CCNA Continuous Improvement Questions

75 of 428 questions · Page 5/6 · Continuous Improvement topic

301 · MCQ · medium

A company has a serverless application using AWS Lambda and Amazon API Gateway. The application experiences cold starts that cause latency spikes. Which solution would reduce the impact of cold starts?

A. Configure Provisioned Concurrency for the Lambda function.
B. Increase the Lambda function memory allocation.
C. Decrease the Lambda function timeout.
D. Use a VPC and enable Lambda to access resources in the VPC.
Answer: A

Ensures a set number of environments are initialized and ready.

Why this answer

Option A is correct because Provisioned Concurrency keeps a number of execution environments warm. Option B is wrong because increasing memory reduces cold start duration but does not eliminate it. Option D is wrong because it increases cost and complexity.

Option C is wrong because it reduces performance.

302 · MCQ · medium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon RDS MySQL Multi-AZ DB instance. During a recent load test, the application became unresponsive for several minutes. The monitoring shows that the RDS instance CPU utilization spiked to 100% during the test. The application reads and writes to the same database. Which design change would provide the BEST improvement in database scalability and reduce CPU contention?

A. Create RDS read replicas for the DB instance and route read queries from the application to the replicas.
B. Configure an in-memory cache like Amazon ElastiCache to cache frequent queries.
C. Increase the instance size of the RDS DB instance to a larger instance type.
D. Enable Multi-AZ for the RDS instance to distribute the load across two instances.
Answer: A

Read replicas offload read traffic, reducing CPU on the primary.

Why this answer

The correct answer is A because creating RDS read replicas offloads read queries from the primary DB instance, reducing CPU contention from read-heavy workloads. Since the application reads and writes to the same database, directing read traffic to replicas decreases the primary instance's CPU utilization, directly addressing the 100% CPU spike observed during the load test. This improves database scalability by distributing read operations horizontally without altering write capacity.

Exam trap

The trap here is that candidates often confuse Multi-AZ with read replicas, thinking Multi-AZ distributes read traffic, when in fact Multi-AZ only provides a standby replica for failover and does not serve read requests.

How to eliminate wrong answers

Option B is wrong because while an in-memory cache like ElastiCache reduces read load on the database, it does not address CPU contention from write operations or provide the same level of scalability as read replicas for read-heavy workloads; it is a complementary solution, not the best improvement for database scalability in this scenario. Option C is wrong because scaling vertically (increasing instance size) provides only a temporary fix and does not improve scalability; it increases cost without addressing the root cause of read contention, and the CPU spike could recur under higher load. Option D is wrong because enabling Multi-AZ provides high availability and failover support, not load distribution; the standby instance in a Multi-AZ deployment is not active for reads or writes, so it does not reduce CPU contention on the primary instance.

303 · MCQ · hard

A company is experiencing increased latency in their web application running on EC2 instances behind an Application Load Balancer. The application uses an RDS MySQL database. The CloudWatch metrics show elevated CPU utilization on the database instance during peak hours. Which design change would be MOST effective to reduce database load without application code changes?

A. Add a second RDS read replica to distribute read traffic.
B. Upgrade the RDS instance to a larger instance type with more vCPUs.
C. Implement an ElastiCache for Redis cluster to cache frequently accessed data.
D. Enable RDS Proxy to manage database connections.
Answer: C

Caching reduces database read load without application modifications.

Why this answer

Option C is correct because ElastiCache for Redis provides an in-memory cache that reduces database read load without code changes. Option A is wrong because it would not reduce database load. Option D is wrong because RDS Proxy is for connection pooling, not caching.

Option B is wrong because increasing instance size is a vertical scaling approach that may not be as cost-effective as caching.

304 · MCQ · hard

A gaming company uses Amazon DynamoDB as the database for a leaderboard feature. The table has a partition key of 'game_id' and a sort key of 'score'. The table uses on-demand capacity mode. During a new game launch, write traffic to a few popular game_id partitions becomes very hot, causing throttling. The company wants to improve performance for these hot partitions without changing the application code. What should they do?

A. Add a global secondary index with a different partition key.
B. Enable DynamoDB Accelerator (DAX) for the table to cache frequently accessed data.
C. Switch to provisioned capacity and increase read/write capacity units for the table.
D. Implement an Amazon SQS queue to buffer write requests.
Answer: B

DAX reduces the number of reads to the table, alleviating hot partition contention.

Why this answer

Option B is correct. Using DynamoDB Accelerator (DAX) caches hot data and reduces read/write load on partitions. Option C: Increasing read/write capacity units does not apply to on-demand mode.

Option A: Adding a secondary index does not reduce throttling on the base table. Option D: Using SQS for writes would add latency and change application behavior.

305 · Multi-Select · hard

A company runs a critical application on EC2 instances in an Auto Scaling group. They want to ensure that during a patching cycle, the application remains available and no requests are dropped. Which TWO strategies should they implement? (Choose TWO.)

Select 2 answers
A. Increase the desired capacity of the Auto Scaling group before patching.
B. Stop all instances at the same time to apply patches consistently.
C. Perform a rolling update using a batch size of 50% with a pause time.
D. Use an Auto Scaling lifecycle hook to wait for a custom action before terminating instances.
E. Use Amazon Inspector to automatically patch instances.
Answers: C, D

Rolling update ensures that only a portion of instances are replaced at a time.

Why this answer

Options C and D are correct. D: Using a lifecycle hook with a custom action can pause the instance before termination, allowing graceful draining. C: Using a rolling update with a batch size ensures that only a portion of instances are patched at a time.

Option B is wrong because stopping instances all at once causes downtime. Option A is wrong because increasing desired capacity without draining connections may cause issues. Option E is wrong because Amazon Inspector identifies vulnerabilities but does not implement patching.

306 · Multi-Select · hard

A company is using AWS CloudTrail to log API activity. The security team wants to ensure that log files are tamper-proof and can be used for forensic analysis. Which TWO actions should the company take?

Select 2 answers
A. Enable S3 Object Lock on the CloudTrail S3 bucket.
B. Enable CloudTrail log file validation.
C. Use server-side encryption with AWS KMS managed keys (SSE-KMS).
D. Enable S3 Transfer Acceleration on the CloudTrail S3 bucket.
E. Set an S3 Lifecycle policy to transition logs to Amazon S3 Glacier.
Answers: A, B

Prevents deletion and overwrites.

Why this answer

Option B is correct because enabling log file validation creates a digest file that can be used to verify integrity. Option A is correct because S3 Object Lock prevents objects from being deleted or overwritten. Option C is incorrect because SSE-KMS does not prevent tampering.

Option E is incorrect because S3 Lifecycle does not prevent deletion. Option D is incorrect because S3 Transfer Acceleration does not provide security.

307 · MCQ · medium

Refer to the exhibit. An IAM policy is attached to an IAM group. When a user in the group tries to start a stopped EC2 instance with the tag 'Environment: production', the action fails. What is the MOST likely reason?

A. The policy is attached to a group, not directly to the user.
B. The user does not have MFA enabled.
C. The policy does not allow 'ec2:StartInstances' on all resources.
D. The 'ec2:StartInstances' action does not support resource-level conditions.
Answer: D

StartInstances only supports instance-level conditions, but the condition is on the resource tag; however, the condition must be on the request, not the resource, for such actions.

Why this answer

Option D is correct because the Condition block requires the resource tag to be 'Environment: production', but the action 'StartInstances' does not support resource-level authorization; it requires 'ec2:StartInstances' to be allowed without conditions, or the condition must be on the request. AWS evaluates conditions on the resource only for actions that support it. Option C is wrong because the policy allows all actions.

Option B is wrong because the policy does not enforce MFA. Option A is wrong because, although the policy is attached to a group rather than a user, that still works.

308 · MCQ · easy

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The application needs to maintain a fixed number of instances and should automatically replace any unhealthy instance. Which scaling policy should be used?

A. Scheduled scaling policy
B. Simple scaling policy
C. Target tracking scaling policy
D. Manual scaling with health check replacement
Answer: D

Manual scaling sets the desired capacity and health checks replace unhealthy instances.

Why this answer

A manual scaling policy set to maintain a fixed number of instances combined with health checks ensures that unhealthy instances are replaced.

309 · MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance does not have a public IP. What is the most secure way to provide internet access?

A. Create a VPC endpoint for the internet.
B. Launch a NAT instance in the private subnet.
C. Attach an Internet Gateway directly to the private subnet.
D. Add a NAT Gateway in the public subnet and update the private subnet's route table.
Answer: D

NAT Gateway provides outbound internet access securely.

Why this answer

Option D is correct because a NAT Gateway in a public subnet allows outbound internet traffic while preventing inbound connections. Option B is incorrect because a NAT instance is less managed and less secure. Option A is incorrect because a VPC endpoint is for AWS services only.

Option C is incorrect because an Internet Gateway attached to the private subnet would allow inbound traffic.

310 · MCQ · hard

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent latency spikes. The operations team has enabled detailed CloudWatch metrics and logs, but cannot identify the root cause. What is the MOST effective way to troubleshoot the latency issue?

A. Enable detailed ALB metrics and create a CloudWatch dashboard.
B. Migrate the application to AWS Lambda to eliminate EC2 overhead.
C. Replace the ALB with a Network Load Balancer (NLB) for lower latency.
D. Use AWS X-Ray to trace requests from the ALB to the application and downstream services.
E. Add more EC2 instances behind the ALB to distribute the load.
Answer: D

X-Ray provides end-to-end tracing to pinpoint latency sources.

Why this answer

Option D is correct because leveraging AWS X-Ray to trace requests end-to-end helps identify which component is causing latency. Option E is wrong because adding more EC2 instances may not address the root cause and could increase costs. Option C is wrong because switching to a Network Load Balancer (NLB) does not provide visibility into application-level latency.

Option A is wrong because enabling detailed monitoring on the ALB only provides metrics, not traces. Option B is wrong because migrating to Lambda adds complexity and may not solve latency issues caused by other factors.

311 · MCQ · medium

A solutions architect runs the above commands for an EC2 instance. The instance state is 'running' but the system status is 'impaired'. What should the solutions architect do to restore the instance?

A. Start the instance.
B. Stop and start the instance.
C. Modify the instance type.
D. Reboot the instance.
Answer: B

Stop/start migrates the instance to new hardware.

Why this answer

Option B is correct. AWS recommends stopping and starting the instance to move it to new underlying hardware when system status checks fail. Option A is wrong because the instance is already running.

Option D is wrong because a reboot may not resolve hardware issues. Option C is wrong because changing the instance type does not fix underlying hardware impairment.

312 · MCQ · medium

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer. The application is experiencing high latency. A Solutions Architect reviews the CloudWatch metrics and notices that the ALB's SurgeQueueLength is consistently high. What does this indicate, and how should the architect respond?

A. The ALB is buffering requests because the backend instances are overwhelmed; increase the number of instances or improve instance performance.
B. The backend instances are failing health checks; review the health check configuration.
C. Clients are sending too many requests; implement API rate limiting.
D. The ALB is experiencing a high number of new connections; increase the idle timeout setting.
Answer: A

SurgeQueueLength indicates request buffering; scaling out the backend will reduce latency.

Why this answer

Option A is correct because a high SurgeQueueLength means the ALB is receiving more requests than the healthy instances can handle, causing queuing. Option D is wrong because the surge queue is for HTTP requests, not connections. Option C is wrong because it is not a client-side issue.

Option B is wrong because the queue is at the ALB level, not the instance level.

313 · MCQ · hard

A company runs a customer-facing web application on EC2 instances behind an Application Load Balancer. The application stores session data in an RDS MySQL database. Recently, they have been experiencing increased latency and occasional timeouts during peak hours. The operations team has observed that the RDS instance's CPU utilization is consistently above 80%, and the number of database connections is near the maximum allowed. The application code is not easily modifiable in the short term. The company needs a solution that reduces the load on the database with minimal changes to the application. What should a solutions architect recommend?

A. Increase the RDS instance size to a larger instance type.
B. Create an RDS read replica and offload read traffic to it.
C. Implement an Amazon ElastiCache cluster and modify the application to cache frequent queries.
D. Migrate the database to Amazon Aurora with Multi-AZ.
Answer: C

Caching reduces database load and can be done with minimal code changes if using a caching abstraction.

Why this answer

Option C is correct because implementing an in-memory cache like ElastiCache can offload frequent reads, reducing database load without code changes if the application uses caching libraries or can be configured to use a caching layer. Option B is wrong because read replicas would help with read scaling, but the issue is both CPU and connections; also, the application might not be read-heavy. Option D is wrong because switching to Aurora would require migration and may not address the connection limit.

Option A is wrong because increasing instance size is a temporary fix and doesn't address the architectural issue.

314 · MCQ · hard

A company has a hybrid architecture with an AWS Direct Connect connection to its on-premises data center. The company wants to improve network availability and ensure that if the Direct Connect fails, traffic automatically uses a VPN backup. Which configuration should the company implement?

A. Use a NAT gateway to route traffic through the internet as a backup.
B. Configure a Direct Connect gateway and attach a VPN to it, then advertise the same prefixes via BGP with lower priority on the VPN.
C. Create a Site-to-Site VPN connection and update route tables to point all traffic to the VPN.
D. Set up a second Direct Connect connection from a different provider.
Answer: B

Allows automatic failover to VPN if Direct Connect fails.

Why this answer

Option B is correct because AWS VPN CloudHub provides a hub-and-spoke model for multiple VPN connections, but for failover, using BGP with Direct Connect and VPN as backup is standard. However, the best answer is to use a Direct Connect gateway with a VPN attachment for failover. Option A is wrong because it adds latency.

Option C is wrong because it bypasses Direct Connect. Option D is wrong because it does not provide automatic failover.

315 · Multi-Select · hard

A company is designing a serverless event-driven application using AWS Lambda. The application processes messages from an Amazon SQS queue. The team needs to ensure that messages are processed in order and exactly once. Which THREE steps should be taken?

Select 3 answers
A. Enable Lambda function's batch window to 0.
B. Configure the Lambda event source mapping to use the FIFO queue.
C. Use a standard SQS queue.
D. Set the Lambda function's reserved concurrency to 1.
E. Use a FIFO SQS queue with a message deduplication ID.
Answers: B, D, E

The event source mapping must be configured to read from the FIFO queue.

Why this answer

To achieve ordering and exactly-once processing, use a FIFO queue with a deduplication ID and configure a reserved concurrency of 1 to prevent parallel processing.

316 · Matching · medium

Match each AWS database service to its characteristic.

Matches

MySQL/PostgreSQL-compatible with high availability

Fully managed NoSQL key-value and document database

Petabyte-scale data warehouse for analytics

In-memory caching with Redis or Memcached

Managed relational database for multiple engines

Why these pairings

AWS offers specialized database services for various workloads.

317 · MCQ · medium

A company runs a web application on EC2 instances behind an ALB. Users report intermittent 503 errors during peak hours. The metrics show the target group's healthy host count drops to zero periodically. What is the most likely cause?

A. The ALB's idle timeout is set too low.
B. The security group for the EC2 instances does not allow inbound traffic from the ALB.
C. The EC2 instances are in an Auto Scaling group with insufficient capacity.
D. The health check path is misconfigured and returns HTTP 404.
Answer: D

A 404 response causes the ALB to mark the instance as unhealthy, reducing the healthy host count.

Why this answer

The ALB sends requests to targets based on health checks. If the health check path returns a non-200 status, the target is marked unhealthy. A misconfigured health check path (e.g., pointing to a non-existent endpoint) can cause all instances to be marked unhealthy, leading to 503 errors.

Option D is correct because it directly affects health check status. Options A, B, and C would not cause the healthy host count to drop to zero.

318 · Drag & Drop · medium

Drag and drop the steps to troubleshoot an EC2 instance that is unreachable via SSH in the correct order.

Why this order

Start with security groups, then network ACLs, then public IP, then system status, and finally console output.

319 · Multi-Select · hard

A company runs a containerized microservices application on Amazon EKS. The operations team notices that some pods are frequently being evicted due to resource constraints. The team wants to improve resource utilization and reduce evictions. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A. Configure Horizontal Pod Autoscaler based on CPU and memory utilization.
B. Increase the resource requests for all pods to ensure they have enough resources.
C. Set resource quotas per namespace to limit resource consumption.
D. Enable Cluster Autoscaler to add more worker nodes.
E. Use Vertical Pod Autoscaler to automatically adjust pod resource requests.
Answers: A, C

Scales pods to handle load.

Why this answer

Options A and C are correct. Resource quotas prevent a single namespace from consuming all resources. Horizontal Pod Autoscaler automatically scales pods based on resource usage.

Option E is wrong because Vertical Pod Autoscaler adjusts resource requests but can cause pod restarts. Option D is wrong because Cluster Autoscaler adds nodes; it does not reduce evictions caused by pod-level constraints. Option B is wrong because increasing requests may lead to over-provisioning.

320 · MCQ · medium

A Lambda function's logs are being retained for 30 days. The company wants to reduce costs by deleting logs older than 7 days. What should they do?

A. Export the logs to S3 and delete the log group.
B. Use the put-retention-policy command to set retentionInDays to 7.
C. Configure an S3 Lifecycle policy on the log group's underlying storage.
D. Create a CloudTrail trail to capture log events and expire them after 7 days.
Answer: B

This command directly sets the log group's retention period.

Why this answer

The exhibit shows the log group has a retention policy of 30 days. To change it to 7 days, use the put-retention-policy CLI command. Option B is correct.

Option D (CloudTrail) is for API logs. Option C (S3 Lifecycle) is for objects, not CloudWatch Logs. Option A (export to S3) is for archival, not deletion.

321 · MCQ · hard

A company runs a critical web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application stores session state in an Amazon ElastiCache for Redis cluster. Recently, the operations team noticed that during traffic spikes, the ALB returns 5xx errors and the application becomes slow. CloudWatch metrics show that the Redis cluster's CPU utilization reaches 100% and memory usage is high. The Auto Scaling group scales out, but the new instances take several minutes to warm up and become healthy. The company needs to improve the application's ability to handle traffic spikes with minimal impact on performance. Which solution should the company implement?

A. Configure ElastiCache Auto Scaling to automatically add nodes when CPU utilization exceeds 75%.
B. Enable cluster mode for the Redis cluster and add more shards.
C. Enable Multi-AZ replication for the Redis cluster.
D. Increase the instance size of the Redis cluster to a larger node type.
Answer: B

Cluster mode distributes data and load across multiple shards, increasing CPU and memory capacity.

Why this answer

Enabling cluster mode for the Redis cluster and adding more shards horizontally partitions the data across multiple nodes, distributing both CPU and memory load. This directly addresses the 100% CPU and high memory utilization during traffic spikes, allowing the cluster to handle more concurrent requests without performance degradation. Cluster mode also provides linear scalability, which is essential for a critical web application experiencing variable traffic.

Exam trap

The trap here is that candidates often confuse vertical scaling (increasing instance size) with horizontal scaling (adding shards), and fail to recognize that cluster mode is the only option that distributes both CPU and memory load across multiple nodes, which is necessary when a single node reaches 100% CPU utilization.

How to eliminate wrong answers

Option A is wrong because ElastiCache Auto Scaling is not a native feature; it requires custom automation using CloudWatch alarms and Lambda, and even then it adds nodes reactively, not proactively preventing the latency and 5xx errors during spikes. Option C is wrong because Multi-AZ replication provides high availability and failover, but it does not distribute read/write load or reduce CPU/memory pressure on the primary node. Option D is wrong because increasing the instance size (vertical scaling) has a hard limit based on the largest available node type and can still be overwhelmed during extreme spikes, whereas horizontal scaling with cluster mode offers near-unlimited scalability.

322 · MCQ · medium

A company runs a web application on Amazon EC2 instances in an Auto Scaling group across three Availability Zones. The application writes logs to local instance storage. The company wants to centralize log collection and ensure logs are retained even if instances are terminated. The current solution uses the Amazon CloudWatch Logs agent, but log streams are frequently missing when instances are replaced. What should the company do to ensure complete log collection?

A. Configure the CloudWatch agent to use a persistent buffer on an EBS volume.
B. Configure an S3 Lifecycle policy to transition logs to S3 Glacier.
C. Use the CloudWatch agent to send logs directly to Amazon S3.
D. Attach an EBS volume to each instance and store logs there.
Answer: A

Persistent buffer ensures logs are sent before instance termination.

Why this answer

Option A is correct because the CloudWatch agent can be configured to buffer logs to disk, preventing data loss during instance termination. Option D is incorrect because EBS volumes do not persist when an instance is terminated unless termination protection is enabled, but logs are on instance store. Option B is incorrect because S3 Lifecycle does not affect CloudWatch log retention.

Option C is incorrect because the CloudWatch agent does not export to S3 directly without additional configuration.

323 · MCQ · hard

A company runs a web application on Amazon ECS with Fargate launch type behind an Application Load Balancer. The application stores session state in a local file system on the container. Users report that they are frequently logged out and lose session data. What is the most likely cause?

A. ECS tasks are being replaced by the service scheduler during deployments or health checks.
B. The security group for the ECS tasks is blocking inbound traffic from the ALB.
C. The ECS service is configured to scale out, causing new tasks to be created without existing session data.
D. The Application Load Balancer is not configured with sticky sessions.
Answer: A

Fargate tasks are ephemeral; replacement causes loss of local session data.

Why this answer

Option A is correct because Fargate tasks are ephemeral; they can be replaced due to deployments or health checks, causing loss of local session data. Option D is wrong because ALB sticky sessions are irrelevant if the container itself is replaced. Option C is wrong because scaling out does not cause individual container replacement.

Option B is wrong because the issue is about session persistence, not security groups.

324 · MCQ · hard

A company runs a critical application on Amazon ECS with Fargate launch type. The application experiences intermittent latency spikes. CloudWatch metrics show high CPU utilization on tasks during these spikes. The current task definition has 1 vCPU and 2 GB memory. Which improvement will most effectively reduce latency without over-provisioning?

A. Increase the number of tasks (desired count) to distribute the load.
B. Increase the vCPU to 2 while keeping 2 GB memory.
C. Increase both memory and vCPU to 4 GB and 2 vCPUs.
D. Increase the memory to 4 GB while keeping 1 vCPU.
Answer: C

Balanced increase addresses both CPU and memory constraints.

Why this answer

Option C is correct because increasing memory and vCPU together can improve performance for CPU-bound tasks. Option D is wrong because increasing only memory doesn't address CPU. Option B is wrong because increasing only vCPU might not be enough if memory is also a bottleneck.

Option A is wrong because scaling horizontally may not reduce latency for a single request if the task itself is underpowered.

325 · Multi-Select · medium

A company is using AWS Lambda functions behind an Amazon API Gateway REST API. The Lambda functions are written in Python and use the boto3 SDK to interact with DynamoDB. Recently, the company has observed increased latency and occasional 5xx errors from the API. The operations team wants to implement continuous improvements. Which TWO actions should be taken to improve performance and reliability? (Choose 2)

Select 2 answers
A. Set Lambda reserved concurrency to 5 for each function.
B. Configure provisioned concurrency for all Lambda functions.
C. Enable API Gateway caching with a TTL of 60 seconds.
D. Increase the Lambda function timeout to 30 seconds.
E. Enable DynamoDB auto scaling for the table.
Answers: C, E

Caching reduces the number of requests reaching Lambda and DynamoDB, improving latency and reducing load.

Why this answer

Option E: Enabling DynamoDB auto scaling adjusts capacity based on traffic patterns, reducing throttling-related errors. Option C: Configuring API Gateway caching reduces the load on Lambda and DynamoDB for repeated requests. Option D: Increasing the Lambda timeout may not address the root cause and could mask issues.

Option B: Provisioned concurrency helps with cold starts but not with DynamoDB throttling. Option A: Lambda reserved concurrency limits concurrency, which could worsen throttling.

326 · MCQ · medium

A company is migrating an on-premises application to AWS. The application requires persistent shared storage that can be accessed by multiple EC2 instances simultaneously with strong consistency. Which AWS storage solution should the company use?

A. Amazon S3 with S3 File Gateway.
B. Amazon S3 Glacier Deep Archive.
C. Amazon EBS with Multi-Attach enabled.
D. Amazon EFS
Answer: D

EFS provides a POSIX file system with strong consistency across instances.

Why this answer

Option D is correct because Amazon EFS provides a fully managed NFS file system that can be mounted by multiple EC2 instances with strong consistency. Option C is wrong because EBS volumes can only be attached to one instance at a time (Multi-Attach is limited). Option A is wrong because S3 is object storage, not a file system.

Option B is wrong because S3 Glacier is for archival.

327 · Multi-Select · hard

A company runs a microservices architecture on Amazon ECS with Fargate. The operations team observes that some services are experiencing high latency during peak hours. The team wants to identify the root cause. Which THREE approaches should the team use? (Choose THREE.)

Select 3 answers
A. Use AWS X-Ray to trace requests through the microservices
B. Enable AWS CloudTrail to log API calls
C. Enable VPC Flow Logs to analyze network traffic
D. Use Amazon CloudWatch ServiceLens to correlate metrics, logs, and traces
E. Enable Container Insights for Amazon ECS
Answers: A, D, E

Identifies bottlenecks in the application flow.

Why this answer

Option E (Container Insights) provides detailed metrics for each service. Option A (X-Ray) helps trace requests across services. Option D (ServiceLens) shows latency distribution.

Option B (CloudTrail) is for API calls. Option C (VPC Flow Logs) is for network traffic analysis, not application latency.

328
MCQeasy

A company is using Amazon CloudFront to deliver content to users worldwide. The origin is an S3 bucket. Users in some regions experience high latency. What is the most effective way to reduce latency?

A.Add more CloudFront edge locations in the affected regions.
B.Enable CloudFront's SSL/TLS certificate using SNI only.
C.Use an origin shield to reduce the number of requests to the S3 bucket.
D.Enable S3 Transfer Acceleration on the bucket.
AnswerC

Origin shield increases cache hit ratio and reduces origin load.

Why this answer

Option C is correct because Origin Shield adds a central caching layer between the edge locations and the S3 origin, raising the cache hit ratio so that more requests are served from cache instead of being fetched from the origin. Option A is wrong because edge locations are not something a customer adds; CloudFront routes viewers across its global network automatically. Option B is wrong because SNI is a certificate-delivery setting and does not affect latency.

Option D is wrong because S3 Transfer Acceleration speeds up transfers by clients that talk to the bucket directly over the AWS edge network; it does not change how CloudFront fetches from its origin.

329
MCQhard

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an S3 bucket and a Lambda function that processes objects uploaded to the bucket. Recently, updates to the Lambda code caused the stack update to fail because the S3 bucket already existed in the account. What is the most efficient way to allow future updates without error?

A.Use AWS CloudFormation resource import to bring the existing bucket into the stack.
B.Set the DeletionPolicy attribute to Retain on the S3 bucket resource in the CloudFormation template.
C.Use a custom resource to check if the bucket exists before creation.
D.Manually delete the S3 bucket before each stack update.
AnswerB

Retain prevents replacement and allows update even if bucket exists.

Why this answer

Option B is correct because DeletionPolicy: Retain keeps the bucket whenever CloudFormation would otherwise delete it, so the team never has to delete and recreate it by hand between updates. Option A is wrong in the exam's framing because resource import is a separate, manual operation rather than a template change; note, though, that when a stack fails because a resource "already exists" outside the stack, import is the mechanism that brings it under CloudFormation control. Option C is wrong because a custom resource adds Lambda code and complexity to work around the problem.

Option D is wrong because it destroys the bucket on every update and does not address the root cause.

330
MCQhard

A company has a legacy monolithic application running on a single EC2 instance. The application stores customer data in an attached EBS volume. The company wants to modernize the application to improve scalability and availability. Which approach should a solutions architect recommend?

A.Use a larger EC2 instance with enhanced networking.
B.Configure multiple EC2 instances to share the same EBS volume using Multi-Attach.
C.Replace the EBS volume with an Aurora RDS database.
D.Refactor the application into microservices running on Amazon ECS with data stored in Amazon S3.
AnswerD

Containers and S3 provide scalability, availability, and stateless design.

Why this answer

Option D is correct because refactoring into containerized, stateless services with data in Amazon S3 decouples storage from compute, so each service can be scaled and replaced independently. Option A is wrong because a larger instance remains a single point of failure. Option B is wrong because EBS Multi-Attach is limited to io1/io2 volumes in one Availability Zone, and multiple instances writing to an ordinary file system on the same volume corrupt it.

Option C is wrong because Aurora is a relational database; it does not replace a block volume holding application files without redesigning the data model.

331
Multi-Selecteasy

A company is using Amazon CloudFront to distribute content globally. They want to improve the cache hit ratio. Which TWO actions are most effective? (Choose two.)

Select 2 answers
A.Configure the cache behavior to forward all query strings but cache based on a whitelist.
B.Increase the minimum TTL for objects.
C.Configure custom error responses to serve cached content on errors.
D.Decrease the default TTL for objects.
E.Enable automatic compression for compressible objects.
AnswersA, B

This prevents multiple cache entries for different query string orders.

Why this answer

Option A is correct because caching on a whitelist of query-string parameters, rather than on every parameter in every order, stops one logical object from occupying many cache entries. Option B is correct because a longer minimum TTL keeps objects in the cache longer before CloudFront revalidates them with the origin. Option D is wrong because a shorter TTL evicts objects sooner and lowers the hit ratio.

Option C is wrong because custom error responses control what viewers see on an error, not how often the cache is hit. Option E is wrong because compression reduces transfer size and improves speed but does not change the hit ratio.

332
Multi-Selecthard

A company is deploying a new application on AWS and wants to implement a least-privilege IAM policy for an EC2 instance that needs to read from an S3 bucket (my-bucket) and write logs to CloudWatch Logs. Which THREE statements should be included in the IAM policy? (Choose three.)

Select 3 answers
A.{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*"}
B.{"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::my-bucket/*"}
C.{"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:*"}
D.{"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"}
E.{"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*"}
AnswersA, C, E

Grants read access to objects in the bucket.

Why this answer

Option A is correct because the instance only needs to read objects, so the least-privilege S3 action is s3:GetObject scoped to arn:aws:s3:::my-bucket/* (object ARNs carry the /* suffix; the bare bucket ARN is needed only for bucket-level actions such as s3:ListBucket). Option C is correct because it names the two actions an agent or SDK needs to write to an existing log group and scopes them to that group's streams rather than to *. Option E is in the answer key, but the scenario does not call for writing to the bucket; a strictly least-privilege policy would leave s3:PutObject out. Option B is wrong because s3:* grants delete, ACL and policy permissions the instance does not need. Option D is wrong because logs:PutLogEvents on Resource * lets the instance write into any log group in the account.

Exam trap

The trap here is that candidates often include overly broad actions (like s3:* or logs:* on wildcard resources) instead of scoping to the specific actions and resources needed, failing the least-privilege requirement.

333
MCQhard

A company is using t3.large instances in an Auto Scaling group. They want to launch instances that support both x86_64 and arm64 architectures. Based on the exhibit, can they meet this requirement with t3.large?

A.No, because t3.large instances only support x86_64 architecture.
B.Yes, because t3.large supports both architectures.
C.No, because t3.large is not a current generation instance type.
D.Yes, but only if they use a custom AMI that supports both architectures.
AnswerB

The output shows SupportedArchitectures: ["x86_64", "arm64"].

Why this answer

Option B is correct because the exhibit shows SupportedArchitectures containing both x86_64 and arm64, so the instance type as shown supports both. Option A is wrong because it contradicts the exhibit. Option C is wrong because t3.large is a current-generation instance type.

Option D is wrong because an AMI is built for one architecture; the architecture is chosen by pairing an instance type with a matching AMI at launch, not by a single dual-architecture AMI. (Outside this exhibit, note that the real t3 family is x86_64 only; the Graviton-based arm64 burstable family is t4g.)

334
MCQhard

A financial services company runs a critical application on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones. The application uses an Amazon RDS for MySQL database with Multi-AZ deployment. The company has a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 hour for the database. During a recent disaster recovery drill, the solutions architect simulated an Availability Zone failure by terminating all EC2 instances and the primary RDS instance in one AZ. The Auto Scaling group launched new instances in the other AZ, and the RDS Multi-AZ failover completed in about 2 minutes. However, the application remained unavailable for 30 minutes because the new EC2 instances could not connect to the RDS secondary instance. The security groups are configured correctly. The RDS instance is not publicly accessible. What is the MOST likely cause of the connectivity issue?

A.The security group for the EC2 instances does not allow outbound traffic to the RDS instance.
B.The RDS Multi-AZ failover took longer than expected, exceeding the RTO.
C.The RDS endpoint DNS record did not update to point to the new primary.
D.The application is using a hardcoded IP address or an endpoint that points to the old primary RDS instance instead of the RDS DNS name.
AnswerD

If the application does not use the RDS DNS name, it will try to connect to the old primary's IP, which is no longer available after failover.

Why this answer

Option D is correct. After a Multi-AZ failover the standby is promoted and the RDS endpoint's CNAME is repointed at it; a client that connects by the endpoint DNS name follows the change within seconds. A client configured with the old primary's IP address, or with a name it resolved once and never again, keeps connecting to an address that no longer accepts connections, and the outage lasts until someone fixes the configuration, which matches the 30-minute gap observed.

Option A is wrong because the question states the security groups are correct, and security groups allow all outbound traffic by default. Option B is wrong because the failover completed in about 2 minutes, well inside the 15-minute RTO. Option C is wrong because RDS updates the endpoint record as part of the failover and publishes it with a short TTL.

335
Multi-Selecthard

A company runs a stateful web application on EC2 instances with EBS volumes. They want to improve resilience by distributing the workload across multiple Availability Zones. Which THREE steps should they take?

Select 3 answers
A.Use Amazon EFS for shared storage across AZs.
B.Attach the same EBS volume to instances in different AZs.
C.Place EC2 instances in an Auto Scaling group spanning multiple AZs.
D.Use an Application Load Balancer with targets in multiple AZs.
E.Configure EBS Read Replicas in another AZ.
AnswersA, C, D

EFS is a shared file system accessible from multiple AZs.

Why this answer

Correct answers are A, C, and D. Option A ensures data is available in multiple AZs. Option C distributes instances for high availability.

Option D handles traffic distribution and health checks. Option B is wrong because EBS volumes cannot be attached cross-AZ. Option E is wrong because Read Replicas are for RDS, not EBS.

336
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. They want to update a stack but need to ensure that a specific resource is not accidentally replaced. Which CloudFormation attribute should they use?

A.DeletionPolicy
B.UpdateReplacePolicy
C.CreationPolicy
D.UpdatePolicy
AnswerA

Setting DeletionPolicy to Retain ensures the resource is not deleted, thus not replaced.

Why this answer

Option A is correct because DeletionPolicy: Retain tells CloudFormation to leave the physical resource in place whenever the stack would otherwise delete it, which is what protects the data in a stateful resource such as a bucket or a database.

Strictly, no resource attribute stops CloudFormation from replacing a resource; replacement is decided by which properties changed (each property's documentation says "Update requires: Replacement" where that applies). A replacement creates the new physical resource first and deletes the old one last. UpdateReplacePolicy: Retain (option B) keeps that old resource instead of deleting it, while DeletionPolicy: Retain covers stack deletion and removal of the resource from the template; in practice both attributes are set together on every stateful resource. To block a replacing update outright, use a stack policy that denies Update:Replace on the resource's logical ID, which is not among the options.

Option C (CreationPolicy) makes CloudFormation wait for success signals during creation. Option D (UpdatePolicy) governs rolling and replacing updates of Auto Scaling groups and a few other resource types; it is not a general protection against replacement.
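The check below is an added example, not code from this page or from AWS, for the attributes discussed above: it scans a template for stateful resource types that lack a protective DeletionPolicy or UpdateReplacePolicy, and builds the stack policy that actually blocks replacement or deletion of those resources. The template and the list of stateful types are constructed for illustration, and the list is not exhaustive.

```python
"""Find stateful CloudFormation resources that would be destroyed on
replacement or stack deletion, and build a stack policy that blocks both.
Added example; STATEFUL_TYPES and TEMPLATE are constructed, not exhaustive."""
import json

# Resource types whose physical resource holds data. Assumption: an
# illustrative subset; extend it for your own templates.
STATEFUL_TYPES = {
    "AWS::S3::Bucket", "AWS::RDS::DBInstance", "AWS::RDS::DBCluster",
    "AWS::DynamoDB::Table", "AWS::EFS::FileSystem", "AWS::SQS::Queue",
}
# Values that keep (or snapshot) the physical resource instead of deleting it.
PROTECTIVE = {"Retain", "RetainExceptOnCreate", "Snapshot"}
PROTECTIVE_ATTRS = ("DeletionPolicy", "UpdateReplacePolicy")


def find_unprotected(template):
    """Return {logical_id: [missing attribute names]} for every stateful
    resource whose DeletionPolicy or UpdateReplacePolicy is absent or Delete."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in STATEFUL_TYPES:
            continue
        missing = [attr for attr in PROTECTIVE_ATTRS
                   if resource.get(attr) not in PROTECTIVE]
        if missing:
            findings[logical_id] = missing
    return findings


def stack_policy_for(logical_ids):
    """Stack policy that allows every update except replacing or deleting the
    named resources. In stack policies a Deny overrides an Allow."""
    return {
        "Statement": [
            {"Effect": "Allow", "Action": "Update:*",
             "Principal": "*", "Resource": "*"},
            {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
             "Principal": "*",
             "Resource": [f"LogicalResourceId/{lid}" for lid in sorted(logical_ids)]},
        ]
    }


# Constructed template: the bucket carries both attributes, the table only
# DeletionPolicy, and the Lambda function is stateless so it is ignored.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Retain",
            "Properties": {"BucketName": "my-bucket"},
        },
        "SessionTable": {
            "Type": "AWS::DynamoDB::Table",
            "DeletionPolicy": "Retain",
            "Properties": {
                "BillingMode": "PAY_PER_REQUEST",
                "AttributeDefinitions": [{"AttributeName": "sid", "AttributeType": "S"}],
                "KeySchema": [{"AttributeName": "sid", "KeyType": "HASH"}],
            },
        },
        "Worker": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Runtime": "python3.12", "Handler": "app.handler",
                           "Role": "arn:aws:iam::123456789012:role/worker",
                           "Code": {"ZipFile": "def handler(e, c): return e"}},
        },
    },
}

if __name__ == "__main__":
    print("unprotected:", find_unprotected(TEMPLATE))
    stateful = [lid for lid, r in TEMPLATE["Resources"].items()
                if r["Type"] in STATEFUL_TYPES]
    print(json.dumps(stack_policy_for(stateful), indent=2))
```

Run against the constructed template it reports SessionTable as missing UpdateReplacePolicy; the stack policy it prints is applied with the stack's set-stack-policy operation and is what makes an accidental replacing update fail instead of proceeding.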

337
MCQmedium

A company runs a web application on a single EC2 instance. They want to improve availability and fault tolerance with minimal architectural changes. What should they do?

A.Attach multiple EBS volumes to the instance.
B.Use an Auto Scaling group with a minimum of two instances across two Availability Zones.
C.Create multiple subnets in the same Availability Zone.
D.Upgrade to a larger instance type.
AnswerB

Spreading instances across AZs provides high availability and fault tolerance.

Why this answer

Option B is correct because an Auto Scaling group with a minimum of two instances across two Availability Zones keeps the application running if one instance or one AZ fails, and does so without changing the application. Option D is wrong because a larger instance is still a single instance. Option C is wrong because subnets in the same Availability Zone share that AZ's failure domain.

Option A is wrong because extra EBS volumes add storage, not instance-level redundancy.

338
MCQhard

A company runs a stateful application on EC2 instances in an Auto Scaling group behind an ALB. They want to perform a rolling update without losing session state. Which solution is most appropriate?

A.Enable sticky sessions (session affinity) on the ALB and perform a rolling update.
B.Use a blue/green deployment with a new Auto Scaling group.
C.Scale out the Auto Scaling group, then scale in the old instances.
D.Terminate instances one by one and let Auto Scaling replace them.
AnswerA

Sticky sessions keep users on the same instance during transition.

Why this answer

Option A is correct because sticky sessions keep each user's requests on the same instance while the update proceeds, so in-memory session state is not scattered across instances mid-update. Option B is wrong because a blue/green switch moves all users to new instances at once, which loses server-side session state unless it has been externalized. Option D is wrong because terminating instances discards the sessions they hold immediately.

Option C is wrong because scaling out without stickiness routes requests to new instances that do not have the users' state. Stickiness only limits the damage: sessions on an instance that is drained are still lost, so externalizing state (as in question 342) is the durable fix.

339
MCQmedium

A company is using AWS Lambda functions to process data from an SQS queue. The Lambda function sometimes fails due to transient errors, but the messages are not being retried. Which configuration should the company check to ensure proper retry behavior?

A.Configure the Lambda function's dead-letter queue (DLQ)
B.Adjust the Maximum retries setting in the Lambda event source mapping
C.Set the SQS queue's redrive policy maxReceiveCount to a higher value
D.Increase the SQS queue's Default visibility timeout
AnswerB

This setting directly controls how many times Lambda retries failed messages from SQS.

Why this answer

Option B is correct in the exam's framing: the event source mapping's retry setting controls how many times Lambda retries a failed batch. Note, however, that MaximumRetryAttempts is only available for stream sources (Kinesis and DynamoDB Streams); for an SQS source a failed batch simply becomes visible again after the visibility timeout and is retried until the queue's redrive policy maxReceiveCount sends it to the dead-letter queue, so in practice options C and D are the settings to inspect for SQS. Option D is wrong in that framing because the visibility timeout governs how long a message stays hidden after a receive, not how many times it is retried. Option C is wrong in that framing because maxReceiveCount belongs to the SQS redrive policy rather than to Lambda.

Option A is wrong because a Lambda function's dead-letter queue setting applies to asynchronous invocations, not to SQS-polled batches, and it does not control the retry count.

340
MCQhard

A company is designing a disaster recovery strategy for a multi-tier application hosted on AWS. The application uses Amazon RDS for MySQL with Multi-AZ deployment. The Recovery Time Objective (RTO) is 15 minutes and Recovery Point Objective (RPO) is 1 hour. Which solution meets these requirements with the LEAST operational overhead?

A.Configure a Cross-Region Read Replica of the RDS instance and promote it during disaster.
B.Use AWS Database Migration Service (DMS) to continuously replicate data to a standby RDS instance in another region.
C.Take automated snapshots every hour and copy them to another region. Restore from snapshot during disaster.
D.Use RDS Multi-AZ in a different region.
AnswerA

Cross-Region Read Replicas provide low RPO and fast failover.

Why this answer

Option A is correct because a cross-Region read replica replicates asynchronously, so the RPO is the replication lag (normally seconds, well inside 1 hour), and promoting the replica to a standalone instance takes minutes, inside the 15-minute RTO; promotion is a single API call that can be scripted. Option B (DMS) can meet the numbers but adds a replication instance and task to operate. Option C meets a 1-hour RPO only if every hourly copy completes on time, and restoring a snapshot plus cutting over DNS is hard to finish within 15 minutes. Option D is not a valid configuration: a Multi-AZ standby lives in another Availability Zone of the same Region.

341
MCQhard

A company runs a containerized microservices application on Amazon ECS with Fargate launch type. The application experiences intermittent latency spikes. The team wants to capture network traffic between containers for troubleshooting. Which solution should they implement?

A.Enable AWS X-Ray tracing on the ECS tasks.
B.Configure the awslogs driver to send container logs to CloudWatch Logs.
C.Use Amazon ECS Exec to access containers and run tcpdump.
D.Enable VPC Flow Logs on the ENIs attached to the ECS tasks.
AnswerD

Flow Logs capture IP traffic metadata.

Why this answer

Option D is correct because Fargate tasks use awsvpc networking, so each task has its own elastic network interface, and VPC Flow Logs on those interfaces record every accepted or rejected flow (addresses, ports, protocol, byte and packet counts) between containers. Option A is wrong because AWS X-Ray records application-level traces, not network traffic. Option B is wrong because the awslogs driver ships the container's stdout and stderr, not network data.

Option C is wrong because ECS Exec provides an interactive shell for troubleshooting inside a container, not a supported traffic-capture mechanism. Remember that Flow Logs record flow metadata only, never packet payloads.

342
Multi-Selectmedium

A company has a stateful web application running on Amazon EC2 instances. They want to implement blue/green deployments to reduce downtime. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Migrate session state to Amazon ElastiCache or DynamoDB.
B.Use an Elastic Load Balancer (ELB) to manage the blue and green environments.
C.Use Amazon Route 53 weighted routing policies to shift traffic gradually.
D.Set a high TTL on the DNS record to prevent caching issues.
E.Immediately deregister the blue instances from the load balancer after deployment.
AnswersA, C

Decoupling session state from instances enables seamless blue/green.

Why this answer

Option A is correct because for a stateful application the session state must live outside the instances (ElastiCache or DynamoDB) so that users moved from blue to green keep their sessions. Option C is correct because Route 53 weighted records shift a controlled fraction of traffic to green and can be reversed quickly. Option B is wrong because an ELB does not manage two environments by itself; it is the routing mechanism in front of one.

Option D is wrong because a high TTL makes resolvers hold the old answer longer and delays the cutover; a low TTL is what you want. Option E is wrong because the blue instances should stay registered until green is verified, so that traffic can be rolled back.

343
MCQhard

A company has a monolithic application running on a single Amazon RDS for MySQL DB instance. The application is experiencing performance issues due to heavy read traffic. The company wants to implement a solution that offloads read traffic with minimal application changes. What should a solutions architect do?

A.Create a read replica of the RDS instance and modify the application connection string to use the reader endpoint.
B.Migrate the application to use Amazon DynamoDB with global tables.
C.Use Amazon RDS Multi-AZ with a standby instance for read traffic.
D.Implement Amazon ElastiCache in front of the database to cache read queries.
AnswerA

Read replicas offload read traffic and the reader endpoint distributes reads.

Why this answer

Creating a read replica of the RDS for MySQL DB instance and pointing the application's read path at it offloads read traffic from the primary with nothing more than a connection-string change. Note that a single load-balanced reader endpoint is an Aurora feature; a plain RDS for MySQL read replica has its own endpoint, so with several replicas the application or a Route 53 weighted record has to spread reads across them.

Exam trap

The trap here is that candidates often confuse Multi-AZ standby instances with read replicas, not realizing that Multi-AZ standby instances are strictly for high availability and cannot serve read traffic, while read replicas are specifically designed to offload read workloads.

How to eliminate wrong answers

Option B is wrong because migrating to Amazon DynamoDB with global tables would require significant application changes to adapt from a relational to a NoSQL data model, which contradicts the requirement for minimal application changes. Option C is wrong because Amazon RDS Multi-AZ with a standby instance does not support read traffic; the standby instance is only for failover and cannot serve read requests. Option D is wrong because implementing Amazon ElastiCache would require application code changes to implement caching logic, which does not meet the minimal application changes requirement.

344
Multi-Selectmedium

A company uses AWS Control Tower to manage a multi-account environment. The security team wants to ensure that all accounts conform to a set of baseline rules, including encryption at rest for S3 buckets. Which THREE steps should the team take to implement this control? (Choose THREE.)

Select 3 answers
A.Set up an automatic remediation action using AWS Config to enable encryption on non-compliant buckets.
B.Attach an IAM policy to each account's root user.
C.Create a Service Control Policy (SCP) that denies creating S3 buckets without encryption.
D.Define an AWS Config rule to check that S3 buckets have encryption enabled.
E.Enable AWS CloudTrail to log all S3 API calls.
AnswersA, C, D

Remediation can auto-fix violations detected by Config rules.

Why this answer

Option C is correct because an SCP applied at the organization or OU level is a preventive guardrail that no account administrator can override (in practice it denies s3:PutObject requests that lack the server-side-encryption header or denies changes to a bucket's encryption configuration, since encryption is configured after the bucket is created). Option D is correct because an AWS Config rule, such as the managed s3-bucket-server-side-encryption-enabled rule, continuously detects buckets that drift out of compliance; since January 2023 S3 applies SSE-S3 to every new bucket by default, so the rule mainly catches buckets whose default encryption was later removed. Option A is correct because a Config remediation action fixes a non-compliant bucket automatically.

Option B is wrong because the root user should not be used at all and an IAM policy in one account is not an organization-wide control. Option E is wrong because CloudTrail records API calls for audit; it neither prevents nor corrects non-compliant configuration.

345
Multi-Selectmedium

A company uses AWS CloudFormation to manage infrastructure. A recent update to a stack failed, and the stack is now in a ROLLBACK_COMPLETE state. The team needs to investigate the cause and then redeploy the update. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A.View the stack events in the CloudFormation console.
B.Review the previous stack template version.
C.Create a ChangeSet to review the proposed changes before applying.
D.Use AWS CloudFormation StackSets to redeploy across accounts.
E.Execute a rollback to continue the rollback process.
AnswersA, C

Stack events provide error messages that indicate the cause of failure.

Why this answer

Options A and C are correct. Option A: the stack events list every resource operation with its status reason, which is where the actual error (a permissions failure, a missing AMI, a name collision) is reported. Option C: a change set shows exactly which resources the corrected template will add, modify or replace before anything is executed.

Option E is wrong because "continue update rollback" applies only to a stack stuck in UPDATE_ROLLBACK_FAILED. Option D is wrong because StackSets deploy to many accounts and Regions; they do not help debug one stack. Option B is wrong because the previous template is what is already deployed; it does not explain why the new one failed. Note also that ROLLBACK_COMPLETE is the terminal state of a failed initial creation; such a stack cannot be updated and must be deleted and recreated, whereas a failed update ends in UPDATE_ROLLBACK_COMPLETE and can be updated again.

346
MCQmedium

A company runs a containerized application on Amazon ECS with Fargate. The application uses an Application Load Balancer (ALB) to distribute traffic. The company has configured a target tracking scaling policy based on average memory utilization. During a traffic spike, the ECS service scales out, but the new tasks are immediately deregistered and replaced. The CloudWatch logs show that the new tasks are failing the ALB health check. The health check is configured to ping the '/health' endpoint on the container. The solutions architect verifies that the application container correctly responds to the '/health' endpoint with a 200 status code. What is the MOST likely cause of the health check failures?

A.The ALB is not configured with a proper listener rule to forward traffic to the target group.
B.The security group attached to the ECS tasks does not allow inbound traffic from the ALB on the health check port.
C.The deregistration delay (connection draining) is set too high, causing the ALB to think the tasks are unhealthy.
D.The health check path is incorrect; it should be '/index.html' instead of '/health'.
AnswerB

Without inbound rules allowing traffic from the ALB, health checks will fail.

Why this answer

Option B is correct. Each Fargate task has its own elastic network interface with the task security group attached, so the ALB's health-check probe reaches the task only if that security group allows inbound traffic on the container port from the ALB's security group (or its subnet CIDRs).

The architect confirmed that the application answers /health correctly, so the failure is in the network path, not in the application. Option D is wrong because the health check path is already correct. Option C is wrong because the deregistration delay only affects how long a target keeps receiving in-flight requests after deregistration; it does not make a target unhealthy.

Option A is wrong because a missing listener rule would mean no client traffic at all, whereas health checks are performed against the target group independently of listener rules.

347
MCQhard

A company uses Amazon RDS for MySQL with Multi-AZ deployment. During a recent failover, the application experienced a 5-minute downtime. The application uses a connection pool with a 30-second connection timeout. The RDS DNS name is used as the endpoint. What is the MOST likely cause of the downtime?

A.The DNS TTL for the RDS endpoint is set too high
B.The connection pool timeout is too short to allow failover
C.The Multi-AZ failover took longer than expected
D.The application is using the wrong endpoint after failover
AnswerA

High DNS TTL causes clients to cache the old IP, leading to connection failures until cache expires.

Why this answer

Option A is correct because a client that caches the resolved IP for longer than the record's TTL keeps connecting to the old primary after the CNAME has been repointed, failing on every attempt until its cache expires. The RDS endpoint record itself is published with a short TTL (5 seconds), so caching that produces a 5-minute gap is client-side: for example a JVM with a raised networkaddress.cache.ttl, or a local resolver that enforces a minimum TTL. Option D is wrong because the RDS DNS name does not change at failover; only the address behind it does. Option B is wrong because a 30-second connection timeout fails fast and the pool retries; it is not what keeps the application down for 5 minutes.

Option C is wrong because Multi-AZ failover usually completes within a minute or two; the remaining time is explained by stale DNS answers.
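Questions 334 and 347 turn on one mechanism: the RDS endpoint is a DNS name whose address changes at failover, and a client recovers only as fast as it re-resolves that name. The simulation below is an added example, not code from this page or from AWS; the endpoint name, addresses and timings are constructed, and the one-to-two-minute failover itself is left out so that only the client-side behaviour shows.

```python
"""Simulate an application across an RDS Multi-AZ failover: the endpoint's
authoritative A record changes, the client caches lookups for some TTL,
and the connection logic either keeps stale addresses or re-resolves on
error. Added example; names, addresses and timings are constructed."""

ENDPOINT = "app-db.cabcdefghijk.us-east-1.rds.amazonaws.com"  # constructed
OLD_PRIMARY, NEW_PRIMARY = "10.0.1.20", "10.0.2.40"            # constructed


class AuthoritativeZone:
    """The record RDS publishes; its TTL is short (a few seconds)."""
    def __init__(self, ip, ttl=5):
        self.ip, self.ttl = ip, ttl

    def failover(self, new_ip):
        self.ip = new_ip


class ClientResolver:
    """Client-side cache. min_ttl models a resolver that ignores short TTLs,
    e.g. a JVM with networkaddress.cache.ttl raised, or an OS cache floor."""
    def __init__(self, zone, min_ttl=0):
        self.zone, self.min_ttl = zone, min_ttl
        self.cache = {}  # name -> (ip, expires_at)

    def resolve(self, name, now):
        ip, expires_at = self.cache.get(name, (None, -1))
        if now < expires_at:
            return ip
        ip = self.zone.ip
        self.cache[name] = (ip, now + max(self.zone.ttl, self.min_ttl))
        return ip

    def flush(self, name):
        self.cache.pop(name, None)


def simulate(client_min_ttl, hardcoded_ip=None, flush_on_error=False,
             failover_at=10, horizon=600):
    """Tick once per second. Return the seconds after failover until the
    first successful connection, or None if the client never recovers."""
    zone = AuthoritativeZone(OLD_PRIMARY)
    live_ip = OLD_PRIMARY                      # the address that accepts TCP
    resolver = ClientResolver(zone, client_min_ttl)
    for now in range(horizon):
        if now == failover_at:
            zone.failover(NEW_PRIMARY)         # RDS repoints the endpoint
            live_ip = NEW_PRIMARY              # the old primary stops answering
        target = hardcoded_ip or resolver.resolve(ENDPOINT, now)
        connected = target == live_ip
        if now >= failover_at and connected:
            return now - failover_at
        if not connected and flush_on_error:
            resolver.flush(ENDPOINT)           # drop the stale answer, re-resolve next try
    return None


if __name__ == "__main__":
    print("honours the 5 s TTL:               ", simulate(0))
    print("client caches for 300 s:           ", simulate(300))
    print("caches 300 s, re-resolves on error:", simulate(300, flush_on_error=True))
    print("hardcoded IP address:              ", simulate(0, hardcoded_ip=OLD_PRIMARY))
```

The four runs reproduce the failure modes above: a client honouring the 5-second TTL reconnects immediately, a client with a 300-second cache floor is down for 290 seconds, a hardcoded address never recovers, and a client that flushes its cached answer on connection error recovers on the next attempt even with the cache floor. That last behaviour is the one to build in, or to configure: a low networkaddress.cache.ttl on the JVM and connection validation in the pool so that stale connections are dropped rather than reused.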

348
MCQhard

A company runs a containerized application on Amazon ECS using Fargate. The application experiences intermittent high latency during peak hours. The operations team suspects that the task placement strategy is causing resource contention. The cluster uses the default binpack strategy. What should the team do to improve performance?

A.Increase the memory and CPU for each task definition to reduce contention.
B.Increase the number of tasks to distribute the load evenly.
C.Change the task placement strategy to spread across Availability Zones.
D.Use a launch type of EC2 with GPU instances to handle the load.
AnswerC

Spread strategy distributes tasks, reducing resource contention.

Why this answer

Option C is correct in the exam's framing: a spread strategy distributes tasks across Availability Zones instead of packing them onto as few hosts as possible, which reduces contention. Option A is wrong because more CPU and memory per task does not change where tasks are placed. Option B is wrong because adding tasks under a binpack strategy can worsen contention on the hosts they are packed onto.

Option D is wrong because GPU instances are unrelated to the problem. In practice, note that task placement strategies and constraints apply only to the EC2 launch type; Fargate schedules tasks on AWS-managed capacity and spreads them across the Availability Zones of the subnets you configure, so the premise of a binpack strategy does not hold for a Fargate cluster.

349
MCQmedium

An IAM policy condition allows launching EC2 instances only if the instance type is t2.micro or t2.small. A developer tries to launch a t2.medium instance. What happens?

A.The launch is denied only if the user does not have a separate policy allowing t2.medium.
B.The launch succeeds because the condition only allows, not denies.
C.The launch succeeds if the user has an additional Allow for t2.medium.
D.The launch is denied because t2.medium is not in the allowed list.
AnswerD

Only allowed types are permitted.

Why this answer

Option D is correct because a condition on an Allow statement narrows what that statement permits: a request to launch a t2.medium satisfies no Allow and is implicitly denied. Option A and Option C describe what would happen if some other policy contained an unconditional Allow (that Allow would permit the launch, because a conditioned Allow does not deny anything); the question mentions no such policy. Option B is wrong because the absence of a matching Allow is itself a denial: IAM denies by default.

To make an instance-type restriction hold regardless of any other Allow, pair the Allow with an explicit Deny whose condition is StringNotEquals on ec2:InstanceType.
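As an added example covering both this question and question 332, the evaluator below is not AWS's policy engine; it is a minimal model of identity-based policy evaluation (a matching explicit Deny wins, any matching Allow grants, otherwise implicit deny) with wildcard matching and StringEquals/StringNotEquals conditions. The ARNs, account ID and instance ID are constructed values taken from or modelled on the questions; the s3:PutObject statement from question 332's answer key is left out because that scenario only reads.

```python
"""Tiny IAM policy evaluator for identity-based policies: a matching explicit
Deny wins, otherwise any matching Allow grants, otherwise the request is
implicitly denied. Added example, not AWS's evaluation engine; it supports
Action/Resource wildcards and StringEquals/StringNotEquals conditions only."""
import re


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: * matches any run, ? a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:  # fail loudly rather than silently allowing
                raise NotImplementedError(operator)
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'DENY', 'ALLOW' or 'IMPLICIT_DENY' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue  # action names are case-insensitive
            if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue  # resource ARNs are case-sensitive
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"  # explicit deny short-circuits everything else
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


# Question 332: the read and logging statements (s3:PutObject omitted).
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:*"},
]}
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::my-bucket/*"}]}

# Question 349: an Allow narrowed by an instance-type condition. Constructed IDs.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/*"
REQUESTED = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
SMALL_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}]}
# A second policy with an unconditional Allow, as options A and C imagine.
EXTRA_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN}]}
# The guardrail that makes the restriction stick regardless of other Allows.
GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": INSTANCE_ARN,
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"
    print(evaluate([LEAST_PRIVILEGE], "s3:GetObject", obj))      # ALLOW
    print(evaluate([LEAST_PRIVILEGE], "s3:DeleteObject", obj))   # IMPLICIT_DENY
    print(evaluate([OVERBROAD], "s3:DeleteObject", obj))         # ALLOW: why s3:* fails least privilege
    medium = {"ec2:InstanceType": "t2.medium"}
    print(evaluate([SMALL_ONLY], "ec2:RunInstances", REQUESTED, medium))                         # IMPLICIT_DENY
    print(evaluate([SMALL_ONLY, EXTRA_ALLOW], "ec2:RunInstances", REQUESTED, medium))            # ALLOW
    print(evaluate([SMALL_ONLY, EXTRA_ALLOW, GUARDRAIL], "ec2:RunInstances", REQUESTED, medium))  # DENY
```

The three ec2:RunInstances results are the point of question 349: the conditioned Allow alone yields an implicit deny, another Allow anywhere in the identity's policies overrides that, and only the explicit Deny with StringNotEquals holds against every Allow.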

350
MCQmedium

A CloudFormation stack deployment failed with the status ROLLBACK_COMPLETE. What is the most likely cause?

A.The stack was created in the wrong AWS region.
B.The EC2 instance type is not available in the region.
C.The IAM role used by CloudFormation does not have permission to create EC2 instances.
D.The CloudFormation template has a syntax error.
AnswerC

Insufficient permissions cause resource creation to fail, leading to rollback.

Why this answer

Option C is correct. The StackStatusReason points at a failed resource creation (MyEC2Instance); a CloudFormation service role or calling identity that lacks ec2:RunInstances is the usual reason a resource fails to create and drives the stack into rollback.

Option D (template syntax) would fail validation before any resource was created, so no rollback would occur. Option B (instance type unavailable) would also fail resource creation, but the status reason would say so explicitly. Option A (wrong Region) does not cause a rollback; a template deploys in whichever Region it is submitted to.

351
MCQeasy

A company deploys the above CloudFormation template. After creation, they upload a file to the bucket and then delete it. What happens to the deleted object after 30 days?

A.All versions of the object are permanently deleted.
B.The delete marker is removed, and the object becomes current again.
C.The object is permanently deleted along with the delete marker.
D.The previous version is permanently deleted, but the delete marker remains.
AnswerD

Noncurrent version expires.

Why this answer

Option D is correct because the lifecycle rule expires noncurrent versions 30 days after they become noncurrent. Deleting the object in a versioned bucket removes nothing: it adds a delete marker as the current version, and the previous version becomes noncurrent. Thirty days later that noncurrent version is permanently deleted and the delete marker is all that remains for the key.

Option A is wrong because the delete marker is not a noncurrent version and survives. Option C is wrong because only noncurrent versions expire. Option B is wrong because nothing in the rule removes delete markers (that takes ExpiredObjectDeleteMarker, which applies only once no versions remain), and removing a marker could never resurrect a version that has already expired.
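To see the sequence concretely, the model below is an added example, not code from this page or from AWS, of a versioned bucket with a NoncurrentVersionExpiration rule: the object key and contents are constructed, lifecycle runs on demand instead of daily, and the day arithmetic is simplified.

```python
"""Model of a versioned S3 bucket with a NoncurrentVersionExpiration rule,
showing what survives a delete followed by the expiration period. Added
example and a simplification of S3 (whole-day granularity, lifecycle applied
on demand); the object key and contents are constructed."""
import itertools


class VersionedBucket:
    def __init__(self, noncurrent_days, expire_delete_markers=False):
        self.noncurrent_days = noncurrent_days
        self.expire_delete_markers = expire_delete_markers  # ExpiredObjectDeleteMarker
        self.versions = {}            # key -> [version dicts], newest last
        self._ids = itertools.count(1)

    def _add(self, key, body, marker, day):
        stack = self.versions.setdefault(key, [])
        if stack:                     # the old current version becomes noncurrent now
            stack[-1]["noncurrent_since"] = day
        stack.append({"version_id": f"v{next(self._ids)}", "body": body,
                      "delete_marker": marker, "noncurrent_since": None})

    def put(self, key, body, day):
        self._add(key, body, False, day)

    def delete(self, key, day):
        """A simple DELETE on a versioned bucket only adds a delete marker."""
        self._add(key, None, True, day)

    def delete_version(self, key, version_id):
        """DELETE with a version ID removes that version permanently; removing
        a delete marker makes the version beneath it current again."""
        stack = self.versions[key]
        stack[:] = [v for v in stack if v["version_id"] != version_id]
        if stack:
            stack[-1]["noncurrent_since"] = None
        else:
            del self.versions[key]

    def get(self, key):
        """GET without a version ID: the current version, or None (404) when
        the current version is a delete marker or the key is absent."""
        stack = self.versions.get(key)
        if not stack or stack[-1]["delete_marker"]:
            return None
        return stack[-1]["body"]

    def run_lifecycle(self, day):
        """Expire noncurrent versions older than noncurrent_days; optionally
        remove a delete marker that no longer covers any version."""
        for key in list(self.versions):
            stack = self.versions[key]
            stack[:] = [v for v in stack
                        if v["noncurrent_since"] is None
                        or day - v["noncurrent_since"] < self.noncurrent_days]
            if self.expire_delete_markers and len(stack) == 1 and stack[0]["delete_marker"]:
                stack.clear()
            if not stack:
                del self.versions[key]

    def list_versions(self, key):
        return [(v["version_id"], v["delete_marker"]) for v in self.versions.get(key, [])]


def scenario(expire_delete_markers=False, days_after=30):
    """Upload on day 0, delete on day 1, run lifecycle days_after days later."""
    bucket = VersionedBucket(noncurrent_days=30, expire_delete_markers=expire_delete_markers)
    bucket.put("report.csv", b"q3 numbers", day=0)   # constructed object
    bucket.delete("report.csv", day=1)
    bucket.run_lifecycle(day=1 + days_after)
    return bucket


if __name__ == "__main__":
    b = scenario()
    print(b.list_versions("report.csv"), b.get("report.csv"))   # [('v2', True)] None
    print(scenario(expire_delete_markers=True).list_versions("report.csv"))  # []
```

The second run shows what changes once ExpiredObjectDeleteMarker is added: the orphaned marker goes too and the key disappears from listings. Before day 31 the data can still be recovered by deleting the marker by version ID, which is the recovery path the question's distractor B confuses with lifecycle behaviour.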

352
MCQhard

A financial services company has a multi-account AWS Organization with hundreds of accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted at rest and that no public read access is allowed. They want a solution that automatically remediates non-compliant buckets in real time. What is the MOST scalable and operationally efficient approach?

A.Use Service Control Policies to deny PutBucketPolicy that allows public access and require encryption
B.Use AWS Config conformance packs with remediation actions through AWS Systems Manager Automation
C.Use Amazon CloudWatch Events to detect bucket creation and trigger a Lambda function to apply encryption
D.Use AWS Config rules and AWS Lambda functions to scan buckets daily and send alerts
AnswerB

Provides continuous compliance and automatic remediation across the organization.

Why this answer

Option B is correct because an organization-wide conformance pack deploys the same Config rules and remediation actions to every account, and a remediation action backed by a Systems Manager Automation runbook fixes a non-compliant bucket as soon as the rule evaluates it. Option A (SCPs) can deny some API calls but cannot evaluate or remediate the state of buckets that already exist. Option D detects once a day and only alerts, so it is neither real-time nor automatic.

Option C (CloudWatch Events) requires per-account rules and custom Lambda code, and it reacts only to bucket creation, not to later configuration changes.

353
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. Recently, the application has been experiencing intermittent latency spikes. CloudWatch metrics show high CPU utilization on the instances during these spikes, but no corresponding increase in request count. Which action is MOST likely to identify the root cause?

A.Increase the instance size to handle the load.
B.Enable detailed monitoring on the EC2 instances.
C.Add a scaling policy based on CPU utilization.
D.Enable AWS CloudTrail to log EC2 API calls.
AnswerB

Detailed monitoring provides metrics at 1-minute granularity, helping to identify when spikes occur.

Why this answer

Option B is correct because detailed CloudWatch metrics (at 1-minute granularity) provide the finer-grained data needed to pinpoint when CPU spikes occur. Option A is wrong because increasing the instance size only masks the symptom. Option C is wrong because scaling policies respond to sustained high CPU, not intermittent spikes.

Option D is wrong because CloudTrail records API calls, not instance-level metrics.

354
MCQhard

A media company runs a video processing pipeline on AWS. The pipeline uses AWS Step Functions to orchestrate multiple AWS Lambda functions. The first Lambda function downloads a video file from an S3 bucket, the second transcodes it using AWS Elemental MediaConvert, and the third uploads the transcoded files to a different S3 bucket. Recently, the pipeline has been failing intermittently with 'State machine execution timed out' errors. The Step Functions execution history shows that the first Lambda function takes up to 25 minutes to complete for large video files. The Step Functions state machine has a default execution timeout of 5 minutes. The company wants to fix the timeout issue without redesigning the entire pipeline. Which solution should the solutions architect recommend?

A.Increase the 'timeoutSeconds' value in the Step Functions state machine definition to 1800 (30 minutes) or more.
B.Increase the Lambda function timeout to 30 minutes in the Lambda configuration.
C.Increase the Lambda function timeout to 15 minutes and increase the state machine execution timeout to 30 minutes.
D.Replace the Lambda function with an Amazon SQS queue and have the Step Functions wait for a callback.
AnswerA

Increasing the state machine execution timeout allows the long-running Lambda to complete without timing out.

Why this answer

Option A is correct because the issue is that the first Lambda function exceeds the state machine execution timeout. By increasing the timeout in the state machine definition, the execution can run longer. The Lambda function itself has a maximum timeout of 15 minutes, but the state machine timeout must be higher than the total expected duration.

Option B is wrong because the Lambda function timeout is separate; even if it is increased, the state machine timeout would still cause the failure. Option D is wrong because using SQS would require significant changes to the pipeline and does not directly address the long-running Lambda. Option C is wrong because increasing the Lambda timeout alone does not fix the state machine timeout.

355
MCQhard

A security engineer runs the above command to list network interfaces attached to security group sg-12345678. The engineer notices that instance i-0a1b2c3d4e5f67890 has two network interfaces but only one is shown in the output. What is the MOST likely reason?

A.The second interface is not attached to the instance.
B.The second interface has a device index of 0.
C.The command only returns interfaces that are attached.
D.The second interface is associated with a different security group.
AnswerD

Filter limits to sg-12345678.

Why this answer

Option D is correct because the command filters by security group ID, so only interfaces in that group are shown. The second interface may belong to a different security group. Option A is wrong because the filter is by group-id, not instance-id.

Option B is wrong because the command does not filter by device index. Option C is wrong because the command can list all interfaces in the group regardless of attachment.

356
MCQeasy

A company is migrating a monolithic application to microservices on AWS. They want to implement a continuous improvement process for existing services. Which AWS service should they use to collect and analyze operational metrics and logs from all microservices in a centralized location?

A.AWS Config
B.Amazon Inspector
C.Amazon CloudWatch
D.AWS X-Ray
AnswerC

CloudWatch provides centralized metrics and logs.

Why this answer

Option C is correct because Amazon CloudWatch Logs and Metrics provide centralized monitoring. Option D is wrong because AWS X-Ray is for tracing, not metrics. Option A is wrong because AWS Config is for configuration compliance.

Option B is wrong because Amazon Inspector is for security assessment.

357
MCQeasy

Refer to the exhibit. A company has an Amazon ECS task definition with two containers. The 'web' container is essential, and the 'sidecar' container is not. The 'sidecar' container exits unexpectedly. What will happen to the task?

A.The sidecar container will be marked as essential.
B.ECS will automatically restart the sidecar container.
C.The task continues running as normal.
D.The ECS task will be stopped.
AnswerC

Non-essential container failure does not affect the task.

Why this answer

Option C is correct because non-essential containers can fail without affecting the task. Option D is wrong because only an essential container failure stops the task. Option B is wrong because ECS will not restart a non-essential container by default; it depends on the task definition restart policy.

Option A is wrong because the sidecar's CPU=0 means it can use up to the available CPU, but it still runs.

358
MCQhard

A company uses AWS Lambda with a VPC configuration to access an RDS database. After a recent change, the Lambda function times out when connecting to the database. The security group and network ACLs appear correct. What should the company check first?

A.That the database password has not been rotated.
B.That the Lambda function's reserved concurrency is not set to zero.
C.That the Lambda function has a route to the database via a NAT gateway or VPC endpoint.
D.That the Lambda function's environment variables are correctly set.
AnswerC

If the database is in a private subnet, a NAT gateway is needed for the Lambda function to access it.

Why this answer

When a Lambda function is VPC-enabled, it loses its default internet access: it needs a VPC endpoint for services such as S3 or DynamoDB, or a NAT gateway for internet access. If the function needs to reach the database via a public endpoint, a NAT gateway is required. Option C is correct.

Option D is about Lambda's environment variables. Option A is about database credentials. Option B is about Lambda's concurrency, not connectivity.

359
MCQhard

A solutions architect sees the above CloudWatch metric data for a Lambda function. The function is triggered by an SQS queue. The errors occur in a pattern: exactly 5 errors at 00:10, 00:30, and 00:50. What is the MOST likely cause?

A.The Lambda function is running out of memory.
B.The Lambda function is timing out due to long-running processing, and the SQS visibility timeout is set to 20 minutes, causing the same messages to be retried.
C.The Lambda function is hitting the reserved concurrency limit.
D.The Lambda function is using an incompatible runtime.
AnswerB

The pattern matches a timeout and retry cycle.

Why this answer

Option B is correct because the pattern suggests the function times out after 30 seconds of processing, and the SQS messages become visible again after the visibility timeout. The errors at regular 20-minute intervals indicate that the function is retrying the same messages. Option C is wrong because insufficient concurrency would cause throttles, not errors.

Option A is wrong because memory exhaustion would cause out-of-memory errors, not timeouts. Option D is wrong because an incompatible runtime would cause all invocations to fail.

360
MCQmedium

A company has a production Amazon ECS service running on Fargate. The service needs to be updated to use a new task definition with different environment variables. The company wants to perform a rolling update with minimal impact. What is the correct way to update the service?

A.Delete the existing service and recreate it with the new task definition.
B.Modify the task definition and then restart the service.
C.Update the service with the new task definition and use a rolling update deployment controller.
D.Create a new service with the new task definition and delete the old one.
AnswerC

Rolling update replaces tasks gradually.

Why this answer

Option C is correct because updating the service with the new task definition and a rolling update deployment controller achieves a rolling update. Option A is wrong because deleting and recreating the service causes downtime. Option B is wrong because updating the task definition alone does not trigger a deployment.

Option D is wrong because creating a new service is unnecessary.

361
MCQeasy

A company uses AWS CloudFormation to deploy infrastructure. The operations team wants to automatically roll back a stack update if it fails, and receive a notification. What should be configured to meet these requirements?

A.Use AWS CloudTrail to monitor the UpdateStack API call and trigger a rollback via a Lambda function.
B.Use AWS Config rules to detect stack failure and revert changes.
C.Enable rollback on failure in the CloudFormation stack and configure an SNS notification topic.
D.Create a custom resource in the CloudFormation template that performs rollback.
AnswerC

CloudFormation can automatically roll back on failure and send SNS notifications.

Why this answer

Option C is correct because CloudFormation natively supports automatic rollback on stack update failure via the 'Rollback on failure' setting. By configuring an SNS notification topic on the stack, the operations team receives alerts when a rollback occurs, meeting both requirements without additional custom logic.

Exam trap

The trap here is that candidates may overcomplicate the solution by adding unnecessary services like Lambda or Config, overlooking CloudFormation's native rollback and notification capabilities that directly satisfy the requirements.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail logs API calls but does not trigger actions directly; invoking a Lambda function from CloudTrail would require additional Amazon EventBridge rules and custom rollback logic, which is unnecessary when CloudFormation provides built-in rollback. Option B is wrong because AWS Config rules evaluate resource compliance against desired configurations and cannot detect stack update failures or revert changes; they are designed for continuous compliance, not stack lifecycle management. Option D is wrong because a custom resource in a CloudFormation template runs during stack operations but cannot perform a rollback of the entire stack; rollback is a stack-level operation controlled by CloudFormation, not by individual resources.

362
Multi-Selectmedium

A company uses AWS CodeBuild to compile and test code. The build process takes a long time because dependencies are downloaded from the internet each time. The company wants to speed up the build process. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Use AWS CodeArtifact to store and retrieve dependencies
B.Use a custom Docker image in CodeBuild that includes the dependencies
C.Use local build agents to run builds in parallel
D.Increase the compute type of the build environment
E.Enable the cache feature in CodeBuild to store dependencies in Amazon S3
AnswersB, E

Pre-installed dependencies eliminate download time.

Why this answer

Option B avoids downloading dependencies on every build by using a custom Docker image with pre-installed dependencies. Option E caches dependency files in a persistent S3 bucket. Option D (increase compute) may help but does not address the root cause.

Option C (parallel builds) may increase complexity. Option A (CodeArtifact) is for storing artifacts and does not speed up the initial download as much as caching.

363
Multi-Selectmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses a custom header for authentication. The security team wants to ensure that requests are only accepted from authenticated users. Which TWO actions should the team take?

Select 2 answers
A.Place an Amazon CloudFront distribution in front of the ALB and use signed URLs.
B.Configure the ALB to forward the custom header to the target group and validate it on the application.
C.Use AWS WAF to create a rule that inspects the custom header and blocks requests without it.
D.Use Amazon Cognito to authenticate users and pass the header.
E.Configure the ALB's security group to allow traffic only from known IP addresses.
AnswersB, C

The application can validate the header if forwarded by ALB.

Why this answer

Options B and C are correct. WAF can inspect custom headers, and the ALB can forward headers to the target. Option E is wrong because security groups do not inspect headers.

Option D is wrong because Cognito is for user pools, not custom headers. Option A is wrong because CloudFront is a CDN, not a security service.

364
MCQeasy

A company runs a batch processing job on a schedule using AWS Lambda. The job processes files from an S3 bucket and writes results to another S3 bucket. Recently, the job has been failing with the error 'Access Denied' when trying to write to the destination bucket. The Lambda function's execution role has the following IAM policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::source-bucket/*",
        "arn:aws:s3:::source-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::destination-bucket/*"
    }
  ]
}

The Lambda function also has a VPC configuration to access an RDS instance. The S3 buckets are in the same region. The Solutions Architect verified that the destination bucket policy does not deny access. What is the MOST likely cause of the 'Access Denied' error?

A.The Lambda function is in a VPC without an S3 VPC endpoint, so it cannot reach S3.
B.The Lambda function does not have permissions to read from the source bucket.
C.The IAM policy does not allow s3:PutObject on the destination bucket.
D.The destination bucket policy denies the Lambda function's access.
AnswerA

Lambda in a VPC requires a VPC endpoint for S3 to access S3 APIs; without it, calls fail.

Why this answer

Option A is correct. When a Lambda function is configured to access a VPC, it loses internet access unless a NAT gateway or VPC endpoints are provided. To access S3, the function needs an S3 VPC endpoint (gateway type) in the same VPC and subnet.

Without it, the PutObject call fails with 'Access Denied' because the function cannot reach the S3 API endpoint. Option C is wrong because the IAM policy allows s3:PutObject. Option D is wrong because the bucket policy does not deny access.

Option B is wrong because the source bucket permissions are for reading, and the error occurs on the write.

365
MCQhard

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The application uses a custom health check that reports instance health to Amazon CloudWatch. The Auto Scaling group is configured with an EC2 health check type. Recently, the company noticed that instances failing the custom health check are not being terminated and replaced. What should the solutions architect do to ensure that instances failing the custom health check are automatically replaced?

A.Manually terminate the unhealthy instances from the EC2 console.
B.Configure the Auto Scaling group to use instance metadata to report health.
C.Create a CloudWatch alarm based on the custom health check metric and configure the alarm to terminate the instance.
D.Change the Auto Scaling group health check type to ELB and ensure the custom health check is integrated with the ELB target group.
AnswerD

ELB health checks can be customized via the target group, and Auto Scaling will replace instances that fail ELB health checks.

Why this answer

Option D is correct because Auto Scaling only uses the EC2 status checks (system/reachability) by default. To use a custom health check, you must configure the Auto Scaling group to use ELB health checks and have the custom health check reported via a target group. Alternatively, you can use Amazon EventBridge to listen for custom health check failures and terminate instances.

Option B is wrong because changing the health check type to ELB still requires a target group, and the custom health check must be integrated with it. Option C is wrong because CloudWatch alarms don't directly trigger instance replacement; you would need a lifecycle hook or EventBridge. Option A is wrong because manual termination defeats automation.

366
Multi-Selecteasy

A company is using Amazon RDS for PostgreSQL with Multi-AZ deployment. The database experiences high write latency during peak hours. The solutions architect suggests using an RDS read replica to offload read traffic. Which THREE steps are necessary to implement this solution?

Select 3 answers
A.Ensure the read replica is in the same Availability Zone as the primary.
B.Create a read replica from the source DB instance.
C.Modify the application to send read-only queries to the read replica endpoint.
D.Enable Multi-AZ on the read replica.
E.Configure the read replica to be in a different Availability Zone for high availability.
AnswersB, C, E

A read replica is needed to offload read traffic.

Why this answer

Options B, C, and E are correct. Create a read replica (B) from the source DB instance. Modify the application to use the read replica endpoint for read queries (C).

Ensure the read replica is in a different AZ for high availability (E). Option A is wrong because read replicas do not need to be in the same AZ. Option D is wrong because Multi-AZ applies to the source instance, not the read replica.

367
MCQhard

A company is using Amazon S3 to store sensitive documents. The security team requires that all objects be encrypted at rest using a customer-managed key (CMK) stored in AWS KMS. Additionally, the CMK must be rotated automatically every year. How should the company configure this?

A.Use S3 default encryption with SSE-KMS and create a new CMK every year.
B.Use S3 bucket policies to enforce encryption and use KMS manual key rotation.
C.Use S3 default encryption with SSE-KMS and enable automatic key rotation on the CMK.
D.Use S3 default encryption with SSE-S3 and enable KMS automatic key rotation.
AnswerC

This ensures all objects are encrypted with the CMK and the key is rotated annually.

Why this answer

Enable S3 default encryption with SSE-KMS and configure automatic key rotation on the CMK. This meets both requirements.

368
MCQhard

A security engineer runs the command above and finds an ENI attached to a Lambda function. The security group sg-12345678 allows inbound traffic on port 443 from 0.0.0.0/0. The Lambda function is used to process API requests. The engineer is concerned about security. What should the engineer do?

A.Modify the Lambda function to not use a VPC.
B.Add a deny rule for inbound 0.0.0.0/0 and allow only from the Lambda function's own IP.
C.Remove the VPC attachment from the Lambda function and use a VPC endpoint.
D.Restrict the security group source to the API Gateway's VPC endpoint or the ALB security group.
AnswerD

Limits inbound traffic to only the expected source.

Why this answer

Option D is correct because the Lambda function should only be invoked via the API Gateway, not directly from the internet. The security group should restrict inbound traffic to the API Gateway's source rather than allow all IPs. Option B is incorrect because outbound traffic is needed for the function to send responses.

Option A is incorrect because the VPC attachment is necessary for accessing internal resources. Option C is incorrect because the Lambda function is already in a VPC.

369
MCQeasy

A company uses Amazon S3 to store critical data. The company wants to ensure that data is protected against accidental deletion and that deleted objects can be recovered within 30 days. Which S3 feature should the company enable?

A.S3 Versioning
B.S3 Server Access Logging
C.S3 Object Lock in governance mode
D.S3 Intelligent-Tiering
AnswerA

Preserves all versions, allowing recovery of deleted objects.

Why this answer

Option A is correct because S3 Versioning keeps all versions, and when combined with a lifecycle policy to expire after 30 days, it allows recovery. Option B is wrong because it is for access logs. Option C is wrong because it prevents overwrites but not deletions.

Option D is wrong because it is for archive, not immediate recovery.

370
Multi-Selecthard

A company is using Amazon API Gateway with a Lambda authorizer to authenticate requests. The Lambda authorizer function times out frequently during peak traffic. The company wants to improve authorization performance without changing the authentication logic. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Enable caching of authorization responses in API Gateway.
B.Use AWS WAF to block suspicious requests.
C.Increase the Lambda function timeout.
D.Increase the Lambda reserved concurrency.
E.Enable request validation in API Gateway.
AnswersA, C

Caching reduces Lambda invocations for repeated requests.

Why this answer

Option C is correct because increasing the Lambda timeout gives the authorizer more time to respond. Option A is correct because enabling caching of authorization responses reduces invocations of the authorizer. Option E is wrong because request validation does not affect authorizer performance.

Option B is wrong because WAF does not help the authorizer. Option D is wrong because concurrency is not the issue.

371
MCQeasy

A solutions architect notices that an Auto Scaling group's instances are continuously being terminated and replaced. CloudWatch logs show that health checks are failing due to high memory usage. The instances run a memory-intensive application. What should the architect do to improve stability?

A.Change the instance type to a memory-optimized family like R5.
B.Use a scheduled scaling policy to add instances during peak hours.
C.Increase the minimum number of instances in the Auto Scaling group.
D.Create a CloudWatch alarm for memory utilization and attach it to a scaling policy.
AnswerD

Memory alarm triggers scaling before health check failures.

Why this answer

Option D is correct because adding a memory alarm allows the Auto Scaling group to scale out before memory exhaustion causes failures. Option C is wrong because increasing the instance count per AZ doesn't address the root cause of memory pressure. Option A is wrong because memory-optimized instances provide more memory per instance, reducing the likelihood of failure.

Option B is wrong because a scheduled scaling policy is for predictable traffic, not for memory-driven scaling.

372
MCQmedium

A company runs a critical application on Amazon RDS for PostgreSQL. The database experiences high read traffic. The application is read-heavy and can tolerate eventual consistency for some queries. What is the MOST effective way to improve read performance without significant architectural changes?

A.Enable Multi-AZ deployment for failover.
B.Create one or more Read Replicas in the same region.
C.Use Amazon ElastiCache to cache frequent queries.
D.Upgrade to a larger instance type.
AnswerB

Read Replicas handle read queries, reducing load on primary.

Why this answer

Option B is correct because creating Read Replicas offloads read traffic from the primary instance. Option A increases cost unnecessarily, C requires application changes, and D does not directly improve read performance.

373
MCQhard

A company runs a stateless web application on EC2 instances behind an Application Load Balancer (ALB). During peak traffic, some instances become unhealthy and are replaced by Auto Scaling, but users experience errors. What is the MOST likely cause?

A.The EC2 instances are of a burstable performance type.
B.The Auto Scaling group's minimum size is too small.
C.The health check target path or port is misconfigured.
D.The health check interval is too long.
AnswerC

Misconfigured health checks can mark healthy instances as unhealthy, causing them to be replaced and disrupting traffic.

Why this answer

Option C is correct because if the health check target is misconfigured (e.g., wrong path or port), healthy instances may be marked as unhealthy, causing unnecessary replacements and errors. Option D is wrong because a longer health check interval would reduce unnecessary replacements. Option A is wrong because the instance type does not directly affect health checks.

Option B is wrong because a smaller Auto Scaling group might cause capacity issues but not necessarily errors due to unhealthy instances.

374
MCQmedium

Refer to the exhibit. An IAM policy is attached to a group. A user in the group tries to stop an EC2 instance with the tag 'Environment=production'. The action fails. What is the MOST likely reason?

A.The ec2:ResourceTag condition key is not supported for ec2:StopInstances.
B.The Resource element is set to '*', which does not include the specific instance.
C.The ec2:StopInstances action is not listed in the policy.
D.The policy requires a resource ARN for the condition to work.
AnswerA

The ec2:ResourceTag condition key is not supported for ec2:StopInstances or ec2:StartInstances actions.

Why this answer

Option A is correct because the Condition element uses the ec2:ResourceTag condition key, which requires that the instance have the specified tag. However, this condition key is not supported for ec2:StopInstances (it is supported for DescribeInstances), so the condition cannot be evaluated as expected and the request is denied.

The most common reason, therefore, is that the ec2:ResourceTag condition key is not supported for the StopInstances and StartInstances actions. Option B is wrong because the resource is '*', which includes all instances. Option C is wrong because the action 'ec2:StopInstances' is allowed; it is the condition that fails to match.

Option D is wrong because the policy does not specify a resource ARN, so it applies to all resources.

375
Multi-Selecthard

A company is running a production web application on Amazon EKS. The application experiences intermittent latency spikes. The operations team suspects that the issue is related to pod networking. Which THREE tools should they use to diagnose the issue? (Choose 3)

Select 3 answers
A.tcpdump on worker nodes
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.Amazon CloudWatch Container Insights
E.AWS CodePipeline
AnswersB, C, D

Captures network traffic metadata.

Why this answer

Options B, C, and D are correct. VPC Flow Logs capture network traffic metadata, Container Insights provides metrics, and CloudWatch Logs capture container logs. Option A is a Linux command, not an AWS service.

Option E is for CI/CD, not troubleshooting.
