Amazon Practice Questions, Discussions & Exam Topics by our Authors
A company hosts a data lake on Amazon S3. The data lake ingests data in Apache Parquet format from various data sources. The company uses multiple transformation steps to prepare the ingested data. The steps include filtering of anomalies, normalizing of data to standard date and time values, and generation of aggregates for analyses.
The company must store the transformed data in S3 buckets that data analysts access. The company needs a prebuilt solution for data transformation that does not ...
To meet the company's requirements of data transformation with no coding involved, data lineage, data profiling, and the ability to share transformation steps with employees, let's analyze the options based on these key factors.
Option A:
Configure an AWS Glue Studio visual canvas to transform the data. Share the transformation steps with employees by using AWS Glue jobs.
- Pros: AWS Glue Studio offers a visual interface for building ETL (extract, transform, load) workflows without writing code. It supports transformations like filtering, normalization, and aggregation. You can also share the transformation steps using AWS Glue jobs. AWS Glue provides data lineage, which is important for understanding the flow and transformation of the data.
- Cons: Although AWS Glue Studio can handle transformations without code, it's more focused on backend ETL pipelines, and its primary use case is for larger, more complex workflows. It requires more configuration and might not be as intuitive for non-technical users.
- Rejected: This solution works but may not meet the simplicity and usability required for non-technical employees to easily follow and understand the transformations.
Option B:
Configure Amazon EMR Serverless to transform the data. Share the transformation steps with employees by using EMR Serverless jobs.
- Pros: Amazon EMR Serverless is a managed service that abstracts the infrastructure of big data workloads. It can handle large-scale transformations and processing using frameworks like Apache Spark.
- Cons: EMR Serverless requires writing code (Spark SQL or PySpark) to transform the data, which contradicts the requirement for a prebuilt solution with no code. Additionally, sharing transformation steps through EMR jobs requires more technical knowledge, making it less suitable for non-technical users.
- Rejected: Not a no-code solution, and not as user-friendly for non-technical employees to share transformation steps...
Author: Oliver · Last updated Apr 16, 2026
A solutions architect runs a web application on multiple Amazon EC2 instances that are in individual target groups behind an Application Load Balancer (ALB). Users can reach the application through a public website.
The solutions architect wants to allow engineers to use a development version of the website to access one specific development EC2 instance to test new features for the application. The solutions architect wants to use an Amazon Route 53 hosted zone to give th...
The goal is to allow engineers to access a development version of the website that routes to a specific development EC2 instance, even if that instance is replaced, and use a Route 53 hosted zone for easy access. The solution must be resilient, ensuring that the correct EC2 instance is accessed even if it is replaced.
Option A:
Create an A Record for the development website that has the value set to the ALB. Create a listener rule on the ALB that forwards requests for the development website to the target group that contains the development instance.
- Pros: This solution uses the Application Load Balancer (ALB) to forward requests to a target group that contains the development instance. The target group is dynamic, meaning if the development EC2 instance is replaced, the target group will automatically route traffic to the new instance without needing additional configuration.
- Recommended: This solution is robust, scalable, and dynamic. Using a target group ensures that even if the development EC2 instance is replaced, it will still be included in the routing automatically, without any manual updates to DNS records.
Option B:
Recreate the development instance with a public IP address. Create an A Record for the development website that has the value set to the public IP address of the development instance.
- Cons: This solution relies on the public IP address of the development EC2 instance. If the instance is replaced, its public IP address would change, which would break the DNS resolution. This solution does not meet the requirement of automatically handling instance replacements without manual intervention.
- Rejected: It is not scalable and requires manual updates every time the development instance is replaced.
Option...
Author: Aarav · Last updated Apr 16, 2026
A company runs a container application on a Kubernetes cluster in the company's data center. The application uses Advanced Message Queuing Protocol (AMQP) to communicate with a message queue. The data center cannot scale fast enough to meet the company's expanding business needs. The compa...
To meet the company's requirements of migrating the container application to AWS with the least operational overhead while using AMQP for communication with the message queue, let's evaluate the options:
Option A:
Migrate the container application to Amazon Elastic Container Service (Amazon ECS). Use Amazon Simple Queue Service (Amazon SQS) to retrieve the messages.
