Home/Directory/solutions architect professional

solutions architect professional Practice Questions

Page 1 of 3 (240 total questions)

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?
View Question & Answer ➔
A large enterprise is migrating to AWS and wants to implement a centralized governance model across 100+ AWS accounts. They need to enforce a policy that prevents any account from disabling CloudTrail or deleting S3 buckets that store audit logs. Which solution is most appropriate?
View Question & Answer ➔
Which AWS service provides an automated way to detect that an EC2 instance in a public subnet has been compromised and is communicating with an known malicious command-and-control server?
View Question & Answer ➔
An enterprise wants to enforce a rule that all EC2 instances must be launched with a specific set of tags for cost allocation. How can they implement this 'Tagging Enforcement' to prevent non-compliant resources from even being created?
View Question & Answer ➔
An enterprise wants to migrate its on-premises Microsoft Active Directory to AWS. They want a managed solution that integrates with Amazon RDS for SQL Server and allows them to use their existing AD tools. Which service should they choose?
View Question & Answer ➔
To improve the security of your AWS environment, you want to identify any IAM roles that have not been used in the last 90 days across all your accounts. Which AWS feature provides this information?
View Question & Answer ➔
An enterprise wants to enable 'Workload Identity' for their Amazon EKS clusters so that pods can assume specific IAM roles without needing to manage static AWS credentials inside the cluster. Which feature provides this?
View Question & Answer ➔
Which AWS service provides a unified view of security alerts and compliance status across multiple AWS accounts and security services like GuardDuty, Inspector, and IAM Access Analyzer?
View Question & Answer ➔
A financial firm needs to ensure that their database is compliant with data residency requirements specifying that data must never leave a specific AWS region. How can they enforce this at the organization level?
View Question & Answer ➔
An enterprise wants to ensure that all their AWS accounts follow a strict security baseline. They want to automate the setup of new accounts with pre-configured VPCs, IAM roles, and logging. Which AWS service is specifically designed to orchestrate this multi-account environment setup?
View Question & Answer ➔
You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?
View Question & Answer ➔
You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?
View Question & Answer ➔
An organization is migrating a 2 PB data archive from an on-premises Hadoop cluster to Amazon S3. They have a 1 Gbps internet connection and a 100 Mbps direct link. Bandwidth is limited and they need the migration to finish within 4 weeks. What is the most feasible way to migrate ?
View Question & Answer ➔
A fintech startup wants to ensure that no developer can accidentally grant public access to S3 buckets containing sensitive customer data. They want an automated way to detect AND automatically remediate this at the organization level. How should they implement this?
View Question & Answer ➔
Your application uses Amazon S3 to store millions of small objects. You find that the costs for 'GET' and 'PUT' requests are higher than the storage costs. What is the most effective way to reduce the overall request costs for these small objects?
View Question & Answer ➔
A large biotech firm needs to move 500 TB of genomic data to S3. They want to ensure they don't exceed their 1 Gbps Direct Connect limit during business hours but want the transfer to be as fast as possible at night. Which tool integrates this scheduling and bandwidth control natively?
View Question & Answer ➔
A team of data analysts is using Amazon Athena to query data in S3. You notice that query costs are rising rapidly because they are performing 'full scans' of large CSV files. What is the most effective architectural change to reduce query costs and improve performance?
View Question & Answer ➔
An organization wants to optimize their S3 storage costs for a bucket with millions of objects where the access patterns are unknown and constantly changing. They want a solution that automatically moves data between frequent and infrequent access tiers without any performance impact or operational overhead. Which S3 storage class is best?
View Question & Answer ➔
A financial services client requires their data in S3 to be redundant across two different geographical regions. They also need to ensure that any object deleted in the source bucket is NOT deleted in the destination bucket to protect against accidental mass deletion. How should they configure S3 Replication?
View Question & Answer ➔
A manufacturing company needs to store petabytes of sensor data. The data is rarely accessed but must be available within minutes if a request is made. Which S3 storage class provides the best balance of cost and retrieval speed for this use case?
View Question & Answer ➔
A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?
View Question & Answer ➔
You are designing a disaster recovery solution for a mission-critical SQL Server database running on Amazon RDS. The business requirements specify a Recovery Time Objective (RTO) of 30 minutes and a Recovery Point Objective (RPO) of 5 minutes. Which RDS feature should you use?
View Question & Answer ➔
You are designing a high-availability multi-tier web application. You want to ensure that if an entire Availability Zone (AZ) fails, your application automatically recovers with zero data loss for the database. Which RDS configuration should you use?
View Question & Answer ➔
A global gaming company needs a database that can handle multi-region writes with strong consistency and sub-second failover in the event of a regional outage. Which RDS-based service provides this capability?
