CCNA Continuous Improvement Questions

53 of 428 questions · Page 6/6 · Continuous Improvement topic · Answers revealed

376
MCQ · hard

A company is running a stateful web application on EC2 instances in an Auto Scaling group behind an ALB. The application stores session data locally on the instance. The company notices that users are frequently logged out and lose session data during scaling events. What is the MOST operationally efficient way to preserve session state?

A. Migrate session data to ElastiCache for Redis and modify the application to use it.
B. Create a custom AMI that pre-populates session data from Amazon S3.
C. Increase the Auto Scaling group's cooldown period to 600 seconds.
D. Enable sticky sessions (session affinity) on the ALB.
Answer: A

Externalizing session state ensures data persists across instance replacements.

Why this answer

Option A is correct because migrating session state to ElastiCache for Redis provides a centralized, external, and highly available session store that persists independently of EC2 instance lifecycles. This ensures that when instances are terminated or added during Auto Scaling events, session data remains intact and accessible from any instance, eliminating user logouts and data loss. It is operationally efficient as it requires minimal application code changes and leverages a fully managed, in-memory data store optimized for low-latency access.

Exam trap

The trap here is that candidates often choose sticky sessions (Option D) thinking it solves session persistence, but they overlook that sticky sessions only route traffic to the same instance and do not protect against data loss when that instance is terminated during scaling events.

How to eliminate wrong answers

Option B is wrong because pre-populating a custom AMI with session data from S3 is impractical and inefficient: session data is dynamic and changes constantly, so a static AMI cannot reflect real-time session states, and this approach would require frequent AMI rebuilds and complex synchronization. Option C is wrong because increasing the cooldown period to 600 seconds only delays scaling events but does not prevent session loss when instances are eventually terminated; it also reduces the Auto Scaling group's ability to respond to load changes, potentially impacting availability. Option D is wrong because enabling sticky sessions (session affinity) on the ALB only binds a user's session to a specific instance, but if that instance is terminated during a scale-in event, the session data is still lost; it does not provide a durable, shared session store.

377
MCQ · medium

A company uses Amazon S3 to store sensitive data. The security team requires that all S3 buckets be encrypted at rest using SSE-KMS. The company has thousands of existing buckets, some of which are not encrypted. Which approach will enforce encryption on all buckets with minimal effort?

A. Use S3 default encryption to automatically encrypt new objects.
B. Use an AWS Config rule to check for encryption and automatically remediate by enabling SSE-S3.
C. Use an SCP to deny creation of buckets without SSE-KMS and use an AWS Config rule with remediation to enable SSE-KMS on existing buckets.
D. Create an AWS Lambda function that scans all buckets and enables encryption.
Answer: C

SCP prevents new non-compliant buckets, Config remediates existing ones.

Why this answer

Option C is correct because an SCP can deny creation of unencrypted buckets and AWS Config can remediate existing buckets. Option D is wrong because a Lambda function is reactive, not proactive. Option A is wrong because S3 default encryption is not applied retroactively.

Option B is wrong because SSE-S3 does not meet the KMS requirement.

378
MCQ · medium

A company is using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application has a health check endpoint at /health. Recently, the ALB is marking instances as unhealthy even though the application is running. The health check settings are: interval 30 seconds, timeout 5 seconds, unhealthy threshold 2. What is the most likely cause?

A. The health check interval of 30 seconds is too long.
B. The unhealthy threshold of 2 is too high.
C. The health check timeout of 5 seconds is too short for the application to respond.
D. The health check path /health is not accessible from the ALB.
Answer: C

A short timeout can cause false unhealthy markings.

Why this answer

Option C is correct because if the health check timeout is too short, the ALB may not receive a response in time. Option A is wrong because the interval is standard. Option B is wrong because the unhealthy threshold is not too high.

Option D is wrong because the path is correct.

379
Multi-Select · hard

A company has a production AWS account with multiple VPCs connected via a Transit Gateway. The security team wants to centrally inspect all traffic between VPCs using a third-party firewall appliance. The firewall must be able to process traffic, and the solution must be highly available. Which THREE steps should the company take?

Select 3 answers
A. Attach Elastic Network Interfaces (ENIs) of the firewall instances to the inspection VPC subnets.
B. Configure the Transit Gateway to propagate routes directly between VPCs.
C. Deploy the firewall appliance as an EC2 instance in each AZ, with auto scaling groups.
D. Use a single route table in the Transit Gateway for all VPC attachments.
E. Create a dedicated inspection VPC with firewall instances in different Availability Zones.
Answers: A, C, E

ENIs are required for traffic to pass through the firewall.

Why this answer

Options A, C, and E are correct: E creates an inspection VPC, C places instances across AZs for HA, and A uses ENIs in each subnet. Option D is wrong because a single route table limits HA. Option B is wrong because it bypasses inspection.

380
Multi-Select · medium

A company runs a stateless web application on EC2 instances in an Auto Scaling group. The application experiences high latency during peak hours. The operations team suspects that the instances are overloaded. Which TWO actions should the team take to improve performance and scalability? (Choose two.)

Select 2 answers
A. Increase the Auto Scaling group's desired capacity to a higher fixed value.
B. Configure an Application Load Balancer in front of the Auto Scaling group.
C. Switch to a different Amazon Machine Image (AMI) with optimized performance.
D. Launch the Auto Scaling group in multiple Availability Zones.
E. Increase the instance size to a larger type.
Answers: B, D

ALB distributes traffic evenly across instances.

Why this answer

Option B is correct because adding an ALB distributes traffic across instances. Option D is correct because launching instances across multiple AZs improves availability and scalability. Option E is wrong because larger instances may not help if the issue is concurrency.

Option A is wrong because increasing desired capacity without a load balancer may cause uneven distribution. Option C is wrong because changing the AMI does not directly improve performance.

381
MCQ · medium

A company runs a stateful web application on EC2 instances in an Auto Scaling group. The application uses a shared EFS file system for persistent data. The operations team notices that during scale-in events, some requests fail because the instance is terminated while still processing. What is the BEST way to prevent request failures during scale-in?

A. Use a Network Load Balancer with connection draining enabled
B. Increase the cooldown period for the Auto Scaling group
C. Decrease the scale-in threshold to reduce the frequency of termination
D. Use lifecycle hooks to put the instance in a 'terminating:wait' state and complete request processing
Answer: D

Lifecycle hooks allow graceful shutdown.

Why this answer

Option D is correct because lifecycle hooks allow the Auto Scaling group to wait for a custom action (e.g., drain connections) before terminating an instance. Option B (increase cooldown) delays scaling but does not prevent interruption. Option C (decrease scale-in threshold) reduces the chance but does not remove the issue.

Option A (use a Network Load Balancer) does not help with instance termination.

382
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. They have a stack that creates an Amazon RDS for MySQL database. The stack creation fails with the error 'The following resource(s) failed to create: [DBInstance]'. The solutions architect needs to troubleshoot the issue. Which approach should be taken first?

