Question 41 (Multi-answer)
You need to design a highly available architecture for an application that stores session state data. Which of the following AWS services can be used to store session state in a scalable and fault-tolerant way? (Choose TWO)
A. Amazon RDS Multi-AZ
B. Amazon DynamoDB
C. Amazon ElastiCache (Redis)
D. Amazon S3
E. Amazon EFS
Answer: B, C
Explanation:
- DynamoDB is a fully managed NoSQL database with single-digit millisecond latency and high availability.
- ElastiCache (Redis) supports fast, in-memory key-value storage ideal for session state.
- RDS Multi-AZ is relational and generally not preferred for fast session state management.
- S3 and EFS are not designed for fast, low-latency session state storage.
Reference: AWS Architecture Best Practices
Question 42
Which AWS service should be used to automatically detect security vulnerabilities and deviations in your EC2 instances?
A. AWS Inspector
B. AWS Trusted Advisor
C. AWS Config
D. AWS Shield
Answer: A
Explanation:
AWS Inspector performs automated security assessments of EC2 instances and identifies vulnerabilities.
Reference: AWS Inspector
Question 43 (Multi-answer)
A company wants to migrate a large on-premises data warehouse to AWS and needs to analyze petabytes of structured data efficiently. Which AWS services should be considered? (Choose TWO)
A. Amazon Redshift
B. Amazon Athena
C. Amazon RDS
D. Amazon DynamoDB
E. AWS Glue
Answer: A, E
Explanation:
- Amazon Redshift is a fully managed data warehouse ideal for petabyte-scale structured data.
- AWS Glue can be used to extract, transform, and load (ETL) data into Redshift.
- Athena is great for ad-hoc queries on S3 but less suited for large data warehouses.
Reference: Choosing a Data Warehouse
Question 44
Your company needs to provide users with temporary, limited access to upload files directly to an S3 bucket without exposing AWS credentials. What is the best approach?
A. Use pre-signed URLs for upload
B. Use IAM user credentials
C. Use bucket policies to allow public write access
D. Enable MFA delete on the bucket
Answer: A
Explanation:
Pre-signed URLs grant temporary, restricted access to perform specific S3 operations without sharing credentials.
Reference: Pre-signed URLs
Question 45 (Multi-answer)
You need to design a fault-tolerant and scalable microservices architecture. Which AWS services can help decouple components and ensure reliable message delivery? (Choose TWO)
A. Amazon SNS
B. Amazon SQS
C. AWS Lambda
D. Amazon EC2 Auto Scaling
E. AWS Elastic Beanstalk
Answer: A, B
Explanation:
- SNS provides pub/sub messaging for push-based communication.
- SQS provides message queuing for reliable, decoupled message handling.
- Lambda, Auto Scaling, and Elastic Beanstalk help with compute but not message decoupling.
Reference: Decoupling Microservices
Question 46
Which AWS feature allows centralized governance and policy enforcement across multiple AWS accounts?
A. AWS Organizations
B. AWS Config
C. AWS CloudTrail
D. AWS Systems Manager
Answer: A
Explanation:
AWS Organizations allows management of multiple AWS accounts under a single master account and policy enforcement.
Reference: AWS Organizations
Question 47
A company wants to track API calls made to AWS services for audit and compliance. Which service should be used?
A. AWS CloudTrail
B. Amazon CloudWatch
C. AWS Config
D. AWS Inspector
Answer: A
Explanation:
CloudTrail records AWS API calls and delivers log files for auditing.
Reference: AWS CloudTrail
Question 48 (Multi-answer)
A developer needs to deploy a serverless backend for a mobile app with minimal infrastructure management. Which AWS services could be used? (Choose TWO)
A. AWS Lambda
B. Amazon API Gateway
C. Amazon EC2
D. AWS Elastic Beanstalk
E. Amazon DynamoDB
Answer: A, B
Explanation:
Lambda runs code without servers; API Gateway provides RESTful API front-end for the Lambda functions.
Reference: Serverless Applications
Question 49
Your company needs a database with horizontal scaling that can handle millions of requests per second with low latency. Which AWS database service is best?
A. Amazon RDS
B. Amazon DynamoDB
C. Amazon Redshift
D. Amazon Aurora
Answer: B
Explanation:
DynamoDB is designed for massive scale and low-latency NoSQL workloads.
Reference: DynamoDB Overview
Question 50
Which AWS service is designed for long-term archival storage with retrieval times in hours?
A. Amazon S3 Standard
B. Amazon S3 Glacier
C. Amazon EBS
D. Amazon S3 Intelligent-Tiering
Answer: B
Explanation:
S3 Glacier provides durable, low-cost archival storage with retrieval times ranging from minutes to hours.
Reference: S3 Glacier
Question 51 (Multi-answer)
A company wants to implement multi-factor authentication (MFA) for all AWS users and protect sensitive API calls. Which AWS services/features help with this? (Choose TWO)
A. AWS IAM MFA enforcement
B. AWS CloudTrail logs
C. AWS Config rules
D. AWS Organizations Service Control Policies (SCPs)
E. AWS KMS
Answer: A, D
Explanation:
- IAM MFA enforcement requires MFA for console/API access.
- SCPs in Organizations can restrict or enforce MFA usage across accounts.
Reference: Enforcing MFA
Question 52
You need to design a web application that stores user-uploaded images and delivers them with low latency globally. Which services should you use?
A. Amazon S3 with Amazon CloudFront
B. Amazon EBS with Elastic Load Balancer
C. Amazon EFS with AWS Global Accelerator
D. Amazon RDS with Read Replicas
Answer: A
Explanation:
S3 stores objects durably; CloudFront caches content at edge locations globally.