View Question & Answer ➔
You are designing a high-traffic API that uses AWS Lambda. You want to ensure that your database (Amazon RDS) is not overwhelmed by too many concurrent connections during traffic spikes. What is the most architectural way to handle this?
View Question & Answer ➔
A travel website experiences unpredictable traffic spikes. They use an Amazon Aurora database. How can they ensure that the database tier scales automatically for both read and write workloads without manual intervention?
View Question & Answer ➔
An organization wants to migrate their legacy Oracle database to Amazon Aurora PostgreSQL. They want a tool that can automatically convert the schema and stored procedures. Which tool should they use?
View Question & Answer ➔
An organization is migrating a 10 TB Oracle database to Amazon Aurora PostgreSQL. They need to perform a near-zero downtime migration and require a tool that can handle continuous data replication during the cutover. Which service should they use?
View Question & Answer ➔
In Amazon Aurora, what is the primary purpose of 'Global Database' for an organization with a global user base?
View Question & Answer ➔
To increase the availability of your Amazon RDS database across multiple geographical regions, what feature should you use?
View Question & Answer ➔
Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?
View Question & Answer ➔
A global conglomerate wants to analyze their AWS spend across multiple business units. They want to create custom 'Cost Categories' based on tags, accounts, and services to better attribute costs to specific projects. Which tool provides this capability?
View Question & Answer ➔
An organization wants to analyze their VPC Flow Logs and CloudTrail logs to identify the 'Blast Radius' of a potential security breach. They need a tool that can visualize the relationships between their resources and security events. Which service should they use?
View Question & Answer ➔
An organization following the 'Least Privilege' principle wants to restrict all developers from creating new S3 buckets that do not have encryption enabled. How should they implement this organizational control?
View Question & Answer ➔
An organization wants to implement 'Zero Trust' networking and wants to ensure that access to their internal web apps is denied unless the user's device is compliant with corporate patches. Which AWS service provides this context-aware access?
View Question & Answer ➔
To protect your AWS accounts from unauthorized administrative actions, you want to require that any change to a specific set of critical IAM roles requires approval from two different security administrators (Two-Person Control). How can you implement this securely?
View Question & Answer ➔
Which AWS service provides a consolidated way to view compliance-ready reports (like SOC 1/2, PCI-DSS, ISO) for the global AWS infrastructure?
View Question & Answer ➔
An organization wants to analyze their organization-wide CloudTrail logs for threat detection. They want to use a tool that can automatically detect API patterns that indicate a hacker is attempting to exfiltrate data from an S3 bucket. Which service is best?
View Question & Answer ➔
An enterprise wants to improve the security of their AWS environment by automatically identifying and remediating any public S3 buckets. Which AWS service provides a library of pre-built auto-remediation actions for common compliance issues?
View Question & Answer ➔
An organization wants to move their legacy on-premises Windows-based applications to AWS with minimal changes. They want a managed platform that handles patching, auto-scaling, and provides a 'Zero Trust' access experience for their employees. Which AWS service should they use?
View Question & Answer ➔
You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?
View Question & Answer ➔
An organization wants to analyze petabytes of historical transaction data stored in S3 using SQL. The analysis must be fast and the costs must be predictable for hundreds of analysts. Which service should they use?
View Question & Answer ➔
Your organization is running a data warehouse on Amazon Redshift. They want to store their cold data on S3 to reduce costs but still be able to query it using the same SQL interface alongside their hot data. Which feature should they use?
View Question & Answer ➔
An organization is migrating their 500 TB of data to Amazon Redshift. They want to ensure they don't go over budget and want a deterministic price for their analytical workload. What is the most effective approach?
View Question & Answer ➔
You are hosting a very large dataset in Amazon Redshift. You want to minimize the amount of data scanned for common queries that filter by 'date'. What should you define in your table schema?
View Question & Answer ➔
Which AWS security service allows you to centrally manage and deploy firewall rules across your entire organization, including WAF rules, Shield Advanced protection, and Network Firewall policies?
View Question & Answer ➔
Your organization wants to implement a centralized way to manage and deploy configuration best practices across 100+ AWS accounts. They want to ensure that if a resource becomes non-compliant (e.g., an S3 bucket becomes public), it is automatically remediated without manual intervention. Which AWS service and feature provides this?
View Question & Answer ➔
To reduce the 'Blast Radius' of a potential compromise in a multi-tenant application, you want to ensure that each customer's data is stored in a separate DynamoDB table and that the application code can only access the specific table of the currently logged-in user. Which feature enables this dynamic, fine-grained access control?
View Question & Answer ➔
To improve the security of an Amazon ECR (Elastic Container Registry), an enterprise wants to ensure that any container image with a 'Critical' vulnerability is automatically prevented from being pulled or deployed to their EKS clusters. Which tool combination handles this enforcement?