A. Review the CloudFormation stack events in the AWS Management Console.
B. Check the RDS console for any database events.
C. Delete the stack and deploy again with the same parameters.
D. Use AWS CloudTrail to view the CreateStack API call.
Answer: A

Stack events provide the specific failure reason.

Why this answer

Option A is correct because CloudFormation logs events that include detailed status reasons for resource failures. Option B is wrong because RDS events might not capture the specific CloudFormation-related failure. Option C is wrong because deleting the stack is premature without understanding the cause.

Option D is wrong because CloudTrail logs API calls, but the failure reason is in CloudFormation events.

383
MCQ · medium

A company is running a web application on AWS using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application experiences periodic traffic spikes that cause increased latency. The company wants to implement a solution to automatically adjust capacity in anticipation of traffic changes. What should a solutions architect do?

A. Configure a simple scaling policy based on CPU utilization.
B. Configure a scheduled scaling policy to add instances during known peak hours.
C. Configure a target tracking scaling policy based on average CPU utilization.
D. Configure a predictive scaling policy using historical traffic patterns.
Answer: D

Predictive scaling uses machine learning to forecast traffic and proactively scale.

Why this answer

Predictive scaling uses historical traffic patterns to forecast future demand and proactively adjust capacity before traffic spikes occur, which directly addresses the requirement to anticipate changes. This approach reduces latency by ensuring sufficient resources are available ahead of time, unlike reactive policies that only respond after utilization increases.

Exam trap

The trap here is that candidates often confuse reactive scaling policies (simple, step, or target tracking) with proactive predictive scaling, assuming that maintaining a target metric like CPU utilization is sufficient to handle anticipated spikes, but only predictive scaling uses historical patterns to act before the load increases.

How to eliminate wrong answers

Option A is wrong because a simple scaling policy based on CPU utilization is reactive, only adjusting capacity after a threshold is breached, which cannot anticipate traffic spikes and may still cause latency during the scaling cooldown period. Option B is wrong because scheduled scaling assumes fixed peak hours, but the scenario describes periodic spikes that may not follow a strict schedule, making it inflexible and potentially wasteful or insufficient. Option C is wrong because target tracking scaling, while more sophisticated than simple scaling, is still reactive—it maintains a target metric (e.g., average CPU) but does not proactively forecast demand, so it cannot eliminate latency during sudden spikes.

384
MCQ · easy

A company is using AWS Config to evaluate resource compliance. They want to receive notifications when a noncompliant resource is detected. Which AWS service should be used to send these notifications to an email endpoint?

A. Amazon Simple Queue Service (SQS)
B. Amazon Simple Notification Service (SNS)
C. Amazon CloudWatch Events
D. AWS Lambda
Answer: B

SNS can send email notifications directly.

Why this answer

Option B is correct because Amazon SNS can send email notifications when triggered by AWS Config rules. Option A is wrong because SQS is a queue, not for direct email. Option D is wrong because Lambda can process notifications but cannot directly send email to multiple recipients without SNS.

Option C is wrong because CloudWatch Events can trigger actions but not directly send email.

385
MCQ · hard

A company has a serverless application using AWS Lambda functions that process messages from an Amazon SQS queue. The queue receives a burst of messages daily. The Lambda function sometimes times out, causing messages to return to the queue and be reprocessed. How can the company improve the application to handle the burst without reprocessing failures?

A. Reduce the batch size in the Lambda event source mapping.
B. Increase the Lambda function's reserved concurrency and timeout.
C. Increase the SQS visibility timeout to 6 minutes.
D. Configure a dead-letter queue for the SQS queue.
Answer: B

More concurrency handles the burst; longer timeout prevents premature failures.

Why this answer

Option B is correct because increasing the reserved concurrency ensures Lambda can scale to handle the burst, and the longer timeout prevents premature failures. Option C is wrong because increasing the visibility timeout does not address the function timeout. Option D is wrong because a DLQ is for failed messages after retries, not for avoiding reprocessing.

Option A is wrong because reducing the batch size may increase timeouts.

386
MCQ · hard

A company runs a critical application on Amazon ECS Fargate. The application uses an Application Load Balancer as the front end. Recently, the application experienced a spike in traffic, and many tasks were marked as unhealthy and replaced. The team wants to improve resilience to traffic spikes without over-provisioning. What should the team do?

A. Use a step scaling policy with a lower scale-out threshold and a larger adjustment
B. Increase the task memory allocation to improve performance
C. Increase the health check interval to reduce the number of tasks marked unhealthy
D. Use a target tracking scaling policy with a higher target value
Answer: A

Step scaling can add more tasks faster when CPU exceeds thresholds.

Why this answer

Option A is correct because step scaling policies respond more aggressively to larger deviations, helping to add capacity faster. Option B (increase memory) does not directly affect scaling. Option C (increase health check interval) would slow detection of unhealthy tasks.

Option D (use target tracking) is reactive and may not handle spikes well.

387
MCQ · hard

A company uses AWS CodePipeline to automate deployments of a microservices application to Amazon ECS. The pipeline builds a Docker image, pushes it to Amazon ECR, and updates the ECS service. Recently, deployments have failed because insufficient IAM permissions cause the pipeline to fail when updating the ECS service. The development team wants to implement least privilege permissions. Which IAM policy statement should be added to the CodePipeline service role to allow it to update the ECS service?

A. {"Effect":"Allow","Action":["ecs:UpdateService"],"Resource":"*"}
B. {"Effect":"Allow","Action":["ecr:PutImage"],"Resource":"*"}
C. {"Effect":"Allow","Action":["ecs:RunTask"],"Resource":"*"}
D. {"Effect":"Allow","Action":["ecs:RegisterTaskDefinition"],"Resource":"*"}
Answer: A

UpdateService is the action needed to update the ECS service.

Why this answer

Option A is correct because the CodePipeline service role needs the ecs:UpdateService permission to trigger an ECS service update after a new Docker image is pushed to Amazon ECR. This action allows the pipeline to instruct ECS to redeploy the service using the updated task definition, which is the specific step that was failing due to insufficient permissions. The resource wildcard is acceptable here because the pipeline role is scoped by the pipeline's own trust policy and resource-based policies on the ECS service.

Exam trap

The trap here is that candidates confuse the permissions needed for different stages of the pipeline (e.g., pushing to ECR or registering a task definition) with the specific permission required to update the ECS service, leading them to select options that are valid for other actions but not for the failing step.

How to eliminate wrong answers

Option B is wrong because ecr:PutImage is used to push Docker images to an ECR repository, which is typically performed by the build stage (e.g., CodeBuild) rather than the CodePipeline service role that updates the ECS service. Option C is wrong because ecs:RunTask is used to run standalone tasks, not to update an existing ECS service; updating a service requires ecs:UpdateService. Option D is wrong because ecs:RegisterTaskDefinition is used to create a new task definition revision, which is usually done by the build or deploy stage, not by the pipeline service role when updating the service itself.