Reference: CloudFront and S3
Question 53
An application uses Amazon RDS MySQL and needs automatic failover and minimal downtime. What should you configure?
A. Multi-AZ deployment
B. Read replicas
C. Snapshots
D. Manual backups
Answer: A
Explanation:
Multi-AZ deployments create synchronous standby replicas for automatic failover.
Reference: RDS Multi-AZ
Question 54 (Multi-answer)
A company is designing an IoT solution requiring ingestion, processing, and storage of device data. Which AWS services should be part of the architecture? (Choose TWO)
A. AWS IoT Core
B. Amazon Kinesis Data Firehose
C. AWS Lambda
D. Amazon ElastiCache
E. AWS Direct Connect
Answer: A, B
Explanation:
- AWS IoT Core securely connects and manages IoT devices.
- Kinesis Data Firehose delivers streaming data to destinations like S3 or Redshift.
Reference: AWS IoT Architecture
Question 55
Which AWS service can you use to perform serverless ETL (extract, transform, load) workflows?
A. AWS Glue
B. AWS Data Pipeline
C. Amazon EMR
D. AWS Lambda
Answer: A
Explanation:
AWS Glue is a fully managed serverless ETL service.
Reference: AWS Glue
Question 56
You want to control and limit which AWS services users can access, and restrict actions by time of day. Which AWS feature should be used?
A. IAM policies with condition keys
B. AWS Organizations
C. AWS Config
D. AWS CloudTrail
Answer: A
Explanation:
IAM policies support condition keys that allow time-based or attribute-based access control.
Reference: IAM Policy Elements
Question 57 (Multi-answer)
You want to deploy an application with containers in a managed environment with minimal infrastructure management. Which AWS services can be used? (Choose TWO)
A. Amazon ECS with Fargate
B. Amazon EKS
C. AWS Lambda
D. Amazon EC2
E. AWS Elastic Beanstalk
Answer: A, B
Explanation:
- ECS with Fargate runs containers serverlessly.
- EKS is a managed Kubernetes service.
- Elastic Beanstalk can deploy containers but is more general PaaS.
Reference: Amazon ECS vs EKS
Question 58
A company wants to monitor CPU utilization and disk I/O of EC2 instances and receive alerts when thresholds are exceeded. Which AWS service should be used?
A. Amazon CloudWatch
B. AWS CloudTrail
C. AWS Config
D. AWS Systems Manager
Answer: A
Explanation:
CloudWatch collects metrics and allows creation of alarms on thresholds.
Reference: Amazon CloudWatch
Question 59
Which AWS service is best suited for managing and rotating database credentials automatically?
A. AWS Secrets Manager
B. AWS Systems Manager Parameter Store
C. AWS KMS
D. AWS CloudHSM
Answer: A
Explanation:
Secrets Manager can store, rotate, and audit secrets like DB credentials.
Reference: AWS Secrets Manager
Question 60 (Multi-answer)
Which AWS services can help implement centralized logging and monitoring for a multi-account AWS environment? (Choose TWO)
A. Amazon CloudWatch Logs
B. AWS CloudTrail
C. AWS Config
D. AWS Organizations
E. AWS Control Tower
Answer: A, B
Explanation:
- CloudWatch Logs can aggregate logs from multiple accounts.
- CloudTrail collects API activity logs from all accounts.
Reference: Centralized Logging
Question 61
Your application is deployed on EC2 instances behind an ALB with HTTPS listener. You want to ensure the security of traffic between the ALB and instances. What should you do?
A. Use HTTP between ALB and instances
B. Use HTTPS between ALB and instances with certificates on EC2
C. Use TCP listener on ALB
D. Use ALB without encryption internally
Answer: B
Explanation:
Using HTTPS between ALB and instances encrypts traffic end-to-end.
Reference: ALB HTTPS
Question 62
Which AWS service can provide serverless event-driven workflows for coordinating distributed components and microservices?
A. AWS Step Functions
B. Amazon SNS
C. AWS Lambda
D. Amazon MQ
Answer: A
Explanation:
Step Functions coordinate distributed applications with workflows and state management.
Reference: AWS Step Functions
Question 63 (Multi-answer)
Which features or services should be used to protect a public-facing web application against SQL injection and cross-site scripting attacks? (Choose TWO)
A. AWS WAF
B. AWS Shield Standard
C. AWS Config
D. Amazon Inspector
E. AWS Shield Advanced
Answer: A, E
Explanation:
- AWS WAF can block common web exploits like SQL injection and XSS.
- Shield Advanced adds DDoS protections and integration with WAF.
Reference: AWS WAF
Question 64
Your company needs to optimize cost for a development environment that only runs during business hours. Which AWS service can help automate starting and stopping EC2 instances?
A. AWS Lambda with CloudWatch Events
B. AWS Systems Manager
C. AWS Trusted Advisor
D. AWS Config
Answer: A
Explanation:
Lambda functions triggered by CloudWatch Events can automate EC2 instance scheduling.
Reference: Automate EC2 Start/Stop
Question 65
A company requires a secure method to connect its on-premises data center with AWS with consistent performance and private connectivity. Which service should they choose?
A. AWS Direct Connect
B. AWS VPN
C. AWS Transit Gateway
D. AWS CloudFront
Answer: A
Explanation:
AWS Direct Connect provides dedicated, private network connectivity with consistent bandwidth.
Reference: AWS Direct Connect