Scenario Based MCQ Questions and Answers

Mastering Scenario Based is crucial for cloud certification success. This dedicated practice set features 506 Scenario Based MCQ questions and answers designed to mirror real exam scenarios across various AWS certifications.

📝 506 Questions⏱️ 90 min🎯 Pass: 70%

About Scenario Based Practice Questions

This detailed quiz focuses on Scenario Based, covering key concepts and scenarios often found in AWS exams.

  • Comprehensive coverage of Scenario Based features.
  • Scenario-based questions testing design and troubleshooting skills.
  • Detailed explanations to reinforce learning.

All 506 Scenario Based Questions

Browse through the complete list of questions and answers below. Use this resource to review specific concepts or check your understanding of Scenario Based.

1

You are building a photo-sharing application. You need a place to store millions of small JPEG files cheaply, and a way to automatically create a thumbnail when a new photo is uploaded. Which combination is best?

Amazon S3 and AWS Lambda
Amazon EBS and Amazon EC2
Amazon RDS and Amazon ElastiCache
Amazon Glacier and AWS Glue
View Explanation
✓ Correct Answer: Amazon S3 and AWS LambdaExplanation:S3 provides durable, low-cost object storage, and S3 events can trigger Lambda to process images.
2

An organization wants to move their on-premises Microsoft SQL Server database to AWS but wants to minimize the operational burden of patching and backups. What should they use?

Amazon RDS for SQL Server
Installing SQL Server on an Amazon EC2 instance
Amazon DynamoDB
Amazon Redshift
View Explanation
✓ Correct Answer: Amazon RDS for SQL ServerExplanation:RDS is a managed service that handles the 'undifferentiated heavy lifting' of database management.
3

A global company needs to ensure that their web application's users in Tokyo and New York experience the lowest possible latency for static assets (CSS/JS). What should they implement?

Amazon CloudFront
AWS Direct Connect in both cities
Increase the instance size of the web servers
Multi-Factor Authentication
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:CloudFront caches content at edge locations geographically closer to users.
4

An enterprise requires their AWS environment to be accessible only from their corporate office's IP address. Which VPC component is used to enforce this rule at the network level?

Security Groups and Network ACLs
AWS Shield
Internet Gateway
AWS Artifact
View Explanation
✓ Correct Answer: Security Groups and Network ACLsExplanation:Both SGs and NACLs can whitelist or blacklist specific CIDR ranges.
5

You need to run a high-performance computing (HPC) workload that requires high-speed, low-latency communication between EC2 instances. Which placement strategy should you choose?

Cluster Placement Group
Spread Placement Group
Partition Placement Group
Availability Zones
View Explanation
✓ Correct Answer: Cluster Placement GroupExplanation:Cluster placement groups keep instances physically close together on the same network substrate.
6

A healthcare startup needs to store patient records for 10 years to comply with regulations. The records are rarely accessed but must be available within a few hours if requested. What is the most cost-effective storage class?

S3 Glacier Flexible Retrieval
S3 Standard
Amazon EBS Cold HDD
Amazon S3 Intelligent-Tiering
View Explanation
✓ Correct Answer: S3 Glacier Flexible RetrievalExplanation:Glacier is designed for archival data with retrieval times that fit the 'few hours' requirement.
7

A university wants to provide virtual Linux desktops to its students so they can access educational software from their own laptops. Which AWS service is designed for this?

Amazon WorkSpaces
Amazon EC2
Amazon Connect
AWS Lambda
View Explanation
✓ Correct Answer: Amazon WorkSpacesExplanation:WorkSpaces provides a managed, secure Desktop-as-a-Service (DaaS).
8

To improve security, your team wants to rotate database passwords every 30 days automatically without manual intervention. Which service should you use?

AWS Secrets Manager
AWS Key Management Service (KMS)
AWS Identity and Access Management (IAM)
Amazon CloudWatch
View Explanation
✓ Correct Answer: AWS Secrets ManagerExplanation:Secrets Manager specializes in rotating, managing, and retrieving secrets like database credentials.
9

You are running a popular news website. During a major event, traffic spikes by 1,000%. How can you ensure the website remains available without paying for peak capacity 24/7?

Use EC2 Auto Scaling and Elastic Load Balancing
Buy more Reserved Instances
Manually add more servers when traffic increases
Move the website to a single large Dedicated Host
View Explanation
✓ Correct Answer: Use EC2 Auto Scaling and Elastic Load BalancingExplanation:Auto Scaling dynamically adjusts capacity based on load, while ELB balances that load.
10

A developer wants to quickly deploy a simple Node.js web application and have AWS manage the underlying capacity, load balancing, and health monitoring. Which service provides this 'Platform as a Service' experience?

AWS Elastic Beanstalk
AWS Lambda
Amazon EC2
AWS CodeDeploy
View Explanation
✓ Correct Answer: AWS Elastic BeanstalkExplanation:Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services.
11

Your company uses a mix of on-premises servers and AWS resources. You need a way to manage and patch all your servers from a single dashboard. Which service should you use?

AWS Systems Manager (SSM)
AWS CloudFormation
Amazon Route 53
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS Systems Manager (SSM)Explanation:SSM provides a unified user interface so you can view operational data from multiple AWS services and automate tasks on your resources.
12

An e-commerce site wants to analyze customer behavior by processing clickstream data in real-time and feeding it into an ML model. Which service should be used for the real-time data ingestion?

Amazon Kinesis Data Streams
Amazon S3
Amazon RDS
AWS Snowball
View Explanation
✓ Correct Answer: Amazon Kinesis Data StreamsExplanation:Kinesis is designed for high-throughput, real-time data streaming and processing.
13

You want to receive a notification whenever your AWS monthly bill exceeds $1,000. Which tool should you use to set this up?

AWS Budgets
AWS Cost Explorer
AWS Pricing Calculator
Amazon CloudWatch
View Explanation
✓ Correct Answer: AWS BudgetsExplanation:AWS Budgets allows you to set custom budgets that track your cost or usage and trigger alerts.
14

A company is planning a massive data migration of 100 Petabytes from their data center to AWS. Their internet connection is slow and unreliable. What physical device should they order from AWS?

AWS Snowmobile
AWS Snowball Edge
AWS Storage Gateway
A very long Ethernet cable
View Explanation
✓ Correct Answer: AWS SnowmobileExplanation:Snowmobile is an exabyte-scale data transfer service used to move massive volumes of data.
15

You are designing a high-availability architecture for a web app. You want to ensure that if one AWS data center (collection of facilities) fails, your application remains online. What should you use?

Deploying across multiple Availability Zones
Deploying across multiple AWS Regions
Using a bigger EC2 instance
Enabling MFA
View Explanation
✓ Correct Answer: Deploying across multiple Availability ZonesExplanation:AZs are physically separated data centers within a region, providing isolation from failures.
16

Which AWS whitepaper or framework provides best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud?

AWS Well-Architected Framework
AWS Cloud Adoption Framework
The AWS Service Level Agreement (SLA)
The AWS Shared Responsibility Model
View Explanation
✓ Correct Answer: AWS Well-Architected FrameworkExplanation:The Well-Architected Framework is the gold standard for cloud architecture guidance.
17

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Elastic Load Balancing (ELB)
Spread Placement Groups
Cluster Placement or Proximity Placement Groups
Amazon VPC peering
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
18

A developer needs a simple, easy-to-use virtual private server (VPS) with a fixed monthly price for a personal blog. Which AWS service is tailored for this?

Amazon Lightsail
Amazon EC2
AWS Lambda
Amazon S3
View Explanation
✓ Correct Answer: Amazon LightsailExplanation:Lightsail provides a simplified experience for launching and managing virtual servers.
19

Your security team wants to be alerted if any user in the AWS account attempts to disable CloudTrail logging. Which service should they use for this monitoring?

Amazon EventBridge and Amazon SNS
AWS Shield
Amazon Route 53
AWS Cost Explorer
View Explanation
✓ Correct Answer: Amazon EventBridge and Amazon SNSExplanation:EventBridge can detect the specific CloudTrail event (StopLogging) and trigger an SNS notification.
20

A company wants to build a recommendation engine for their users. They have no machine learning expertise. Which AWS AI service provides personalized recommendations out-of-the-box?

Amazon Personalize
Amazon Lex
Amazon SageMaker
Amazon Rekognition
View Explanation
✓ Correct Answer: Amazon PersonalizeExplanation:Amazon Personalize allows you to create private, customized personalization recommendations for your apps.
21

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

AWS Lambda
Amazon RDS
Amazon EC2
Amazon EKS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
22

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon EC2
Amazon RDS
Amazon DynamoDB
Amazon S3
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
23

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon EBS
Amazon RDS
Amazon EC2 running a web server
Amazon S3 configured for static website hosting
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
24

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon VPC
Amazon Route 53
Elastic Load Balancing (ELB)
Amazon CloudFront
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
25

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

Amazon VPC
AWS Shield
AWS IAM
AWS KMS
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
26

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS WAF
AWS KMS
Amazon S3
AWS IAM
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
27

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon RDS
Amazon DynamoDB
Amazon Redshift
Amazon EFS
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
28

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon DynamoDB (or Stream service)
AWS Lambda
Amazon S3 Glacier
Amazon RDS
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
29

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CloudFormation
AWS CodeBuild
AWS CodeCommit
Amazon EC2
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
30

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS Lambda
AWS CodeBuild
AWS CodeCommit
AWS CloudFormation
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
31

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Rekognition
Amazon Polly
Amazon Textract
Amazon Lex
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
32

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Rekognition
Amazon Textract
Amazon Lex
Amazon SageMaker
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
33

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Rekognition
Amazon SageMaker
Amazon Polly
Amazon Lex
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
34

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
35

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
36

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

AWS Lambda
Compute Optimized Amazon EC2 instances
Memory Optimized instances
General Purpose instances
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
37

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Cluster Placement or Proximity Placement Groups
Elastic Load Balancing (ELB)
Amazon VPC peering
Spread Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
38

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon EBS
Amazon EFS
Amazon S3
Ephemeral/Instance Store
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
39

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon S3 versioning
Amazon RDS backups
Amazon EC2 Image/AMI
Amazon EBS Snapshots
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
40

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

AWS IAM
Elastic Load Balancing (ELB)
Security Groups
Amazon VPC
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
41

A company needs to migrate a high-performance compute (HPC) workload to AWS that requires low-latency, high-throughput communication between nodes. Which networking feature should be used?

Elastic Fabric Adapter (EFA)
VPC Peering
AWS Direct Connect
Global Accelerator
View Explanation
✓ Correct Answer: Elastic Fabric Adapter (EFA)Explanation:EFA is a network interface for Amazon EC2 instances that enables customers to run HPC applications requiring high levels of inter-node communication.
42

An organization wants to store backups in S3. The backups must be instantly retrievable if needed but should not incur costs for frequent access. Which S3 storage class is best?

S3 Standard-IA (Infrequent Access)
S3 Glacier Instant Retrieval
S3 Intelligent-Tiering
S3 One Zone-IA
View Explanation
✓ Correct Answer: S3 Glacier Instant RetrievalExplanation:Glacier Instant Retrieval is designed for long-lived data that is rarely accessed but requires millisecond retrieval when needed.
43

A company is launching a website that will have a high volume of traffic from users globally. They want to ensure high availability and protect against SQL injection. Which combination of services should be used?

CloudFront with AWS WAF
ALB with Security Groups
Global Accelerator with Shield Standard
S3 with Bucket Policies
View Explanation
✓ Correct Answer: CloudFront with AWS WAFExplanation:CloudFront provides global delivery and WAF provides the application-layer protection needed to block SQL injection and other web attacks.
44

Which AWS service would you use to create a 'Private Cloud' connection between your on-premises data center and AWS that does NOT go over the public internet?

AWS Direct Connect
AWS Site-to-Site VPN
AWS Transit Gateway
Amazon VPC Peering
View Explanation
✓ Correct Answer: AWS Direct ConnectExplanation:Direct Connect is a dedicated physical network connection from your premises to AWS, bypassing the internet for better performance and security.
45

You are hosting a static website on Amazon S3 and want to use a custom domain name (e.g., www.example.com). Which service should you use to manage your DNS records?

Amazon Route 53
AWS Certificate Manager
AWS CloudMap
Amazon CloudFront
View Explanation
✓ Correct Answer: Amazon Route 53Explanation:Route 53 is AWS's highly available and scalable Domain Name System (DNS) service.
46

A startup wants to quickly build a web application and doesn't want to manage any underlying infrastructure including servers, scaling, or load balancing. Which service is most appropriate?

AWS Amplify or AWS App Runner
Amazon EC2
Amazon EKS
AWS OpsWorks
View Explanation
✓ Correct Answer: AWS Amplify or AWS App RunnerExplanation:Amplify and App Runner are higher-level 'abstracted' services that handle the deployment and scaling of web apps automatically.
47

Which AWS service provides a searchable catalog of your data assets and can automatically discover the schema of your data stored in S3?

AWS Glue (Data Catalog/Crawlers)
Amazon Athena
Amazon Redshift
AWS Lake Formation
View Explanation
✓ Correct Answer: AWS Glue (Data Catalog/Crawlers)Explanation:AWS Glue Crawlers scan data in S3 and other sources to populate the Glue Data Catalog with metadata and schema information.
48

An architect is designing an application that requires highly available MySQL storage that can automatically scale its storage capacity up to 128 TiB. Which service should they choose?

Amazon Aurora
Amazon RDS for MySQL
Amazon DynamoDB
Amazon EBS with RAID 0
View Explanation
✓ Correct Answer: Amazon AuroraExplanation:Aurora automatically grows its storage in 10GB increments up to 128 TiB and provides 6 copies of data across 3 Availability Zones.
49

Your company needs to orchestrate a complex workflow of multiple Lambda functions and manual approval steps. Which service is designed for this?

AWS Step Functions
AWS Lambda Destinations
Amazon SQS
AWS Glue
View Explanation
✓ Correct Answer: AWS Step FunctionsExplanation:Step Functions is a serverless state machine that allows you to coordinate multiple AWS services into serverless workflows.
50

An application consists of multiple EC2 instances in an Auto Scaling group. The architect wants to ensure that the application remains available even if an entire AWS Region fails. What is the best strategy?

Multi-Region Architecture with Route 53 Failover Routing
Multi-AZ Architecture within a single region
Using a bigger EC2 instance size
Enabling EBS Cross-Region Replication
View Explanation
✓ Correct Answer: Multi-Region Architecture with Route 53 Failover RoutingExplanation:For regional resilience, you must deploy the application in at least two regions and use DNS-based failover.
51

Which AWS service is used to create and manage 'Golden Images' of Amazon EC2 instances through an automated pipeline?

EC2 Image Builder
AWS CloudFormation
AWS Systems Manager (SSM)
Amazon Machine Image (AMI) console
View Explanation
✓ Correct Answer: EC2 Image BuilderExplanation:EC2 Image Builder automates the creation, management, and deployment of up-to-date and secure server images.
52

A company wants to identify which of their thousands of S3 buckets are public or have sensitive data like PII. Which service should they use?

Amazon Macie
Amazon GuardDuty
AWS Security Hub
IAM Access Analyzer
View Explanation
✓ Correct Answer: Amazon MacieExplanation:Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in S3.
53

An architect is designing a decoupling strategy for an application where messages must be processed exactly once and in the order they are received. Which SQS queue type should be used?

SQS FIFO Queue
SQS Standard Queue
Dead-Letter Queue
Delay Queue
View Explanation
✓ Correct Answer: SQS FIFO QueueExplanation:FIFO (First-In-First-Out) queues guarantee that messages are processed once and in the exact order they are sent.
54

Which AWS service provides cost-optimization recommendations by analyzing your historical resource usage and finding idle or underutilized resources?

AWS Compute Optimizer or AWS Trusted Advisor
AWS Budgets
AWS Cost Explorer
Amazon CloudWatch
View Explanation
✓ Correct Answer: AWS Compute Optimizer or AWS Trusted AdvisorExplanation:Compute Optimizer uses machine learning to recommend optimal AWS resources for your workloads to reduce costs and improve performance.
55

An organization needs to migrate an on-premises NFS file share to AWS. The file share is accessed by multiple Linux instances. Which service provides a managed NFS mount in the cloud?

Amazon Elastic File System (EFS)
Amazon EBS
Amazon S3
Amazon FSx for Windows File Server
View Explanation
✓ Correct Answer: Amazon Elastic File System (EFS)Explanation:EFS is a serverless, fully managed NFS file system that can be shared across thousands of EC2 instances.
56

Which AWS tool can be used to visualize and analyze the dependencies and costs of your AWS resources across multiple accounts and regions?

AWS Application Cost Profiler or AWS Organizations
AWS IAM
Amazon QuickSight
AWS Resource Groups
View Explanation
✓ Correct Answer: AWS Application Cost Profiler or AWS OrganizationsExplanation:The Application Cost Profiler helps you understand the cost of shared AWS resources used by software applications.
57

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Cluster Placement or Proximity Placement Groups
Spread Placement Groups
Elastic Load Balancing (ELB)
Amazon VPC peering
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
58

Your company has a regulatory requirement to keep all infrastructure changes recorded in a log for at least 7 years. Which service records every API call made in your AWS account?

AWS CloudTrail
AWS Config
Amazon CloudWatch
Amazon Inspector
View Explanation
✓ Correct Answer: AWS CloudTrailExplanation:CloudTrail provides a history of AWS API calls for your account, enabling security analysis, resource tracking, and compliance auditing.
59

An architect is designing an application that requires a database with flexible schema and the ability to handle millisecond response times at massive scale. Which service is the best fit?

Amazon DynamoDB
Amazon Redshift
Amazon Aurora
Amazon DocumentDB
View Explanation
✓ Correct Answer: Amazon DynamoDBExplanation:DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale.
60

A team wants to run their Docker-based application on AWS without managing any EC2 instances or clusters. Which 'serverless compute' service for containers should they use?

