to that ceiling, raising the maximum is the only thing that adds capacity. Option E is marked correct here, but be careful with the direction: a higher target value lets tasks run hotter before a scale-out triggers, so lowering the target value (or adding a step scaling policy, as question 279 describes) is what makes scale-out happen sooner.

Option A is wrong because the number of subnets has nothing to do with task scaling; removing subnets only reduces Availability Zone coverage. Option C is wrong because the ALB idle timeout governs connection lifetime, not the number of tasks.

268
MCQeasy

A company uses an Application Load Balancer (ALB) to distribute traffic to an Auto Scaling group of EC2 instances. The operations team notices that the ALB is returning a high number of 504 errors during peak hours. Which configuration change is MOST likely to reduce the 504 errors?

A.Enable cross-zone load balancing on the ALB.
B.Increase the idle timeout setting on the ALB.
C.Increase the health check interval for the target group.
D.Increase the deregistration delay on the target group.
AnswerB

Higher idle timeout allows longer-lived connections to complete without timing out.

Why this answer

Option B is correct because an ALB returns 504 when a target does not respond before the idle timeout (60 seconds by default) expires; if peak-hour requests legitimately take longer than that, raising the idle timeout lets them complete. Treat this as relief rather than a fix: requests that take longer than a minute under load usually point at a slow backend that also needs attention. Option A is wrong because cross-zone load balancing, which is on by default for an ALB, spreads requests across Availability Zones and does not change any timeout. Option C is wrong because the health check interval affects how quickly unhealthy targets are detected, not how long a request may take.

Option D is wrong because the deregistration delay applies only while a target is draining.

269
MCQhard

Refer to the exhibit. A company uses this IAM policy to allow an automation script to manage Amazon EBS snapshots. The script runs on an EC2 instance with this attached IAM role. The script is failing when trying to create a snapshot from a volume and tag it. The error message indicates an authorization failure. What is the root cause?

A.The policy does not grant permission to call ec2:DescribeSnapshots, which is required before creating a snapshot.
B.The policy lacks a condition key to restrict the snapshot creation to specific volumes.
C.The policy does not grant permission to call ec2:CreateSnapshot on the volume resource.
D.The policy does not include ec2:CreateTags for the volume, only for snapshots.
AnswerC

CreateSnapshot requires permission on the volume (e.g., arn:aws:ec2:region:account:volume/*) and optionally on the snapshot.

Why this answer

The error occurs because the IAM policy grants `ec2:CreateSnapshot` only on the `arn:aws:ec2:*::snapshot/*` resource, but the API call to create a snapshot also requires permission on the source volume resource (`arn:aws:ec2:*:*:volume/*`). Without that volume-level permission, the request fails with an authorization error, even though the snapshot-level permission is present.

Exam trap

The trap here is that candidates assume only the target snapshot resource needs permission, but AWS requires explicit authorization on the source volume resource for the `ec2:CreateSnapshot` action.

How to eliminate wrong answers

Option A is wrong because `ec2:DescribeSnapshots` is a read-only action and is not required before creating a snapshot; the failure is due to missing resource-level permissions, not a missing read action. Option B is wrong because the policy does not include any condition keys, but the absence of a condition key is not the root cause—the core issue is the missing volume resource in the `ec2:CreateSnapshot` action. Option D is wrong because the policy does include `ec2:CreateTags` on the snapshot resource (`arn:aws:ec2:*::snapshot/*`), and the error is about creating the snapshot itself, not tagging it.
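Questions 265, 266 and 269 all turn on how IAM reaches a decision: a condition key that does not match (265), an explicit deny in a bucket policy that overrides an IAM allow (266), and an action that needs authorization on more than one resource (269). The following Python is an added example, not part of the original page, that models that evaluation for a single account (no SCPs, permission boundaries or session policies) and runs the three scenarios through it. Every policy document, ARN, role name and IP address in it is constructed for the illustration.

```python
import fnmatch
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_ok(stmt, principal):
    """Resource-policy statements name a Principal; identity-policy statements do not."""
    if "Principal" not in stmt:
        return True
    allowed = _as_list(stmt["Principal"].get("AWS", []))
    return "*" in allowed or principal in allowed

def _condition_ok(cond, ctx):
    """Only IpAddress / NotIpAddress on aws:SourceIp are modelled here."""
    for op, kv in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {op}")
        for key, ranges in kv.items():
            if key != "aws:SourceIp":
                raise ValueError(f"unsupported condition key {key}")
            if key not in ctx:            # missing key: IpAddress fails, NotIpAddress passes
                if op == "IpAddress":
                    return False
                continue
            ip = ipaddress.ip_address(ctx[key])
            inside = any(ip in ipaddress.ip_network(r) for r in _as_list(ranges))
            if (op == "IpAddress") != inside:
                return False
    return True

def _applies(stmt, action, resource, ctx, principal):
    """A statement applies when principal, action, resource and condition all match."""
    return (_principal_ok(stmt, principal)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_ok(stmt.get("Condition", {}), ctx))

def evaluate(action, resource, identity_policies, resource_policies=(), ctx=None, principal=None):
    """Explicit Deny in any applicable statement wins; otherwise an Allow from an
    identity or (same-account) resource policy grants; otherwise implicit deny."""
    ctx = ctx or {}
    stmts = [s for p in (*identity_policies, *resource_policies) for s in p["Statement"]]
    applicable = [s for s in stmts if _applies(s, action, resource, ctx, principal)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit deny"

def authorize(action, resources, identity_policies, resource_policies=(), ctx=None, principal=None):
    """Some calls touch several resources (ec2:CreateSnapshot: the source volume
    and the new snapshot); the call is authorized only if every one is allowed."""
    verdicts = {r: evaluate(action, r, identity_policies, resource_policies, ctx, principal)
                for r in resources}
    return all(v == "allow" for v in verdicts.values()), verdicts

# Q265: GetObject allowed only from the office range (constructed policy).
OFFICE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}

# Q266: the pipeline role is allowed by IAM but explicitly denied by the bucket policy.
PIPELINE_ROLE = "arn:aws:iam::123456789012:role/codepipeline-deploy"   # assumed ARN
PIPELINE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": {"AWS": PIPELINE_ROLE},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}

# Q269: CreateSnapshot granted on snapshots only, then on the volume as well.
VOLUME = "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0"   # assumed
SNAPSHOT = "arn:aws:ec2:us-east-1::snapshot/snap-0fedcba9876543210"          # assumed
SNAPSHOT_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:CreateTags"],
    "Resource": "arn:aws:ec2:*::snapshot/*"}]}
SNAPSHOT_POLICY_FIXED = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:CreateSnapshot",
     "Resource": ["arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:volume/*"]},
    {"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*::snapshot/*"}]}
```

`authorize()` is the part worth keeping in mind when you read a policy: the question is never only "is the action allowed" but "is it allowed on every resource type this call touches", which is what the service authorization reference lists per action.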

270
Multi-Selecteasy

A company is migrating a legacy application to AWS. The application requires a relational database with high availability and automated backups. Which TWO AWS services should the company consider? (Choose two.)

Select 2 answers
A.Amazon Redshift
B.Amazon RDS with Multi-AZ deployment
C.Amazon ElastiCache
D.Amazon DynamoDB
E.Amazon Aurora
AnswersB, E

Provides high availability and automated backups.

Why this answer

Options B and E are correct. Option B: Amazon RDS with a Multi-AZ deployment keeps a synchronous standby in another Availability Zone for automatic failover and takes automated backups. Option E: Amazon Aurora is a MySQL- and PostgreSQL-compatible relational database with storage replicated across three Availability Zones, automatic failover to a replica, and continuous backups.

Option A is wrong because Redshift is a data warehouse. Option C is wrong because ElastiCache is an in-memory cache. Option D is wrong because DynamoDB is a NoSQL database, not a relational one.

271
MCQeasy

Refer to the exhibit. An AWS Lambda function logs the error above. The function uses the AWS SDK to call an Amazon DynamoDB table. What is the MOST likely cause?

A.The Lambda function timed out while waiting for a response.
B.The DynamoDB table specified in the function does not exist.
C.The Lambda function does not have permission to access DynamoDB.
D.The DynamoDB table is throttling requests.
AnswerB

ResourceNotFoundException means the resource is not found.

Why this answer

Option B is correct. ResourceNotFoundException means DynamoDB could not find the table named in the request in the account and Region the call went to: the table does not exist, has been deleted, or the function is calling a different Region than the one the table lives in. Option A is wrong because a timeout ends the invocation with a "Task timed out" error rather than an SDK exception.

Option C is wrong because missing permissions produce AccessDeniedException. Option D is wrong because throttling produces ProvisionedThroughputExceededException (or ThrottlingException).

272
Multi-Selectmedium

Which TWO actions would improve the security of an S3 bucket that contains sensitive data? (Choose two.)

Select 2 answers
A.Enable S3 Server Access Logging.
B.Enable default encryption (SSE-S3).
C.Enable S3 Block Public Access.
D.Enable S3 Versioning.
E.Configure S3 Lifecycle to expire objects.
AnswersB, C

Encrypts objects at rest.

Why this answer

Options B and C are correct. B: default encryption ensures every new object is encrypted at rest even if the uploader sets no encryption header. C: Block Public Access overrides any ACL or bucket policy statement that would otherwise expose objects publicly, which is the most common way sensitive S3 data leaks.

A is incorrect because server access logging supports auditing after the fact but does not change who can read the data. D is incorrect because versioning protects against accidental overwrite or deletion, a recovery control rather than an access control. E is incorrect because lifecycle rules manage retention and storage cost, not security.

273
MCQeasy

A company wants to reduce costs for its Amazon RDS for MySQL database without affecting performance. The database is used by a read-intensive application. Which action should the company take?

A.Change the DB instance to a Multi-AZ deployment.
B.Upgrade to the latest generation instance type.
C.Implement a Read Replica and direct read traffic to it.
D.Purchase Reserved Instances for the database.
AnswerC

Offloads reads, enabling a smaller primary instance to handle writes.

Why this answer

Option C is correct because a read replica takes the read traffic that dominates this workload off the primary, so the primary can run on a smaller (cheaper) instance class while serving the writes. Option A is wrong because Multi-AZ adds a standby that serves no traffic, roughly doubling the instance cost for availability rather than lowering it. Option B is wrong because a newer instance type may improve price/performance but does not by itself reduce cost.

Option D is wrong because Reserved Instances lower the price of the same instance but do nothing about the read load that drives its size.

274
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. CloudWatch logs show the ALB's healthy host count occasionally drops to zero during traffic spikes. Which design change should a solutions architect implement to improve availability?

A.Enable EC2 instance refresh for the Auto Scaling group.
B.Increase the size of the Auto Scaling group and adjust scaling policies.
C.Purchase Reserved Instances for the existing EC2 fleet.
D.Replace the ALB with a larger Network Load Balancer.
AnswerB

More instances and proper scaling prevent zero healthy hosts during spikes.

Why this answer

The correct answer is B because the healthy host count drops to zero when every instance is overwhelmed and fails its health checks; a larger Auto Scaling group with scaling policies that react to load keeps enough healthy capacity in place through the spikes. Option A is wrong because instance refresh replaces instances to roll out updates; it does not add capacity. Option C is wrong because Reserved Instances change pricing, not the number of instances.

Option D is wrong because the load balancer scales automatically and is not the component running out of capacity; swapping it for an NLB does not fix the under-sized backend.

275
MCQeasy

A company uses Amazon ECS with Fargate launch type for a web application. During deployments, the new tasks fail health checks and the deployment rolls back. What should the team do to identify why the new tasks are failing?

A.View the stopped task logs in Amazon CloudWatch Logs.
B.Review the task definition for misconfigured environment variables.
C.Check the ECS service event stream for error messages.
D.Use ECS Exec to connect to the failing tasks and debug.
AnswerA

Stopped tasks send logs to CloudWatch, revealing failure reasons.

Why this answer

Option A is correct because a task that fails its health check is stopped, and if the task definition's log configuration sends stdout and stderr to CloudWatch Logs, the stopped task's log stream shows the application error (a crash at startup, a missing dependency, a port that never opened); the stopped task's stoppedReason in ECS tells you it was a health check, the log tells you why. Option B is wrong because the task definition is a guess rather than evidence; the logs point you to the misconfiguration if there is one. Option C is wrong because the service event stream records that tasks were stopped for failing health checks but not the application-level reason.

Option D is wrong because ECS Exec needs a running task to connect to, and these tasks are already stopped.

276
MCQeasy

A company uses AWS Lambda functions to process events from Amazon S3. They notice that some Lambda invocations are failing with 'ResourceNotFoundException' errors when trying to write to an Amazon DynamoDB table. The Lambda execution role has a policy that grants dynamodb:PutItem on the table. What is the most likely cause of these errors?

A.The Lambda function is using the wrong AWS credentials.
B.The Lambda function is in a VPC without a DynamoDB VPC endpoint.
C.The DynamoDB table is in a different AWS account and the Lambda role does not have cross-account access.
D.The DynamoDB table name is misspelled in the Lambda code.
AnswerC

Cross-account DynamoDB access requires the Lambda role to be trusted by the other account.

Why this answer

Option C is correct because a table in a different AWS account is not visible to a call made with the Lambda role's own credentials: DynamoDB resolves the table name in the caller's account, finds nothing, and returns ResourceNotFoundException. To write to it, the Lambda role must assume a role in the other account that is trusted to access the table (or a resource-based policy on the table must grant the Lambda role access), and the code must target that account. Option A is wrong because Lambda's execution role supplies the credentials; there is no separate credential set to get wrong. Option B is wrong because a function in a VPC with no route to DynamoDB hangs until it times out rather than receiving an API error.

Option D is less likely because the execution role's policy already names the table, so the name is known; nothing in the scenario suggests a typo.

277
MCQmedium

A company uses Amazon CloudFront to serve static content from an S3 bucket. Users in Europe report slow load times. The CloudFront distribution uses the default cache behavior. What is the MOST cost-effective improvement?

A.Enable CloudFront Lambda@Edge to optimize content delivery.
B.Use an S3 Transfer Acceleration to speed up content delivery.
C.Configure CloudFront with multiple origins and use geographic restrictions to route users to the nearest origin.
D.Add additional cache behaviors to serve different content from different origins.
AnswerC

Multiple origins in different regions reduce latency.

Why this answer

Option C is correct because serving European users from an origin in a European Region shortens the path for cache misses; with several origins, cache behaviors and origin groups can route requests and fail over between them. Option A is wrong because Lambda@Edge adds per-request cost and complexity and does not by itself bring content closer to users. Option B is wrong because S3 Transfer Acceleration speeds up uploads to S3, not delivery to viewers.

Option D is wrong because additional cache behaviors decide how request paths are cached and routed; on their own they do not reduce latency.

278
MCQhard

A financial services company runs a critical trading application on Amazon EC2 instances behind an Application Load Balancer (ALB) in three Availability Zones. The application uses a MySQL-compatible Amazon RDS for MariaDB database with Multi-AZ deployment. Recently, the operations team noticed that during periods of heavy trading, the database CPU utilization spikes to 100%, causing query timeouts and application errors. The team has already reviewed slow query logs and enabled Performance Insights, but the issue persists. The application is read-heavy with frequent writes. The team needs to reduce database load with minimal changes to the application code. Which solution is the MOST effective and scalable?

A.Migrate the database to Amazon Aurora MySQL-Compatible Edition with Auto Scaling and enable performance insights.
B.Implement an in-memory caching layer using Amazon ElastiCache for Memcached and modify the application to check the cache first.
C.Replace the RDS database with Amazon DynamoDB and use DynamoDB Accelerator (DAX) for caching.
D.Create read replicas of the RDS for MariaDB instance and configure the application to send read queries to the read replicas.
AnswerD

Read replicas offload read traffic with minimal application changes (connection string).

Why this answer

Option D (RDS for MariaDB read replicas) offloads the read-heavy traffic with the smallest change: reads connect to a replica endpoint instead of the primary, which is a connection-string change rather than a code change. Because replication is asynchronous, reads that must see a write immediately stay on the primary. Option A (Aurora) would require a database migration. Option B (ElastiCache) requires application code to populate and check the cache.

Option C (DynamoDB with DAX) replaces the relational database entirely; DAX only caches DynamoDB.

279
MCQmedium

A company is running a containerized microservices application on Amazon ECS with Fargate launch type. The application experiences increased latency during peak hours. Upon investigation, the CPU utilization of the tasks reaches 90%. The ECS service is configured with a target tracking scaling policy based on average CPU at 70%. However, scaling is not keeping up with demand. What should a solutions architect do to improve the responsiveness of the scaling?

A.Increase the task-level CPU limit to 2048 units.
B.Decrease the target tracking value to 50% average CPU.
C.Add a step scaling policy that adds 4 tasks when CPU exceeds 80% for 1 minute.
D.Decrease the scale-in cooldown period to 60 seconds.
AnswerC

Step scaling can add capacity in larger increments, improving response to spikes.

Why this answer

Option C is correct because adding a step scaling policy provides a more aggressive and immediate scaling response when CPU exceeds 80% for 1 minute, which complements the existing target tracking policy. Target tracking scaling policies are reactive and may not scale quickly enough during rapid demand spikes, whereas step scaling can add a fixed number of tasks instantly when a breach occurs, reducing latency during peak hours.

Exam trap

The trap here is that candidates assume decreasing the target tracking threshold (Option B) will make scaling faster, but they overlook that target tracking is inherently gradual and cannot match the immediate response of a step scaling policy during sudden load spikes.

How to eliminate wrong answers

Option A is wrong because increasing the task-level CPU limit to 2048 units (2 vCPU) does not address the scaling responsiveness issue; it only allows each task to use more CPU, which may not help if tasks are already CPU-bound and scaling is slow. Option B is wrong because decreasing the target tracking value to 50% average CPU would cause the service to scale out at a lower threshold, but it does not improve the speed of scaling; target tracking still uses a gradual, proportional approach that may not keep up with rapid demand spikes. Option D is wrong because decreasing the scale-in cooldown period to 60 seconds affects scale-in behavior (reducing tasks), not scale-out responsiveness; it could even cause thrashing if tasks are scaled in too quickly after a spike.

280
MCQhard

A company runs a stateful web application on EC2 instances behind an Application Load Balancer (ALB). The application uses WebSockets for real-time communication. During scale-in events, users experience disconnections. How can the company maintain WebSocket connections during scaling?

A.Replace the ALB with a Network Load Balancer (NLB).
B.Use sticky sessions (session affinity) on the ALB.
C.Enable connection draining on the ALB target group.
D.Use an Auto Scaling lifecycle hook to delay instance termination.
AnswerC

The target group's deregistration delay (the ALB equivalent of Classic Load Balancer "connection draining") keeps the target in DRAINING so existing connections can finish before the instance is deregistered.

Why this answer

Option C is correct because the target group's deregistration delay keeps a target in DRAINING after Auto Scaling deregisters it, so in-flight requests and open WebSocket connections can finish before the instance is terminated; Auto Scaling waits for the delay to elapse (or for connections to drain) before it terminates the instance. Option B is wrong because sticky sessions only influence which target a new connection is sent to; they do nothing for a connection whose instance is being removed. Option D is wrong because a lifecycle hook pauses termination but does not by itself stop the load balancer from routing to the instance or manage the open connections.

Option A is wrong because an NLB also drops connections when a target is removed; changing the load balancer type does not address scale-in behaviour. Note that the delay is bounded (300 seconds by default, 3,600 at most), so a WebSocket session that outlives it is still closed; clients need reconnect logic and the server should close gracefully when it sees the target draining.

281
MCQmedium

A company runs a production database on Amazon RDS for PostgreSQL. They need to perform a major version upgrade with minimal downtime. Which strategy should they use?

A.Use AWS Database Migration Service (DMS) to replicate data to a new instance.
B.Create a read replica of the current database using the new version, promote it, and update the connection string.
C.Create a new RDS instance with the new version and migrate data using pg_dump.
D.Take a snapshot of the database, perform an in-place upgrade, and restore if needed.
AnswerB

This approach reduces downtime to a brief cutover window.

Why this answer

Option B is correct because the replica is built and catches up while the current primary keeps serving; the outage is limited to the promotion and the connection-string switch. Option D is wrong because an in-place major version upgrade takes the instance offline for the duration of the upgrade, and restoring the snapshot afterwards would be a second outage. Option C is wrong because pg_dump and restore require writes to stop for the whole copy.

Option A is wrong because DMS adds operational overhead and replication lag. Caveat for practice: an RDS for PostgreSQL read replica runs the same major version as its source, so the pattern is realised today with RDS Blue/Green Deployments (a synchronised green environment on the new version, with a switchover that typically takes under a minute) or with logical replication to a new instance.

282
MCQhard

A company has a legacy application that runs on an EC2 instance with a single EBS volume. The application stores temporary data on a second EBS volume that is attached to the instance. The company wants to improve durability of the temporary data without increasing costs significantly. What should the company do?

A.Increase the IOPS of the current EBS volume to improve performance.
B.Use Amazon S3 for temporary data storage.
C.Add additional EBS volumes and set up RAID 1 for mirroring.
D.Move the temporary data to an instance store volume if the instance type supports it.
AnswerD

Instance store is included in the instance price, but its data is ephemeral. For temporary data this is acceptable and cost-effective.

Why this answer

Option D is correct because an instance store volume comes with the instance at no extra charge, so moving temporary data there removes the cost of the second EBS volume. The trade-off is that instance store is ephemeral (lost on stop, hibernate, termination or host failure), so it is only acceptable for data the application can regenerate. Option C is wrong because RAID 1 across additional EBS volumes doubles the volume cost.

Option A is wrong because extra IOPS add cost and do not change durability. Option B is wrong because S3 is object storage, not a block device the legacy application can mount.

283
MCQmedium

A company runs a stateful web application on EC2 instances behind an Application Load Balancer. The application stores session data locally on the instances. The company wants to improve availability and scalability. What should a solutions architect recommend?

A.Move session state to Amazon ElastiCache and make the application stateless.
B.Use Auto Scaling to add more EC2 instances.
C.Enable sticky sessions on the ALB.
D.Use larger EC2 instances to handle more sessions.
AnswerA

This decouples session state from instances, enabling scaling and fault tolerance.

Why this answer

Option A is correct because moving session state to ElastiCache makes the instances stateless, so they can be added, replaced or removed without losing user sessions. Option B is wrong because Auto Scaling without shared session state still loses sessions whenever an instance is terminated. Option C is wrong because sticky sessions pin a user to one instance, so that instance's failure still drops the session and uneven pinning limits scaling.

Option D is wrong because increasing instance size doesn't improve scalability.

284
MCQhard

A company uses Amazon DynamoDB with on-demand capacity. They notice that a specific table frequently exceeds the write throughput limit and experiences throttling. The table has a partition key with high cardinality. What is the MOST likely cause of throttling?

A.A sudden spike in write traffic exceeds the table's burst capacity
B.The table is using DynamoDB Accelerator (DAX) for writes
C.The write workload exceeds the table's provisioned write capacity
D.The table has auto scaling disabled
AnswerA

On-demand tables have a throughput limit based on previous traffic; spikes beyond that cause throttling.

Why this answer

Option A is correct. An on-demand table accommodates up to double its previous peak traffic; a spike beyond that within a 30-minute window is throttled until the table adapts. A skewed write pattern can also throttle a single partition even when the key has high cardinality, because each partition is limited to 1,000 write units per second.

Option C is wrong because an on-demand table has no provisioned write capacity. Option D is wrong because auto scaling applies only to provisioned mode. Option B is wrong because DAX is a read-through cache; writes pass through to the table and do not cause throttling on their own.

285
MCQhard

A company has a multi-account strategy using AWS Organizations. They want to enforce that all newly created S3 buckets in any account have server-side encryption enabled. What is the most scalable solution?

A.Configure AWS CloudFormation StackSets to deploy a bucket creation template with encryption.
B.Apply a service control policy (SCP) that denies PutBucketEncryption with no encryption.
C.Create an AWS Config rule in each account to remediate non-compliant buckets.
D.Use AWS CloudTrail to detect bucket creation and trigger a Lambda function to enable encryption.
AnswerB

SCPs can enforce policies across all accounts in the organization.

Why this answer

Option B is correct because an SCP attached at the root or an OU applies to every account in the organization, including accounts created later, and an explicit Deny in an SCP cannot be overridden by any identity policy in a member account. In practice the SCP denies s3:PutObject when the s3:x-amz-server-side-encryption condition key is absent or carries an unexpected value, since encryption is applied per object. Option A only covers buckets created through the StackSet template, not buckets created by hand or by other tooling.

Option C is reactive: the bucket exists unencrypted until the rule evaluates and remediates. Option D is also reactive and has to be deployed and maintained in every account. Caveat: since January 2023 S3 applies SSE-S3 to every new object by default, so a control like this matters mainly for enforcing a particular key type (SSE-KMS with a specific key) rather than encryption as such.

286
Multi-Selecthard

A company has a mission-critical application running on Amazon RDS for PostgreSQL. The database experiences high read traffic that causes performance degradation. The company wants to improve read scalability without modifying the application. Which THREE solutions should a solutions architect recommend?

Select 3 answers
A.Implement an Amazon ElastiCache cluster to cache frequently accessed data.
B.Deploy a Multi-AZ RDS instance for automatic failover.
C.Create one or more read replicas of the RDS instance and configure the application to use the reader endpoint.
D.Implement database sharding by splitting the data across multiple RDS instances.
E.Use Amazon RDS Proxy to manage database connections and reduce load.
AnswersA, C, E

Caching removes repeated reads from the database; reading through the cache is a change the question treats as minor compared with re-architecting the data layer.

Why this answer

Options A, C and E are correct. Read replicas serve read traffic (a single reader endpoint is an Aurora feature; for RDS for PostgreSQL each replica has its own endpoint, so a proxy or DNS record is usually placed in front). ElastiCache takes repeated reads off the database. RDS Proxy pools and multiplexes connections, which removes connection churn and memory pressure under high concurrency. Option B is wrong because Multi-AZ provides a synchronous standby for failover; the standby does not serve reads.

Option D is wrong because sharding requires the application to route queries by shard key, which is a significant modification.

287
Multi-Selecteasy

A company uses AWS CloudFormation to manage infrastructure. The operations team wants to ensure that all future stack updates follow best practices for change management. Which THREE actions should the team implement?

Select 3 answers
A.Enable drift detection to identify resources that have changed outside of CloudFormation.
B.Use IAM policies to restrict who can update stacks and require approval.
C.Use nested stacks to reuse templates across multiple environments.
D.Apply a stack policy to protect critical resources from accidental updates.
E.Require change sets to be created and reviewed before executing stack updates.
AnswersB, D, E

IAM policies control who can perform stack updates.

Why this answer

Options B, D and E are correct. Change sets let reviewers see exactly which resources will be modified or replaced before anything is executed; a stack policy blocks updates to designated critical resources unless it is explicitly overridden; and IAM policies restrict who can call cloudformation:UpdateStack and cloudformation:ExecuteChangeSet, which is where an approval step is enforced. Option C is wrong because nested stacks organise templates; they do not enforce any change-management step.

Option A is wrong because drift detection reports differences after the fact and does not control how changes are made.

288
MCQeasy

A company is using AWS CloudFormation to manage infrastructure. The operations team wants to be notified when a stack operation fails. Which approach is the MOST efficient?

A.Create a scheduled CloudWatch Events rule that calls the DescribeStacks API and sends an alert if status is FAILED
B.Configure an SNS topic as a notification option in the CloudFormation stack
C.Use a Lambda function that is invoked by CloudFormation via custom resource
D.Use Amazon EventBridge to monitor CloudFormation API calls and trigger a Lambda function
AnswerB

CloudFormation sends real-time notifications on stack events.

Why this answer

Option B is correct because CloudFormation publishes every stack event, including failures, to the SNS topic configured on the stack (the notification ARNs option), with nothing extra to run. Option A polls and so adds both delay and API calls. Option C is wrong because a custom resource runs as one of the template's own resources, not as a failure hook for the stack operation.

Option D works but adds an event rule and a function to maintain for something the native notification option already provides.

289
MCQeasy

A development team deploys a web application on Amazon EC2 instances behind an Application Load Balancer. The application experiences intermittent 503 errors. A Solutions Architect notices that the errors coincide with high CPU utilization on the EC2 instances. What is the MOST effective way to improve the application's availability?

A.Increase the idle timeout setting on the Application Load Balancer.
B.Decrease the health check interval on the Application Load Balancer.
C.Configure an Auto Scaling group for the EC2 instances with a scaling policy based on average CPU utilization.
D.Use larger EC2 instance types to handle the load.
AnswerC

Auto Scaling dynamically adds/removes instances based on demand, maintaining availability and reducing 503 errors.

Why this answer

Option C is correct because an Auto Scaling group with a CPU-based policy adds instances as load rises and removes them when it falls, so the fleet keeps enough capacity to answer requests instead of returning 503s. Option D is wrong because a larger instance is a fixed ceiling that still saturates under a bigger spike and costs more at idle. Option A is wrong because the idle timeout governs how long the ALB keeps an idle connection open; it has no bearing on CPU-saturated targets.

Option B is wrong because a shorter health check interval only marks overloaded instances unhealthy faster, which removes capacity rather than adding it.

290
MCQmedium

An IAM policy is attached to a user. What is the result when the user tries to upload an object with SSE-KMS encryption?

A.The upload succeeds because the Deny statement has no Principal specified.
B.The upload is denied only if the object is larger than 5 GB.
C.The upload succeeds because the user has an Allow for s3:PutObject.
D.The upload is denied because the Deny statement applies to all uploads.
AnswerD

The Deny is unconditional.

Why this answer

Option D is correct because the Deny statement carries no Condition, so it matches every s3:PutObject request, and an explicit Deny overrides any Allow in the evaluation logic. Option A is wrong because identity-based policies never name a Principal; the user the policy is attached to is the implicit principal. Option C is wrong because the Allow (scoped to SSE-S3 uploads) cannot win against an explicit Deny, and the request uses SSE-KMS in any case.

Option B is wrong because nothing in the policy conditions on object size.

291
Multi-Selecteasy

A company is using AWS CloudFormation to deploy infrastructure. They want to ensure that updates to a stack do not cause downtime for a critical web application. Which THREE strategies should they consider? (Choose THREE.)

Select 3 answers
A.Use the DeletionPolicy attribute to retain resources.
B.Apply a stack policy to protect critical resources.
C.Use a rolling update strategy with an appropriate batch size.
D.Use Change Sets to preview stack updates.
E.Use nested stacks to isolate components.
AnswersB, C, D

Stack policies prevent accidental updates to protected resources.

Why this answer

Option D is correct because change sets show what an update will modify or replace before it is executed. Option B is correct because a stack policy stops designated critical resources from being updated or replaced by accident. Option C is correct because a rolling update (the AutoScalingRollingUpdate update policy on an Auto Scaling group) replaces instances in batches, keeping the rest in service.

Option A is wrong because DeletionPolicy only governs what happens to a resource when it is removed from the stack; it does not prevent a replacing update. Option E is wrong because nested stacks organise templates and do not by themselves avoid downtime.

292
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. A stack update fails with a resource update failure. The team wants to investigate the specific error without rolling back the stack. What is the BEST approach?

A.Rerun the stack update with the --disable-rollback flag and then describe the stack events.
B.Delete the stack and review the CloudFormation logs.
C.Create a change set to preview the updates.
D.Use the AWS CLI describe-stack-resources command to see the status of each resource.
AnswerA

Disabling rollback preserves the stack for investigation.

Why this answer

Option A is correct because running the update with rollback disabled (update-stack --disable-rollback) leaves the stack in UPDATE_FAILED with the failed resource in place, and describe-stack-events then shows the status reason for that resource. Option B is wrong because deleting the stack destroys the very resource the team wants to inspect. Option C is wrong because a change set previews a future update; it says nothing about why the current one failed.

Option D is wrong because describe-stack-resources reports status after the fact; on its own it does nothing to stop the rollback that discards the failed state, which is what the team asked for.

293
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). They have configured an Auto Scaling group with a dynamic scaling policy based on CPU utilization. During a traffic spike, the Auto Scaling group launches new instances, but users report slow response times. What should the company do to improve the scaling responsiveness?

A.Decrease the CPU utilization threshold for scale-out.
B.Increase the cooldown period for the Auto Scaling group.
C.Implement scheduled scaling actions to add capacity before known peak times.
D.Change the scaling policy to step scaling with a higher step adjustment.
AnswerC

Scheduled scaling proactively adds capacity based on expected traffic.

Why this answer

Option C is correct because scheduled scaling adds capacity ahead of a known peak, so instances are already in service when traffic arrives; every reactive policy lags by the time an instance takes to launch and pass health checks. Option B is wrong because a longer cooldown delays further scaling actions. Option D is wrong because step scaling reacts more aggressively but still only after the breach.

Option A is wrong because a lower threshold triggers earlier and more often, raising cost, without removing the launch delay.

294
MCQeasy

A company is using Amazon S3 to store sensitive customer data. The security team requires that all data be encrypted at rest. Currently, the S3 bucket uses server-side encryption with S3 managed keys (SSE-S3). The company wants to use a key stored in AWS KMS for additional control. What is the simplest way to achieve this?

A.Add a lifecycle policy to transition objects to SSE-KMS.
B.Use S3 Batch Operations to copy objects and re-encrypt with SSE-KMS.
C.Change the bucket's default encryption configuration to SSE-KMS.
D.Use a bucket policy to deny uploads without SSE-KMS.
AnswerC

Default encryption applies automatically to all new objects; existing objects remain with SSE-S3.

Why this answer

Option C is correct because changing the bucket's default encryption to SSE-KMS with the chosen key makes every new object use that key, with no client changes and no re-upload. Option A is wrong because lifecycle rules transition storage classes or expire objects; they do not change encryption. Option D is wrong because a bucket policy can reject uploads that do not request SSE-KMS, but it does not apply the key for you; it is a complementary control.

Option B is wrong for "simplest", but note that an S3 Batch Operations copy job is the way to re-encrypt the existing SSE-S3 objects, which the default-encryption change leaves untouched.

295
MCQeasy

A company uses Amazon RDS for MySQL with Multi-AZ deployment. The database experiences a failover event. After the failover, the application team notices that the new primary DB instance has higher latency than expected. What is the most likely cause?

A.The read replica in a different region is now serving traffic.
B.The Multi-AZ configuration was disabled during the failover.
C.A pending modification to the DB instance was applied during failover.
D.The DB parameter group was changed to a less efficient configuration.
AnswerC

Pending modifications are applied during failover, which can cause latency.

Why this answer

Option C is correct because a modification scheduled for the next maintenance window or reboot (an instance class change, for example) is applied during the failover, so the promoted instance may be a different size or briefly under load from the change. Option B is wrong because a failover does not alter the Multi-AZ configuration. Option D is wrong because a static parameter change takes effect on reboot and a dynamic one immediately; neither is tied to failover.

Option A is wrong because the Multi-AZ standby is not a read replica and serves no traffic before promotion, and a cross-Region replica does not become the primary in a failover. A cold buffer pool on the newly promoted instance is also a common reason for a short latency rise after failover, even when nothing was pending.

296
Multi-Selectmedium

A company is using AWS CloudFormation to deploy a web application. The stack creation fails with the error: 'The following resource(s) failed to create: [MyEC2Instance].' The EC2 instance creation failed because of an insufficient IAM permissions error. Which TWO actions should the company take to resolve this issue? (Choose two.)

Select 2 answers
A.Modify the CloudFormation template to use a different instance type.
B.Create a new IAM service role for CloudFormation and assign it to the stack.
C.Update the IAM role associated with the CloudFormation stack to include ec2:RunInstances permission.
D.Grant the user additional IAM permissions to create EC2 instances.
E.Execute a stack update with the corrected IAM role.
AnswersC, E

The CloudFormation service needs permission to create the EC2 instance.

Why this answer

Option C is correct because CloudFormation calls EC2 with the permissions of the service role attached to the stack, so that role needs ec2:RunInstances (plus the other actions the instance resource uses). Option E is correct because the corrected role is only exercised when the stack operation is run again. Option A is wrong because the instance type has nothing to do with an authorization failure.

Option B is wrong because a brand-new role is unnecessary when the existing one can be fixed. Option D is wrong because the user's own permissions are not used while a service role is attached to the stack. Caveat: a stack whose creation rolled back is in ROLLBACK_COMPLETE and cannot be updated; it has to be deleted and created again. An update is possible only when the stack was created with rollback disabled and sits in CREATE_FAILED.

297
MCQhard

A company runs a containerized microservices application on Amazon ECS using Fargate. The application includes a service that processes messages from an Amazon SQS queue. The service is CPU-bound and takes longer to process messages as the queue depth increases. The team wants to automatically scale the number of tasks based on the queue depth. Which solution is MOST effective?

A.Use an AWS Lambda function to poll the SQS queue and invoke a new task for each message.
B.Configure ECS Service Auto Scaling with a target tracking scaling policy based on the SQS queue's ApproximateNumberOfMessagesVisible metric.
C.Increase the CPU allocation for the task definition to process messages faster.
D.Use a CloudWatch alarm based on CPU utilization to trigger an Auto Scaling action.
AnswerB

This directly scales tasks based on queue depth, providing proactive scaling.

Why this answer

Option B is correct because ECS Service Auto Scaling can track a CloudWatch metric from the SQS queue and adjust the task count to hold it near a target. Option D is wrong because CPU utilisation on a CPU-bound consumer stays high as long as there is work, so it reacts late and scales in late. Option A is wrong because Lambda is not suited to a long-running, CPU-bound worker and launching a task per message is wasteful.

Option C is wrong because a bigger task is vertical scaling; it does not add capacity as the backlog grows. Raw queue depth does not fall in proportion to the number of tasks, so the usual refinement is a custom "backlog per task" metric (ApproximateNumberOfMessagesVisible divided by running tasks) with a target derived from the acceptable latency and the per-task processing rate.

298
MCQmedium

A solutions architect deployed an AWS Lambda function using a deployment package. The function logs the error shown in the exhibit. What is the most likely cause?

A.The deployment package does not include the 'express' npm dependency.
B.The Lambda function has exceeded the maximum memory limit.
C.The Lambda function handler is incorrectly configured.
D.The Lambda execution role does not have permissions to access the module.
AnswerA

The error 'Cannot find module' means the module is missing from the package.

Why this answer

Option A is correct. "Cannot find module" on a Node.js function means the runtime located the handler file but could not resolve a required module from the deployment package; the package must include node_modules with the production dependencies installed, or the dependency must be supplied through a Lambda layer. Option C is wrong because a wrong handler setting produces a handler-not-found error, not a missing module.

Option D is wrong because the execution role governs AWS API calls, not module resolution. Option B is wrong because memory exhaustion is reported as an out-of-memory or timeout error, not a missing module.

299
MCQmedium

A company uses AWS Lambda to process incoming messages from an SQS queue. The Lambda function is triggered by SQS and processes messages in batches of 10. Recently, the number of messages has increased significantly, and some messages are being processed multiple times. What should a solutions architect do to ensure exactly-once processing?

A.Use a DynamoDB table to store unique message IDs and check for duplicates before processing.
B.Set the Lambda function's reserved concurrency to a higher value to prevent throttling.
C.Increase the visibility timeout of the SQS queue to 30 minutes.
D.Change the SQS queue to a FIFO queue and enable content-based deduplication.
AnswerB

Reserved concurrency guarantees the function the concurrency it needs, so batches are not throttled, returned to the queue and delivered again after the visibility timeout.

Why this answer

Option B is correct because a throttled SQS poller returns batches the function never processed to the queue, and they are delivered again after the visibility timeout; reserving enough concurrency removes that source of duplicates. Option C is wrong because a longer visibility timeout only delays redelivery; a throttled batch is still redelivered. Option D is wrong because content-based deduplication on a FIFO queue removes duplicate sends from the producer within the five-minute deduplication window; it does not prevent a consumer retry after a failed or throttled invocation (Lambda does support FIFO queues as event sources, so that is not the objection).

Option A is wrong for this question because it adds a table lookup and latency to every message when the immediate cause is throttling. Caveat: a standard queue is at-least-once by design, so no configuration delivers exactly-once. A consumer whose side effects must not repeat needs an idempotency key, which is what option A describes, in addition to adequate concurrency and a visibility timeout of at least six times the function timeout.
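Because a standard queue can redeliver a message (visibility timeout expiry, a throttled poller, a producer that retried SendMessage), a consumer that must not repeat a side effect has to be idempotent regardless of how concurrency is tuned. The handler below is an added example, not code from the page: it claims an idempotency key with an insert-if-absent before doing any work and reports only the records that failed, so a batch of 10 is not retried wholesale. The `IdempotencyStore` is an in-memory stand-in for a DynamoDB table written with PutItem and `ConditionExpression="attribute_not_exists(pk)"`; the event records and orders are constructed, and `order_id` is an assumed business key.

```python
"""
Added example, not from the page: an SQS-triggered Lambda handler written for
at-least-once delivery. It (1) derives an idempotency key from each message,
(2) claims the key with an insert-if-absent before doing any work, and
(3) returns partial batch failures so only the failed records go back to SQS.
The store is an in-memory stand-in for a DynamoDB conditional PutItem.
"""
import hashlib
import json
import time


class DuplicateKey(Exception):
    """Raised when an idempotency key is already claimed and not yet expired."""


class IdempotencyStore:
    """Stand-in for a DynamoDB table with a TTL attribute (constructed for this example)."""

    def __init__(self, ttl_seconds=3600):
        self._expiry = {}
        self.ttl = ttl_seconds

    def put_if_absent(self, key, now=None):
        """Mirror PutItem with ConditionExpression='attribute_not_exists(pk)'."""
        now = time.time() if now is None else now
        expiry = self._expiry.get(key)
        if expiry is not None and expiry > now:
            raise DuplicateKey(key)
        self._expiry[key] = now + self.ttl

    def release(self, key):
        """Give the key back so a retry of a failed record can claim it again."""
        self._expiry.pop(key, None)


def idempotency_key(record):
    """Prefer a business identifier from the body: a producer that retried SendMessage
    yields two SQS messages with different messageIds but the same order_id.
    Fall back to a hash of the body when there is no such identifier."""
    body = record["body"]
    try:
        order_id = json.loads(body).get("order_id")
    except (json.JSONDecodeError, AttributeError):
        order_id = None
    if order_id:
        return f"order#{order_id}"
    return "sha256#" + hashlib.sha256(body.encode()).hexdigest()


def process_order(order, ledger):
    """The business action; rejects a non-positive amount to exercise the failure path."""
    if order.get("amount", 0) <= 0:
        raise ValueError(f"rejected order {order.get('order_id')}")
    ledger.append(order["order_id"])


def process_batch(records, store, processor):
    """Run each record at most once; report which messageIds were processed, skipped or failed."""
    result = {"processed": [], "skipped": [], "failed": []}
    for record in records:
        key = idempotency_key(record)
        try:
            store.put_if_absent(key)
        except DuplicateKey:
            result["skipped"].append(record["messageId"])   # already handled earlier
            continue
        try:
            processor(json.loads(record["body"]))
            result["processed"].append(record["messageId"])
        except Exception:
            store.release(key)                              # let the redelivery claim it
            result["failed"].append(record["messageId"])
    return result


LEDGER = []
STORE = IdempotencyStore()


def handler(event, context=None, store=STORE, processor=None):
    """Lambda entry point. The return shape is what Lambda expects when the event
    source mapping is configured with FunctionResponseTypes=ReportBatchItemFailures."""
    processor = processor or (lambda order: process_order(order, LEDGER))
    result = process_batch(event["Records"], store, processor)
    return {"batchItemFailures": [{"itemIdentifier": mid} for mid in result["failed"]]}


def sqs_record(message_id, body):
    """Minimal record in the shape Lambda passes in event['Records'] (constructed)."""
    return {"messageId": message_id, "receiptHandle": "rh-" + message_id,
            "body": json.dumps(body), "attributes": {}, "eventSource": "aws:sqs"}


# Constructed batch: a producer retry of A-100 and one order that fails validation.
SAMPLE_EVENT = {"Records": [
    sqs_record("m-1", {"order_id": "A-100", "amount": 25}),
    sqs_record("m-2", {"order_id": "B-200", "amount": 40}),
    sqs_record("m-3", {"order_id": "A-100", "amount": 25}),
    sqs_record("m-4", {"order_id": "C-300", "amount": -5}),
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))   # {'batchItemFailures': [{'itemIdentifier': 'm-4'}]}
    print(LEDGER)                  # ['A-100', 'B-200']
```

Two deployment details make this work in Lambda: the event source mapping must have ReportBatchItemFailures enabled, otherwise any exception fails the whole batch and all 10 messages are redelivered; and the queue's visibility timeout should be at least six times the function timeout so a slow batch is not redelivered while it is still being processed. With a real DynamoDB table the key is released by deleting the item, and the TTL attribute bounds how long a stale claim from a crashed invocation blocks a retry.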

300
MCQeasy

A company uses AWS CloudFormation to manage infrastructure. They want to update a stack that fails due to a resource limit exceeded error. Which approach minimizes downtime while fixing the issue?

A.Manually modify the resource to reduce its capacity and then continue the update.
B.Create a change set that replaces the resource causing the limit error with a smaller instance type.
C.Roll back the stack update and ignore the error.
D.Delete the stack and recreate it with the corrected template.
AnswerB

A change set allows you to review and execute the update with minimal downtime.

Why this answer

Option B is correct because a change set shows what the replacement will do before it is executed, and CloudFormation then performs the update in place, so only the affected resource is touched. Option D is wrong because deleting and recreating the stack takes every resource down. Option A is wrong because a manual change outside CloudFormation creates drift and does not clear the failed update.

Option C is wrong because rolling back leaves the original limit problem unsolved.