View Question & Answer ➔
How can you securely provide temporary access to a specific AWS account for a 3rd-party auditor without creating a permanent IAM user or sharing passwords?
View Question & Answer ➔
Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?
View Question & Answer ➔
A global news website experiences massive spikes in traffic during major events. They want to serve static content with the lowest possible latency and protect their backend from L7 DDoS attacks while reducing the load on their ALB. Which combination of services should they use?
View Question & Answer ➔
A media company is streaming high-definition video globally. They want to ensure that users in Australia experience low latency when accessing content originally hosted on an S3 bucket in the us-east-1 region. Which AWS service is required?
View Question & Answer ➔
A media company is using Amazon CloudFront to serve high-value video content. They want to ensure that only authorized viewers can access the content, and the authorization should be checked for every single request at the edge. Which solution is most appropriate?
View Question & Answer ➔
You are hosting a static website on S3. You want to serve content via HTTPS with a custom domain name (e.g., example.com). What is the AWS-recommended architecture?
View Question & Answer ➔
A media company is using Amazon CloudFront. They want to prevent 'Bot' traffic from scraping their website and consuming expensive resources. Which service provides specialized bot protection for CloudFront?
View Question & Answer ➔
To protect a mission-critical web application from common web exploits (like SQL injection) and bot-driven scraping, which service should you integrate with your Application Load Balancer?
View Question & Answer ➔
Which AWS security service uses machine learning to automatically protect your web applications from 'account takeover' (ATO) attacks and credential stuffing?
View Question & Answer ➔
To protect your Application Load Balancer from a sophisticated L7 DDoS attack that uses a massive number of varied IP addresses to mimic real users (Layer 7 flooding), which AWS service should you use?
View Question & Answer ➔
A media company is using Amazon CloudFront. They want to ensure that their premium video content can only be viewed by users who have a valid authentication cookie issued by their web portal. Which feature should they use?
View Question & Answer ➔
Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?
View Question & Answer ➔
An enterprise wants to ensure that all their employees can access their internal AWS dashboards only while they are connected to the corporate office network via VPN. Which AWS tool can enforce this IP-based restriction at the portal level?
View Question & Answer ➔
Your organization wants to implement 'Attribute-based Access Control' (ABAC) to simplify IAM management. They want to ensure that developers can only start/stop EC2 instances that have a 'Project' tag matching the 'Project' tag on the developer's IAM user. Which IAM policy element is used to achieve this comparison?
View Question & Answer ➔
An enterprise wants to be alerted immediately if their daily AWS spend exceeds their historical average by more than 20%, which could indicate a security breach or a misconfigured resource. Which AWS service provides this machine-learning based detection?
View Question & Answer ➔
Whcih AWS service provides 'Managed Threat Intelligence' to protect your S3 buckets from malicious actors by checking data access events against a database of known suspicious IP addresses and domains?
View Question & Answer ➔
How can you analyze the 'Blast Radius' of a potential IAM user compromise by identifying exactly which resources that user has permission to access across your entire AWS Organization?
View Question & Answer ➔
Which AWS service provides a managed way to run 'Service Quota' analysis across multiple accounts and automatically request increases before you hit the limit?
View Question & Answer ➔
Which AWS security service allows you to centrally manage and automate security configuration checks for your enterprise using a set of best-practice 'Conformance Packs'?
View Question & Answer ➔
Which AWS service provides an automated way to detect if an IAM role has been granted permissions that it hasn't used in 90 days, helping you move towards a model of 'Least Privilege'?
View Question & Answer ➔
Scenario: To minimize the blast radius of a potential credential theft, you want to ensure that your developers can only access the production AWS account during business hours. Solution ?
View Question & Answer ➔
Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?
View Question & Answer ➔
You are designing a solution for an audit firm that needs to store encrypted data in S3 for 10 years. They require that the encryption keys are rotated annually and that no one, including AWS, can access the cleartext keys. Which AWS KMS key type and rotation should you use?
View Question & Answer ➔
An organization wants to centralize the management of their secrets (API keys, DB passwords, etc.) across 50 AWS accounts. They want to ensure they can rotate passwords without downtime and audit who accessed the secrets. Which service is appropriate?
View Question & Answer ➔
An organization is using Amazon S3 to store patient records. They must ensure that the records are encrypted at rest with keys that they rotate every 90 days and that AWS itself cannot access. Which KMS key configuration meets this requirement?
View Question & Answer ➔
Which AWS security service allows you to automatically rotate your database passwords every 30 days and provides a managed way to inject these secrets into your Lambda functions without human intervention?
View Question & Answer ➔