- Pros: Amazon ECS is a managed service for running containers, so it reduces operational overhead compared to managing containers on EC2. Amazon SQS is a fully managed message queue service, but it does not support AMQP: it exposes its own HTTPS-based API rather than a standard messaging protocol. Modifying the application to use SQS would therefore require code changes, which increases the migration effort and complexity.
- Cons: The primary issue here is that SQS does not support AMQP directly. The company would need to modify its application to use SQS’s native APIs, which introduces development effort.
- Rejected: This solution doesn't meet the requirement to continue using AMQP without substantial changes to the application.
Option B:
Migrate the container application to Amazon Elastic Kubernetes Service (Amazon EKS). Use Amazon MQ to retrieve the messages.
- Pros: Amazon EKS is a managed Kubernetes service, and it supports containerized applications with minimal operational overhead. Amazon MQ is a fully managed message broker that supports multiple messaging protocols, including AMQP, making it a natural choice for the company's needs. The company can migrate its existing AMQP-based application without requiring significant changes.
- Recommended: This solution provides a fully managed Kubernetes environment, integrates well with the application’s AMQP communication, and reduces operational overhead compared to managing a Kubernetes cluster on EC2. Using Amazon MQ allows the application to retain its use of AMQP, meeting the company's messaging requirements.
Option C:
U...
Author: Grace · Last updated Apr 16, 2026
An online gaming company hosts its platform on Amazon EC2 instances behind Network Load Balancers (NLBs) across multiple AWS Regions. The NLBs can route requests to targets over the internet. The company wants to improve the customer playing experience b...
To improve the end-to-end load time for global customers and optimize the gaming platform's performance across multiple AWS Regions, the goal is to reduce latency by routing traffic efficiently to the closest available resources. Let's evaluate the options based on the requirements:
Option A:
Create Application Load Balancers (ALBs) in each Region to replace the existing NLBs. Register the existing EC2 instances as targets for the ALBs in each Region.
- Pros: ALBs provide advanced routing capabilities, including HTTP/HTTPS-specific features, such as content-based routing and WebSocket support. However, the primary challenge is that ALBs are more suited for HTTP/HTTPS traffic, whereas the NLBs are generally better for non-HTTP(S) or lower-latency workloads (like gaming).
- Cons: Replacing NLBs with ALBs does not directly address the need to reduce latency for global traffic. ALBs are region-specific, and while they provide more flexible routing, they do not improve latency for globally distributed users.
- Rejected: This solution is not optimal for improving global traffic performance or reducing end-to-end latency.
Option B:
Configure Amazon Route 53 to route equally weighted traffic to the NLBs in each Region.
- Pros: Using Amazon Route 53 for DNS-based routing to multiple regions can help direct traffic to the NLBs based on geographic proximity or latency. This allows users to be routed to the closest region, which can improve latency and response time.
- Cons: While this approach helps route traffic based on region, it relies solely on DNS and doesn't dynamically optimize routing based on real-time health or performance metrics. Additionally, Route 53 doesn't provide the same low-latency global routing as a dedicated service like AWS Global Accelerator.
- Rejected: This approach lacks the dynamic routing and performance optimization features that wou...
Author: Sophia Clark · Last updated Apr 16, 2026
A company has an on-premises application that uses SFTP to collect financial data from multiple vendors. The company is migrating to the AWS Cloud. The company has created an application that uses Amazon S3 APIs to upload files from vendors.
Some vendors run their systems on legacy applications that do not support S3 APIs. The vendors want to continue to use SFTP-based applications to upload data. The com...
Let's evaluate the provided options based on the requirements:
Key Requirements:
1. SFTP support: The vendors are using legacy applications that require SFTP.
2. Managed services: The company wants to minimize operational overhead.
3. Upload to S3: Files need to be uploaded to Amazon S3.
Evaluation of Options:
A) Create an AWS Database Migration Service (AWS DMS) instance to replicate data from the storage of the vendors that use legacy applications to Amazon S3.
- Why it's not a good option: AWS DMS is designed for database migration and replication, not for handling file uploads. It is not intended for use with SFTP file transfers. Additionally, DMS would involve unnecessary complexity and overhead in setting up a database replication process for simple file uploads. This option does not align with the need for direct SFTP-based file uploads into S3.