AWS Fargate
Amazon EC2 with Docker
Amazon EKS
AWS App Runner
View Explanation
✓ Correct Answer: AWS FargateExplanation:Fargate is a serverless compute engine for containers that works with both Amazon ECS and Amazon EKS.
61

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

AWS Lambda
Amazon EC2
Amazon RDS
Amazon EKS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
62

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon RDS
Amazon DynamoDB
Amazon EC2
Amazon S3
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
63

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon S3 configured for static website hosting
Amazon EBS
Amazon RDS
Amazon EC2 running a web server
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
64

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon CloudFront
Elastic Load Balancing (ELB)
Amazon Route 53
Amazon VPC
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
65

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS Shield
AWS IAM
AWS KMS
Amazon VPC
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
66

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

Amazon S3
AWS IAM
AWS WAF
AWS KMS
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
67

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon Redshift
Amazon RDS
Amazon DynamoDB
Amazon EFS
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
68

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

AWS Lambda
Amazon RDS
Amazon S3 Glacier
Amazon DynamoDB (or Stream service)
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
69

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CodeBuild
AWS CloudFormation
Amazon EC2
AWS CodeCommit
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
70

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS CodeBuild
AWS CodeCommit
AWS Lambda
AWS CloudFormation
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
71

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Textract
Amazon Polly
Amazon Rekognition
Amazon Lex
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
72

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon SageMaker
Amazon Rekognition
Amazon Textract
Amazon Lex
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
73

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon SageMaker
Amazon Rekognition
Amazon Lex
Amazon Polly
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
74

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
75

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
AWS IAM Roles with cross-account access
Share access keys between accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
76

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

Memory Optimized instances
Compute Optimized Amazon EC2 instances
General Purpose instances
AWS Lambda
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
77

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Cluster Placement or Proximity Placement Groups
Spread Placement Groups
Amazon VPC peering
Elastic Load Balancing (ELB)
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
78

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Ephemeral/Instance Store
Amazon S3
Amazon EFS
Amazon EBS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
79

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon S3 versioning
Amazon EC2 Image/AMI
Amazon RDS backups
Amazon EBS Snapshots
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
80

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

Elastic Load Balancing (ELB)
Security Groups
Amazon VPC
AWS IAM
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
81

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

AWS Lambda
Amazon RDS
Amazon EC2
Amazon EKS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
82

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon DynamoDB
Amazon S3
Amazon RDS
Amazon EC2
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
83

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon RDS
Amazon EBS
Amazon EC2 running a web server
Amazon S3 configured for static website hosting
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
84

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon VPC
Amazon Route 53
Elastic Load Balancing (ELB)
Amazon CloudFront
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
85

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS Shield
AWS IAM
Amazon VPC
AWS KMS
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
86

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS KMS
AWS WAF
AWS IAM
Amazon S3
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
87

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon Redshift
Amazon EFS
Amazon RDS
Amazon DynamoDB
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
88

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon DynamoDB (or Stream service)
Amazon S3 Glacier
Amazon RDS
AWS Lambda
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
89

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CloudFormation
AWS CodeBuild
AWS CodeCommit
Amazon EC2
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
90

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS CodeBuild
AWS CodeCommit
AWS CloudFormation
AWS Lambda
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
91

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Lex
Amazon Textract
Amazon Rekognition
Amazon Polly
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
92

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Lex
Amazon Rekognition
Amazon Textract
Amazon SageMaker
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
93

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon SageMaker
Amazon Rekognition
Amazon Polly
Amazon Lex
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
94

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
95

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
96

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

Compute Optimized Amazon EC2 instances
Memory Optimized instances
General Purpose instances
AWS Lambda
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
97

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Amazon VPC peering
Spread Placement Groups
Elastic Load Balancing (ELB)
Cluster Placement or Proximity Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
98

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon EFS
Amazon S3
Ephemeral/Instance Store
Amazon EBS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
99

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon S3 versioning
Amazon EBS Snapshots
Amazon RDS backups
Amazon EC2 Image/AMI
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
100

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

Amazon VPC
AWS IAM
Security Groups
Elastic Load Balancing (ELB)
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
101

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

AWS Lambda
Amazon EC2
Amazon EKS
Amazon RDS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
102

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon RDS
Amazon DynamoDB
Amazon EC2
Amazon S3
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
103

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon S3 configured for static website hosting
Amazon EC2 running a web server
Amazon RDS
Amazon EBS
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
104

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon VPC
Amazon Route 53
Elastic Load Balancing (ELB)
Amazon CloudFront
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
105

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS Shield
AWS KMS
Amazon VPC
AWS IAM
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
106

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

Amazon S3
AWS KMS
AWS WAF
AWS IAM
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
107

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon RDS
Amazon DynamoDB
Amazon EFS
Amazon Redshift
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
108

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

AWS Lambda
Amazon RDS
Amazon S3 Glacier
Amazon DynamoDB (or Stream service)
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
109

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CloudFormation
AWS CodeBuild
AWS CodeCommit
Amazon EC2
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
110

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS CodeBuild
AWS CodeCommit
AWS CloudFormation
AWS Lambda
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
111

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Rekognition
Amazon Polly
Amazon Textract
Amazon Lex
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
112

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Rekognition
Amazon Textract
Amazon SageMaker
Amazon Lex
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
113

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon SageMaker
Amazon Rekognition
Amazon Lex
Amazon Polly
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
114

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
115

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Roles with cross-account access
Share access keys between accounts
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
116

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

Compute Optimized Amazon EC2 instances
Memory Optimized instances
AWS Lambda
General Purpose instances
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
117

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Spread Placement Groups
Amazon VPC peering
Elastic Load Balancing (ELB)
Cluster Placement or Proximity Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
118

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon EBS
Ephemeral/Instance Store
Amazon S3
Amazon EFS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
119

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon RDS backups
Amazon EBS Snapshots
Amazon S3 versioning
Amazon EC2 Image/AMI
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
120

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

Amazon VPC
Security Groups
Elastic Load Balancing (ELB)
AWS IAM
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
121

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

AWS Lambda
Amazon EC2
Amazon EKS
Amazon RDS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
122

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon RDS
Amazon DynamoDB
Amazon S3
Amazon EC2
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
123

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon EBS
Amazon S3 configured for static website hosting
Amazon RDS
Amazon EC2 running a web server
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
124

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon Route 53
Elastic Load Balancing (ELB)
Amazon VPC
Amazon CloudFront
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
125

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS KMS
AWS IAM
AWS Shield
Amazon VPC
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
126

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS WAF
AWS IAM
AWS KMS
Amazon S3
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
127

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon EFS
Amazon DynamoDB
Amazon RDS
Amazon Redshift
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
128

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon RDS
AWS Lambda
Amazon S3 Glacier
Amazon DynamoDB (or Stream service)
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
129

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CodeCommit
AWS CodeBuild
AWS CloudFormation
Amazon EC2
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
130

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS CodeBuild
AWS CodeCommit
AWS CloudFormation
AWS Lambda
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
131

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Lex
Amazon Textract
Amazon Polly
Amazon Rekognition
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
132

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Lex
Amazon Rekognition
Amazon SageMaker
Amazon Textract
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
133

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Lex
Amazon Rekognition
Amazon SageMaker
Amazon Polly
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
134

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
135

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
136

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

AWS Lambda
General Purpose instances
Compute Optimized Amazon EC2 instances
Memory Optimized instances
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
137

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Cluster Placement or Proximity Placement Groups
Elastic Load Balancing (ELB)
Amazon VPC peering
Spread Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
138

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Ephemeral/Instance Store
Amazon S3
Amazon EBS
Amazon EFS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
139

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon EBS Snapshots
Amazon S3 versioning
Amazon RDS backups
Amazon EC2 Image/AMI
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
140

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

AWS IAM
Elastic Load Balancing (ELB)
Security Groups
Amazon VPC
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
141

Scenario: A global social media company wants to ensure that user-uploaded photos are available immediately even if an entire AWS Region goes offline. Solution ?

S3 Cross-Region Replication (CRR) and a Global Route 53 CNAME record
Multi-Region CloudFront
Using S3 Intelligent Tiering
Regional Load Balancing
View Explanation
✓ Correct Answer: S3 Cross-Region Replication (CRR) and a Global Route 53 CNAME recordExplanation:S3 CRR ensures the data is physically present in two regions. Combining this with Route 53 allows for failover and high availability during regional outages.
142

Scenario: You are migrating a legacy Java application to AWS. You want to modernize it into microservices but have limited time. Which platform allows you to quickly containerize and deploy with minimal infrastructure management?

AWS Fargate (via Amazon ECS/EKS)
EC2 instances with manual Docker installation
Amazon EMR
AWS Elastic Beanstalk (Web Tier)
View Explanation
✓ Correct Answer: AWS Fargate (via Amazon ECS/EKS)Explanation:AWS Fargate is a serverless compute engine for containers that eliminates the need to manage EC2 instances while still providing the scale and flexibility of Docker.
143

Scenario: You are migrating a mission-critical web application to AWS. You need to ensure that the application can handle a complete regional outage with an RTO of 15 minutes. Solution ?

CloudFormation templates for infrastructure in a secondary region and S3/RDS regional replication
Multi-AZ in the primary region
Daily backups to S3
Using one large instance
View Explanation
✓ Correct Answer: CloudFormation templates for infrastructure in a secondary region and S3/RDS regional replicationExplanation:For regional DR, you need replicas (for RPO) and automated infrastructure deployment (for RTO) such as 'Infrastructure as Code' ready in the target region.
144

Scenario: You are designing a high-scale data analytics platform. You need a way to orchestrate multiple AWS Glue jobs and Lambda functions into a single workflow with error handling and retries. Solution ?

AWS Step Functions
AWS CloudFormation
AWS CodePipeline
Amazon EventBridge
View Explanation
✓ Correct Answer: AWS Step FunctionsExplanation:Step Functions is the primary orchestration service in AWS for serverless workflows.
145

Scenario: To reduce the cost of an idle development environment, you want to automatically shut down all EC2 instances at 6 PM and restart them at 8 AM. Solution ?

AWS Instance Scheduler
AWS Auto Scaling with dynamic policies
Manual scripts in Cron
AWS Budgets
View Explanation
✓ Correct Answer: AWS Instance SchedulerExplanation:AWS Instance Scheduler is a managed solution that uses CloudWatch and Lambda to automate the starting and stopping of EC2 and RDS instances based on custom schedules.
146

You are building a serverless application that needs to coordinate several Lambda functions in a specific order, with conditional logic and error retries. Which service is best for this orchestration?

AWS Step Functions
Amazon EventBridge
AWS Lambda Destinations
AWS CodePipeline
View Explanation
✓ Correct Answer: AWS Step FunctionsExplanation:Step Functions is a state machine based orchestration service that is resilient and supports complex workflows.
147

Scenario: To secure an Amazon EKS cluster for a PCI-DSS compliant workload, an architect wants to ensure that every administrative action (e.g., creating a pod) is logged and stored. Which tool is essential?

Amazon EKS Control Plane Logging (integrated with CloudWatch)
Amazon GuardDuty
AWS Config
VPC Flow Logs
View Explanation
✓ Correct Answer: Amazon EKS Control Plane Logging (integrated with CloudWatch)Explanation:EKS can be configured to export Audit and API server logs directly to CloudWatch, providing the necessary trail for compliance.
148

You are designing a high-scale data ingestion system using AWS Lambda. You want to ensure that if a function fails, the message is not lost and can be retried later. Which pattern should you use?

Use an SQS queue as a trigger with a dead-letter queue (DLQ) configured
Use an HTTP trigger with a 10-second timeout
Store the message in a local file on the Lambda instance
Use RDS as a buffer
View Explanation
✓ Correct Answer: Use an SQS queue as a trigger with a dead-letter queue (DLQ) configuredExplanation:SQS provides the necessary durability and retry logic for serverless applications, ensuring messages are handled even in case of transient failures.
149

Scenario: You are deploying a mission-critical application and want to minimize the risk of a single human making a catastrophic change. Solution?

Implement 'Multi-Party Approval' using AWS CodePipeline with manual approval stages and strict IAM roles
Use 'AdministratorAccess' for everyone
Use one shared account
Delete the AWS console access
View Explanation
✓ Correct Answer: Implement 'Multi-Party Approval' using AWS CodePipeline with manual approval stages and strict IAM rolesExplanation:Formalizing the release process with CodePipeline ensures that changes are reviewed and approved by multiple stakeholders before reaching production.
150

Scenario: To lower the cost of a high-end AI training workload in AWS, you want to use instances that can be reclaimed by AWS with a 2-minute notice. What should you use?

Amazon EC2 Spot Instances
On-Demand instances
Reserved Instances
Dedicated Hosts
View Explanation
✓ Correct Answer: Amazon EC2 Spot InstancesExplanation:Spot Instances offer massive discounts for fault-tolerant workloads that can be interrupted with a short notice period.
151

Scenario: To lower the cost of a data processing workload that runs for 4 hours every night, you want to use EC2 instances that provide a fixed discount in exchange for a 1-year commitment. You expect the instance types to change as the software evolves. Solution ?

Compute Savings Plans
Standard Reserved Instances
Spot Instances
On-Demand
View Explanation
✓ Correct Answer: Compute Savings PlansExplanation:Compute Savings Plans provide flexibility across instance families and regions, unlike traditional Reserved Instances, while still offering significant discounts (up to 66%) for committed usage.
152

Scenario: You are designing a data lake and want to move objects from a standard S3 bucket to S3 Glacier Deep Archive after 180 days of no access to save costs. Solution ?

S3 Lifecycle Management rule (Transition to Deep Archive after 180 days)
Manual migration script
S3 Intelligent-Tiering
Amazon DataSync
View Explanation
✓ Correct Answer: S3 Lifecycle Management rule (Transition to Deep Archive after 180 days)Explanation:Lifecycle rules are the native and most cost-effective way to manage the data lifecycle in S3.
153

Scenario: To minimize the blast radius of a potential insider threat, you want to ensure that no single IAM user can delete a critical production database without a multi-step approval process involving another team. Solution ?

Remove 'RDS:DeleteDBInstance' from all users; use a Step Functions workflow with manual approvals to perform the action
Use a shared password
Use a single administrator account
Disable the RDS API
View Explanation
✓ Correct Answer: Remove 'RDS:DeleteDBInstance' from all users; use a Step Functions workflow with manual approvals to perform the actionExplanation:Formalizing destructive actions behind a serverless workflow with multiple approvals is a key security pattern for critical production systems.
154

An enterprise is using a complex serverless architecture with hundreds of Lambda functions. They want a way to share common code and libraries (like business logic or security frameworks) across all these functions without duplicating the code in every deployment package. What is the AWS-recommended solution?

Lambda Layers
Lambda Extensions
S3 bucket with common files
Environment variables
View Explanation
✓ Correct Answer: Lambda LayersExplanation:Lambda Layers allow you to package libraries and other dependencies separately from your function code, making it easier to share and manage common code at scale.
155

Scenario: To lower the RTO of your disaster recovery plan, you want a 'Pilot Light' environment where your database is always running and in-sync, but your application servers (EC2) only launch when a disaster occurs. Solution ?

RDS Multi-AZ across regions and pre-configured AMIs for EC2
Keeping a full copy of production running 24/7
Daily S3 backups
Using one large reserved instance
View Explanation
✓ Correct Answer: RDS Multi-AZ across regions and pre-configured AMIs for EC2Explanation:A Pilot Light maintains core, live data (the 'flame') in a secondary region, with templates/AMIs ready to rapidly scale out the compute tier (the 'furnace') if needed.
156

An organization wants to run a serverless data processing pipeline that triggers a Lambda function every time a new row is added to a DynamoDB table. They want to ensure that the messages are processed in the exact order they were received and that no messages are lost if the Lambda function fails. Which feature should they use?

DynamoDB Streams with Lambda trigger and an 'On-failure' destination (DLQ)
Standard SQS queue
SNS
CloudWatch Logs
View Explanation
✓ Correct Answer: DynamoDB Streams with Lambda trigger and an 'On-failure' destination (DLQ)Explanation:DynamoDB Streams capture the sequence of item-level changes. Integrating it with Lambda ensures ordered, durable processing of database events.
157

Scenario: To minimize the latency for users in Europe accessing an application hosted in us-east-1, you decide to deploy a second set of resources in eu-central-1. What is the most architectural way to route users to the closest healthy region?

Amazon Route 53 with 'Latency-based' routing policies
Coutering on IP addresses
Route 53 with Geolocation routing
Using many public load balancers
View Explanation
✓ Correct Answer: Amazon Route 53 with 'Latency-based' routing policiesExplanation:Latency-based routing is specifically designed to route traffic to the AWS region that provides the lowest latency for a particular user.
158

An organization wants to run a serverless workflow that process images. Every time an image is uploaded to S3, they want to resize it, check for NSFW content using AI, and then store the metadata in DynamoDB. Which service should coordinate these independent steps?

AWS Step Functions
AWS Glue
AWS CodePipeline
Amazon EventBridge
View Explanation
✓ Correct Answer: AWS Step FunctionsExplanation:Step Functions is designed for precisely this kind of complex, multi-step orchestration of serverless tasks.
159

Scenario: You are designing a high-scale data analytics platform. You need to ingest millions of events from user devices and want to ensure that the data is automatically partitioned by 'event_type' as it is being stored in S3 for optimal querying in Athena. Which service is best?

Amazon Kinesis Data Firehose (with Dynamic Partitioning)
Amazon S3 directly
Amazon MSK
AWS DataSync
View Explanation
✓ Correct Answer: Amazon Kinesis Data Firehose (with Dynamic Partitioning)Explanation:Kinesis Firehose recent 'Dynamic Partitioning' feature allows it to parse the incoming data and route it to specific S3 folders based on keys within the data itself.
160

An organization wants to implement 'Infrastructure as Code' (IaC) to manage their complex AWS environments. They want to use a tool that is cloud-neutral and allows them to version control their infrastructure alongside their application code. Which tool is industry-standard for this?

Terraform
AWS CloudFormation
AWS CDK
Ansible
View Explanation
✓ Correct Answer: TerraformExplanation:Terraform is the most popular, cross-provider IaC tool, supported by a massive community and comprehensive AWS providers.
161

Scenario: You want to ensure that if a developer launches an EC2 instance without an encrypted EBS volume, the instance is automatically terminated and the developer is notified. Solution ?

AWS Config with a custom Lambda remediation and SNS for notification
IAM roles only
VPC Security Groups
CloudWatch Alarms
View Explanation
✓ Correct Answer: AWS Config with a custom Lambda remediation and SNS for notificationExplanation:Config provides the 'near-real-time' detection, and Lambda provides the logic to terminate the non-compliant resource and send a message.
162

You are hosting a globally distributed application that requires a single static anycast IP address to route users to the closest healthy region. The application uses UDP for high-performance data transfer. Solution ?

AWS Global Accelerator
Amazon CloudFront
Route 53 Geoproximity routing
Multi-region ELB
View Explanation
✓ Correct Answer: AWS Global AcceleratorExplanation:Global Accelerator provides two static IP addresses and uses BGP anycast to route traffic (including non-HTTP UDP/TCP traffic) over the AWS global network.
163

Scenario: You are designing a data lake and want to ensure that all data is automatically encrypted with AWS KMS keys, and you want an audit log that shows every time an analyst decrypts a specific file. Solution ?

Amazon S3 server-side encryption with KMS (SSE-KMS) and CloudTrail data events enabled
Standard S3 encryption
VPC Flow Logs
IAM roles only
View Explanation
✓ Correct Answer: Amazon S3 server-side encryption with KMS (SSE-KMS) and CloudTrail data events enabledExplanation:SSE-KMS provides the encryption and the audit trail, as KMS log events are naturally captured in CloudTrail, identifying the user and the resource accessed.
164

Which AWS service provides a way to 'Replay' archived events from your Amazon EventBridge bus to test how a new application would have behaved using real past data?

EventBridge Event Replay (and Archiving)
CloudTrail
Kinesis Replay
CloudWatch Logs
View Explanation
✓ Correct Answer: EventBridge Event Replay (and Archiving)Explanation:EventBridge Archiving allows you to store events, and Replay lets you 'resend' those events to a specific target for testing or recovery.
165

To protect against an entire regional outage, an architect decides to maintain a 'Multi-Region Active-Active' architecture for their web application. Which service is essential for globally distributing and load-balancing traffic across regions?

Global Load Balancer (or Route 53 with Traffic Flow)
CloudFront
Direct Connect
VPC Peering
View Explanation
✓ Correct Answer: Global Load Balancer (or Route 53 with Traffic Flow)Explanation:Route 53 with Traffic Flow (and multi-region routing policies like Latency or Geoproximity) is the standard for distributing traffic between active regions.
166

Scenario: To minimize the latency of a critical database for users globally, you want to use a NoSQL database that automatically replicates data across multiple regions with a 'Multi-Region Write' capability. Solution ?

Amazon DynamoDB Global Tables
Amazon Aurora Global Database
Amazon RDS PostgreSQL
Amazon DocumentDB
View Explanation
✓ Correct Answer: Amazon DynamoDB Global TablesExplanation:DynamoDB Global Tables support multi-region write replication with conflict resolution, ensuring low latency for worldwide user bases.
167

You are migrating a monolithic application to microservices and want to use a tool that allows you to route traffic to the new microservices incrementally while the rest of the monolith remains on-premises or in EC2. Which AWS service simplifies this 'Strangler Fig' pattern?

AWS Migration Hub Refactor Spaces
AWS Transit Gateway
Application Load Balancer
AWS App Mesh
View Explanation
✓ Correct Answer: AWS Migration Hub Refactor SpacesExplanation:Refactor Spaces provides the infrastructure for incremental refactoring, including a cross-account proxy to route traffic between the monolith and new services.
168

Scenario: You are designing a data lake and want to ensure that if sensitive PII data (like Social Security numbers) is discovered in an S3 bucket, it is automatically 'masked' or redacted before it's processed. Solution ?

Use AWS Glue with Amazon Cloud DLP (Sensitive Data Protection) integration
Manual redaction
S3 Lifecycle policies
IAM roles only
View Explanation
✓ Correct Answer: Use AWS Glue with Amazon Cloud DLP (Sensitive Data Protection) integrationExplanation:Glue can integrate with DLP to automatically detect and redact sensitive info during the ETL process, moving only clean data to the downstream analytics layers.
169

Scenario: You are designing a data lake and want to move objects from a standard S3 bucket to S3 Glacier Deep Archive after 1 year of no access. Solution ?