388
Multi-Select · medium

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The application experiences high traffic during business hours and low traffic at night. The company wants to automatically scale the instances based on CPU utilization. Which TWO steps are required to achieve this?

Select 2 answers
A. Configure a scheduled scaling policy to add instances during business hours.
B. Replace the ALB with a Network Load Balancer for better performance.
C. Create a dynamic scaling policy based on the average CPU utilization metric.
D. Create an Auto Scaling group and associate it with the ALB.
E. Create a CloudWatch alarm that sends an email when CPU exceeds 80%.
Answers: C, D

Scales based on CPU.

Why this answer

Options C and D are correct. An Auto Scaling group is needed to manage the instances, and a scaling policy based on CPU utilization is needed. Option A is wrong because a scheduled scaling policy is based on time, not CPU.

Option B is wrong because a Network Load Balancer is not required. Option E is wrong because a CloudWatch alarm is part of the scaling policy but not the primary requirement; the policy itself is needed.

389
MCQ · medium

A company runs a stateless web application on AWS Elastic Beanstalk. The application experiences periodic spikes in traffic that cause CPU utilization to reach 90% on the EC2 instances. The company wants to automatically scale the environment based on CPU usage. They also want to ensure that the scaling is proactive and can handle sudden traffic surges. What should they do?

A. Configure a simple scaling policy based on CPU utilization with a cooldown period.
B. Configure a predictive scaling policy using AWS Auto Scaling.
C. Manually increase the instance count when traffic spikes are expected.
D. Use scheduled scaling to add instances during known peak times.
Answer: B

Predictive scaling uses historical data to forecast and proactively add capacity before spikes.

Why this answer

Option B is correct. Using a predictive scaling policy with Elastic Beanstalk allows proactive scaling based on historical patterns. Option A: simple scaling policies react to alarms but may lag.

Option D: scheduled scaling is for predictable patterns, not sudden surges. Option C: manual scaling is not automated.

390
Multi-Select · hard

A company is migrating a legacy application to AWS. The application requires a relational database with high I/O and low latency. The database size is 2 TB and growing. The Solutions Architect must choose a storage solution that provides the best price-performance. Which TWO solutions meet these requirements?

Select 2 answers
A. Use Amazon Aurora with I/O-Optimized cluster configuration.
B. Use Amazon RDS with Provisioned IOPS (io2) volumes.
C. Use Amazon DynamoDB with provisioned capacity.
D. Use Amazon Redshift with dense compute nodes.
E. Use Amazon RDS with gp3 storage.
Answers: A, B

Aurora I/O-Optimized is cost-effective for high I/O.

Why this answer

Options A and B are correct: RDS with Provisioned IOPS provides consistent low latency, and Aurora with I/O-Optimized provides high I/O at lower cost for high I/O workloads. Option E is wrong because gp3 is general purpose, not best for high I/O. Option C is wrong because DynamoDB is NoSQL.

Option D is wrong because Redshift is for analytics.

391
MCQ · medium

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB) in a production AWS account. Recently, the application has experienced intermittent timeouts. The operations team notices that the CPU utilization of the instances spikes to 100% for a few minutes during the timeouts. The Auto Scaling group is configured with a target tracking scaling policy based on average CPU utilization at 70%. What should a solutions architect do to improve the application's availability and reduce timeouts?

A. Increase the ALB idle timeout to 120 seconds.
B. Add a step scaling policy to scale out by 2 instances when CPU exceeds 80% for 1 minute.
C. Enable cross-zone load balancing on the ALB.
D. Reduce the target tracking scaling threshold to 50% average CPU.
Answer: B

Step scaling can add capacity quickly in response to high CPU, reducing timeouts.

Why this answer

Option B is correct because adding a step scaling policy that triggers at 80% CPU for 1 minute provides a faster, more aggressive scale-out response than the existing target tracking policy alone. This helps preempt the CPU spikes that reach 100% and cause timeouts, improving application availability by adding capacity before performance degrades.

Exam trap

The trap here is that candidates assume reducing the target tracking threshold (Option D) is sufficient, but they overlook that target tracking cannot react quickly enough to sudden spikes, whereas a step scaling policy provides the immediate, aggressive scale-out needed to prevent 100% CPU utilization and timeouts.

How to eliminate wrong answers

Option A is wrong because increasing the ALB idle timeout to 120 seconds does not address the root cause of CPU spikes; it only keeps connections open longer, which can mask timeouts but does not prevent them. Option C is wrong because cross-zone load balancing is already enabled by default on ALBs and does not affect CPU utilization or scaling behavior. Option D is wrong because reducing the target tracking threshold to 50% average CPU would cause the Auto Scaling group to maintain a lower average utilization, but it does not provide the rapid, proactive scaling needed to handle sudden spikes that reach 100% CPU.

392
MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer. Users report intermittent slowdowns. CloudWatch metrics show high CPU utilization on the instances. The company wants to improve performance with minimal architectural changes. What should a solutions architect do?

A. Use Amazon ElastiCache to offload database queries.
B. Configure an Auto Scaling group with a dynamic scaling policy based on CPU utilization.
C. Replace the EC2 instances with a larger instance type.
D. Enable Amazon CloudFront in front of the ALB to cache content.
Answer: B

Auto Scaling adds instances during high demand, distributing load and reducing CPU per instance.

Why this answer

Option B is correct because Auto Scaling with a dynamic scaling policy based on CPU utilization automatically adjusts capacity to handle load spikes. Option C is wrong because vertical scaling (larger instances) has an upper limit and may cause downtime during resizing. Option D is wrong because CloudFront caches content but doesn't reduce CPU load from dynamic requests.

Option A is wrong because ElastiCache adds a caching layer but may not address CPU bottlenecks from compute-intensive operations.

393
MCQ · medium

A company's AWS CloudTrail logs are stored in an S3 bucket. A Solutions Architect needs to analyze the logs to identify API calls that created or modified IAM roles in the last 30 days. What is the MOST efficient way to perform this analysis?

A. Use Amazon CloudWatch Logs Insights to query the logs.
B. Use Amazon Athena to run SQL queries on the logs.
C. Use an AWS Lambda function to process the logs and export to Amazon Redshift.
D. Use S3 Select to filter the records.
Answer: B

Athena can directly query CloudTrail logs in S3 using SQL, making it efficient for this analysis.

Why this answer

Option B is correct because Amazon Athena can query CloudTrail logs stored in S3 using SQL, allowing efficient analysis without moving data. Option A is wrong because CloudWatch Logs Insights is for CloudWatch Logs, not S3. Option D is wrong because S3 Select can filter objects but is not designed for complex queries across multiple objects.

Option C is wrong because processing the logs with Lambda and exporting them to Redshift is unnecessary and adds complexity.