- Operational Overhead: High operational overhead due to the complexity of setting up and managing database migration tasks.
- Rejected.
B) Create an AWS Transfer Family endpoint for vendors that use legacy applications.
- Why it's a good option: AWS Transfer Family is a fully managed service that provides secure file transfer over SFTP, FTPS, and FTP, directly to Amazon S3. It supports SFTP, which the vendors need, and integrates seamlessly with Amazon S3, allowing the legacy vendors to continue using their existing SFTP applications while sending data directly to S3.
- Operational Overhead: Very low. AWS manages the SFTP server, so no manual infrastructure management is required.
- ...
Author: Lucas · Last updated Apr 16, 2026
A marketing team wants to build a campaign for an upcoming multi-sport event. The team has news reports from the past five years in PDF format. The team needs a solution to extract insights about the content and the sentiment of the news reports. The solution must use Amazon T...
Key Requirements:
1. Amazon Textract: The solution must use Amazon Textract to process the PDF reports.
2. Extract insights and sentiment: The team needs to extract insights and analyze the sentiment of the content.
3. Least operational overhead: The solution should minimize the need for manual maintenance and operations.
Evaluation of Options:
A) Provide the extracted insights to Amazon Athena for analysis. Store the extracted insights and analysis in an Amazon S3 bucket.
- Why it's not ideal: Athena is designed for querying data stored in Amazon S3, but it requires structured data (such as CSV or Parquet) and would require you to preprocess and structure the extracted insights. It’s more complex than some of the other options that directly address sentiment analysis and content extraction.
- Operational Overhead: Moderate. You would need to transform and store the data in a queryable format, then use SQL queries to analyze it. This involves more manual effort.
- Rejected.
B) Store the extracted insights in an Amazon DynamoDB table. Use Amazon SageMaker to build a sentiment model.
- Why it's not ideal: DynamoDB is a NoSQL database, and while it can store extracted insights, building a custom sentiment model in SageMaker adds significant complexity. You’d need to manually train and maintain the model, which adds to operational overhead. Additionally, SageMaker requires data preparation and training, which is more hands-on.
- Operational Overhead: High. You must build, train, and deploy a sentiment analysis model, which can be resource-intensive and requires ongoing ...
Author: Kunal · Last updated Apr 16, 2026
A company's application runs on Amazon EC2 instances that are in multiple Availability Zones. The application needs to ingest real-time data from third-party applications.
The company needs a data ingestion solution that pl...
Key Requirements:
1. Real-time data ingestion: The solution should allow real-time ingestion of data.
2. Data storage in Amazon S3: The raw data must be placed in an S3 bucket.
3. Scalability and high availability: Since the application runs in multiple Availability Zones, the solution must be resilient and scalable.
Evaluation of Options:
A) Create Amazon Kinesis data streams for data ingestion. Create Amazon Kinesis Data Firehose delivery streams to consume the Kinesis data streams. Specify the S3 bucket as the destination of the delivery streams.
- Why it's a good option: Amazon Kinesis is a fully managed service designed for real-time data ingestion. Kinesis Data Streams can collect and process large streams of real-time data from various sources. Kinesis Data Firehose can then deliver that data directly into Amazon S3, which meets the requirement of placing the raw data in an S3 bucket. This solution is highly scalable and integrates well with Amazon S3, with minimal operational overhead.
- Operational Overhead: Very low. Kinesis Data Firehose is a fully managed service, meaning it handles data ingestion and delivery without much manual intervention.
- Selected Option: This solution fits perfectly with the requirements of real-time data ingestion and storing it in Amazon S3, and it is easy to scale as needed.
B) Create database migration tasks in AWS Database Migration Service (AWS DMS). Specify replication instances of the EC2 instances as the source endpoints. Specify the S3 bucket as the target endpoint. Set the migration type to migrate existing data and replicate ongoing changes.
- Why it's not ideal: AWS DMS is primarily used for database migrations and continuous data replication between databases, rather than for real-time data ingestion from third-party applications. It’s not optimized for non-database data ingestion from external sources and would not provide the required real-time data transfer.
- Operational Overhead: Moderate to high, especially for non-database use cases, and it does not match the real-time data ingestion requirement.
- Rejected: DMS is not suitable for the real-time...