S3 Lifecycle Management rule (Transition action after 365 days)
Manual migration script
S3 Intelligent-Tiering
AWS DataSync
View Explanation
✓ Correct Answer: S3 Lifecycle Management rule (Transition action after 365 days)Explanation:Lifecycle rules are the standard, automated mechanism for managing object transitions in S3.
170

Scenario: To minimize the latency for users worldwide, you decide to use a database that provides 'Single-digit millisecond' performance for both reads and writes with global replication. Solution ?

Amazon DynamoDB with Global Tables
Amazon Aurora Global
RDS with replicas
ElastiCache
View Explanation
✓ Correct Answer: Amazon DynamoDB with Global TablesExplanation:DynamoDB is designed for consistent low latency and handles massive scale automatically.
171

Scenario: You are designing a globally distributed application and want to ensure that traffic is routed only to healthy regions. If a region's health check fails, users should be automatically redirected. Solution ?

Amazon Route 53 with 'Latency-based' or 'Failover' routing policies and health checks
Manual DNS updates
Route 53 CNAMEs only
Using many public load balancers
View Explanation
✓ Correct Answer: Amazon Route 53 with 'Latency-based' or 'Failover' routing policies and health checksExplanation:Route 53's integration with health checks is the primary mechanism for global high availability and disaster recovery.
172

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Spread Placement Groups
Amazon VPC peering
Elastic Load Balancing (ELB)
Cluster Placement or Proximity Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
173

Your team is using AWS CodePipeline to deploy a multi-account application. You want to ensure that a production deployment only occurs if a security scan (SAST) in the staging account passes. How can you implement this cross-account approval and gating mechanism?

Use a CodePipeline custom action that invokes an AWS Lambda function in the security account to verify results and then call 'PutApprovalResult'.
Use an IAM role with full admin access in both accounts.
Manual approval via the AWS Console in the production account.
VPC Peering between accounts.
View Explanation
✓ Correct Answer: Use a CodePipeline custom action that invokes an AWS Lambda function in the security account to verify results and then call 'PutApprovalResult'.Explanation:Custom actions and Lambda functions allow for complex cross-account logic and gating based on external metrics or scan results.
174

An organization wants to implement 'Blue/Green' deployments for their Application Load Balancer-based ECS service. They want to use AWS CodeDeploy to automate the traffic shifting. Which deployment configuration should they use for a zero-downtime, safe transition?

CodeDeployDefault.ECSCanary10Percent5Minutes
CodeDeployDefault.AllAtOnce
CodeDeployDefault.HalfAtATime
Manual traffic shifting in Route 53
View Explanation
✓ Correct Answer: CodeDeployDefault.ECSCanary10Percent5MinutesExplanation:Canary deployments allow for a small percentage of traffic to be shifted first, with validation before the full shift, minimizing risk.
175

To ensure that all CloudFormation templates deployed across an organization follow security best practices (e.g., no public S3 buckets), which feature of AWS CloudFormation should be used to intercept and validate resource creation?

CloudFormation Hooks
CloudFormation StackSets
CloudFormation Drift Detection
CloudWatch Events
View Explanation
✓ Correct Answer: CloudFormation HooksExplanation:CloudFormation Hooks allow you to run custom logic to inspect and potentially fail stack operations before resources are even created.
176

Your organization wants to automate the patching of thousands of EC2 instances across multiple regions and accounts. They want to ensure that if a patch fails on more than 10% of the fleet, the process stops immediately. Which AWS Systems Manager feature handles this?

Systems Manager Automation with 'Rate Control' and 'Error Threshold'
Systems Manager Run Command only
Systems Manager Patch Manager (manual triggers)
AWS Config
View Explanation
✓ Correct Answer: Systems Manager Automation with 'Rate Control' and 'Error Threshold'Explanation:Automation rate control and error thresholds allow for safe, phased execution of operational tasks across large fleets.
177

To implement a Canary deployment for an AWS Lambda function, you decide to use 'Lambda Aliases' and 'Traffic Shifting'. Which AWS service can automate this process and roll back if CloudWatch Alarms are triggered?

AWS CodeDeploy
AWS CloudFormation (WaitConditions)
AWS CodePipeline (manual gate)
AWS AppConfig
View Explanation
✓ Correct Answer: AWS CodeDeployExplanation:CodeDeploy is specifically designed to manage automated deployment health checks and traffic shifting for Lambda, ECS, and EC2.
178

An organization wants to centrally manage and share 'CloudFormation Templates' with their developers as 'Products' in a catalog, ensuring that only approved architectures are used. Which service provides this?

AWS Service Catalog
AWS CloudFormation StackSets
AWS Marketplace
AWS Systems Manager Document
View Explanation
✓ Correct Answer: AWS Service CatalogExplanation:Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.
179

Which AWS service allows you to record, audit, and evaluate the configurations of your AWS resources over time, and automatically trigger 'Remediation' actions if a resource becomes non-compliant?

AWS Config
AWS CloudTrail
AWS Trusted Advisor
AWS CloudWatch
View Explanation
✓ Correct Answer: AWS ConfigExplanation:AWS Config provides a detailed view of the configuration of AWS resources and evaluates them against desired configurations.
180

To monitor the health of a complex microservices application and identify performance bottlenecks across multiple AWS services (Lambda, DynamoDB, SQS), which distributed tracing service should you implement?

AWS X-Ray
AWS CloudWatch Logs
AWS CloudTrail
AWS Systems Manager OpsCenter
View Explanation
✓ Correct Answer: AWS X-RayExplanation:AWS X-Ray provides a complete view of requests as they travel through your application, helping developers debug and optimize microservices.
181

Your organization wants to implement 'Infrastructure as Code' for their multi-account AWS environment. They want to use a tool that allow them to deploy CloudFormation stacks into hundreds of accounts and across multiple regions with a single operation. Which feature should they use?

AWS CloudFormation StackSets
AWS CloudFormation Stack's
AWS Organizations SCPs
AWS Proton
View Explanation
✓ Correct Answer: AWS CloudFormation StackSetsExplanation:StackSets extend the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions.
182

Scenario: To minimize the downtime during a database schema update for a high-traffic application, you want to use a deployment strategy that creates a second, identical environment and swaps the DNS once the new version is verified. Solution ?

Blue/Green Deployment (using Route 53 or ALB traffic shifting)
Rolling Update
All-at-once deployment
A/B Testing
View Explanation
✓ Correct Answer: Blue/Green Deployment (using Route 53 or ALB traffic shifting)Explanation:Blue/Green deployments reduce risk by maintaining two environments and only switching traffic once the new environment is proven stable.
183

An organization wants to implement a 'GitOps' workflow where their Kubernetes cluster configurations (running in EKS) are automatically synchronized with a Git repository. Which AWS service (or integration) facilitates this continuous delivery for EKS?

Flux or ArgoCD (integrated via EKS add-ons or custom deployment)
AWS CodeDeploy only
AWS CodePipeline only
AWS CloudFormation
View Explanation
✓ Correct Answer: Flux or ArgoCD (integrated via EKS add-ons or custom deployment)Explanation:EKS integrates with CNCF tools like Flux and ArgoCD to enable GitOps patterns for Kubernetes management.
184

Which AWS Systems Manager feature allows you to securely store and manage sensitive information like database passwords and API keys, providing integration with CloudFormation and IAM for access control?

AWS Systems Manager Parameter Store
AWS Secrets Manager
AWS Key Management Service (KMS)
AWS Config
View Explanation
✓ Correct Answer: AWS Systems Manager Parameter StoreExplanation:Parameter Store is a central location to manage configuration data and secrets, though Secrets Manager is preferred for lifecycle management (rotation).
185

To implement a self-healing architecture for an EC2 fleet, you want to ensure that any instance failing a 'System Health Check' is automatically replaced. Which AWS feature handles this native recovery?

Amazon EC2 Auto Scaling (Health Checks)
AWS OpsWorks
AWS Managed Services
AWS CloudWatch Alarms only
View Explanation
✓ Correct Answer: Amazon EC2 Auto Scaling (Health Checks)Explanation:Auto Scaling monitors the health of instances and automatically terminates and replaces those that become unhealthy.
186

An organization following SRE (Site Reliability Engineering) principles wants to measure the 'Error Budget' of their application. They need to track the percentage of successful requests over a 30-day window. Which CloudWatch feature should they use?

CloudWatch ServiceLens or CloudWatch Metrics Insights
CloudWatch Logs
CloudWatch Events
CloudWatch Alarms
View Explanation
✓ Correct Answer: CloudWatch ServiceLens or CloudWatch Metrics InsightsExplanation:ServiceLens and Metric Insights provide the aggregagation and visualization needed to calculate Service Level Objectives (SLOs) and error budgets.
187

Which AWS service provides a managed 'Jenkins-like' build environment that scales automatically, supports custom Docker images, and scales down to zero when not in use?

AWS CodeBuild
AWS CodePipeline
AWS CodeDeploy
AWS App Runner
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
188

To protect a mission-critical web application from 'SQL Injection' and 'Cross-Site Scripting' (XSS) attacks in a CI/CD pipeline, where should AWS WAF rules be applied for the earliest detection?

Applied to an Application Load Balancer or CloudFront distribution, with testing integrated in the staging stage of CodePipeline
Applied to EC2 instances
Applied at the Database layer
Applied in CodeCommit
View Explanation
✓ Correct Answer: Applied to an Application Load Balancer or CloudFront distribution, with testing integrated in the staging stage of CodePipelineExplanation:WAF is best deployed at the entry point (ALB/CloudFront) and should be verified as part of the pipeline's integration tests.
189

Which AWS tool allows you to visually design and automate complex serverless workflows (e.g., image processing with multiple Lambda functions) using a drag-and-drop interface?

AWS Step Functions (Workflow Studio)
AWS CodePipeline
AWS AppFlow
AWS Data Pipeline
View Explanation
✓ Correct Answer: AWS Step Functions (Workflow Studio)Explanation:Step Functions is a serverless orchestration service that makes it easy to coordinate multiple AWS services into serverless workflows.
190

An organization wants to ensure that all their S3 buckets are 'Private' and encrypted. They want to receive an alert whenever a bucket is created that doesn't meet these requirements. Which AWS service provides these continuous compliance checks?

AWS Config (with Managed Rules)
AWS CloudTrail
AWS Trusted Advisor
AWS Security Hub
View Explanation
✓ Correct Answer: AWS Config (with Managed Rules)Explanation:AWS Config is the primary service for evaluating resource configurations and enforcing compliance.
191

Scenario: To minimize the risk of a misconfiguration during a CloudFormation deployment, you want to see exactly which resources will be created, modified, or deleted before you commit the changes. Solution ?

CloudFormation Change Sets
CloudFormation Drift Detection
CloudFormation StackSets
CloudWatch Logs
View Explanation
✓ Correct Answer: CloudFormation Change SetsExplanation:Change sets allow you to preview how proposed changes to a stack might impact your running resources.
192

An organization wants to automate the analysis of their application logs to detect 'Anomaly' patterns (e.g., sudden spike in 5XX errors) that might indicate a budding issue. Which CloudWatch feature provides this AI-based detection?

CloudWatch Anomaly Detection
CloudWatch Logs Insights
CloudWatch Metric Streams
CloudWatch Contributor Insights
View Explanation
✓ Correct Answer: CloudWatch Anomaly DetectionExplanation:Anomaly Detection uses machine learning to continuously analyze metric data and identify abnormal behavior.
193

Which AWS service allows you to centrally manage the 'Software Licenses' for your EC2 instances and on-premises servers to ensure compliance and avoid over-provisioning?

AWS License Manager
AWS Systems Manager (Inventory)
AWS Service Catalog
AWS Marketplace
View Explanation
✓ Correct Answer: AWS License ManagerExplanation:License Manager helps you stay compliant with licensing rules from vendors like Microsoft, SAP, and Oracle.
194

To implement a 'Secret Rotation' workflow for an Amazon RDS database password, which AWS service provides built-in templates and Lambda integration to automatically update the password every 30 days?

AWS Secrets Manager
AWS Systems Manager Parameter Store
AWS Key Management Service (KMS)
AWS Config
View Explanation
✓ Correct Answer: AWS Secrets ManagerExplanation:Secrets Manager can automatically rotate secrets for RDS, Redshift, and DocumentDB without user intervention.
195

An organization wants to run their massive Big Data analytics workload using Amazon EMR. They want to ensure that if a data node fails, it is automatically replaced without impacting the active Spark jobs. Which EMR feature handles this?

EMR Instance Fleets with 'On-spot' and 'On-demand' diversification
EMR Managed Scaling
EMR Auto Scaling
Standard EC2 Auto Scaling
View Explanation
✓ Correct Answer: EMR Instance Fleets with 'On-spot' and 'On-demand' diversificationExplanation:Instance Fleets provide the highest level of resilience by allowing EMR to pick from multiple instance types and purchasing models.
196

Which AWS tool provides a 'Developer Dashboard' that aggregates logs, metrics, and deployment status from multiple AWS services (Lambda, ECS, EKS) in a single unified view?

AWS CloudWatch Application Insights
AWS Resource Groups
AWS Systems Manager
AWS CodePipeline
View Explanation
✓ Correct Answer: AWS CloudWatch Application InsightsExplanation:Application Insights analyzes your application and its dependencies to detect and troubleshoot problems.
197

Scenario: To minimize the risk of a 'Deployment Failure' due to a script error, you want to ensure that your CodeDeploy deployment automatically rolls back if a specific CloudWatch alarm is triggered during the deployment. Solution ?

CodeDeploy 'Automatic Rollback' configuration with CloudWatch Alarms
Manual rollback via CLI
CodePipeline rollback
CloudFormation Rollback
View Explanation
✓ Correct Answer: CodeDeploy 'Automatic Rollback' configuration with CloudWatch AlarmsExplanation:CodeDeploy natively supports monitoring CloudWatch alarms and executing a rollback if they trigger during a deployment.
198

Which AWS networking service allows you to create a secure, high-performance 'Mirror' of your VPC traffic and send it to an IDS/IPS appliance for deep packet inspection without impacting the main traffic flow?

VPC Traffic Mirroring
VPC Flow Logs
AWS Network Firewall
Transit Gateway
View Explanation
✓ Correct Answer: VPC Traffic MirroringExplanation:Traffic Mirroring allows you to copy VPC traffic from an EC2 instance and send it to security and monitoring appliances.
199

An organization wants to implement 'Governance as Code' and wants to ensure that any new AWS account created under their organization automatically has a specific set of CloudWatch Alarms and IAM roles. Which feature handles this?

CloudFormation StackSets with 'Auto-deployment' enabled
AWS Organizations SCPs
AWS Control Tower
AWS Config
View Explanation
✓ Correct Answer: CloudFormation StackSets with 'Auto-deployment' enabledExplanation:StackSets with auto-deployment will automatically push stacks to new accounts added to an OU.
200

Which AWS service allows you to capture and analyze the HTTP(S) requests made to your web applications to debug performance bottlenecks and visualize the service dependencies in a 'Service Map'?

AWS X-Ray
AWS CloudWatch ServiceLens
AWS CloudTrail
AWS Systems Manager
View Explanation
✓ Correct Answer: AWS X-RayExplanation:X-Ray's Service Map feature provides a visual representation of how requests flow through your application and services.
201

An organization is using AWS CodePipeline to deploy their serverless application. They want to ensure that a 'Integration Test' stage runs against a temporary 'Prview' environment before deploying to production. Which service should they use to manage these ephemeral environments?

AWS CloudFormation (as part of a CodePipeline stage)
AWS Elastic Beanstalk
AWS OpsWorks
AWS Systems Manager OpsCenter
View Explanation
✓ Correct Answer: AWS CloudFormation (as part of a CodePipeline stage)Explanation:CloudFormation is the foundational service for creating repeatable and ephemeral environments for testing.
202

Scenario: To minimize the latency for users worldwide, you decide to use a managed 'API Gateway' that provides 'Edge-optimized' endpoints with built-in DDoS protection. Solution ?

Amazon API Gateway (Edge-optimized) integrated with CloudFront and AWS Shield
Regional API Gateway
Private API Gateway
Direct Connect
View Explanation
✓ Correct Answer: Amazon API Gateway (Edge-optimized) integrated with CloudFront and AWS ShieldExplanation:Edge-optimized endpoints use the CloudFront global network to reduce latency and provide comprehensive security.
203

Your team needs to provision a resource that is not natively supported by AWS CloudFormation (e.g., a 3rd-party SaaS configuration). Which CloudFormation feature allows you to write custom logic in a Lambda function to handle the creation, update, and deletion of this resource?

CloudFormation Custom Resources
CloudFormation Hooks
CloudFormation StackSets
AWS Cloud Control API
View Explanation
✓ Correct Answer: CloudFormation Custom ResourcesExplanation:Custom resources allow you to associate a Lambda function with a resource in a template, which CloudFormation invokes whenever the stack is created or updated.
204

An organization wants to ensure that all their EC2 instances have the latest security patches installed within 48 hours of release. They need a managed service that can scan, report, and automatically apply patches without manual intervention. Which AWS service fits?

AWS Systems Manager Patch Manager
AWS Inspector
AWS Config
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS Systems Manager Patch ManagerExplanation:Patch Manager automates the process of patching managed instances with both security-related and other types of updates.
205

To monitor the deployment of a new application version in CodeDeploy, you want to ensure that if the '5XX Error' metric for your ALB exceeds 5% during the deployment, the process is aborted. How can you automate this?

Add a CloudWatch Alarm to the CodeDeploy Deployment Group for automatic rollback
Use a CodePipeline manual approval gate
Monitor logs manually in CloudWatch Logs
Use AWS Config to detect the error state
View Explanation
✓ Correct Answer: Add a CloudWatch Alarm to the CodeDeploy Deployment Group for automatic rollbackExplanation:CodeDeploy can be configured to monitor CloudWatch alarms and automatically roll back if the specified threshold is reached during deployment.
206

Your organization wants to transition from a manual 'Release Management' process to a fully automated CI/CD pipeline. They want to use an AWS service that provides a unified dashboard to visualize the entire workflow from source code change to production deployment. Which service should they use?

AWS CodePipeline
AWS CodeDeploy
AWS CodeBuild
AWS CloudFormation
View Explanation
✓ Correct Answer: AWS CodePipelineExplanation:CodePipeline is an orchestration service that allows you to model and automate your software release process.
207

An organization following a 'Multi-account' strategy wants to ensure that all their CloudFormation templates use a specific version of a shared library (Lambda Layer). Which service should they use to share and govern these approved resources across accounts?

AWS Systems Manager Parameter Store or AWS Organizations
AWS RAM (Resource Access Manager)
AWS Service Catalog
AWS CloudFormation StackSets
View Explanation
✓ Correct Answer: AWS Systems Manager Parameter Store or AWS OrganizationsExplanation:Parameter Store can be used to store and share configuration data centrally, and CloudFormation can reference these parameters across accounts.
208

An organization wants to implement 'Zero-Downtime' updates for their Amazon RDS instances during maintenance windows. They want to ensure that the standby instance takes over with minimal interruption. Which RDS feature should they enable?

RDS Multi-AZ with readable standbys (Cluster)
RDS Read Replicas
RDS Proxy
Enhanced Monitoring
View Explanation
✓ Correct Answer: RDS Multi-AZ with readable standbys (Cluster)Explanation:Multi-AZ clusters provide three instances across three AZs, with faster failovers and readable standby instances.
209

Your team is using AWS CodePipeline to deploy their application. They want to ensure that a 'Integration Test' stage runs against a temporary 'Preview' environment before deploying to production. Which service should they use to manage these ephemeral environments?

AWS CloudFormation
AWS Elastic Beanstalk
AWS OpsWorks
AWS Systems Manager OpsCenter
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:CloudFormation is the foundational service for creating repeatable and ephemeral environments for testing.
210

An organization wants to analyze their AWS environment for security vulnerabilities like 'Open SSH ports' or 'Over-privileged IAM roles' and wants to receive a 'Security Score' with actionable recommendations. Which service provides this integrated assessment?

AWS Security Hub
AWS Trusted Advisor
AWS Config
AWS Shield
View Explanation
✓ Correct Answer: AWS Security HubExplanation:Security Hub aggregates security findings from multiple AWS services (GuardDuty, Inspector, Macie) and provides a unified security posture view.
211

Your organization wants to use 'AWS Proton' to manage infrastructure for their serverless microservices. They want to ensure that when a developer updates a 'Service Template', it automatically triggers an update for all 'Service Instances'. How is this automated?