394
MCQ · medium

A company runs a stateful application on EC2 instances in an Auto Scaling group behind a Network Load Balancer (NLB). The application requires that client sessions are maintained to the same instance. The operations team notices that after scaling events, some clients lose their sessions. Which configuration change should the team implement to ensure session persistence?

A. Disable cross-zone load balancing on the NLB.
B. Enable cookie-based stickiness on the NLB listener.
C. Switch to an Application Load Balancer and enable cookie-based stickiness.
D. Enable source IP stickiness on the NLB target group.
Answer: D

NLB target groups support source IP stickiness for stateful applications.

Why this answer

Option D is correct because NLB supports target group stickiness based on the source IP address, which is the appropriate method for stateful applications. Option C is wrong because replacing the NLB with an ALB is unnecessary when the existing NLB can be configured. Option B is wrong because the NLB listener itself does not support cookie-based stickiness; that is an ALB feature.

Option A is wrong because disabling cross-zone load balancing does not ensure stickiness.

395
MCQ · medium

A company applies the above IAM policy to an S3 bucket. An IAM user attempts to upload an object without specifying encryption. Will the upload succeed?

A. Yes, because the user can override the policy with s3:PutObjectAcl.
B. Yes, because the bucket has default encryption enabled.
C. No, because the user needs additional permissions.
D. No, because the policy denies the request.
Answer: D

The policy explicitly denies PutObject without AES256 encryption.

Why this answer

Option D is correct because the policy denies PutObject if encryption is not AES256. Since no encryption header is specified, the condition matches (StringNotEquals is true because the header is absent), so the request is denied. Option B is wrong because even though bucket default encryption might apply, the policy evaluation happens before the default encryption is applied.

Options A and C are incorrect.

396
Multi-Select · hard

A company is migrating a monolithic application to microservices on Amazon ECS. They want to implement a service mesh for observability and traffic management. Which THREE AWS services should they consider?

Select 3 answers
A. Amazon Route 53
B. AWS X-Ray
C. Amazon CloudWatch
D. AWS App Mesh
E. AWS Step Functions
Answers: B, C, D

X-Ray provides distributed tracing.

Why this answer

Options B, C, and D are correct. AWS App Mesh is a service mesh that provides observability and traffic management. AWS X-Ray provides tracing for microservices.

Amazon CloudWatch provides monitoring and logs. Option E is wrong because AWS Step Functions is for orchestrating workflows, not a service mesh. Option A is wrong because Amazon Route 53 is DNS, not a service mesh.

397
MCQ · easy

A company uses AWS CodePipeline for CI/CD. The deployment stage uses AWS CodeDeploy to deploy to EC2 instances. The team wants to automatically test the application after deployment and roll back if tests fail. Which approach should the team use?

A. Create a separate CodePipeline for testing and use a cross-pipeline trigger to initiate rollback.
B. Add a manual approval step after deployment to run tests manually.
C. Use a CloudWatch alarm to monitor test results and trigger a rollback.
D. Add a test stage in CodePipeline after the deployment stage and configure CodeDeploy to automatically roll back on pipeline failure.
Answer: D

CodePipeline can automatically roll back on stage failure.

Why this answer

Option D is correct because CodePipeline can have a test stage after deployment, and CodeDeploy can trigger a rollback if the test stage fails. Option B is wrong because manual testing is not automatic. Option C is wrong because CloudWatch alarms are not for test results.

Option A is wrong because a separate pipeline adds complexity.

398
MCQ · easy

A company uses Amazon RDS for PostgreSQL and needs to apply a minor version upgrade. They want to minimize downtime. Which approach should they use?

A. Apply the upgrade during the maintenance window
B. Create a read replica, upgrade it, and promote it
C. Use a Multi-AZ deployment and apply the upgrade
D. Modify the DB parameter group to set the version
Answer: C

Multi-AZ allows rolling upgrade with minimal downtime.

Why this answer

Option C is correct because Multi-AZ deployments can be upgraded with minimal downtime as the standby is upgraded first, then failover occurs. Option A is wrong because upgrades always require some downtime unless Multi-AZ. Option B is wrong because creating a read replica and promoting it is a manual process that can cause data loss if not careful.

Option D is wrong because modifying the DB parameter group does not upgrade the version.

399
Multi-Select · medium

A company runs a web application on EC2 instances in an Auto Scaling group. The application stores session data in an Amazon ElastiCache for Redis cluster. The operations team reports that after scaling events, users lose their sessions. Which TWO actions should the Solutions Architect take to resolve this issue?

Select 2 answers
A. Use a Network Load Balancer instead of an Application Load Balancer.
B. Enable sticky sessions (session affinity) on the Application Load Balancer.
C. Move session data storage from ElastiCache to an external store that persists across instance termination.
D. Store session data in Amazon DynamoDB.
E. Enable replication in the ElastiCache cluster to handle failover.
Answers: B, C

Sticky sessions route user to same instance.

Why this answer

Options B and C are correct: sticky sessions ensure requests from a user go to the same instance, and placing ElastiCache outside the ASG ensures it persists. Option E is unnecessary because Redis replication does not address session loss during scaling. Option A is wrong because switching to an NLB does not help; session stickiness at the ALB is already implied but is not sufficient without a persistent cache.

Option D is wrong because DynamoDB is not necessary.

400
Multi-Select · medium

A company is running a critical application on Amazon EC2 instances in an Auto Scaling group. The application stores data on an Amazon EBS volume. To improve recovery time in the event of an AZ failure, which TWO actions should the company take? (Choose two.)

Select 2 answers
A. Create an Amazon Machine Image (AMI) from the instance.
B. Use EBS multi-attach to attach the volume to instances in another AZ.
C. Copy the EBS volume to another AZ using the AWS Management Console.
D. Take regular EBS snapshots and copy them to another region.
E. Configure the Auto Scaling group to launch instances in multiple AZs.
Answers: A, D

AMI can be used to launch instances in another AZ.

Why this answer

Options A and D are correct. Option A: using an AMI from the instance ensures a quick launch in another AZ. Option D: EBS snapshots can be used to create volumes in another AZ.

Option C is wrong because EBS volumes are AZ-specific. Option E is wrong because EC2 instances are AZ-specific. Option B is wrong because EBS multi-attach is for specific use cases, not AZ recovery.

401
MCQ · hard

A company is migrating a legacy application to AWS. The application requires a fixed IP address for whitelisting by a third-party service. The application will run on EC2 instances behind an Application Load Balancer. The company needs a solution that provides a static IP address for outbound traffic. What should a solutions architect do?

A.Replace the ALB with a Network Load Balancer and assign Elastic IPs.
B.Assign an Elastic IP address to the Application Load Balancer.
C.Place the EC2 instances in a private subnet and route outbound traffic through a NAT Gateway with an Elastic IP.
D.Attach an Internet Gateway to the VPC and assign an Elastic IP to it.
AnswerC

NAT Gateway with Elastic IP provides a static source IP for outbound traffic.