An organization wants to ensure that all their critical S3 buckets are encrypted with keys that only they physically possess in an on-premises HSM. Which KMS feature allows you to use your own HSM as the back-end for KMS encryption?
View Question & Answer ➔
Which AWS service provides an automated way to detect if a specific Amazon EC2 instance has a legacy software package installed that contains a known security vulnerability (CVE)?
View Question & Answer ➔
Your company has multiple VPCs across different regions and accounts. You need to enable a high-performance, many-to-many connectivity model while ensuring that you can centrally manage the routing and security between these VPCs and your on-premises data center via a 10 Gbps Direct Connect. What is the recommended architecture?
View Question & Answer ➔
A SaaS provider wants to offer their customers a way to privately access their backend API services hosted on AWS without using public IPs, VPNs, or VPC Peering. Which AWS feature enables this cross-account private connectivity?
View Question & Answer ➔
An organization wants to implement 'Zero Trust' networking for its developers to access internal admin panels hosted on EC2. They want to avoid a traditional VPN and instead use identity-based access with MFA. Which AWS service is best?
View Question & Answer ➔
A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?
View Question & Answer ➔
Which AWS networking feature allows you to physically connect your on-premises routers to an AWS edge location for a private, consistent experience, bypassing the public internet?
View Question & Answer ➔
To reduce the network latency for users in remote locations without deploying full infrastructure in those regions, which AWS service provides a global network of edge locations to terminate user TCP/UDP connections closer to them?
View Question & Answer ➔
An organization wants to analyze the network traffic across all their VPCs to identify unusual patterns or security threats. They need to see details like source/destination IP, ports, and protocols. What should they enable?
View Question & Answer ➔
Which AWS networking service allows you to create a secure, private connection between your on-premises data center and your AWS VPC without using a physical Direct Connect link?
View Question & Answer ➔
You are designing a high-end security architecture for a government agency. They need to inspect all incoming and outgoing North-South traffic as well as East-West traffic between VPCs using a centralized fleet of 3rd-party firewall appliances. Which AWS feature simplifies the deployment of these appliances?
View Question & Answer ➔
Which AWS networking service allows you to create a secure, private connection from your on-premises network to AWS over the internet with the ability to dynamically route traffic using BGP?
View Question & Answer ➔
Which AWS service allows you to create a secure, private connection between your AWS VPC and a 3rd-party SaaS provider (like Salesforce or Snowflake) without traversing the public internet?
View Question & Answer ➔
A security company wants to inspect all outgoing web traffic from their AWS VPC to ensure no sensitive data is being leaked. Which service allows them to implement a managed, stateful network firewall for their VPC?
View Question & Answer ➔
Which AWS service allows you to create a secure, private connection between your AWS VPC and on-premises sites using an IPSec tunnel over the internet with centralized management via a Hub-and-Spoke model?
View Question & Answer ➔
You are building a customer support chatbot that needs to understand natural language intent (e.g., 'book a flight'). Which service provides Natural Language Understanding (NLU) capabilities?
View Question & Answer ➔
An enterprise wants to interconnect 50 VPCs across multiple AWS accounts and regions. They also need to connect these VPCs to their on-premises data center using multiple VPNs and Direct Connect links. Which service acts as a 'Network Hub' to simplify this architecture?
View Question & Answer ➔
Which AWS networking service allows you to create a secure, high-bandwidth connection between your on-premises data center and Amazon S3 without traversing the public internet or using a VPN?
View Question & Answer ➔
Which AWS networking feature allows you to connect multiple VPCs in a 'Hub and Spoke' architecture while keeping all traffic on the private AWS network?
View Question & Answer ➔
An organization wants to analyze their VPC network traffic to identify which subnets and instances are 가장 많이 accessed from the internet. Which tool provides a visualization of this network topology?
View Question & Answer ➔
You are designing a high-performance network for a global application. You need a way to build, manage, and monitor a unified global network that connects your VPCs across different regions and your on-premises data centers. Which new AWS service simplifies this global wide-area network management?
View Question & Answer ➔
Which AWS networking service allows you to speed up the performance of your global users' connection to your site-to-site VPN by routing their traffic over the nearest AWS edge location instead of the public internet?
View Question & Answer ➔
An organization wants to analyze the network topology of their massive multi-region AWS environment. They want a visualization that shows how traffic is flowing between their VPCs, Transit Gateways, and on-premises sites. Which tool should they use?
View Question & Answer ➔
To improve the scalability and availability of an Application Load Balancer (ALB), you want to ensure that if a specific Availability Zone has a high error rate, traffic is automatically shifted away from the targets in that zone. Which feature enables this?
View Question & Answer ➔
Which AWS networking service allows you to create a secure, high-speed connection between your on-premises routers and an AWS edge location using an industry-standard 802.1q VLAN?
View Question & Answer ➔