Proton automatically manages the sync and update process for service instances based on template versions
Manual update for each instance
Use CloudFormation StackSets manually
External Script
View Explanation
✓ Correct Answer: Proton automatically manages the sync and update process for service instances based on template versionsExplanation:Proton is designed to manage large-scale infrastructure deployments and template versioning automatically.
212

To improve the performance of a high-traffic web application, you want to use 'AWS Global Accelerator' to route traffic to the closest healthy endpoint. How does Global Accelerator handle health checks?

It continuously monitors the health of endpoints and automatically redirects traffic to healthy ones
It relies on Route 53 health checks only
It uses ELB health checks only
Manual failover
View Explanation
✓ Correct Answer: It continuously monitors the health of endpoints and automatically redirects traffic to healthy onesExplanation:Global Accelerator has its own health check mechanism that works in tandem with the global Anycast routing.
213

Which AWS security service can automatically detect 'Suspicious API calls' (e.g., from an unknown IP address or a known malicious source) by analyzing your account's CloudTrail logs?

Amazon GuardDuty
AWS WAF
Amazon Inspector
AWS Security Hub
View Explanation
✓ Correct Answer: Amazon GuardDutyExplanation:GuardDuty uses machine learning and threat intelligence to identify malicious activity in CloudTrail and other logs.
214

Your team wants to implement 'Blue/Green' deployment for their Lambda functions. They want to shift 10% of traffic to the new version every 10 minutes. Which CodeDeploy deployment configuration should they use?

LambdaLinear10PercentEvery10Minutes
LambdaCanary10Percent10Minutes
LambdaAllAtOnce
LambdaLinear5PercentEvery1Minute
View Explanation
✓ Correct Answer: LambdaLinear10PercentEvery10MinutesExplanation:Linear deployment configurations shift traffic in equal increments over a specified period.
215

An organization following SRE principles wants to measure the 'Error Budget' of their application. They need to track the percentage of successful requests over a 30-day window. Which CloudWatch feature should they use?

CloudWatch ServiceLens or Metric Insights
CloudWatch Logs
CloudWatch Events
CloudWatch Alarms
View Explanation
✓ Correct Answer: CloudWatch ServiceLens or Metric InsightsExplanation:ServiceLens and Metric Insights provide the aggregation and visualization needed to calculate Service Level Objectives (SLOs) and error budgets.
216

To ensure that all EC2 instances launched in your AWS account have a specific 'Tag' (e.g., Owner) and an 'IAM Role' attached, which combination of services should you use to automate the audit and remediation?

AWS Config (Rule) + AWS Systems Manager (Remediation Document)
AWS CloudTrail only
AWS Trusted Advisor
Security Groups
View Explanation
✓ Correct Answer: AWS Config (Rule) + AWS Systems Manager (Remediation Document)Explanation:Config can monitor for resource compliance, and SSM Documents can perform the necessary actions to fix non-compliant resources.
217

To protect a mission-critical web application from 'Botnets' and 'L7 DDoS' attacks, you want to implement a solution that identifies sophisticated bot traffic patterns and blocks them before they reach your origin. Which service should you choose?

AWS WAF (with Bot Control managed rules)
AWS Shield Standard
Security Groups
Network ACLs
View Explanation
✓ Correct Answer: AWS WAF (with Bot Control managed rules)Explanation:AWS WAF's Bot Control identifies and manages common bot traffic using machine learning to detect patterns.
218

An organization wants to run their massive Big Data analytics workload using Amazon EMR. They want to ensure they don't over-pay for capacity during periods of low activity. Which EMR feature automatically adjusts the number of nodes in the cluster?

EMR Managed Scaling
Amazon EC2 Auto Scaling
Spot Fleets
Reserved Instances
View Explanation
✓ Correct Answer: EMR Managed ScalingExplanation:EMR Managed Scaling allows you to define the minimum and maximum capacity for your cluster and EMR handles the rest.
219

You are hosting a globally distributed application that requires a single static entry point to route users to the closest healthy region. The application uses HTTP/HTTPS traffic and requires SSL termination and WAF protection. Solution ?

Amazon CloudFront integrated with AWS WAF
Amazon Route 53 Traffic Flow
Application Load Balancer
Direct Connect
View Explanation
✓ Correct Answer: Amazon CloudFront integrated with AWS WAFExplanation:CloudFront provides a global CDN service that routes traffic to the nearest edge location and integrates with WAF for security.
220

Which AWS security service allows you to automatically rotate your database passwords every 30 days and provides a managed way to inject these secrets into your Lambda functions without human intervention?

AWS Secrets Manager
AWS Systems Manager Parameter Store
AWS KMS
AWS IAM
View Explanation
✓ Correct Answer: AWS Secrets ManagerExplanation:Secrets Manager can automatically rotate secrets and provides easy integration for applications to retrieve them.
221

An organization following 'Infrastructure as Code' principle wants to ensure that any change to the production environment's 'Config' settings requires an approval from a second administrator. Solution ?

Enforce a CI/CD pipeline for IaC with 'Manual Approval' stages in CodePipeline
Use a shared administrative account
Use IAM role directly
AWS Trusted Advisor
View Explanation
✓ Correct Answer: Enforce a CI/CD pipeline for IaC with 'Manual Approval' stages in CodePipelineExplanation:Modeling the release process in a pipeline with mandatory manual approvals is the standard way to enforce governance.
222

Which AWS monitoring tool allows you to perform complex, interactive analytics and SQL-based queries across millions of log records from various sources like CloudTrail, VPC Flow Logs, and application logs?

Amazon CloudWatch Logs Insights
Amazon Athena
CloudWatch Metric Explorer
AWS Trusted Advisor
View Explanation
✓ Correct Answer: Amazon CloudWatch Logs InsightsExplanation:CloudWatch Logs Insights is a fully integrated, interactive log analytics service for CloudWatch Logs.
223

An organization wants to implement 'Compliance as Code' and wants to ensure that any new EC2 instance created in their account is automatically checked for unauthorized open ports. Which service handles this automated setup?

AWS Config with 'Security-Groups-Specific-Ports-Check' rule
AWS Organizations SCPs
AWS Control Tower
AWS Shield
View Explanation
✓ Correct Answer: AWS Config with 'Security-Groups-Specific-Ports-Check' ruleExplanation:AWS Config rules provide a way to continuously monitor and assess the compliance of your AWS resource configurations.
224

To improve the performance of your web application for users worldwide, you decide to use a managed 'Service' that provides content caching at edge locations and can protect against DDoS attacks. Solution ?

Amazon CloudFront with AWS Shield Standard/Advanced
Elastic Load Balancing
Route 53
API Gateway
View Explanation
✓ Correct Answer: Amazon CloudFront with AWS Shield Standard/AdvancedExplanation:CloudFront provides global edge locations for caching and native integration with Shield for DDoS protection.
225

An organization is using AWS Systems Manager to collect logs from thousands of EC2 instances. They want to set up an alert that triggers whenever the 'CPU utilization' of any instance stays above 90% for more than 5 minutes. What type of alert should they create?

CloudWatch Metric Alarm
CloudWatch Logs Metric Filter
AWS Config Rule
Personal Health Dashboard alert
View Explanation
✓ Correct Answer: CloudWatch Metric AlarmExplanation:Metric alarms are the standard way to monitor performance metrics and trigger automated actions or notifications.
226

To protect your AWS resources from being accessed by unauthorized users from the internet, you want to implement a solution that requires 'Multi-Factor Authentication' (MFA) and restricts access based on the user's source IP address. Which identity feature should you use?

IAM Policy Conditions with 'aws:SourceIp' and 'aws:MultiFactorAuthPresent'
Security Groups
VPC Endpoint Policies
AWS Secrets Manager
View Explanation
✓ Correct Answer: IAM Policy Conditions with 'aws:SourceIp' and 'aws:MultiFactorAuthPresent'Explanation:IAM conditions allow you to enforce security requirements like MFA and IP-based restrictions at the policy level.
227

An organization wants to move their legacy .NET applications to AWS with minimal code changes. They want a managed platform that handles OS patching, scaling, and provides easy integration with active directory. Which service should they choose?

AWS Elastic Beanstalk (Windows Server tier)
AWS Lambda
Amazon ECS
Amazon EC2 with manual setup
View Explanation
✓ Correct Answer: AWS Elastic Beanstalk (Windows Server tier)Explanation:Elastic Beanstalk provides an easy way to deploy and scale applications on Windows Server without managing the underlying instances manually.
228

How can you securely store and retrieve database connection strings in AWS so they are not hardcoded in your application's source code or configuration files?

AWS Systems Manager Parameter Store or AWS Secrets Manager
S3 bucket with public access
Hardcoded in Environment variables
Encrypted text file on EC2
View Explanation
✓ Correct Answer: AWS Systems Manager Parameter Store or AWS Secrets ManagerExplanation:Parameter Store and Secrets Manager are specialized services for managing sensitive configuration data and secrets.
229

Your organization wants to optimize the cost of their dev/test environments. They want to ensure that all EC2 instances are automatically shut down at 6 PM and restarted at 8 AM daily. Which AWS Systems Manager feature handles this?

Systems Manager Quick Setup (Resource Scheduler)
Systems Manager Patch Manager
Systems Manager Distributor
AWS Config
View Explanation
✓ Correct Answer: Systems Manager Quick Setup (Resource Scheduler)Explanation:Resource Scheduler is a built-in feature of Systems Manager specifically for scheduling start and stop operations for EC2 and RDS.
230

An organization wants to analyze the network topology of their massive multi-account AWS environment. They want a visualization that shows how traffic is flowing between their VPCs, Transit Gateways, and Peering connections. Which tool should they use?

AWS Reachability Analyzer or Transit Gateway Network Manager
VPC Flow Logs mapping
AWS Trusted Advisor
CloudWatch Metrics
View Explanation
✓ Correct Answer: AWS Reachability Analyzer or Transit Gateway Network ManagerExplanation:Reachability Analyzer allows you to perform connectivity testing, and Network Manager provides global network visibility.
231

Which AWS security service uses machine learning to identify data exfiltration patterns or unauthorized logins by analyzing VPC Flow Logs, CloudTrail, and DNS logs across your entire AWS organization?

Amazon GuardDuty
Amazon Inspector
AWS WAF
AWS Shield
View Explanation
✓ Correct Answer: Amazon GuardDutyExplanation:GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
232

Scenario: To minimize the risk of a single engineer making a catastrophic change, you want to ensure that any change to the 'IAM Policies' in production requires an approval from a second administrator in a ticket management system. Solution ?

Integrate CodePipeline with an external approval system (e.g., Slack/SNS/Lambda) that verifies ticket status before progressing
Use a shared admin password
Manual checks by the manager
Disable IAM changes
View Explanation
✓ Correct Answer: Integrate CodePipeline with an external approval system (e.g., Slack/SNS/Lambda) that verifies ticket status before progressingExplanation:Automating binary 'Yes/No' gates in the pipeline based on external business logic is the most reliable way to enforce enterprise governance.
233

Your organization wants to automatically revert an AWS CloudFormation stack update if an 'HTTP 5xx' error spike is detected in the application's ELB metrics during the update. Which CloudFormation feature should be configured?

CloudFormation Rollback Configuration (Monitoring Time and CloudWatch Alarms)
CloudFormation Change Sets
CloudFormation StackSets
CloudFormation Hooks
View Explanation
✓ Correct Answer: CloudFormation Rollback Configuration (Monitoring Time and CloudWatch Alarms)Explanation:Rollback configuration allow you to specify CloudWatch Alarms that CloudFormation monitors during stack creation or update. If an alarm triggers, CloudFormation rolls back the stack.
234

An organization wants to implement 'Self-Healing' for their EC2 instances that are running in a private subnet. They want to ensure that if the 'StatusCheckFailed_System' metric triggers, the instance is automatically recovered with the same IP and metadata. Which service handles this?

Amazon EC2 Auto Recovery (CloudWatch Alarm action)
ASG Health Checks
AWS Systems Manager OpsCenter
AWS Config
View Explanation
✓ Correct Answer: Amazon EC2 Auto Recovery (CloudWatch Alarm action)Explanation:EC2 Auto Recovery can be triggered by a CloudWatch alarm on the system status check metric, facilitating hardware-level recovery.
235

In an SRE model, you want to track the 'Error Budget' for your microservices. Which tool provides the best aggregation of Service Level Indicators (SLIs) like latency and error rate to compute your SLO compliance?

CloudWatch ServiceLens
CloudWatch Logs Insights
AWS X-Ray
AWS Config
View Explanation
✓ Correct Answer: CloudWatch ServiceLensExplanation:ServiceLens integrates CloudWatch metrics and logs with X-Ray traces to provide a comprehensive view of service health and performance against SLOs.
236

Your organization wants to automate the response to an 'Unauthorized EC2 Instance Termination' event detected via CloudTrail. They want to receive a notification and automatically launch a replacement instance. Which AWS service is best for orchestrating this response?

Amazon EventBridge (triggering SNS for notification and Lambda for recovery)
AWS Config with remediation
CloudWatch Logs
AWS Systems Manager Document
View Explanation
✓ Correct Answer: Amazon EventBridge (triggering SNS for notification and Lambda for recovery)Explanation:EventBridge is the standard event bus for AWS, allowing you to react to lifecycle events in real-time with automated actions.
237

To minimize the 'Blast Radius' of a potential compromise in a CI/CD pipeline, an architect recommends using 'Dynamic Credentials' for the build environment (CodeBuild). How can this be implemented?

Assign an IAM Role to the CodeBuild project environment
Store access keys in Parameter Store
Hardcode credentials in the buildspec.yml
Use AWS Secrets Manager manually
View Explanation
✓ Correct Answer: Assign an IAM Role to the CodeBuild project environmentExplanation:CodeBuild environments support IAM roles, which provide temporary, automatically rotated credentials for accessing other AWS services.
238

Which AWS service allows you to centrally manage and evaluate the configurations of your AWS resources across multiple accounts and regions, providing a 'Compliance Timeline' for each resource?

AWS Config (Aggregator)
AWS CloudTrail
AWS Security Hub
AWS Systems Manager OpsCenter
View Explanation
✓ Correct Answer: AWS Config (Aggregator)Explanation:Config Aggregator collects configuration and compliance data from multiple accounts and regions into a single account.
239

Scenario: You are building a serverless data pipeline and want to ensure that if a Lambda function fails more than 3 times, the event is automatically sent to an SQS queue for manual investigation. Solution ?

Lambda Dead Letter Queue (DLQ) or On-Failure Destination
CloudWatch Logs metric filter
SNS Topic only
Step Functions Retry policy
View Explanation
✓ Correct Answer: Lambda Dead Letter Queue (DLQ) or On-Failure DestinationExplanation:Lambda natively supports Dead Letter Queues (DLQ) and Destinations to handle failed asynchronous invocations.
240

Which AWS security service can automatically detect 'Publicly Accessible' S3 buckets in your organization and trigger a Lambda function to immediately remove the public permission?

AWS Config with Custom Remediation (via Systems Manager or Lambda)
AWS GuardDuty
AWS Shield
Amazon Inspector
View Explanation
✓ Correct Answer: AWS Config with Custom Remediation (via Systems Manager or Lambda)Explanation:Config Rules with auto-remediation provide an automated way to enforce and fix compliance violations.
241

To improve the performance and cost of your application which has unpredictable traffic spikes, you want to use an Auto Scaling policy that proactively scales capacity based on historical patterns. Which feature of ASG should you choose?

Predictive Scaling
Dynamic Scaling (Step)
Scheduled Scaling
Manual Scaling
View Explanation
✓ Correct Answer: Predictive ScalingExplanation:Predictive scaling uses machine learning to forecast future traffic and scale capacity accordingly, reducing the need for reactive scaling.
242

Which AWS tool provides a 'No-Code' experience to identify and troubleshoot operational issues across all your AWS resources by aggregating alerts from CloudWatch, Config, and CloudTrail?

AWS Systems Manager OpsCenter
AWS Trusted Advisor
AWS Personal Health Dashboard
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS Systems Manager OpsCenterExplanation:OpsCenter is a central place where operations engineers can view, investigate, and resolve operational issues (OpsItems).
243

An organization wants to analyze the performance of their SQL queries in Amazon Aurora to identify the slowest queries and see execution plans. Which feature of RDS provides this insight?

Amazon RDS Performance Insights
CloudWatch Logs
Enhanced Monitoring
VPC Flow Logs
View Explanation
✓ Correct Answer: Amazon RDS Performance InsightsExplanation:Performance Insights helps you analyze database load and identify when and where your DB is experiencing issues.
244

To protect against an entire regional outage, an architect decides to maintain a 'Pilot Light' DR strategy where the database is continuously replicated to a secondary region. Which AWS service facilitates this database replication for Amazon RDS?

Amazon RDS Cross-Region Read Replicas
AWS DMS (Database Migration Service)
S3 Cross-Region Replication
Daily manual backups
View Explanation
✓ Correct Answer: Amazon RDS Cross-Region Read ReplicasExplanation:Read replicas in a different region allow for a standby database that can be promoted quickly during a disaster.
245

Which AWS service allows you to centrally manage and automate security configuration checks for your enterprise using a set of best-practice 'Conformance Packs' and policies?

AWS Config
AWS Security Hub
AWS Systems Manager OpsCenter
AWS CloudTrail
View Explanation
✓ Correct Answer: AWS ConfigExplanation:Conformance packs are collections of AWS Config rules and remediation actions that help you manage compliance at scale.
246

To automate the creation of hundreds of AWS accounts for different departments, an organization wants to use a service that provides a 'Landing Zone' and automatically applies governance guardrails. Which service should they use?

AWS Control Tower
AWS Organizations (direct setup)
AWS CloudFormation StackSets
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS Control TowerExplanation:Control Tower is an orchestration service that simplifies the setup of a secure and compliant multi-account AWS environment.
247

Scenario: You want to ensure that any change to a production stack in CloudFormation triggers a Slack notification to your SRE team. Solution ?

CloudFormation Stack SNS Notification -> AWS Lambda -> Slack Webhook
Manually check the console
Wait for a CloudWatch log entry
Weekly reports
View Explanation
✓ Correct Answer: CloudFormation Stack SNS Notification -> AWS Lambda -> Slack WebhookExplanation:CloudFormation can send notifications to an SNS topic on every stack event, which can then be processed by Lambda for external alerts.
248

Which AWS tool provides a 'Health Dashboard' that alerts you to AWS infrastructure issues that might affect your specifically deployed resources (e.g., an underlying hardware failure on a specific host)?

AWS Personal Health Dashboard
AWS Trusted Advisor
CloudWatch Service Status
Amazon Inspector
View Explanation
✓ Correct Answer: AWS Personal Health DashboardExplanation:Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.
249

An organization following SRE principles wants to implement 'Canary' monitoring for their web endpoints to track user-experience metrics like Page Load Time from different global locations. Which service provides this feature?

CloudWatch Synthetics
CloudWatch ServiceLens
AWS X-Ray
AWS Global Accelerator
View Explanation
✓ Correct Answer: CloudWatch SyntheticsExplanation:CloudWatch Synthetics can run 'canaries' (scripts) to monitor endpoints and APIs 24/7 and alert on issues.
250

To improve the security and performance of a large fleet of web servers which spend most of their time processing HTTP requests, an organization decides to switch to ARM64-based virtual machines. Which AWS VM series should they choose?

C7g or M7g (Graviton3 based)
C6i (Intel based)
M6a (AMD based)
T3
View Explanation
✓ Correct Answer: C7g or M7g (Graviton3 based)Explanation:AWS Graviton processors offer the best price-performance for many cloud-native and scale-out workloads.
251

Which AWS security service allows you to perform automated security assessment of your EC2 instances to identify 'Network Reachability' and 'Host Vulnerabilities' (CVEs)?

Amazon Inspector
AWS Shield
AWS WAF
AWS Security Hub
View Explanation
✓ Correct Answer: Amazon InspectorExplanation:Amazon Inspector is a vulnerability management service that scans workloads for vulnerabilities and unintended network exposure.
252

Scenario: To minimize the risk of a misconfiguration during a CloudFormation deployment, you want to ensure that a 'Stack Update' is automatically rolled back if a specific 'Wait Condition' is not met within 30 minutes. Solution ?