Why this answer

Option D is correct because a NAT Gateway in a public subnet with an Elastic IP provides a static IP for outbound traffic from private instances. Option A is wrong because ALBs do not have Elastic IPs; they use dynamic IPs. Option B is wrong while an NLB can have static IPs, it is for inbound traffic, not outbound.

Option C is wrong because an Internet Gateway does not provide a static IP; it is a routing target.

402
MCQ · medium

A company is running a web application on Amazon EC2 instances behind an Application Load Balancer. The application experiences high latency during peak hours. The company wants to improve performance by enabling HTTP/2. What is the simplest way to achieve this?

A. Configure the EC2 instances to support HTTP/2.
B. Place an Amazon CloudFront distribution in front of the ALB and enable HTTP/2.
C. Enable HTTP/2 on the Application Load Balancer's HTTPS listener.
D. Upgrade the load balancer to a Network Load Balancer.
Answer: C

ALB supports HTTP/2 directly.

Why this answer

Option C is correct because ALB natively supports HTTP/2, and it can be enabled in the listener settings. Option B is wrong because CloudFront with HTTP/2 is more complex than enabling it directly on the ALB. Option D is wrong because a Network Load Balancer does not support HTTP/2.

Option A is wrong because configuring the EC2 instances directly does not improve latency at the load balancer level.

403
MCQ · hard

A company uses AWS CodeBuild to run unit tests. The build process is taking longer than expected. The buildspec.yml file includes a pre-build phase that downloads dependencies from a public repository. What is the most effective way to reduce build time?

A. Configure the build project to use an S3 cache for dependencies.
B. Run the build in parallel across multiple build projects.
C. Increase the compute type of the build environment to use more vCPUs.
D. Reduce the build timeout setting to force faster execution.
Answer: A

Caching eliminates repeated downloads.

Why this answer

Option A is correct because caching dependencies in S3 avoids re-downloading them on each build. Option B is wrong because parallel builds are for multiple builds, not a single build. Option C is wrong because increasing compute resources may not help if the bottleneck is network bandwidth.

Option D is wrong because CodeBuild's build timeout setting does not reduce build time; it is a limit.

404
MCQ · hard

A company uses AWS CloudFormation to deploy infrastructure. The team wants to ensure that all resources are tagged with a CostCenter tag. They want to automatically remediate any stack that creates resources without the required tag. Which approach is MOST effective?

A. Create a Lambda function that tags resources after creation.
B. Use IAM policies to require tagging on all resource creation.
C. Use a CloudFormation stack policy with a deny effect for resource creation without tags.
D. Use an AWS Config rule with auto-remediation via SSM Automation.
Answer: C

Stack policies can be applied to CloudFormation stacks to enforce tagging.

Why this answer

Option C is correct because CloudFormation stack policies can enforce tagging at the stack level by denying creation of resources without tags. Option B is wrong because resource-level permissions would require modifying each service's policy. Option D is wrong because AWS Config rules can detect non-compliance but may not automatically remediate without additional setup.

Option A is wrong because a Lambda function would be reactive and may have a delay.

405
Multi-Select · medium

A company uses an Amazon RDS for MySQL DB instance. The database is experiencing high read latency. The team wants to improve read performance with minimal application changes. Which TWO actions should the team take? (Choose two.)

Select 2 answers
A. Create one or more read replicas and direct read queries to them.
B. Enable Multi-AZ deployment for failover support.
C. Migrate the database to Amazon Aurora.
D. Increase the max_connections parameter.
E. Increase the DB instance size (e.g., from db.r5.large to db.r5.xlarge).
Answers: A, E

Read replicas offload read traffic, reducing latency.

Why this answer

Options A and E are correct. Option A: read replicas offload read traffic from the primary instance, reducing latency. Option E: increasing the instance size (e.g., moving to a larger instance class) can improve I/O performance.

Option B is wrong because Multi-AZ is for high availability, not read performance. Option C is wrong because switching to Aurora is a major change and may not be minimal. Option D is wrong because increasing max_connections does not improve read latency.

406
MCQ · easy

A company is using Amazon S3 to store critical data. The security team requires that all data at rest be encrypted using AWS KMS with automatic rotation of the customer master key (CMK) every year. What should a solutions architect do to meet this requirement?

A. Use SSE-S3 (Amazon S3-managed keys) and rely on S3's automatic key rotation.
B. Enable S3 default encryption with AWS KMS and enable automatic rotation of the KMS key.
C. Use SSE-C (customer-provided keys) and manage key rotation manually.
D. Use client-side encryption with a KMS CMK and upload the encrypted data.
Answer: B

This ensures all objects are encrypted at rest with a rotating KMS key.

Why this answer

Option B is correct because using S3 default encryption with an AWS KMS CMK and enabling automatic key rotation meets the requirement. Option A is wrong because SSE-S3 uses Amazon S3-managed keys, not KMS. Option C is wrong because SSE-C uses customer-provided keys, not KMS.

Option D is wrong because client-side encryption does not use S3 server-side encryption.

407
MCQ · hard

A company uses an AWS CodePipeline to deploy a serverless application. The pipeline includes a build stage that runs on AWS CodeBuild and a deploy stage that updates an AWS Lambda function. The company wants to add a manual approval step before the deploy stage. What is the most efficient way to implement this?

A. Add an AWS Lambda function that sends an email for approval.
B. Use an AWS CloudFormation stack with a wait condition.
C. Configure an Amazon SNS topic to notify approvers.
D. Add a manual approval action in the CodePipeline stage before deploy.
Answer: D

CodePipeline supports manual approval actions.

Why this answer

Option D is correct because CodePipeline has a built-in approval action that can be added to the pipeline. Option A is wrong because using a Lambda function for approval is unnecessary. Option C is wrong because SNS alone does not provide approval.

Option B is wrong because CloudFormation is not needed for a simple approval step.

408
MCQ · hard

A company has a web application behind an Application Load Balancer that uses sticky sessions. The application is deployed on EC2 instances in an Auto Scaling group. During a deployment, the team notices that users are experiencing errors after new instances are launched. What is the MOST likely cause?

A. The target group's deregistration delay is too short.
B. The stickiness duration is set too long, causing requests to be routed to terminated instances.
C. The Auto Scaling group's scale-in policy is terminating instances with active sessions.
D. The ALB health check is not configured for the new instances.
Answer: C

Stickiness ties sessions to instances; if an instance is terminated, users lose session data. The correct fix is to externalize session state.

Why this answer

Option A is correct because stickiness binds users to specific instances; new instances don't have session data, causing errors. Option B is wrong because deregistration delay helps drain connections. Option C is wrong because health checks would detect unhealthy instances.

Option D is wrong because scaling policies don't affect session stickiness.

409
MCQ · easy

A company uses AWS Lambda functions to process messages from an Amazon SQS queue. The Lambda function is CPU-bound and takes close to the 15-minute timeout. The operations team notices that the function sometimes times out during peak hours. What is the SIMPLEST way to improve the function's performance?