Page 1 of 3Next →

solutions architect professional Practice Questions

You are designing a serverless microservices architecture for a new startup. The application needs to handle unpredictable traffic spikes without managing any underlying infrastructure. Which compute service should you use?

A large enterprise is migrating to AWS and wants to implement a centralized governance model across 100+ AWS accounts. They need to enforce a policy that prevents any account from disabling CloudTrail or deleting S3 buckets that store audit logs. Which solution is most appropriate?

Which AWS service provides an automated way to detect that an EC2 instance in a public subnet has been compromised and is communicating with an known malicious command-and-control server?

An enterprise wants to enforce a rule that all EC2 instances must be launched with a specific set of tags for cost allocation. How can they implement this 'Tagging Enforcement' to prevent non-compliant resources from even being created?

An enterprise wants to migrate its on-premises Microsoft Active Directory to AWS. They want a managed solution that integrates with Amazon RDS for SQL Server and allows them to use their existing AD tools. Which service should they choose?

To improve the security of your AWS environment, you want to identify any IAM roles that have not been used in the last 90 days across all your accounts. Which AWS feature provides this information?

An enterprise wants to enable 'Workload Identity' for their Amazon EKS clusters so that pods can assume specific IAM roles without needing to manage static AWS credentials inside the cluster. Which feature provides this?