Use CloudFormation 'WaitCondition' and 'WaitConditionHandle' in your template
Manual check
Wait for 30 minutes in the CI/CD pipeline
CloudWatch event rule
View Explanation
✓ Correct Answer: Use CloudFormation 'WaitCondition' and 'WaitConditionHandle' in your templateExplanation:Wait conditions allow you to pause the stack operation until an external signal is received, enabling validation during deployment.
253

Which AWS service allows you to centrally manage and distribute 'Docker Images' across your organization and provides built-in vulnerability scanning for these images?

Amazon Elastic Container Registry (ECR)
AWS CodeArtifact
Amazon EKS
AWS Marketplace
View Explanation
✓ Correct Answer: Amazon Elastic Container Registry (ECR)Explanation:ECR is a fully managed container registry that makes it easy for developers to share and deploy images safely.
254

To improve the performance and cost of a large fleet of virtual machines that are running MongoDB workloads, an organization decides to switch to 'NVMe-based' storage. Which EC2 instance series should they choose?

I4i or I3 (Storage Optimized)
C6g (Compute Optimized)
M6g (General Purpose)
T4g
View Explanation
✓ Correct Answer: I4i or I3 (Storage Optimized)Explanation:Storage-optimized instances are designed for high-performance databases that require low-latency, high-IOPS local storage.
255

Which AWS service provides a managed 'ETL' (Extract, Transform, Load) solution that can automatically discover and catalog metadata from your data lake in S3 and transform it for analysis?

AWS Glue
AWS Data Pipeline
Amazon Athena
AWS Step Functions
View Explanation
✓ Correct Answer: AWS GlueExplanation:AWS Glue is an integrated serverless data integration service for discovering, preparing, and combining data for analytics.
256

To automate the deployment of a serverless application consisting of dozens of Lambda functions and DynamoDB tables, which AWS CLI extension (or tool) should you use?

AWS SAM (Serverless Application Model)
AWS CloudFormation (direct CLI)
AWS OpsWorks CLI
AWS SDK
View Explanation
✓ Correct Answer: AWS SAM (Serverless Application Model)Explanation:SAM is an open-source framework for building serverless applications on AWS, simplifying the template syntax and deployment process.
257

An organization wants to track the 'Cost per Microservice' in their Kubernetes cluster running on Amazon EKS. Which feature or tool provides this granular cost visibility?

AWS Cost and Usage Reports (CUR) with Kubernetes Cost Allocation (enabled by AWS Cost Explorer)
CloudWatch Logs
Kubernetes Dashboard
AWS Pricing Calculator
View Explanation
✓ Correct Answer: AWS Cost and Usage Reports (CUR) with Kubernetes Cost Allocation (enabled by AWS Cost Explorer)Explanation:AWS recently introduced native EKS cost allocation to track costs down to the namespace and pod level.
258

Which AWS service provides a 'No-Code' experience to identify and troubleshoot operational issues across all your AWS resources by aggregating alerts from CloudWatch, Config, and CloudTrail?

AWS Systems Manager OpsCenter
AWS Trusted Advisor
AWS Personal Health Dashboard
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS Systems Manager OpsCenterExplanation:OpsCenter is a central place where operations engineers can view, investigate, and resolve operational issues (OpsItems).
259

An organization wants to perform 'Stress Testing' on their EC2 fleet by simulating a network outage or instance failure to verify their system's resilience. Which AWS service provides these managed 'Fault Injection' capabilities?

AWS Fault Injection Simulator (FIS)
AWS CloudWatch
AWS Systems Manager
AWS Config
View Explanation
✓ Correct Answer: AWS Fault Injection Simulator (FIS)Explanation:FIS is a managed service for running fault injection experiments on AWS to improve application resilience.
260

To improve the performance of an application which has highly variable traffic, you want to scale your EC2 fleet based on a custom metric like 'Number of messages in SQS queue'. How should you configure this?

Auto Scaling Policy using 'Target Tracking' or 'Step Scaling' on the SQS metric
Manual scaling
Schedule scaling daily
CloudWatch Logs
View Explanation
✓ Correct Answer: Auto Scaling Policy using 'Target Tracking' or 'Step Scaling' on the SQS metricExplanation:Dynamic scaling allows you to respond to load changes in real-time based on specific business metrics.
261

Which AWS security service allows you to automatically detect 'Sensitive Data' (like PII or credit card numbers) in your S3 buckets at scale?

Amazon Macie
Amazon Inspector
AWS GuardDuty
AWS Config
View Explanation
✓ Correct Answer: Amazon MacieExplanation:Macie uses ML and pattern matching to discover and protect sensitive data in S3.
262

Scenario: To minimize the risk of a single point of failure in your global application, you want to route users to the healthiest and closest region using Anycast technology. Solution ?

AWS Global Accelerator
Amazon Route 53 Traffic Flow
Application Load Balancer
Direct Connect
View Explanation
✓ Correct Answer: AWS Global AcceleratorExplanation:Global Accelerator uses the AWS global network and Anycast to route requests to the nearest healthy endpoint, improving availability and performance.
263

Your organization wants to implement 'Attribute-based Access Control' (ABAC) in AWS to simplify permission management. They want to ensure that developers can only start/stop virtual machines that have a 'ProjectID' tag matching the 'ProjectID' tag on the developer's IAM user. Which IAM policy condition key enables this dynamic comparison?

aws:PrincipalTag/ProjectID and aws:ResourceTag/ProjectID
aws:SourceIp
aws:RequestedRegion
aws:MultiFactorAuthPresent
View Explanation
✓ Correct Answer: aws:PrincipalTag/ProjectID and aws:ResourceTag/ProjectIDExplanation:ABAC uses tags on both the identity (principal) and the resource. By comparing these tags in the IAM policy condition, you can grant access dynamically.
264

An enterprise wants to implement 'Service Control Policies' (SCPs) in AWS Organizations to prevent any user (including the root user) from deleting the 'CloudTrail' logs in any member account. How should this SCP be applied?

Apply an SCP with a 'Deny' effect for 'cloudtrail:DeleteTrail' at the Organization or OU level
Use an IAM policy on the root user
Configure CloudTrail to use a public S3 bucket
Use AWS Config remediation
View Explanation
✓ Correct Answer: Apply an SCP with a 'Deny' effect for 'cloudtrail:DeleteTrail' at the Organization or OU levelExplanation:SCPs are powerful guardrails that can restrict permissions for all accounts in an organization, including the root user.
265

To ensure that all data stored in Amazon S3 is encrypted using 'Customer-Managed Keys' (CMK) in AWS KMS, which AWS service can be used to automatically identify and block the creation of non-compliant buckets?

AWS Config with a custom rule and 'Deny' IAM policy
AWS Shield
Amazon Inspector
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS Config with a custom rule and 'Deny' IAM policyExplanation:AWS Config can continuously monitor bucket configurations, and combined with organizational policies, can enforce encryption standards.
266

Your organization wants to automate the 'Rotation' of an IAM Access Key for a developer whose keys have not been changed in 90 days. Which combination of AWS services is best for this automation?

AWS Config (to detect old keys) -> Amazon EventBridge -> AWS Lambda (to rotate the key)
AWS IAM manual console
AWS Trusted Advisor only
Daily manual reports
View Explanation
✓ Correct Answer: AWS Config (to detect old keys) -> Amazon EventBridge -> AWS Lambda (to rotate the key)Explanation:Config can monitor the age of IAM keys, and EventBridge can trigger a Lambda function to perform the rotation logic.
267

An organization wants to centrally manage and evaluation findings from multiple security services (GuardDuty, Inspector, Macie) across hundreds of AWS accounts. Which service provides this unified dashboard?

AWS Security Hub
AWS Shield Advanced
AWS Artifact
AWS Resource Groups
View Explanation
✓ Correct Answer: AWS Security HubExplanation:Security Hub aggregates and prioritizes security alerts and findings from various services into a single view.
268

To protect against a large-scale Ransomware attack that modifies or deletes objects in your S3 buckets, which feature should you enable to ensure that data remains immutable for a specified period?

S3 Object Lock (Compliance mode)
S3 Versioning only
MFA Delete
S3 Cross-Region Replication
View Explanation
✓ Correct Answer: S3 Object Lock (Compliance mode)Explanation:Object Lock prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely.
269

Scenario: To minimize the risk of data exfiltration, you want to ensure that all communication between your private subnet and S3 stays within the AWS network and does not use the public internet. Solution ?

VPC Gateway Endpoint for S3
VPC Peering
NAT Gateway
Internet Gateway
View Explanation
✓ Correct Answer: VPC Gateway Endpoint for S3Explanation:Gateway endpoints provide private connectivity to S3 without requiring an IGW or NAT device.
270

Which AWS service allows you to automatically audit and evaluate the IAM policies in your account to identify 'Over-privileged' roles and provide specific recommendations for downsizing permissions?

IAM Access Analyzer
AWS Config
AWS Trusted Advisor
Amazon GuardDuty
View Explanation
✓ Correct Answer: IAM Access AnalyzerExplanation:Access Analyzer helps you identify resources shared with external entities and provides policy validation and generation features.
271

To ensure that all AWS accounts created in your organization have a specific 'Security Admin' role with a trust relationship to your central security account, which feature of AWS Organizations should you use?

AWS Organizations 'Account Factory' or 'CloudFormation StackSets' with auto-deployment
SCPs (Service Control Policies)
AWS Config remediation
Manual IAM setup
View Explanation
✓ Correct Answer: AWS Organizations 'Account Factory' or 'CloudFormation StackSets' with auto-deploymentExplanation:StackSets combined with AWS Organizations allows for the automated provisioning of common resources into new accounts.
272

Scenario: To minimize the risk of an 'Insider Threat' accidentally deleting a production database, you want to require 'MFA' for any delete operation performed via the AWS CLI or SDK. How can you enforce this?

IAM Policy with a condition 'aws:MultiFactorAuthPresent: true' for the DeleteDBInstance action
Use a shared password
Disable the CLI
Wait for 10 minutes
View Explanation
✓ Correct Answer: IAM Policy with a condition 'aws:MultiFactorAuthPresent: true' for the DeleteDBInstance actionExplanation:IAM policy conditions can enforce that a user must have authenticated with MFA before performing sensitive actions.
273

Which AWS service provides a 'No-Code' experience to audit and evaluation your AWS environment against industry standards like 'NIST' or 'PCI DSS' and provides a detailed compliance report?

AWS Audit Manager
AWS Artifact
AWS Config
AWS Security Hub
View Explanation
✓ Correct Answer: AWS Audit ManagerExplanation:Audit Manager automates evidence collection to help you assess your environment for compliance.
274

To protect your application from 'DDoS' attacks that target the 'Transport' and 'Network' layers (L3/L4), which AWS service provides 'Automatic' mitigation as part of its standard offering?

AWS Shield Standard
AWS WAF
Amazon CloudFront
AWS Firewall Manager
View Explanation
✓ Correct Answer: AWS Shield StandardExplanation:Shield Standard provides automatic protection for all AWS customers from common L3/L4 DDoS attacks.
275

An organization following 'Infrastructure as Code' wants to ensure that any change to the production environment's 'Config' settings requires an approval from a second administrator. Solution ?

Enforce a CI/CD pipeline for IaC with 'Manual Approval' stages in CodePipeline
Use a shared administrative account
Daily reports
None
View Explanation
✓ Correct Answer: Enforce a CI/CD pipeline for IaC with 'Manual Approval' stages in CodePipelineExplanation:Pipelines with mandatory manual approvals are the standard for enterprise-grade IaC governance.
276

Which AWS security service allows you to automatically rotate your database passwords every 30 days and provides a managed way to inject these secrets into your application without human intervention?

AWS Secrets Manager
AWS Systems Manager Parameter Store
AWS KMS
AWS IAM
View Explanation
✓ Correct Answer: AWS Secrets ManagerExplanation:Secrets Manager can automatically rotate secrets and provides easy integration for applications to retrieve them.
277

Which AWS Systems Manager feature allows you to perform an interactive shell session on an EC2 instance without opening port 22 (SSH) or using an IGW?

Systems Manager Session Manager
Systems Manager Run Command
Systems Manager Patch Manager
AWS CloudShell
View Explanation
✓ Correct Answer: Systems Manager Session ManagerExplanation:Session Manager provides secure, one-click access to instances over a browser-based shell or CLI without needing SSH keys or open ports.
278

Your organization wants to implement 'CloudFormation Macros' to automatically inject common security groups into every template deployed in the account. Which AWS service is used to host the logic for these macros?

AWS Lambda
AWS CloudFormation StackSets
AWS Systems Manager
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS LambdaExplanation:CloudFormation Macros use Lambda functions to process templates and perform transformations before the stack is created or updated.
279

An organization wants to use 'CodeBuild Report Groups' to aggregate and visualize the results of their JUnit tests across multiple build projects. How do they specify the test files in the buildspec.yml?

Under the 'reports' section with the file path and type
Under the 'artifacts' section
Using a custom Lambda function
Using the CLI command 'codebuild-report'
View Explanation
✓ Correct Answer: Under the 'reports' section with the file path and typeExplanation:The 'reports' section in buildspec.yml allows you to define where test results are located so CodeBuild can process them into reports.
280

To reduce the cost of X-Ray tracing for a high-volume application while still capturing statistically significant data, which X-Ray feature should you use to adjust the data collection rate dynamically?

Sampling Rules
Annotations
Metadata
Filter Expressions
View Explanation
✓ Correct Answer: Sampling RulesExplanation:Sampling rules allow you to control the amount of data that you collect and can be modified without changing your application code.
281

To improve the performance profile of an application which has highly variable traffic, you want to scale your EC2 fleet based on a custom metric like 'Number of messages in SQS queue'. How should you configure this?

Auto Scaling Policy using 'Target Tracking' or 'Step Scaling' on the SQS metric
Manual scaling
Schedule scaling daily
CloudWatch Logs
View Explanation
✓ Correct Answer: Auto Scaling Policy using 'Target Tracking' or 'Step Scaling' on the SQS metricExplanation:Dynamic scaling allows you to respond to load changes in real-time based on specific business metrics.
282

Which ALERT service allows you to automatically detect 'Suspicious activity' in your AWS account by analyzing CloudTrail, VPC Flow Logs, and DNS logs across your entire AWS organization using AI?

Amazon GuardDuty
Amazon Inspector
AWS Shield
AWS WAF
View Explanation
✓ Correct Answer: Amazon GuardDutyExplanation:GuardDuty is a continuous security monitoring service that analyzes massive amounts of data to detect malicious behavior.
283

An organization wants to implement 'Zero Trust' networking for their hybrid cloud environment and wants to ensure that all branch connectivity is centralized, encrypted, and monitored. Which AWS service fits?

AWS Transit Gateway (with Network Firewall integration)
AWS Direct Connect only
VPC Peering
None
View Explanation
✓ Correct Answer: AWS Transit Gateway (with Network Firewall integration)Explanation:Transit Gateway acts as a central hub, and integrated with Network Firewall, provides a secure global transit architecture.
284

Scenario: To minimize the risk of an admin accidentally deleting a production resource group (stack), you want to ensure that no one can perform a 'Delete' operation without first removing a specific 'Stack Policy' from the resource. Solution ?

CloudFormation Stack Policy with 'Deny' effect on 'Update:Delete'
RBAC only
IAM only
None
View Explanation
✓ Correct Answer: CloudFormation Stack Policy with 'Deny' effect on 'Update:Delete'Explanation:Stack policies prevent stack resources from being unintentionally updated or deleted during stack updates.
285

Which AWS security service allow you to automatically check if any IAM roles in your organization have been compromised by analyzing billions of signals daily to detect 'Impossible Travel' or 'Leaked Credentials'?

AWS GuardDuty
AWS Shield
AWS WAF
Amazon Macie
View Explanation
✓ Correct Answer: AWS GuardDutyExplanation:GuardDuty's threat intelligence can detect patterns associated with compromised credentials and malicious logins.
286

An organization following the 'Least Privilege' principle wants to ensure that developers can only provision EC2 instances if they apply a 'CostCenter' tag. How should they implement this organizational control?

IAM Policy with a Condition 'aws:RequestTag/CostCenter: true' for the RunInstances action
Weekly manual reports
Daily manual checks
None
View Explanation
✓ Correct Answer: IAM Policy with a Condition 'aws:RequestTag/CostCenter: true' for the RunInstances actionExplanation:Using IAM conditions is the most precise way to enforce tagging requirements during resource creation.
287

Which AWS tool provides a 'Developer Roadmap' to identify and troubleshoot issues in your application by correlating logs, traces, and metrics into a single unified dashboard?

AWS CloudWatch Application Insights
AWS Resource Groups
AWS CloudMap
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS CloudWatch Application InsightsExplanation:Application Insights is an AI-powered service that analyzes application health across your AWS resources.
288

To improve the performance of your global application, you want to maintain a 'Multi-Region Active-Active' architecture. Which AWS service is essential for globally distributing and load-balancing traffic across regions?

AWS Global Accelerator or Amazon Route 53 (Latency routing)
Elastic Load Balancing
VPC Peering
API Gateway
View Explanation
✓ Correct Answer: AWS Global Accelerator or Amazon Route 53 (Latency routing)Explanation:These services handle global routing and health-based failover to ensure high availability.
289

Which AWS security service allows you to automatically evaluate your AWS account against the 'CIS AWS Foundations Benchmark' and provide a detailed compliance report with remediation guidance?

AWS Security Hub
AWS Trusted Advisor
AWS Config
Amazon GuardDuty
View Explanation
✓ Correct Answer: AWS Security HubExplanation:Security Hub supports multiple industry standards, including CIS benchmarks, and provides continuous monitoring.
290

An organization building a serverless data pipeline wants to ensure that all data stored in S3 is automatically encrypted at rest and that every 'Decrypt' operation by an engineer is logged for auditing. Solution ?

S3 Encryption with AWS KMS (CMK) and AWS CloudTrail logging enabled
S3 Encryption with S3-managed keys (SSE-S3)
NSG rules
Manual audits
View Explanation
✓ Correct Answer: S3 Encryption with AWS KMS (CMK) and AWS CloudTrail logging enabledExplanation:KMS provides the encryption key, and CloudTrail logs all API calls, including decryption requests for specific keys.
291

Scenario: To minimize the risk of a misconfiguration during a CloudFormation deployment, you decide to use a 'Stack Policy' that explicitly denies all update actions for your production RDS instances. Solution ?

CloudFormation Stack Policy with Deny for RDS resource types
RBAC only
Manual check
None
View Explanation
✓ Correct Answer: CloudFormation Stack Policy with Deny for RDS resource typesExplanation:Stack policies are an effective guardrail to prevent accidental updates or deletions of critical stack resources.
292

Which AWS service provides a 'No-Code' experience to identify and troubleshoot operational issues by aggregating alerts from CloudWatch, Config, and CloudTrail into a single 'Operational Hub'?

AWS Systems Manager OpsCenter
AWS Trusted Advisor
AWS Personal Health Dashboard
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS Systems Manager OpsCenterExplanation:OpsCenter is specifically designed to provide a central location for managing operational issues.
293

Your organization wants to deploy an application across 50 AWS accounts using AWS CodePipeline. They want to ensure that a central 'Release' account manages the pipeline, and artifacts are stored in a central S3 bucket accessible by all member accounts. Which combination of S3 bucket policies and IAM roles is required?

Central S3 bucket policy allowing cross-account access and IAM roles in member accounts with KMS decryption permissions
Public S3 bucket
VPC Peering between all accounts
IAM full admin access only
View Explanation
✓ Correct Answer: Central S3 bucket policy allowing cross-account access and IAM roles in member accounts with KMS decryption permissionsExplanation:Cross-account pipelines require the target accounts to have permissions to the central artifact bucket and the specific KMS key used to encrypt the artifacts.
294

An organization wants to use AWS CodeDeploy to manage deployments to their on-premises Windows servers. They want to ensure that the deployment process is identical to their EC2 deployments. Which component must be installed on the on-premises servers?