A. Increase the reserved concurrency of the Lambda function.
B. Increase the batch size in the SQS event source mapping.
C. Use a Lambda function URL instead of SQS invocation.
D. Increase the memory (and CPU) allocation for the Lambda function.
E. Migrate the Lambda function to run on Amazon ECS with Fargate using a larger task size.
Answer: D

Lambda allocates CPU proportionally to memory, so more memory speeds up CPU-bound tasks.

Why this answer

Option D is correct because increasing the Lambda function's memory also increases its CPU allocation, which can speed up processing. Option A is wrong because reserved concurrency does not affect per-invocation performance; a concurrency limit reduces parallelism and can make timeouts worse. Option B is wrong because increasing the batch size may cause the function to process more messages per invocation, increasing the chance of a timeout.

Option E is wrong because using a larger instance type is not applicable to Lambda.

410
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to securely access an Amazon S3 bucket. The company wants to follow the principle of least privilege. What should a solutions architect recommend?

A. Define an IAM task role with S3 access policies and reference it in the ECS task definition.
B. Attach an IAM role to the underlying EC2 instance.
C. Assign an IAM role to the ECS service using the ECS service-linked role.
D. Store AWS credentials in the container environment variables.
Answer: A

The task role grants permissions to the container application.

Why this answer

Option A is correct because an IAM task role is the recommended mechanism for granting least-privilege permissions to ECS tasks using the Fargate launch type. The task role is defined in the ECS task definition and assumed by the container runtime, allowing the application to securely access the S3 bucket without embedding credentials. This approach follows AWS best practices by scoping permissions to the specific task rather than the underlying infrastructure.

Exam trap

The trap here is that candidates may confuse the ECS service-linked role (used for ECS service management) with the IAM task role (used for granting permissions to the containerized application), or incorrectly assume that Fargate tasks require an underlying EC2 instance role.

How to eliminate wrong answers

Option B is wrong because Fargate does not use underlying EC2 instances; the infrastructure is fully managed by AWS, so attaching an IAM role to an EC2 instance is irrelevant and violates the principle of least privilege by granting permissions to all tasks on that instance. Option C is wrong because the ECS service-linked role (AWSServiceRoleForECS) is used by the ECS service itself to manage resources, not by the containers to access S3; assigning it to the service does not grant permissions to the application code. Option D is wrong because storing AWS credentials in container environment variables is insecure, violates the principle of least privilege, and is unnecessary when IAM task roles provide automatic credential rotation via the AWS STS endpoint.

411
MCQ · medium

A company is running a stateful web application on Amazon EC2 instances in an Auto Scaling group. The instances store session data in an Amazon ElastiCache for Redis cluster. The company wants to improve the application's fault tolerance and ensure that session data is not lost if an Availability Zone fails. What should the solutions architect do?

A. Enable Cluster Mode on the ElastiCache for Redis cluster and configure Multi-AZ.
B. Configure the ElastiCache for Redis cluster to have multiple read replicas in the same region.
C. Increase the instance size of the EC2 instances to handle more load.
D. Migrate from ElastiCache for Redis to ElastiCache for Memcached.
Answer: A

Cluster Mode with Multi-AZ provides replication and automatic failover across AZs, protecting against AZ failure.

Why this answer

Option A is correct because ElastiCache for Redis with Cluster Mode enabled automatically shards data across multiple nodes and provides Multi-AZ with automatic failover, ensuring high availability and data durability. Option C is wrong because increasing the instance size does not protect against AZ failure. A single-node cluster has no replication; if the node fails, data is lost.

Option D is wrong because ElastiCache for Memcached does not support persistence or replication; data is lost on node failure.

412
MCQ · easy

A company runs a batch processing job on Amazon EC2 instances that are part of an Auto Scaling group. The job runs every night and takes approximately 2 hours. The instances are launched using a launch template with a Spot Instance request. Recently, the job has been failing because Spot Instances are being reclaimed before the job completes. The company wants a cost-effective solution that ensures the job completes reliably. The job can handle interruptions by checkpointing. Which solution should the company implement?

A. Increase the instance size to complete the job faster.
B. Use a mixed instances policy with a percentage of On-Demand Instances as a fallback.
C. Switch to On-Demand Instances only.
D. Use Reserved Instances for the batch job.
Answer: B

This balances cost and reliability, with checkpointing handling interruptions.

Why this answer

Using Spot Instances with a termination notice and checkpointing allows the job to save progress and resume if interrupted. A mixed instances policy can use On-Demand Instances as a fallback.

413
Multi-Select · hard

A company is using AWS CodePipeline to deploy a web application. The pipeline includes a build stage and a deploy stage. The company wants to add a test stage that runs automated integration tests after the build stage and before the deploy stage. Which THREE actions should the company take? (Choose three.)

Select 3 answers
A. Configure AWS CodeBuild to run the integration tests as part of the test stage.
B. Use AWS CloudFormation to create a test environment.
C. Add a test stage in the CodePipeline between build and deploy.
D. Use an AWS Lambda function to run the integration tests.
E. Set up a manual approval step after the test stage.
Answers: A, C, E

CodeBuild can run test scripts.

Why this answer

Options A, C, and E are correct. Option A: using CodeBuild for test execution. Option C: adding a test stage in CodePipeline.

Option E: adding a manual approval step for safety. Option B is wrong because CloudFormation is for infrastructure, not testing. Option D is wrong because Lambda is not suitable for running tests directly.

414
Multi-Select · easy

A company wants to implement a centralized logging solution for multiple AWS accounts. Which TWO services should be used together?

Select 2 answers
A. Amazon S3
B. AWS CloudTrail
C. Amazon RDS
D. Amazon Athena
E. AWS Config
Answers: A, D

S3 is a durable and cost-effective storage for logs.

Why this answer

Amazon S3 serves as a central log repository, and Amazon Athena allows querying logs directly in S3.

415
MCQ · easy

A company has a production AWS account with multiple VPCs connected via a transit gateway. The security team wants to centrally capture all VPC flow logs for analysis in Amazon Athena. What is the MOST cost-effective way to store the flow logs?

A. Publish VPC Flow Logs to an Amazon S3 bucket with S3 Intelligent-Tiering enabled.
B. Publish VPC Flow Logs to both CloudWatch Logs and S3 for redundancy.
C. Use Amazon Kinesis Data Firehose to stream flow logs to an S3 bucket.
D. Publish VPC Flow Logs to Amazon CloudWatch Logs and export them to S3 after 30 days.
Answer: A

S3 is cost-effective for log storage, and Intelligent-Tiering automatically moves data to lower-cost tiers.

Why this answer

Option A is correct because VPC Flow Logs can be published directly to S3, and using S3 Intelligent-Tiering optimizes costs for logs that may be accessed infrequently. Option C is wrong because Kinesis Data Firehose adds cost and complexity. Option D is wrong because CloudWatch Logs is more expensive for long-term storage.