Which AWS service provides a unified view of security alerts and compliance status across multiple AWS accounts and security services like GuardDuty, Inspector, and IAM Access Analyzer?

A financial firm needs to ensure that their database is compliant with data residency requirements specifying that data must never leave a specific AWS region. How can they enforce this at the organization level?

An enterprise wants to ensure that all their AWS accounts follow a strict security baseline. They want to automate the setup of new accounts with pre-configured VPCs, IAM roles, and logging. Which AWS service is specifically designed to orchestrate this multi-account environment setup?

You need to host a static website (HTML, CSS, JS) with the lowest possible cost and high durability. You do not need server-side processing. Which storage solution should you choose?

You need to grant developers read-only access to Amazon S3 buckets without giving them access to other services. What's the best approach using AWS IAM?

An organization is migrating a 2 PB data archive from an on-premises Hadoop cluster to Amazon S3. They have a 1 Gbps internet connection and a 100 Mbps direct link. Bandwidth is limited and they need the migration to finish within 4 weeks. What is the most feasible way to migrate ?

A fintech startup wants to ensure that no developer can accidentally grant public access to S3 buckets containing sensitive customer data. They want an automated way to detect AND automatically remediate this at the organization level. How should they implement this?

Your application uses Amazon S3 to store millions of small objects. You find that the costs for 'GET' and 'PUT' requests are higher than the storage costs. What is the most effective way to reduce the overall request costs for these small objects?

A large biotech firm needs to move 500 TB of genomic data to S3. They want to ensure they don't exceed their 1 Gbps Direct Connect limit during business hours but want the transfer to be as fast as possible at night. Which tool integrates this scheduling and bandwidth control natively?

A team of data analysts is using Amazon Athena to query data in S3. You notice that query costs are rising rapidly because they are performing 'full scans' of large CSV files. What is the most effective architectural change to reduce query costs and improve performance?

A manufacturing company needs to store petabytes of sensor data. The data is rarely accessed but must be available within minutes if a request is made. Which S3 storage class provides the best balance of cost and retrieval speed for this use case?

A financial application requires a relational database that supports high availability and automated backups. The database must be fully managed to reduce operational overhead. Which service fits these requirements?

You are designing a disaster recovery solution for a mission-critical SQL Server database running on Amazon RDS. The business requirements specify a Recovery Time Objective (RTO) of 30 minutes and a Recovery Point Objective (RPO) of 5 minutes. Which RDS feature should you use?

You are designing a high-availability multi-tier web application. You want to ensure that if an entire Availability Zone (AZ) fails, your application automatically recovers with zero data loss for the database. Which RDS configuration should you use?

A global gaming company needs a database that can handle multi-region writes with strong consistency and sub-second failover in the event of a regional outage. Which RDS-based service provides this capability?

You are designing a high-traffic API that uses AWS Lambda. You want to ensure that your database (Amazon RDS) is not overwhelmed by too many concurrent connections during traffic spikes. What is the most architectural way to handle this?

A travel website experiences unpredictable traffic spikes. They use an Amazon Aurora database. How can they ensure that the database tier scales automatically for both read and write workloads without manual intervention?

An organization wants to migrate their legacy Oracle database to Amazon Aurora PostgreSQL. They want a tool that can automatically convert the schema and stored procedures. Which tool should they use?

An organization is migrating a 10 TB Oracle database to Amazon Aurora PostgreSQL. They need to perform a near-zero downtime migration and require a tool that can handle continuous data replication during the cutover. Which service should they use?

In Amazon Aurora, what is the primary purpose of 'Global Database' for an organization with a global user base?

To increase the availability of your Amazon RDS database across multiple geographical regions, what feature should you use?

Your application generates millions of clickstream events per second. You need a service to ingest and buffer this data in real-time before processing it. Which service fits this need?

A global conglomerate wants to analyze their AWS spend across multiple business units. They want to create custom 'Cost Categories' based on tags, accounts, and services to better attribute costs to specific projects. Which tool provides this capability?