CodeDeploy Agent (configured for on-premises instances)
AWS CLI only
AWS Systems Manager Agent only
Windows Update Agent
View Explanation
✓ Correct Answer: CodeDeploy Agent (configured for on-premises instances)Explanation:The CodeDeploy agent is required on all instances (EC2 or on-premises) to allow CodeDeploy to perform the deployment steps defined in the AppSpec file.
295

To implement a 'GitOps' workflow for a serverless application, you want a specific AWS CodeCommit branch to automatically trigger a CodePipeline only when a file matching the pattern 'infra/*.yml' is modified. How can you implement this filtering logic?

Use an Amazon EventBridge rule with a custom 'detail' filter for the specific commit patterns
Configure CodePipeline source stage filter
Use a CodeCommit trigger to SNS
Manual triggers only
View Explanation
✓ Correct Answer: Use an Amazon EventBridge rule with a custom 'detail' filter for the specific commit patternsExplanation:EventBridge provides the most granular level of event filtering for CodeCommit events, allowing you to trigger pipelines based on commit details.
296

Your organization wants to share 'IAM Roles' and 'CloudWatch Alarms' across 100 accounts in a specific Organizational Unit (OU). They want new accounts added to the OU to automatically receive these resources. Solution ?

CloudFormation StackSets with 'Service-managed' permissions and 'Auto-deployment' enabled
AWS Organizations SCPs
AWS Control Tower
Manual IAM setup
View Explanation
✓ Correct Answer: CloudFormation StackSets with 'Service-managed' permissions and 'Auto-deployment' enabledExplanation:StackSets with service-managed permissions integrate with AWS Organizations to automatically manage instances in the specified OU.
297

Which AWS service allows you to centrally manage and share 'SAML' and 'OIDC' identities (like Azure AD or Okta) across multiple AWS accounts, providing a unified single sign-on experience for developers?

AWS IAM Identity Center (Successor to AWS SSO)
AWS Directory Service
AWS Managed Microsoft AD
IAM Roles
View Explanation
✓ Correct Answer: AWS IAM Identity Center (Successor to AWS SSO)Explanation:IAM Identity Center allows you to assign users to accounts and groups, providing a seamless SSO experience across the organization.
298

Scenario: To minimize the risk of a 'Deployment Stagnation' (where a failed deployment leaves the environment in an inconsistent state), you want to ensure that CodeDeploy automatically rolls back to the last known healthy version if any life-cycle hook fails. Solution ?

Configure 'Rollback on failure' in the CodeDeploy Deployment Group
Use CloudWatch Alarms only
Manual rollback via CLI
None
View Explanation
✓ Correct Answer: Configure 'Rollback on failure' in the CodeDeploy Deployment GroupExplanation:CodeDeploy can be set to automatically roll back to the previously successful deployment if current one fails.
299

An organization wants to implement 'Infrastructure as Code' for their multi-region AWS environment. They want to use a tool that allow them to deploy CloudFormation stacks into hundreds of accounts across multiple regions with a single operation. Which feature should they use?

AWS CloudFormation StackSets
AWS CloudFormation Stacks
AWS Organizations SCPs
AWS Proton
View Explanation
✓ Correct Answer: AWS CloudFormation StackSetsExplanation:StackSets extend the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions.
300

Your team is using AWS CodeDeploy to update a 'Lambda' function. They want to ensure that a 'Validation' function runs after the traffic is fully shifted to the new version. Which AppSpec hook should they use?

PostTraffic
AfterAllowTraffic
BeforeAllowTraffic
AllowTraffic
View Explanation
✓ Correct Answer: PostTrafficExplanation:PostTraffic hook runs after all traffic has been shifted to the new version, ideal for cleanup or final verification.
301

An organization wants to use 'AWS Systems Manager Automation' to automatically fix 'Non-Compliant' S3 buckets detected by AWS Config. How do they pass the 'ResourceID' from Config to the Automation document?

Config automatically passes the ResourceID as an input parameter to the remediation action
Using an SNS topic
Using a Lambda function as an intermediary
Hardcoded in the document
View Explanation
✓ Correct Answer: Config automatically passes the ResourceID as an input parameter to the remediation actionExplanation:AWS Config remediation allows you to map resource properties (like ResourceID) to parameters in Systems Manager documents.
302

To implement 'Feature Flags' in an application running on EC2, you decide to use AWS AppConfig. You want to ensure that the application receives updates without polling a central API constantly. Which method should the application use?

AWS AppConfig Agent (sidecar or process) with local caching
Periodic S3 sync
SQS notifications
Websockets
View Explanation
✓ Correct Answer: AWS AppConfig Agent (sidecar or process) with local cachingExplanation:The AppConfig Agent handles retrieving, caching, and updating configuration data, reducing direct API calls and latency.
303

Which AWS service allows you to centrally manage 'SSH Keys' for your EC2 fleet and provides an audit log of who accessed which instance and when?

EC2 Instance Connect
IAM Roles
AWS Secrets Manager
AWS KMS
View Explanation
✓ Correct Answer: EC2 Instance ConnectExplanation:EC2 Instance Connect allows you to use IAM policies and CloudTrail to control and audit SSH access, replacing the need for long-lived SSH keys.
304

Scenario: You are using AWS OpsWorks for Chef to manage your application servers. You want to run a specific recipe only when a new instance 'Joins' the stack. Which lifecycle event should you use?

Setup
Configure
Deploy
Undeploy
View Explanation
✓ Correct Answer: SetupExplanation:The 'Setup' event occurs on new instances after they have booted and the agent has been installed.
305

An organization wants to use 'AWS CloudMap' to provide service discovery for their containerized microservices. How weight-based routing can be implemented for 'Blue/Green' deployments within CloudMap?

CloudMap doesn't support weighting; use Route 53 or ELB for traffic shifting
Using 'CustomAttributes' in the instance registration
Using a Lambda function
CloudMap native weights
View Explanation
✓ Correct Answer: CloudMap doesn't support weighting; use Route 53 or ELB for traffic shiftingExplanation:CloudMap handles discovery and health checks but delegates traffic management to services like Route 53 or App Mesh.
306

To monitor the performance of your 'Elastic Beanstalk' environment, you want to enable 'Enhanced Health Reporting'. Where do you configure the specific metrics to be collected?

In a configuration file (.ebextensions/health.config) or via the console
In the application code
In the VPC settings
In CloudWatch directly
View Explanation
✓ Correct Answer: In a configuration file (.ebextensions/health.config) or via the consoleExplanation:Enhanced health reporting allows you to customize the metrics collected by providing a configuration file in the .ebextensions directory.
307

Which AWS security service allows you to automatically assess your ECR container images for software vulnerabilities whenever they are pushed to the registry?

Amazon ECR Native Scanning (or Basic/Enhanced scanning with Inspector)
Amazon GuardDuty
AWS WAF
AWS Security Hub
View Explanation
✓ Correct Answer: Amazon ECR Native Scanning (or Basic/Enhanced scanning with Inspector)Explanation:ECR supports automated image scanning to identify vulnerabilities in your container images.
308

Scenario: You want to ensure that any change to a 'KMS Key Policy' requires an approval from a senior security engineer. Since KMS doesn't support approval rules directly, how can you implement this?

Manage KMS keys via CloudFormation in a CI/CD pipeline with a manual approval stage
Use a shared admin password
Disable KMS policy updates
Use SCPs only
View Explanation
✓ Correct Answer: Manage KMS keys via CloudFormation in a CI/CD pipeline with a manual approval stageExplanation:Modeling key management as code in a pipeline allows for mandatory human-in-the-loop gates.
309

An organization wants to implement 'Continuous Compliance' for their multi-account environment. They want a report that shows the compliance status of all accounts against the 'PCI DSS' standard. Which service provides this at scale?

AWS Security Hub (Compliance features)
AWS Config (Aggregator)
AWS Artifact
AWS Systems Manager
View Explanation
✓ Correct Answer: AWS Security Hub (Compliance features)Explanation:Security Hub supports standards-based compliance checks across multiple accounts and provides a unified score.
310

Which AWS tool provides a 'No-Code' experience to audit and evaluation your AWS environment against industry standards like 'NIST' or 'ISO' and provides a detailed compliance report?

AWS Audit Manager
AWS config
AWS Trusted Advisor
AWS Artifact
View Explanation
✓ Correct Answer: AWS Audit ManagerExplanation:Audit Manager automates evidence collection to help you assess your environment for compliance.
311

To protect your public-facing web applications from 'Session Hijacking' and other advanced attacks, you want to implement a solution that provides 'WAF' protection and integrates with 'Cognito' for user authentication. Solution ?

AWS WAF integrated with Application Load Balancer and Amazon Cognito
AWS Shield
VPC Endpoints
NAT Gateway
View Explanation
✓ Correct Answer: AWS WAF integrated with Application Load Balancer and Amazon CognitoExplanation:ALB supports native integration with Cognito for authentication, which can then be further protected by WAF rules.
312

An organization following SRE principles wants to implement 'Error Budgets' for their serverless microservices. They want to calculate the 'Success Rate' of their Lambda functions. Which CloudWatch feature facilitates this calculation across multiple services?

CloudWatch Metric Math or Metric Insights
CloudWatch Logs
CloudWatch Events
AWS X-Ray
View Explanation
✓ Correct Answer: CloudWatch Metric Math or Metric InsightsExplanation:Metric Math allows you to perform calculations (like percentage) on multiple metrics, while Metric Insights provides SQL-like querying for metrics.
313

Which AWS service allows you to centrally manage and evaluation your 'IAM' usage to identify 'Dormant' users and 'Unused' permissions across your entire organization?

IAM Access Analyzer
AWS Organizations
AWS Trusted Advisor
AWS Config
View Explanation
✓ Correct Answer: IAM Access AnalyzerExplanation:Access Analyzer includes features like 'last accessed' data to help you identify and remove redundant permissions.
314

To improve the performance of your high-traffic web application which has globally distributed users, you decide to use 'AWS Global Accelerator'. How does it differ from a standard CloudFront setup?

Global Accelerator uses Anycast at the Edge to route TCP/UDP traffic, while CloudFront is a CDN for HTTP(S) content
They are the same
Global Accelerator is only for static sites
CloudFront is for VPC only
View Explanation
✓ Correct Answer: Global Accelerator uses Anycast at the Edge to route TCP/UDP traffic, while CloudFront is a CDN for HTTP(S) contentExplanation:Global Accelerator optimizes the network path for any TCP/UDP traffic, whereas CloudFront focuses on content delivery and caching.
315

Which AWS security service can automatically identify 'Personally Identifiable Information' (PII) in your S3 buckets and provide a risk assessment of your data exposure?

Amazon Macie
Amazon Inspector
AWS GuardDuty
AWS Config
View Explanation
✓ Correct Answer: Amazon MacieExplanation:Macie is specifically designed for data privacy and security, identifying sensitive data like PII in S3 storage.
316

Scenario: To minimize the risk of 'Accidental Resource Deletion' during a CloudFormation stack deletion, you want to ensure that specific resources (like S3 buckets or RDS instances) are retained. Which attribute should you add to the resource definition?

DeletionPolicy: Retain
UpdatePolicy: Prevent
DependsOn: CloudTrail
Metadata: DoNotDelete
View Explanation
✓ Correct Answer: DeletionPolicy: RetainExplanation:The DeletionPolicy attribute allows you to retain or in some cases, backup a resource even when its stack is deleted.
317

Which AWS Systems Manager feature allows you to securely manage 'Patching' for your fleet of both Linux and Windows instances using a centralized policy and schedule?

Patch Manager
Automation
Run Command
Inventory
View Explanation
✓ Correct Answer: Patch ManagerExplanation:Patch Manager automates the process of patching managed instances with both security-related and other types of updates.
318

An organization wants to implement 'Canary' monitoring for their web endpoints. They want a script that simulates a user 'Logging In' and 'Adding a Product to Cart' every 5 minutes. Which service provides this feature?

CloudWatch Synthetics
CloudWatch Events
AWS Lambda
Route 53 Health Checks
View Explanation
✓ Correct Answer: CloudWatch SyntheticsExplanation:Synthetics allows you to create 'canaries' that run scripts on a schedule to monitor your endpoints and APIs.
319

To improve the performance of your serverless microservices architecture, you decide to use 'AWS X-Ray' for distributed tracing. How do you instrument your Lambda function code?

Enable 'Active Tracing' in Lambda settings and use the X-Ray SDK in your code
No code changes required
Upload a custom binary
Use CloudWatch agent
View Explanation
✓ Correct Answer: Enable 'Active Tracing' in Lambda settings and use the X-Ray SDK in your codeExplanation:Active tracing enables X-Ray to collect performance data from the Lambda service, but the SDK is needed to trace specific calls within your code.
320

Which AWS service provides a 'No-Code' experience to visualize and troubleshoot application performance by aggregating traces from X-Ray and metrics from CloudWatch into a single 'Service Map'?

CloudWatch ServiceLens
CloudWatch Logs Insights
AWS Trusted Advisor
AWS Systems Manager OpsCenter
View Explanation
✓ Correct Answer: CloudWatch ServiceLensExplanation:ServiceLens provides a comprehensive view of service health and dependencies by correlating metrics and traces.
321

Your organization wants to implement a 'Point-to-Point' integration between an Amazon SQS queue and an enrichment Lambda function without writing custom polling logic. Which AWS service provides this serverless integration with built-in filtering?

Amazon EventBridge Pipes
Amazon EventBridge Scheduler
AWS AppSync
AWS Step Functions
View Explanation
✓ Correct Answer: Amazon EventBridge PipesExplanation:EventBridge Pipes provides a simple, consistent, and cost-effective way to create point-to-point integrations between event producers and consumers.
322

An organization wants to schedule a recurring administrative task (e.g., triggering a Lambda every night at 2 AM) across thousands of different time zones globally. Which service is optimized for this high-scale scheduling?

Amazon EventBridge Scheduler
Amazon EventBridge (Classic Rules)
AWS Lambda (Schedules)
AWS Systems Manager Maintenance Windows
View Explanation
✓ Correct Answer: Amazon EventBridge SchedulerExplanation:EventBridge Scheduler is highly scalable and supports features like time-zone aware scheduling and millions of targets.
323

Your organization wants to stream CloudWatch metrics in real-time to a 3rd-party analytics platform with low latency. Which CloudWatch feature provides a managed, continuous stream of metric data to a destination like Kinesis Data Firehose?

CloudWatch Metric Streams
CloudWatch Metric Filters
CloudWatch Events
CloudWatch Logs Insights
View Explanation
✓ Correct Answer: CloudWatch Metric StreamsExplanation:Metric Streams allow you to continuously stream CloudWatch metrics to a destination of your choice with high throughput and low latency.
324

An organization wants to perform 'A/B Testing' and 'Feature Flagging' for their new web application. They want a managed AWS service that can automatically handle traffic shifting and provide statistical analysis of the performance of different versions. Which service fits?

Amazon CloudWatch Evidently
AWS AppConfig only
AWS CodeDeploy
Amazon CloudFront
View Explanation
✓ Correct Answer: Amazon CloudWatch EvidentlyExplanation:CloudWatch Evidently allows developers to conduct experiments and manage feature flags to make data-driven decisions.
325

To monitor the real-world performance of a web application from the perspective of actual users (e.g., page load times, JavaScript errors), which CloudWatch feature should you implement?

CloudWatch RUM (Real User Monitoring)
CloudWatch Synthetics
CloudWatch ServiceLens
CloudWatch Logs
View Explanation
✓ Correct Answer: CloudWatch RUM (Real User Monitoring)Explanation:CloudWatch RUM provides client-side telemetry from your web application users to help you understand and improve their experience.
326

Your team is running a large microservices architecture on Amazon EKS. They want a managed solution to collect, aggregate, and visualize container-level metrics (CPU, memory, networking) without managing a Prometheus server. Which feature should they enable?

CloudWatch Container Insights
CloudWatch Lambda Insights
CloudWatch Logs Insights
Amazon Managed Service for Prometheus
View Explanation
✓ Correct Answer: CloudWatch Container InsightsExplanation:Container Insights provides automated dashboarding and observability for containerized applications on EKS, ECS, and Fargate.
327

An organization wants to analyze why their AWS Lambda functions are experiencing occasional 'Cold Starts' and high latency. They want a managed service that automatically detects and visualizes performance bottlenecks in their serverless code. Which feature should they enable?

CloudWatch Lambda Insights
CloudWatch Logs
AWS X-Ray
AWS Trusted Advisor
View Explanation
✓ Correct Answer: CloudWatch Lambda InsightsExplanation:Lambda Insights is a monitoring and troubleshooting service for serverless applications that provides deep visibility into function performance.
328

Scenario: To minimize the time to debug 'Dependency Failures' in a complex application, you want a visualization that correlates traces, metrics, and logs in a single unified view. Solution ?

CloudWatch ServiceLens
CloudWatch Logs Insights
AWS X-Ray
None
View Explanation
✓ Correct Answer: CloudWatch ServiceLensExplanation:ServiceLens integrates your traces, metrics, and logs so you can easily see the impact of a failure in a dependency on your application's health.
329

Which CloudWatch Logs feature allows you to perform SQL-like queries across log groups to identify the 'Top 10 IP addresses' causing 403 errors in your VPC Flow Logs?

CloudWatch Logs Insights
CloudWatch Metric Filters
CloudWatch Contributor Insights
CloudWatch Metric Streams
View Explanation
✓ Correct Answer: CloudWatch Logs InsightsExplanation:Logs Insights provides a powerful query language for interactive log analysis.
330

An organization wants to track the 'Top Talkers' in their network (e.g., which users are consuming the most bandwidth) in real-time. Which CloudWatch feature identifies these 'high-cardinality' contributors?

CloudWatch Contributor Insights
CloudWatch Metric Insights
CloudWatch Logs Insights
CloudWatch Alarms
View Explanation
✓ Correct Answer: CloudWatch Contributor InsightsExplanation:Contributor Insights is designed to identify and analyze the top contributors to any system's metrics.
331

To reduce the cost of storing millions of log lines that are rarely accessed, you want to automatically transition logs from 'Standard' storage to 'Infrequent Access' or 'Archive' in CloudWatch. How can you implement this?

Configure 'Log Class' (Standard vs. Infrequent Access) for your log groups
Use S3 lifecycle policy (implies exporting logs first)
Manual deletion
Transition not supported
View Explanation
✓ Correct Answer: Configure 'Log Class' (Standard vs. Infrequent Access) for your log groupsExplanation:CloudWatch Logs now offers a 'Log Class' setting where you can choose 'Infrequent Access' for logs you don't need to query frequently with full fidelity.
332

Scenario: To minimize the risk of a 'Partial Outage' going unnoticed, you want to set up an alarm that triggers only if the 'Error Rate' exceeds 1% AND the 'Request Volume' is at least 100 requests per minute (to avoid false positives with low traffic). Solution ?

CloudWatch Composite Alarm
CloudWatch Metric Math (within a single alarm)
Metric Insights query
Log Insights query
View Explanation
✓ Correct Answer: CloudWatch Composite AlarmExplanation:Composite alarms allow you to create alarms whose state is based on the states of multiple other alarms, combined with logical expressions.
333

To improve the observability of internet-facing applications, you want to monitor the internet traffic and identify performance issues caused by 'Internet Service Providers' (ISPs) between your users and AWS. Which service should you use?

Amazon CloudWatch Internet Monitor
Amazon CloudWatch RUM
AWS Global Accelerator
VPC Flow Logs
View Explanation
✓ Correct Answer: Amazon CloudWatch Internet MonitorExplanation:Internet Monitor provides visibility into how internet issues impact your application's performance and availability.
334

Your team wants to automate the creation of CI/CD pipelines for their serverless applications using 'SAM Pipelines'. Which command-line tool provides a guided experience to generate these pipeline configurations?

sam pipeline init
sam deploy --pipeline
aws codepipeline create
cdk bootstrap
View Explanation
✓ Correct Answer: sam pipeline initExplanation:The 'sam pipeline init' command guides you through creating a CI/CD pipeline for your SAM application using various providers like GitHub Actions or CodePipeline.
335

Which AWS service allows you to centrally manage and automate the deployment of 'Service Control Policies' (SCPs) across multiple AWS accounts in an organization, ensuring that only specific actions (e.g., no deleting S3 buckets) are allowed?