Option B is wrong because it duplicates storage.

416
MCQ · easy

A company has deployed a web application on Amazon ECS with Fargate. The application needs to access an Amazon RDS database. The security team mandates that the database must not be publicly accessible. What is the best way to securely connect the ECS tasks to the RDS database?

A. Use a NAT gateway to route traffic from ECS tasks to RDS.
B. Attach an internet gateway to the VPC and route through it.
C. Enable public accessibility on the RDS instance and restrict access to the ECS task public IP.
D. Place the ECS tasks and RDS instance in the same VPC, and configure security groups to allow traffic on the database port.
Answer: D

This ensures traffic stays within the VPC.

Why this answer

Option D is correct because placing the ECS tasks and RDS in the same VPC allows private communication controlled by security groups. Option A is incorrect because a NAT gateway is for outbound internet access. Option C is incorrect because a public endpoint would violate the security requirement.

Option B is incorrect because an internet gateway is not needed for private communication.

417
Multi-Select · hard

A company runs a critical application on Amazon RDS for MySQL. They want to implement a disaster recovery (DR) strategy across AWS Regions with a Recovery Point Objective (RPO) of 1 second and Recovery Time Objective (RTO) of 1 minute. Which TWO strategies meet these requirements? (Choose TWO.)

Select 2 answers
A. Use Amazon RDS Multi-AZ deployment in the primary Region with a standby in another Region.
B. Take manual snapshots of the RDS instance every hour and copy them to another Region.
C. Use Amazon Aurora Global Database with a primary in one Region and a secondary in another Region.
D. Use AWS Database Migration Service (DMS) for continuous replication to another Region.
E. Configure cross-Region read replicas for RDS MySQL.
Answers: A, C

Multi-AZ with a cross-Region standby provides automatic failover with an RTO of 1-2 minutes and synchronous replication with an RPO of 1 second (for Aurora). Note: for RDS MySQL, cross-Region Multi-AZ is not supported, so Aurora Global Database is the correct service.

Why this answer

Option A is correct because a Global Database with a standby in another Region provides near-zero RPO and automatic failover. Option C is correct because a multi-Region Aurora Global Database also meets the RPO and RTO. Option E is wrong because cross-Region read replicas have an RTO > 1 minute (manual promotion).

Option B is wrong because its RTO is too long. Option D is wrong because its RPO is too high.

418
Multi-Select · easy

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all new accounts created through the organization automatically have a specific AWS Config rule enabled that requires S3 buckets to be encrypted. Which TWO actions should the team take?

Select 2 answers
A. Use AWS CloudFormation StackSets to deploy the Config rule to all accounts.
B. Create a Service Control Policy (SCP) that denies PutBucketEncryption actions.
C. Create a conformance pack in the management account and deploy it to the organization.
D. Create an AWS Config rule in the management account that applies to all accounts via AWS Organizations.
E. Enable AWS Config in every account of the organization.
Answers: C, E

Conformance packs can be deployed to all accounts, including new ones.

Why this answer

Options C and E are correct. Option E (enable AWS Config in all accounts) is necessary for rules to work. Option C (use a conformance pack deployed to the organization) automatically applies rules to all accounts.

Option B (Service Control Policy) can deny non-encrypted buckets but does not enable the Config rule. Option A (AWS CloudFormation StackSets) can deploy Config rules but requires manual setup per account. Option D (organization Config rule) is not a feature; Config rules are per account.

419
MCQ · hard

A media company runs a video processing pipeline on AWS. Videos are uploaded to an S3 bucket (input-bucket), which triggers an AWS Lambda function that starts an AWS Glue job. The Glue job processes the video metadata and stores results in a DynamoDB table. Then, a second Lambda function triggers an Amazon ECS Fargate task to transcode the video into multiple formats. The transcoded videos are stored in another S3 bucket (output-bucket). Recently, the company started receiving complaints about delays in video availability. The operations team notices that CloudWatch Logs show no errors, but the ECS tasks often take longer than expected. They also see that the DynamoDB table has a high number of throttled write events. The video upload rate has increased by 50% in the last month. The team needs to improve the pipeline's performance and reduce delays. What should they do?

A. Enable DynamoDB auto scaling on the table with a target utilization of 70%.
B. Increase the Lambda function timeout for both functions to 15 minutes.
C. Introduce an Amazon SQS queue between the second Lambda and ECS to buffer requests.
D. Set reserved concurrency on the first Lambda function to 10 to control throttling.
Answer: A

Auto scaling will dynamically adjust write capacity to handle increased traffic, reducing throttling.

Why this answer

Option A is correct. The primary bottleneck is DynamoDB throttling due to the increased write load. Enabling DynamoDB auto scaling will adjust capacity dynamically to handle the increased traffic.

Option B: increasing the Lambda timeout does not address DynamoDB throttling. Option C: using SQS between Lambda and ECS helps decouple the stages, but the immediate issue is DynamoDB throttling. Option D: using reserved concurrency limits Lambda concurrency, which may worsen the problem.

420
MCQ · hard

A company uses AWS CodePipeline to deploy a web application to Amazon ECS. The deployment often fails because the ECS service's desired count is not met during the update. The company wants to implement a blue/green deployment with automated rollback on failure. What is the MOST effective approach?

A. Use CodePipeline with a Lambda function to swap target groups and monitor health.
B. Use CodeDeploy with an in-place deployment configuration and a manual approval step.
C. Use CodePipeline with ECS rolling update and CloudWatch alarms to trigger rollback.
D. Use CodePipeline with CodeDeploy to perform a blue/green deployment on ECS and configure automatic rollback.
Answer: D

CodeDeploy natively supports blue/green deployments on ECS with traffic shifting and automatic rollback based on CloudWatch alarms.

Why this answer

Option D is correct because CodeDeploy with ECS blue/green deployment provides built-in traffic shifting and automated rollback. Option A is wrong because it lacks traffic shifting. Option B is wrong because it does not support blue/green.

Option C is wrong because it lacks automated rollback.

421
MCQ · easy

A company is using AWS CloudFormation to deploy infrastructure. The security team requires that all Amazon S3 buckets created by CloudFormation must be encrypted at rest. What should a solutions architect do to enforce this requirement?

A. Enable default encryption on each bucket using SSE-S3.
B. Add an S3 bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header.
C. Require that all buckets use AWS KMS managed keys for encryption.
D. Use a CloudFormation stack policy to prevent modification of bucket encryption settings.
Answer: B

The bucket policy rejects unencrypted uploads.

Why this answer

Option B is correct because an S3 bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header enforces encryption at rest for all objects uploaded to the bucket. This policy condition works regardless of how the bucket is created, including via CloudFormation, and ensures that any PutObject operation without the required encryption header is rejected, meeting the security team's requirement.

Exam trap

The trap here is that candidates often confuse default encryption (which passively encrypts objects but does not enforce encryption) with a bucket policy that actively denies unencrypted uploads, leading them to choose Option A instead of the correct enforcement mechanism.