An organization wants to analyze their VPC Flow Logs and CloudTrail logs to identify the 'Blast Radius' of a potential security breach. They need a tool that can visualize the relationships between their resources and security events. Which service should they use?

An organization following the 'Least Privilege' principle wants to restrict all developers from creating new S3 buckets that do not have encryption enabled. How should they implement this organizational control?

An organization wants to implement 'Zero Trust' networking and wants to ensure that access to their internal web apps is denied unless the user's device is compliant with corporate patches. Which AWS service provides this context-aware access?

To protect your AWS accounts from unauthorized administrative actions, you want to require that any change to a specific set of critical IAM roles requires approval from two different security administrators (Two-Person Control). How can you implement this securely?

Which AWS service provides a consolidated way to view compliance-ready reports (like SOC 1/2, PCI-DSS, ISO) for the global AWS infrastructure?

An organization wants to analyze their organization-wide CloudTrail logs for threat detection. They want to use a tool that can automatically detect API patterns that indicate a hacker is attempting to exfiltrate data from an S3 bucket. Which service is best?

An enterprise wants to improve the security of their AWS environment by automatically identifying and remediating any public S3 buckets. Which AWS service provides a library of pre-built auto-remediation actions for common compliance issues?

An organization wants to move their legacy on-premises Windows-based applications to AWS with minimal changes. They want a managed platform that handles patching, auto-scaling, and provides a 'Zero Trust' access experience for their employees. Which AWS service should they use?

You are analyzing petabytes of data for business intelligence reports. You need a fully managed, serverless enterprise data warehouse that supports SQL queries. Which service is best suited for this task?

An organization wants to analyze petabytes of historical transaction data stored in S3 using SQL. The analysis must be fast and the costs must be predictable for hundreds of analysts. Which service should they use?

Your organization is running a data warehouse on Amazon Redshift. They want to store their cold data on S3 to reduce costs but still be able to query it using the same SQL interface alongside their hot data. Which feature should they use?

An organization is migrating their 500 TB of data to Amazon Redshift. They want to ensure they don't go over budget and want a deterministic price for their analytical workload. What is the most effective approach?

You are hosting a very large dataset in Amazon Redshift. You want to minimize the amount of data scanned for common queries that filter by 'date'. What should you define in your table schema?

Which AWS security service allows you to centrally manage and deploy firewall rules across your entire organization, including WAF rules, Shield Advanced protection, and Network Firewall policies?

To improve the security of an Amazon ECR (Elastic Container Registry), an enterprise wants to ensure that any container image with a 'Critical' vulnerability is automatically prevented from being pulled or deployed to their EKS clusters. Which tool combination handles this enforcement?

How can you securely provide temporary access to a specific AWS account for a 3rd-party auditor without creating a permanent IAM user or sharing passwords?

Your media company streams video content to users globally. Users in different regions are experiencing high latency. You need to improve performance by caching content closer to the users. Which service should you implement?

A global news website experiences massive spikes in traffic during major events. They want to serve static content with the lowest possible latency and protect their backend from L7 DDoS attacks while reducing the load on their ALB. Which combination of services should they use?

A media company is streaming high-definition video globally. They want to ensure that users in Australia experience low latency when accessing content originally hosted on an S3 bucket in the us-east-1 region. Which AWS service is required?

A media company is using Amazon CloudFront to serve high-value video content. They want to ensure that only authorized viewers can access the content, and the authorization should be checked for every single request at the edge. Which solution is most appropriate?

You are hosting a static website on S3. You want to serve content via HTTPS with a custom domain name (e.g., example.com). What is the AWS-recommended architecture?

A media company is using Amazon CloudFront. They want to prevent 'Bot' traffic from scraping their website and consuming expensive resources. Which service provides specialized bot protection for CloudFront?

To protect a mission-critical web application from common web exploits (like SQL injection) and bot-driven scraping, which service should you integrate with your Application Load Balancer?

Which AWS security service uses machine learning to automatically protect your web applications from 'account takeover' (ATO) attacks and credential stuffing?