AWS Organizations
AWS Control Tower
AWS Identity and Access Management (IAM)
AWS Systems Manager
View Explanation
✓ Correct Answer: AWS OrganizationsExplanation:AWS Organizations is the primary service for management of SCPs across your organization's accounts.
336

To ensure that all new AWS accounts created in your organization follow a baseline 'Security Configuration' (e.g., CloudTrail enabled, GuardDuty enabled), which AWS service should you use to automate the account provisioning process?

AWS Control Tower (Account Factory)
AWS Organizations
AWS Service Catalog
AWS CloudFormation
View Explanation
✓ Correct Answer: AWS Control Tower (Account Factory)Explanation:Control Tower's Account Factory automates the creation of accounts that are pre-configured with security guardrails.
337

An organization wants to implement 'Zero-Trust' security for their internal applications. They want to ensure that all traffic between their microservices is encrypted and authorized using mutually authenticated TLS (mTLS). Solution ?

AWS App Mesh (with mTLS enabled)
VPC Endpoints
Security Groups
IAM Policies
View Explanation
✓ Correct Answer: AWS App Mesh (with mTLS enabled)Explanation:App Mesh provides a service mesh that makes it easy to manage and secure communication between microservices, including mTLS support.
338

Which AWS tool provides a 'Low-Code' way to design and automate complex business logic workflows (e.g., processing insurance claims with multiple approval steps) using a visual designer?

AWS Step Functions (Workflow Studio)
AWS CodePipeline
AWS AppFlow
AWS Lambda
View Explanation
✓ Correct Answer: AWS Step Functions (Workflow Studio)Explanation:Workflow Studio is a visual designer for Step Functions that makes it easy to build and test complex workflows without writing much code.
339

Your organization wants to implement 'Approval Rules' for pull requests in AWS CodeCommit. They want to ensure that any change to the 'Production' branch requires at least two approvals from a specific IAM group. How can you automate this enforcement?

Create a CodeCommit Approval Rule Template and associate it with the repository
Use an IAM policy on the branch
Use a CodeCommit trigger to Lambda for validation
Manual checks only
View Explanation
✓ Correct Answer: Create a CodeCommit Approval Rule Template and associate it with the repositoryExplanation:Approval rule templates allow you to define and enforce approval requirements for pull requests automatically across one or more repositories.
340

An organization wants to monitor the health of their containerized microservices running on Amazon ECS (Fargate). They want to receive an alert if the 'CPU Utilization' of any service exceeds 80% for more than 3 consecutive minutes. Which CloudWatch feature should they use?

CloudWatch Metric Alarm (Service-level metric)
CloudWatch Container Insights
CloudWatch Logs
AWS Trusted Advisor
View Explanation
✓ Correct Answer: CloudWatch Metric Alarm (Service-level metric)Explanation:Metric alarms are the standard way to monitor performance metrics for ECS services and trigger notifications or scaling actions.
341

To improve the security of their CI/CD pipeline, an architect recommends using 'VPC Endpoints' for all AWS Code* services to ensure traffic never leaves the AWS global network. Which type of VPC endpoint is used for CodePipeline and CodeBuild?

Interface VPC Endpoints (AWS PrivateLink)
Gateway VPC Endpoints
VPC Peering
NAT Gateway
View Explanation
✓ Correct Answer: Interface VPC Endpoints (AWS PrivateLink)Explanation:Interface endpoints provide private connectivity to many AWS services using AWS PrivateLink.
342

Your team wants to implement 'Feature Toggles' for their application using AWS AppConfig. They want to ensure that a configuration change is rolled back automatically if it triggers a CloudWatch alarm during the deployment. Which AppConfig feature enables this?

Deployment Strategy with 'CloudWatch Alarm' monitors
AppConfig Versioning
AppConfig Environments
None
View Explanation
✓ Correct Answer: Deployment Strategy with 'CloudWatch Alarm' monitorsExplanation:AppConfig can monitor CloudWatch alarms during the deployment of a configuration and automatically roll back if an alarm is triggered.
343

An organization wants to perform 'Canary' testing for their web application. They want to route 5% of global traffic to a new experimental region for 2 hours before deciding whether to failover completely. Which AWS service facilitates this global traffic shifting?

AWS Global Accelerator (using endpoint weights)
Amazon Route 53 (Weighted routing)
Application Load Balancer
Amazon CloudFront
View Explanation
✓ Correct Answer: AWS Global Accelerator (using endpoint weights)Explanation:Global Accelerator allows you to adjust weights for endpoints across different regions to perform granular traffic shifting.
344

Which AWS Systems Manager feature allows you to centrally manage and evaluate findings from multiple security services (GuardDuty, Inspector, Macie) and provides a 'Compliance Score' for your resources?

AWS Security Hub
AWS Systems Manager OpsCenter
AWS Config
AWS Trusted Advisor
View Explanation
✓ Correct Answer: AWS Security HubExplanation:Security Hub provides a comprehensive view of your security state and helps you check your environment against security industry standards.
345

Scenario: To minimize the risk of 'Configuration Drift' in your multi-account environment, you want a service that automatically scans your CloudFormation stacks and alerts you if any resources have been modified outside of CloudFormation. Solution ?

CloudFormation Drift Detection
AWS Config
AWS CloudTrail
None
View Explanation
✓ Correct Answer: CloudFormation Drift DetectionExplanation:Drift detection identifies stack resources that have been modified outside of CloudFormation management.
346

Which AWS security service allows you to automatically audit and evaluate the IAM policies in your account to identify 'Over-privileged' roles and provide specific recommendations for downsizing permissions?

IAM Access Analyzer
AWS Config
AWS Trusted Advisor
Amazon GuardDuty
View Explanation
✓ Correct Answer: IAM Access AnalyzerExplanation:Access Analyzer helps you identify resources shared with external entities and provides policy validation and generation features.
347

An organization wants to use 'AWS Proton' to manage infrastructure for their serverless microservices. They want to ensure that when a developer updates a 'Service Template', it automatically triggers an update for all 'Service Instances'. How is this automated?

Proton automatically manages the sync and update process for service instances based on template versions
Manual update for each instance
Use CloudFormation StackSets manually
External Script
View Explanation
✓ Correct Answer: Proton automatically manages the sync and update process for service instances based on template versionsExplanation:Proton is designed to manage large-scale infrastructure deployments and template versioning automatically.
348

Which AWS networking service allows you to create a secure, high-speed connection between your on-premises network and AWS over the internet with the ability to dynamically route traffic using BGP?

AWS Site-to-Site VPN with BGP enabled
AWS Direct Connect
VPC Peering
AWS Transit Gateway
View Explanation
✓ Correct Answer: AWS Site-to-Site VPN with BGP enabledExplanation:Site-to-Site VPN with BGP provides a dynamic hybrid connection over the public internet.
349

To improve the performance and cost of your web application for users worldwide, you decide to use a managed 'Service' that provides content caching at edge locations and can protect against DDoS attacks. Solution ?

Amazon CloudFront with AWS Shield Standard/Advanced
Elastic Load Balancing
Route 53
API Gateway
View Explanation
✓ Correct Answer: Amazon CloudFront with AWS Shield Standard/AdvancedExplanation:CloudFront provides global edge locations for caching and native integration with Shield for DDoS protection.
350

An organization following the 'Zero Trust' principle wants to ensure that all branch connectivity is centralized, encrypted, and monitored. Which AWS service fits?

AWS Transit Gateway (with Network Firewall integration)
AWS Direct Connect only
VPC Peering
None
View Explanation
✓ Correct Answer: AWS Transit Gateway (with Network Firewall integration)Explanation:Transit Gateway acts as a central hub for all network traffic and can be integrated with security services.
351

Scenario: To minimize the risk of an admin accidentally deleting a production stack, you want to ensure that no one can perform a 'Delete' operation without first removing a specific 'Stack Policy' from the resource. Solution ?

CloudFormation Stack Policy with Deny for Update:Delete action
RBAC only
IAM only
None
View Explanation
✓ Correct Answer: CloudFormation Stack Policy with Deny for Update:Delete actionExplanation:Stack policies are an effective guardrail to prevent accidental updates or deletions of critical stack resources.
352

Scenario: You want to monitor the 'End-to-End' performance of your web application from the perspective of real users globally. You want to see how long it takes for a page to load and identify any JavaScript errors on the client side. Solution ?

Amazon CloudWatch RUM (Real User Monitoring)
Amazon CloudWatch Synthetics
Amazon X-Ray
Amazon CloudFront
View Explanation
✓ Correct Answer: Amazon CloudWatch RUM (Real User Monitoring)Explanation:RUM collects data from real user sessions to provide insights into your application's client-side performance and availability.
353

Your organization wants to implement a 'Multi-Region' disaster recovery strategy for their DynamoDB-backed application. They require active-active replication with sub-second latency for global writes. Which feature should they use?

Amazon DynamoDB Global Tables
DynamoDB Streams with Lambda replication
S3 Cross-Region Replication
Periodic manual exports
View Explanation
✓ Correct Answer: Amazon DynamoDB Global TablesExplanation:Global Tables provide a fully managed, multi-region, and multi-active database that replicates data automatically across your choice of AWS Regions.
354

An organization wants to reduce the 'Warm-up' time for their Auto Scaling group during sudden traffic spikes. They want to maintain a pool of pre-initialized instances that are stopped but can be started quickly. Which ASG feature should they use?

Auto Scaling Warm Pools
Predictive Scaling
Step Scaling
Scheduled Scaling
View Explanation
✓ Correct Answer: Auto Scaling Warm PoolsExplanation:Warm pools allow you to decrease latency for applications that have long boot times by maintaining a pool of initialized instances.
355

To ensure that your CloudFront distribution remains available even if the primary S3 origin experiences a regional outage, how should you configure the origin settings?

Use 'CloudFront Origin Groups' with a primary and secondary origin and health-based failover
Use Route 53 with CNAME
S3 Replication
Manual update of origin
View Explanation
✓ Correct Answer: Use 'CloudFront Origin Groups' with a primary and secondary origin and health-based failoverExplanation:Origin failover in CloudFront allows you to automatically switch to a backup origin when the primary origin returns specific error codes.
356

Which AWS networking service uses Anycast technology to provide two static IP addresses that act as a fixed entry point to your application endpoints (ALB, NLB, EC2) in multiple regions, improving availability and performance?

AWS Global Accelerator
Amazon Route 53 Traffic Flow
Amazon CloudFront
AWS Transit Gateway
View Explanation
✓ Correct Answer: AWS Global AcceleratorExplanation:Global Accelerator uses the AWS global network to route traffic to the nearest healthy endpoint, improving availability and performance for non-HTTP traffic.
357

An organization wants to ensure that all their critical EC2 instances are spread across different physical hardware racks within an Availability Zone to minimize the impact of a single rack failure. Which placement strategy should they use?

Spread Placement Group
Cluster Placement Group
Partition Placement Group
None
View Explanation
✓ Correct Answer: Spread Placement GroupExplanation:Spread placement groups place each instance on distinct hardware to reduce correlated failures.
358

To implement a zero-downtime database migration from an on-premises Oracle database to Amazon Aurora, which service should you use to handle the continuous data replication?

AWS Database Migration Service (DMS) with Change Data Capture (CDC)
AWS Snowball
AWS DataSync
S3 Transfer Acceleration
View Explanation
✓ Correct Answer: AWS Database Migration Service (DMS) with Change Data Capture (CDC)Explanation:DMS supports both one-time migration and continuous replication (CDC) to keep databases in sync during the transition.
359

Which AWS security service allows you to centrally manage and automate security configuration checks for your enterprise using a set of best-practice 'Conformance Packs' and policies?

AWS Config
AWS Security Hub
AWS Systems Manager OpsCenter
AWS CloudTrail
View Explanation
✓ Correct Answer: AWS ConfigExplanation:Conformance packs are collections of AWS Config rules and remediation actions that help you manage compliance at scale.
360

To improve the 'Developer Experience' (DevEx), your organization wants to provide a self-service portal where developers can provision pre-approved 'Infrastructure' environments (e.g., a dev VPC with an EKS cluster). Which service fits?

AWS Service Catalog
AWS Control Tower
AWS Systems Manager OpsCenter
AWS CodePipeline
View Explanation
✓ Correct Answer: AWS Service CatalogExplanation:Service Catalog allows you to create and manage catalogs of IT services that are approved for use on AWS.
361

Which AWS security service can automatically detect 'Suspicious activity' in your AWS account (e.g., an EC2 instance communicating with a known command-and-control server) and provide detailed threat findings?

Amazon GuardDuty
Amazon Inspector
AWS Shield
AWS WAF
View Explanation
✓ Correct Answer: Amazon GuardDutyExplanation:GuardDuty is a continuous threat detection service that monitors your AWS environments and identifies potential security threats.
362

Your organization wants to optimize the cost of their S3 storage by automatically moving objects that are not accessed frequently to a 'Lower Cost' storage tier. Which S3 feature should তারা ব্যবহার করবে?

S3 Intelligent-Tiering
S3 Lifecycle Policies
S3 Storage Class Analysis
S3 Batch Operations
View Explanation
✓ Correct Answer: S3 Intelligent-TieringExplanation:Intelligent-Tiering automatically moves data between a frequent access tier and an infrequent access tier based on access patterns.
363

To ensure that your CI/CD pipeline can 'Roll Back' automatically if a deployment triggers a CloudWatch alarm, which CodeDeploy feature should you configure?

Deployment configuration with 'Alarm-based rollback' enabled
CodeDeploy Triggers
Custom Lambda validation
Manual rollback
View Explanation
✓ Correct Answer: Deployment configuration with 'Alarm-based rollback' enabledExplanation:CodeDeploy can monitor CloudWatch alarms during a deployment and automatically roll back if an alarm threshold is reached.
364

An organization wants to implement 'Compliance as Code' and wants to ensure that all their S3 buckets have 'Versioning' and 'Encryption' enabled. Which service provides these continuous compliance checks at scale?

AWS Config (with Managed Rules)
AWS CloudTrail
AWS Systems Manager OpsCenter
AWS Security Hub
View Explanation
✓ Correct Answer: AWS Config (with Managed Rules)Explanation:AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources and ensure compliance.
365

Your organization wants to automatically detect potential security vulnerabilities and code quality issues in their Java/Python code during the 'Review' phase of a CodeCommit pull request. Which AWS service provides these AI-powered scans?

Amazon CodeGuru Reviewer
Amazon Inspector
AWS CodeBuild (Linting)
AWS Security Hub
View Explanation
✓ Correct Answer: Amazon CodeGuru ReviewerExplanation:CodeGuru Reviewer uses machine learning to provide automated suggestions for improving code quality and security.
366

Your organization wants to implement a 'Multi-Region' disaster recovery strategy for their application running on Amazon EKS. They want to ensure that they can quickly failover to another region with minimal manual intervention. Which AWS service facilitates this global networking?

AWS Global Accelerator
Amazon Route 53 Traffic Flow
AWS Direct Connect
AWS Transit Gateway
View Explanation
✓ Correct Answer: AWS Global AcceleratorExplanation:Global Accelerator uses the AWS global network to route traffic to the best available region, providing fast failover and improved performance.
367

Which AWS development service provides a 'Cloud-Native' integrated development environment (IDE) that you can access from your browser and includes pre-configured tools for AWS development?

AWS Cloud9
AWS Artifact
AWS CodeCommit
Amazon AppStream 2.0
View Explanation
✓ Correct Answer: AWS Cloud9Explanation:Cloud9 is a cloud-based IDE that lets you write, run, and debug code with just a browser.
368

Scenario: You want to monitor the health of your 'Hybrid Cloud' environment and receive alerts if any of your on-premises servers or AWS resources become unavailable. Which combination of services provides this unified monitoring?

Amazon CloudWatch with CloudWatch Agent installed on on-premises systems
AWS CloudTrail only
AWS Organizations
VPC Flow Logs
View Explanation
✓ Correct Answer: Amazon CloudWatch with CloudWatch Agent installed on on-premises systemsExplanation:The CloudWatch agent can collect metrics and logs from both EC2 instances and on-premises servers, providing a centralized monitoring view.
369

To improve the performance of your 'Serverless' application, you want to use 'AWS X-Ray' to identify bottlenecks in your Lambda functions. HowWeight-based sampling can be configured in X-Ray?

Through Sampling Rules in the X-Ray console or API
In the Lambda function code
Using an IAM policy
None
View Explanation
✓ Correct Answer: Through Sampling Rules in the X-Ray console or APIExplanation:Sampling rules in X-Ray allow you to control the percentage of requests that are traced, helping you optimize data collection costs.
370

Which AWS security service allows you to automatically audit and evaluate your AWS account against the 'CIS AWS Foundations Benchmark' and provide a detailed compliance report with remediation guidance?

AWS Security Hub
AWS Trusted Advisor
AWS Config
Amazon GuardDuty
View Explanation
✓ Correct Answer: AWS Security HubExplanation:Security Hub provides a comprehensive view of your security posture across multiple AWS accounts and checks for compliance with industry standards.
371

Your organization wants to implement 'Canary' testing for their web application. They want to route 5% of traffic to a new experimental region for 2 hours before deciding whether to failover completely. Which AWS service facilitates this global traffic shifting?

AWS Global Accelerator (using endpoint weights)
Amazon Route 53 (Weighted routing)
Application Load Balancer
Amazon CloudFront
View Explanation
✓ Correct Answer: AWS Global Accelerator (using endpoint weights)Explanation:Global Accelerator allows you to adjust weights for endpoints across different regions to perform granular traffic shifting.
372

To identify the root cause of a security anomaly detected by GuardDuty (e.g., an EC2 instance making unusual API calls), you want a service that automatically correlates data from VPC Flow Logs, CloudTrail, and GuardDuty into a graph-based visualization. Which service should you use?

Amazon Detective
Amazon Inspector
AWS Security Hub
AWS Config
View Explanation
✓ Correct Answer: Amazon DetectiveExplanation:Detective makes it easy to investigate potential security issues by analyzing and visualizing traffic and account activity.
373

Your serverless application requires a specialized monitoring agent to run alongside your Lambda function code as a separate process. Which Lambda feature allows you to bundle and run these external processes without modifying your function's handler?

Lambda Extensions
Lambda Layers
Lambda Container Images
Lambda Runtime
View Explanation
✓ Correct Answer: Lambda ExtensionsExplanation:Lambda Extensions allow you to integrate Lambda with your favorite monitoring, observability, and security tools.
374

An organization wants to use 'AWS AppConfig' to manage their application configurations. They want to ensure that any new configuration version is validated against a 'JSON Schema' before it can be deployed. How Weight-based routing can be implemented for 'Blue/Green' deployments within CloudMap?

Configure 'Validators' in the AppConfig Configuration Profile (JSON Schema type)
In the Lambda function code
Using an IAM policy
None
View Explanation
✓ Correct Answer: Configure 'Validators' in the AppConfig Configuration Profile (JSON Schema type)Explanation:AppConfig validators allow you to verify your configuration data before it is made available to your applications.
375

An organization wants to monitor the performance of their 'Elastic Beanstalk' environment, you want to enable 'Enhanced Health Reporting'. Where do you configure the specific metrics to be collected?

In a configuration file (.ebextensions/health.config) or via the console
In the application code
In the VPC settings
In CloudWatch directly
View Explanation
✓ Correct Answer: In a configuration file (.ebextensions/health.config) or via the consoleExplanation:Enhanced health reporting allows you to customize the metrics collected by providing a configuration file in the .ebextensions directory.
376

To monitor the health of your 'Cross-Region' VPC Peering connections and receive alerts for high latency or packet loss, which CloudWatch feature provides a dedicated 'Network Roadmap' for your VPCs?

Amazon CloudWatch Network Monitor
Amazon CloudWatch Internet Monitor
VPC Flow Logs
AWS Transit Gateway
View Explanation
✓ Correct Answer: Amazon CloudWatch Network MonitorExplanation:Network Monitor provides visibility into the network performance between your AWS-hosted applications and on-premises or cross-region environments.
377

Which AWS development service allows you to create 'Development Environments' that can be automatically paused when not in use to save cost, while preserving the state of your workspace and open files?

AWS Cloud9 (with auto-hibernate enabled)
Amazon AppStream 2.0
AWS Artifact
AWS CodeStar
View Explanation
✓ Correct Answer: AWS Cloud9 (with auto-hibernate enabled)Explanation:Cloud9 environments can automatically stop (hibernate) after a period of inactivity to minimize costs.
378

Scenario: You want to ensure that all 'CloudFormation StackSets' deployments in your organization are restricted to specific 'AWS Regions' only. Which service and feature should you use to enforce this organizational guardrail?