How to eliminate wrong answers

Option A is wrong because enabling default encryption on each bucket only applies encryption to objects that are uploaded without specifying encryption headers; it does not prevent unencrypted uploads, as a user could still override the default by explicitly omitting encryption headers. Option C is wrong because requiring AWS KMS managed keys is a specific encryption type, not a mechanism to enforce encryption; it does not block unencrypted uploads and may introduce additional cost and complexity without addressing the enforcement requirement. Option D is wrong because a CloudFormation stack policy prevents modifications to stack resources after deployment but does not enforce encryption on S3 buckets; it cannot block unencrypted PutObject requests at the bucket level.

422
MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent 503 errors. The ALB target group health checks are failing. Which step is MOST likely to resolve the issue?

A. Change the health check protocol from HTTP to HTTPS.
B. Use a Network Load Balancer instead of ALB.
C. Increase the number of instances in the target group.
D. Increase the health check timeout and decrease the unhealthy threshold.
Answer: D

This gives instances more time to respond and reduces sensitivity to transient failures.

Why this answer

Option D is correct because increasing the health check timeout can prevent false negatives due to transient delays. Option A is wrong because it does not address health check failures. Option B is wrong because it reduces the chance of healthy instances being marked unhealthy.

Option C is wrong because it does not change health check behavior.

423
MCQ · medium

A Solutions Architect runs the above AWS CLI command and gets the output shown. The instance is 'running' but the application is not accessible. What should the Solutions Architect check next?

A. Check if the instance is terminated.
B. Check if the instance ID is correct.
C. Check the instance status checks.
D. Check the security group rules for the instance.
Answer: D

Security groups act as a virtual firewall.

Why this answer

Option D is correct because security group rules control inbound traffic. Option A is wrong because the instance is running. Option C is wrong because the status checks show instance health, not network access.

Option B is wrong because the instance ID is correct.

424
MCQ · easy

A company stores sensitive data in Amazon S3. They need to ensure that data is encrypted at rest using a key managed by the company's on-premises hardware security module (HSM). Which S3 encryption option should they use?

A. Server-Side Encryption with Customer-Provided Keys (SSE-C).
B. Client-Side Encryption using the company's own encryption library.
C. Server-Side Encryption with AWS KMS (SSE-KMS).
D. Server-Side Encryption with S3-Managed Keys (SSE-S3).
Answer: B

Client-side encryption allows the company to encrypt data with their own key before uploading to S3.

Why this answer

Option B is correct because S3 client-side encryption allows the company to encrypt data before uploading, using their own key from the on-premises HSM. Option C is wrong because SSE-KMS uses AWS KMS, not the company's own HSM. Option D is wrong because SSE-S3 uses AWS-managed keys.

Option A is wrong because SSE-C uses a customer-provided key, but the key must be provided with each request and is not stored in an on-premises HSM.

425
MCQ · easy

A company uses AWS CloudFormation to deploy infrastructure. A recent change to a stack failed because an IAM role name already exists. The company wants to avoid this issue in the future. What should a solutions architect do?

A. Enable termination protection on the stack.
B. Use a DeletionPolicy of Retain on the IAM role resource.
C. Create a custom resource with an AWS Lambda function to generate a random role name.
D. Use the Fn::Sub function with a reference to the AWS::StackName in the IAM role name.
Answer: D

This ensures unique role names across stacks.

Why this answer

Option D is correct because using the Fn::Sub function with !Ref AWS::StackName makes the role name unique per stack. Option A is wrong because, while EnableTerminationProtection prevents accidental deletion, it does not help with naming conflicts. Option B is wrong because the AWS::IAM::Role resource does not have a DeletionPolicy attribute that recreates roles.

Option C is wrong because a custom resource with a Lambda function is overkill and adds complexity.

426
MCQ · easy

A company uses AWS CloudFormation to manage infrastructure as code. They have a production stack that includes an EC2 instance, an RDS database, and an S3 bucket. Recently, an engineer manually terminated the EC2 instance from the console. The CloudFormation stack status shows UPDATE_ROLLBACK_FAILED. The company wants to recover the stack to a consistent state. What should they do?

A. Manually recreate the EC2 instance with the same configuration, then tell CloudFormation to continue the update rollback.
B. Create a change set to update the stack to ignore the EC2 instance.
C. Update the stack with a new template that removes the EC2 instance.
D. Delete the stack and recreate it using a new template.
Answer: A

Fixing the drift allows CloudFormation to continue the rollback and reach a consistent state.

Why this answer

Option A is correct. Manually terminating a resource causes drift. You can manually fix the drift (e.g., recreate the instance) and then continue the update rollback.

Option B: creating a change set does not fix the rollback failure. Option C: updating the stack without fixing the drift may fail. Option D: deleting the stack loses all resources.

427
Multi-Select · hard

A company uses AWS Lambda to process messages from an Amazon SQS queue. The Lambda function is idempotent and processes each message in about 30 seconds. The SQS queue has a visibility timeout of 60 seconds. Recently, the team notices that the same messages are being processed multiple times. Which TWO actions should the team take to prevent duplicate processing?

Select 2 answers
A. Increase the SQS queue's visibility timeout to 6 minutes.
B. Set the Lambda function's reserved concurrency to 1.
C. Switch to a FIFO SQS queue and enable content-based deduplication.
D. Reduce the SQS batch size to 1.
E. Configure a dead-letter queue for the SQS queue.
Answers: A, C

A longer visibility timeout ensures messages are not reprocessed while they are being handled.

Why this answer

Options A and C are correct. Increasing the visibility timeout to 6 minutes prevents the message from becoming visible again before processing completes. Enabling a FIFO queue with deduplication ensures exactly-once processing.

Option B is wrong because Lambda does not support reserved concurrency for SQS triggers in a way that prevents duplicates. Option D is wrong because reducing the batch size does not prevent duplicates. Option E is wrong because a dead-letter queue handles failures, not duplicates.

428
MCQ · hard

A company has a multi-region architecture using DynamoDB global tables. They notice that write conflicts are occurring frequently between regions. What is the MOST likely cause and how should they resolve it?

A. The application is using strongly consistent reads.
B. The DynamoDB write capacity is insufficient.
C. The application is updating the same item in multiple regions concurrently, and the last-writer-wins conflict resolution is causing data loss.
D. The DynamoDB global tables are not properly configured with conflict resolution.
Answer: C

Concurrent updates cause conflicts; LWW may overwrite data.

Why this answer

Option C is correct because DynamoDB global tables use last-writer-wins (LWW) conflict resolution, and if the same item is updated in multiple regions concurrently, conflicts occur. Using conditional writes and application-level conflict resolution can help. Option A is wrong because strong consistency is not supported for global tables.

Option B is wrong because auto scaling does not affect conflicts. Option D is wrong because conflict resolution is automatic with LWW.