To protect your Application Load Balancer from a sophisticated L7 DDoS attack that uses a massive number of varied IP addresses to mimic real users (Layer 7 flooding), which AWS service should you use?

A media company is using Amazon CloudFront. They want to ensure that their premium video content can only be viewed by users who have a valid authentication cookie issued by their web portal. Which feature should they use?

Your public-facing web application is under a Distributed Denial of Service (DDoS) attack. You need a managed service to detect and mitigate these attacks automatically. What should you enable?

An enterprise wants to ensure that all their employees can access their internal AWS dashboards only while they are connected to the corporate office network via VPN. Which AWS tool can enforce this IP-based restriction at the portal level?

An enterprise wants to be alerted immediately if their daily AWS spend exceeds their historical average by more than 20%, which could indicate a security breach or a misconfigured resource. Which AWS service provides this machine-learning based detection?

Whcih AWS service provides 'Managed Threat Intelligence' to protect your S3 buckets from malicious actors by checking data access events against a database of known suspicious IP addresses and domains?

How can you analyze the 'Blast Radius' of a potential IAM user compromise by identifying exactly which resources that user has permission to access across your entire AWS Organization?

Which AWS service provides a managed way to run 'Service Quota' analysis across multiple accounts and automatically request increases before you hit the limit?

Which AWS security service allows you to centrally manage and automate security configuration checks for your enterprise using a set of best-practice 'Conformance Packs'?

Which AWS service provides an automated way to detect if an IAM role has been granted permissions that it hasn't used in 90 days, helping you move towards a model of 'Least Privilege'?

Scenario: To minimize the blast radius of a potential credential theft, you want to ensure that your developers can only access the production AWS account during business hours. Solution ?

Company policy requires that all database encryption keys be managed centrally and rotated annually. You need a secure, durable service to store and manage these cryptographic keys. Which service should you use?

You are designing a solution for an audit firm that needs to store encrypted data in S3 for 10 years. They require that the encryption keys are rotated annually and that no one, including AWS, can access the cleartext keys. Which AWS KMS key type and rotation should you use?

An organization wants to centralize the management of their secrets (API keys, DB passwords, etc.) across 50 AWS accounts. They want to ensure they can rotate passwords without downtime and audit who accessed the secrets. Which service is appropriate?

An organization is using Amazon S3 to store patient records. They must ensure that the records are encrypted at rest with keys that they rotate every 90 days and that AWS itself cannot access. Which KMS key configuration meets this requirement?

Which AWS security service allows you to automatically rotate your database passwords every 30 days and provides a managed way to inject these secrets into your Lambda functions without human intervention?

An organization wants to ensure that all their critical S3 buckets are encrypted with keys that only they physically possess in an on-premises HSM. Which KMS feature allows you to use your own HSM as the back-end for KMS encryption?

Which AWS service provides an automated way to detect if a specific Amazon EC2 instance has a legacy software package installed that contains a known security vulnerability (CVE)?

A SaaS provider wants to offer their customers a way to privately access their backend API services hosted on AWS without using public IPs, VPNs, or VPC Peering. Which AWS feature enables this cross-account private connectivity?

An organization wants to implement 'Zero Trust' networking for its developers to access internal admin panels hosted on EC2. They want to avoid a traditional VPN and instead use identity-based access with MFA. Which AWS service is best?

A law firm wants to digitize millions of scanned contracts. You need an AI service to extract text, forms, and tables from these PDF documents automatically. Which service is designed for this?

Which AWS networking feature allows you to physically connect your on-premises routers to an AWS edge location for a private, consistent experience, bypassing the public internet?

To reduce the network latency for users in remote locations without deploying full infrastructure in those regions, which AWS service provides a global network of edge locations to terminate user TCP/UDP connections closer to them?

An organization wants to analyze the network traffic across all their VPCs to identify unusual patterns or security threats. They need to see details like source/destination IP, ports, and protocols. What should they enable?

Which AWS networking service allows you to create a secure, private connection between your on-premises data center and your AWS VPC without using a physical Direct Connect link?