AWS Organizations Service Control Policies (SCPs) with 'RequestedRegion' condition
CloudFormation Stack Policy
IAM Role on StackSet
Route 53
View Explanation
✓ Correct Answer: AWS Organizations Service Control Policies (SCPs) with 'RequestedRegion' conditionExplanation:SCPs allow you to restrict the AWS regions where services can be used across your entire organization.
379

Which AWS security service allows you to automatically audit your S3 buckets for 'Sensitive Data' like Credit Card numbers and provides a managed way to classify and protect this data at scale?

Amazon Macie
Amazon Inspector
AWS Shield
AWS Security Hub
View Explanation
✓ Correct Answer: Amazon MacieExplanation:Macie is machine learning-powered security service to help you discover and protect sensitive data at scale.
380

To improve the performance of your high-volume 'SQS' message processing, you want to implement 'Long Polling'. What configuration parameter should you adjust in the SQS queue?

ReceiveMessageWaitTimeSeconds (set to > 0)
VisibilityTimeout
DelaySeconds
MessageRetentionPeriod
View Explanation
✓ Correct Answer: ReceiveMessageWaitTimeSeconds (set to > 0)Explanation:Long polling reduces the number of empty responses and can lower your overall SQS costs.
381

Which AWS service provides a managed 'Airflow' environment for orchestrating complex data pipelines using Python-based DAGs without managing the underlying infrastructure?

Amazon Managed Workflows for Apache Airflow (MWAA)
AWS Step Functions
AWS Glue Workflows
AWS Data Pipeline
View Explanation
✓ Correct Answer: Amazon Managed Workflows for Apache Airflow (MWAA)Explanation:MWAA is a managed orchestration service for Apache Airflow that makes it easy to set up and operate end-to-end data pipelines.
382

Scenario: You want to monitor the 'API Calls' made by a specific IAM user over the last 24 hours to troubleshoot an unauthorized access error. Which service and feature should you primarily use?

AWS CloudTrail (Event history or CloudTrail Lake)
AWS Config
CloudWatch Logs
IAM Access Analyzer
View Explanation
✓ Correct Answer: AWS CloudTrail (Event history or CloudTrail Lake)Explanation:CloudTrail provides a record of actions taken by a user, role, or an AWS service.
383

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Spread Placement Groups
Amazon VPC peering
Cluster Placement or Proximity Placement Groups
Elastic Load Balancing (ELB)
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
384

An organization wants to implement 'Auto-Remediation' for their AWS resources. They want to ensure that if a public S3 bucket is detected, a Lambda function is immediately triggered to make it private. Which combination of services provides this native integration?

AWS Config (Rule) + Amazon EventBridge + AWS Lambda
AWS CloudTrail only
AWS Security Hub only
None
View Explanation
✓ Correct Answer: AWS Config (Rule) + Amazon EventBridge + AWS LambdaExplanation:This pattern allows for near-real-time detection and response to security configuration changes.
385

Which AWS tool provides a 'No-Code' experience to identify and troubleshoot operational issues by aggregating alerts from CloudWatch, Config, and CloudTrail into a single 'Operational Hub'?

AWS Systems Manager OpsCenter
AWS Trusted Advisor
AWS Personal Health Dashboard
AWS Service Catalog
View Explanation
✓ Correct Answer: AWS Systems Manager OpsCenterExplanation:OpsCenter provides a central location for engineers to manage operational work items (OpsItems) across different sources.
386

To improve the security profile of your VPC, you want to block traffic from 'Known Malicious IP addresses' at the network level using a managed list. Which service and feature provides this?

AWS Network Firewall (with managed rule groups)
Security Groups
VPC NACLs
AWS WAF
View Explanation
✓ Correct Answer: AWS Network Firewall (with managed rule groups)Explanation:Managed rule groups in Network Firewall provide a collection of pre-defined rules to protect against common threats.
387

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

Amazon EKS
Amazon RDS
Amazon EC2
AWS Lambda
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
388

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon EC2
Amazon S3
Amazon DynamoDB
Amazon RDS
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
389

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon S3 configured for static website hosting
Amazon EC2 running a web server
Amazon EBS
Amazon RDS
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
390

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Elastic Load Balancing (ELB)
Amazon CloudFront
Amazon VPC
Amazon Route 53
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
391

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS IAM
AWS Shield
AWS KMS
Amazon VPC
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
392

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS KMS
Amazon S3
AWS WAF
AWS IAM
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
393

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon EFS
Amazon DynamoDB
Amazon RDS
Amazon Redshift
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
394

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon RDS
Amazon S3 Glacier
Amazon DynamoDB (or Stream service)
AWS Lambda
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
395

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

Amazon EC2
AWS CodeCommit
AWS CodeBuild
AWS CloudFormation
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
396

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS Lambda
AWS CodeCommit
AWS CloudFormation
AWS CodeBuild
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
397

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Lex
Amazon Rekognition
Amazon Polly
Amazon Textract
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
398

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon SageMaker
Amazon Rekognition
Amazon Textract
Amazon Lex
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
399

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Polly
Amazon Lex
Amazon Rekognition
Amazon SageMaker
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
400

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
401

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
402

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

Compute Optimized Amazon EC2 instances
Memory Optimized instances
General Purpose instances
AWS Lambda
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
403

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Spread Placement Groups
Cluster Placement or Proximity Placement Groups
Elastic Load Balancing (ELB)
Amazon VPC peering
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
404

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Ephemeral/Instance Store
Amazon EBS
Amazon S3
Amazon EFS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
405

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon EBS Snapshots
Amazon S3 versioning
Amazon EC2 Image/AMI
Amazon RDS backups
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
406

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

AWS IAM
Elastic Load Balancing (ELB)
Security Groups
Amazon VPC
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
407

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

Amazon EC2
Amazon RDS
AWS Lambda
Amazon EKS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
408

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon DynamoDB
Amazon S3
Amazon RDS
Amazon EC2
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
409

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon EBS
Amazon RDS
Amazon EC2 running a web server
Amazon S3 configured for static website hosting
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
410

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon Route 53
Amazon VPC
Amazon CloudFront
Elastic Load Balancing (ELB)
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
411

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS KMS
Amazon VPC
AWS IAM
AWS Shield
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
412

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS WAF
Amazon S3
AWS KMS
AWS IAM
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
413

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon DynamoDB
Amazon EFS
Amazon RDS
Amazon Redshift
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
414

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

AWS Lambda
Amazon RDS
Amazon S3 Glacier
Amazon DynamoDB (or Stream service)
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
415

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CloudFormation
AWS CodeBuild
AWS CodeCommit
Amazon EC2
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
416

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS Lambda
AWS CloudFormation
AWS CodeCommit
AWS CodeBuild
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
417

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Textract
Amazon Polly
Amazon Rekognition
Amazon Lex
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
418

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Rekognition
Amazon Lex
Amazon SageMaker
Amazon Textract
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
419

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Polly
Amazon Lex
Amazon Rekognition
Amazon SageMaker
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
420

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
421

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
422

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

Compute Optimized Amazon EC2 instances
Memory Optimized instances
General Purpose instances
AWS Lambda
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
423

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Cluster Placement or Proximity Placement Groups
Elastic Load Balancing (ELB)
Amazon VPC peering
Spread Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
424

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon S3
Amazon EFS
Amazon EBS
Ephemeral/Instance Store
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
425

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon EBS Snapshots
Amazon S3 versioning
Amazon RDS backups
Amazon EC2 Image/AMI
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
426

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

Amazon VPC
AWS IAM
Security Groups
Elastic Load Balancing (ELB)
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
427

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

Amazon EKS
Amazon EC2
Amazon RDS
AWS Lambda
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
428

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon RDS
Amazon DynamoDB
Amazon EC2
Amazon S3
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
429

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon S3 configured for static website hosting
Amazon EBS
Amazon EC2 running a web server
Amazon RDS
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
430

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon CloudFront
Amazon VPC
Elastic Load Balancing (ELB)
Amazon Route 53
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
431

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

Amazon VPC
AWS KMS
AWS IAM
AWS Shield
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
432

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

Amazon S3
AWS KMS
AWS WAF
AWS IAM
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
433

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon Redshift
Amazon RDS
Amazon DynamoDB
Amazon EFS
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
434

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon S3 Glacier
Amazon DynamoDB (or Stream service)
AWS Lambda
Amazon RDS
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
435

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CodeCommit
AWS CloudFormation
AWS CodeBuild
Amazon EC2
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
436

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS Lambda
AWS CloudFormation
AWS CodeCommit
AWS CodeBuild
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
437

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Textract
Amazon Polly
Amazon Rekognition
Amazon Lex
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
438

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Textract
Amazon SageMaker
Amazon Rekognition
Amazon Lex
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
439

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Rekognition
Amazon SageMaker
Amazon Polly
Amazon Lex
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
440

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Use Amazon EC2 instance profiles
Share full administrative credentials
Create long-term access keys for each developer
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
441

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
442

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

AWS Lambda
Compute Optimized Amazon EC2 instances
Memory Optimized instances
General Purpose instances
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
443

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Spread Placement Groups
Amazon VPC peering
Elastic Load Balancing (ELB)
Cluster Placement or Proximity Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
444

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon EFS
Amazon S3
Ephemeral/Instance Store
Amazon EBS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
445

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon EBS Snapshots
Amazon S3 versioning
Amazon RDS backups
Amazon EC2 Image/AMI
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
446

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

AWS IAM
Elastic Load Balancing (ELB)
Security Groups
Amazon VPC
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
447

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

AWS Lambda
Amazon EC2
Amazon EKS
Amazon RDS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
448

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon EC2
Amazon RDS
Amazon DynamoDB
Amazon S3
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
449

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon EC2 running a web server
Amazon RDS
Amazon S3 configured for static website hosting
Amazon EBS
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
450

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon VPC
Elastic Load Balancing (ELB)
Amazon CloudFront
Amazon Route 53
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
451

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS IAM
AWS KMS
Amazon VPC
AWS Shield
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
452

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS KMS
Amazon S3
AWS IAM
AWS WAF
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
453

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon DynamoDB
Amazon RDS
Amazon EFS
Amazon Redshift
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
454

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon RDS
AWS Lambda
Amazon S3 Glacier
Amazon DynamoDB (or Stream service)
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
455

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

Amazon EC2
AWS CloudFormation
AWS CodeBuild
AWS CodeCommit
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
456

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS CloudFormation
AWS Lambda
AWS CodeCommit
AWS CodeBuild
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
457

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Lex
Amazon Rekognition
Amazon Polly
Amazon Textract
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
458

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Textract
Amazon SageMaker
Amazon Rekognition
Amazon Lex
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
459

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Rekognition
Amazon Lex
Amazon SageMaker
Amazon Polly
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
460

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create long-term access keys for each developer
Share full administrative credentials
Use Amazon EC2 instance profiles
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
461

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
AWS IAM Users with Multi-Factor Authentication
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
462

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

AWS Lambda
Memory Optimized instances
General Purpose instances
Compute Optimized Amazon EC2 instances
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
463

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Spread Placement Groups
Amazon VPC peering
Elastic Load Balancing (ELB)
Cluster Placement or Proximity Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
464

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon EFS
Amazon S3
Ephemeral/Instance Store
Amazon EBS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
465

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon EBS Snapshots
Amazon S3 versioning
Amazon RDS backups
Amazon EC2 Image/AMI
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
466

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

Security Groups
Amazon VPC
Elastic Load Balancing (ELB)
AWS IAM
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
467

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

Amazon RDS
AWS Lambda
Amazon EC2
Amazon EKS
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
468

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon S3
Amazon EC2
Amazon DynamoDB
Amazon RDS
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
469

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon S3 configured for static website hosting
Amazon EC2 running a web server
Amazon RDS
Amazon EBS
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
470

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Elastic Load Balancing (ELB)
Amazon CloudFront
Amazon VPC
Amazon Route 53
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
471

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

AWS IAM
Amazon VPC
AWS Shield
AWS KMS
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
472

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS KMS
Amazon S3
AWS WAF
AWS IAM
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
473

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon RDS
Amazon DynamoDB
Amazon Redshift
Amazon EFS
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
474

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon DynamoDB (or Stream service)
Amazon S3 Glacier
Amazon RDS
AWS Lambda
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
475

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

Amazon EC2
AWS CodeCommit
AWS CodeBuild
AWS CloudFormation
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
476

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS CodeBuild
AWS CodeCommit
AWS CloudFormation
AWS Lambda
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
477

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Polly
Amazon Textract
Amazon Lex
Amazon Rekognition
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
478

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Lex
Amazon Textract
Amazon SageMaker
Amazon Rekognition
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
479

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Lex
Amazon Rekognition
Amazon SageMaker
Amazon Polly
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
480

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Use Amazon EC2 instance profiles
Create long-term access keys for each developer
Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
481

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

Share access keys between accounts
AWS IAM Users with Multi-Factor Authentication
AWS IAM Roles with cross-account access
Create duplicate users in both accounts
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
482

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

General Purpose instances
Compute Optimized Amazon EC2 instances
AWS Lambda
Memory Optimized instances
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
483

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Amazon VPC peering
Spread Placement Groups
Elastic Load Balancing (ELB)
Cluster Placement or Proximity Placement Groups
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
484

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon EBS
Ephemeral/Instance Store
Amazon S3
Amazon EFS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
485

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon EC2 Image/AMI
Amazon S3 versioning
Amazon EBS Snapshots
Amazon RDS backups
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
486

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

Elastic Load Balancing (ELB)
AWS IAM
Security Groups
Amazon VPC
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.
487

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

AWS Lambda
Amazon RDS
Amazon EKS
Amazon EC2
View Explanation
✓ Correct Answer: AWS LambdaExplanation:AWS Lambda is a serverless compute service that automatically scales with demand, making it ideal for unpredictable traffic without infrastructure management.
488

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

Amazon DynamoDB
Amazon S3
Amazon EC2
Amazon RDS
View Explanation
✓ Correct Answer: Amazon RDSExplanation:Amazon RDS is a fully managed relational database service that supports high availability and automated backups out of the box.
489

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

Amazon EBS
Amazon RDS
Amazon EC2 running a web server
Amazon S3 configured for static website hosting
View Explanation
✓ Correct Answer: Amazon S3 configured for static website hostingExplanation:Amazon S3 supports static website hosting directly, offering high durability and low cost compared to running a VM.
490

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

Amazon CloudFront
Elastic Load Balancing (ELB)
Amazon Route 53
Amazon VPC
View Explanation
✓ Correct Answer: Amazon CloudFrontExplanation:Amazon CloudFront caches content at edge locations around the world, significantly reducing latency for global users.
491

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

Amazon VPC
AWS KMS
AWS IAM
AWS Shield
View Explanation
✓ Correct Answer: AWS ShieldExplanation:AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency during a DDoS attack.
492

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

AWS KMS
AWS IAM
AWS WAF
Amazon S3
View Explanation
✓ Correct Answer: AWS KMSExplanation:AWS KMS is a managed service that makes it easy to create and control the cryptographic keys used to encrypt your data.
493

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

Amazon Redshift
Amazon RDS
Amazon EFS
Amazon DynamoDB
View Explanation
✓ Correct Answer: Amazon RedshiftExplanation:Amazon Redshift is designed for large-scale data warehousing and analytics, allowing you to run SQL queries on petabytes of data.
494

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

Amazon RDS
Amazon DynamoDB (or Stream service)
AWS Lambda
Amazon S3 Glacier
View Explanation
✓ Correct Answer: Amazon DynamoDB (or Stream service)Explanation:High-throughput ingestion is a core use case for scalable services like Amazon DynamoDB or dedicated streaming services.
495

Your team wants to automate the provisioning of infrastructure to ensure consistency across environments. You need to define your infrastructure as code (IaC) using declarative templates. Which service should you use?

AWS CloudFormation
Amazon EC2
AWS CodeBuild
AWS CodeCommit
View Explanation
✓ Correct Answer: AWS CloudFormationExplanation:AWS CloudFormation allows you to model and provision all your cloud infrastructure resources through code templates.
496

You are designing a CI/CD pipeline. You need a service to compile source code, run tests, and produce software packages that are ready to deploy. Which service handles the build phase?

AWS Lambda
AWS CloudFormation
AWS CodeCommit
AWS CodeBuild
View Explanation
✓ Correct Answer: AWS CodeBuildExplanation:AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages.
497

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Amazon Rekognition
Amazon Polly
Amazon Textract
Amazon Lex
View Explanation
✓ Correct Answer: Amazon TextractExplanation:Amazon Textract uses machine learning to extract text, handwriting, and data from scanned documents.
498

You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?

Amazon Rekognition
Amazon Textract
Amazon Lex
Amazon SageMaker
View Explanation
✓ Correct Answer: Amazon LexExplanation:Amazon Lex provides conversational AI capabilities to build interfaces like chatbots that understand natural language.
499

Your data science team needs a fully managed environment to build, train, and deploy custom machine learning models using TensorFlow. Which platform provides these end-to-end MLOps capabilities?

Amazon Lex
Amazon Rekognition
Amazon SageMaker
Amazon Polly
View Explanation
✓ Correct Answer: Amazon SageMakerExplanation:Amazon SageMaker is the comprehensive platform for the entire machine learning lifecycle, from building models to deployment.
500

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

Create an AWS IAM policy with Amazon S3 read permissions and attach it to a group
Share full administrative credentials
Create long-term access keys for each developer
Use Amazon EC2 instance profiles
View Explanation
✓ Correct Answer: Create an AWS IAM policy with Amazon S3 read permissions and attach it to a groupExplanation:AWS IAM allows you to define granular permissions. Attaching policies to groups follows the principle of least privilege and simplifies management.
501

Your organization has multiple cloud accounts. Users in Account A need temporary access to resources in Account B. What AWS IAM feature should you use?

AWS IAM Users with Multi-Factor Authentication
Create duplicate users in both accounts
Share access keys between accounts
AWS IAM Roles with cross-account access
View Explanation
✓ Correct Answer: AWS IAM Roles with cross-account accessExplanation:AWS IAM Roles allow secure cross-account access without sharing long term credentials. Users can assume roles temporarily.
502

Your application requires high CPU performance for compute-intensive workloads like video encoding. Which Amazon EC2 instance type is optimized for this?

General Purpose instances
Memory Optimized instances
AWS Lambda
Compute Optimized Amazon EC2 instances
View Explanation
✓ Correct Answer: Compute Optimized Amazon EC2 instancesExplanation:Compute Optimized Amazon EC2 instances provide high-performance processors ideal for compute-intensive applications.
503

Your High Performance Computing (HPC) workload requires low network latency between Amazon EC2 instances. What feature should you use?

Cluster Placement or Proximity Placement Groups
Elastic Load Balancing (ELB)
Spread Placement Groups
Amazon VPC peering
View Explanation
✓ Correct Answer: Cluster Placement or Proximity Placement GroupsExplanation:Placement groups pack instances close together in a single availability zone or data center for low-latency, high-throughput networking.
504

Your application requires persistent block storage that survives Amazon EC2 instance termination. Which service should you use?

Amazon S3
Ephemeral/Instance Store
Amazon EFS
Amazon EBS
View Explanation
✓ Correct Answer: Amazon EBSExplanation:Amazon EBS volumes persist independently from virtual machine instances and can be attached/detached as needed.
505

You need to create a backup of your Amazon EBS volume for disaster recovery. What feature should you use?

Amazon EBS Snapshots
Amazon S3 versioning
Amazon EC2 Image/AMI
Amazon RDS backups
View Explanation
✓ Correct Answer: Amazon EBS SnapshotsExplanation:Amazon EBS Snapshots are incremental backups typically stored in Amazon S3, providing point-in-time recovery.
506

You need to create a logically isolated section of your cloud environment where you can launch resources in a virtual network that you define. Which service provides this?

AWS IAM
Security Groups
Amazon VPC
Elastic Load Balancing (ELB)
View Explanation
✓ Correct Answer: Amazon VPCExplanation:Amazon VPC enables you to launch cloud resources in a logically isolated virtual network with full control over IP addressing, subnets, and routing.