Author: MysticJaguar44 · Last updated Apr 16, 2026
A company's application is receiving data from multiple data sources. The size of the data varies and is expected to increase over time. The current maximum size is 700 KB. The data volume and data size continue to grow as more data sources are added.
The company decides to use Amazon DynamoDB as the primary database for the application. A solutions archit...
Key Requirements:
1. Handling large data sizes: The data is growing over time and is currently up to 700 KB, but it is expected to increase. DynamoDB has a maximum item size limit of 400 KB.
2. Operational efficiency: The solution should be efficient in terms of both performance and operational overhead.
Evaluation of Options:
A) Create an AWS Lambda function to filter the data that exceeds DynamoDB item size limits. Store the larger data in an Amazon DocumentDB (with MongoDB compatibility) database.
- Why it's not ideal: While this approach separates large data by using Amazon DocumentDB for larger objects, it introduces additional complexity. You would need to manage and synchronize data between DynamoDB and DocumentDB, adding operational overhead. DocumentDB is not specifically designed for integration with DynamoDB in this way.
- Operational Overhead: High. Managing two different databases and ensuring synchronization introduces unnecessary complexity.
- Rejected: The solution introduces operational complexity due to the management of two different databases.
B) Store the large data as objects in an Amazon S3 bucket. In a DynamoDB table, create an item that has an attribute that points to the S3 URL of the data.
- Why it's a good option: This solution makes use of Amazon S3 to store large objects (as S3 can handle objects of virtually unlimited size) while using DynamoDB to store metadata, such as the S3 URL of the object. DynamoDB is fast for metadata lookups, and S3 is highly scalable for large data storage. This approach is widely used for scenarios where large data cannot be stored directly in DynamoDB due to item size limits.
- Operational Overhead: Very low. You simply need to store the data in S3 and keep references in DynamoDB. S3 handles large files, while DynamoDB provides fast lookups for the metadata.
- Selected Option: This solution is operationally efficient and leverages the strengths of both DynamoDB and S3 for scalable data storage and fast metadata retrieval....
Author: Noah Williams · Last updated Apr 16, 2026
A company is migrating a legacy application from an on-premises data center to AWS. The application relies on hundreds of cron jobs that run between 1 and 20 minutes on different recurring schedules throughout the day.
The company wants a solution to schedule and run the cron jobs on AWS with minimal refactoring...
Key Requirements:
1. Minimal refactoring: The solution should require minimal changes to the existing cron jobs.
2. Event-driven execution: The cron jobs need to be triggered in response to a future event or scheduled at specific intervals.
3. Scalability and efficiency: The solution must efficiently handle a large number of cron jobs with varying schedules.
4. AWS services: The solution must leverage AWS managed services for scalability, reliability, and minimal operational overhead.
Evaluation of Options:
A) Create a container image for the cron jobs. Use Amazon EventBridge Scheduler to create a recurring schedule. Run the cron job tasks as AWS Lambda functions.
- Why it's not ideal: AWS Lambda is excellent for short-running, stateless functions, but it has a maximum execution time of 15 minutes. Since some cron jobs run between 1 and 20 minutes, this is problematic because Lambda would not be able to handle tasks that run longer than 15 minutes. While Lambda can handle simple tasks and is highly scalable, it does not meet the requirements for all cron jobs.
- Operational Overhead: Low for short-running jobs, but Lambda's execution time limit makes it unsuitable for jobs that exceed 15 minutes.
- Rejected: Not all cron jobs can be executed with Lambda due to its 15-minute runtime limitation.
B) Create a container image for the cron jobs. Use AWS Batch on Amazon Elastic Container Service (Amazon ECS) with a scheduling policy to run the cron jobs.
- Why it's not ideal: While AWS Batch is designed for running batch jobs and ECS is great for containerized workloads, this option introduces more complexity and operational overhead. AWS Batch is more suitable for long-running or resource-intensive jobs, but it might be overkill for relatively simple cron jobs with recurring schedules. It also requires additional configuration and management compared to simpler event-driven solutions.
- Operational Overhead: Higher compared to other options, as Batch requires managing job queues, computing environments, and scheduling policies.
- Rejected: More complex than necessary for simple cron job scheduling, especially when EventBridg...
Author: Olivia · Last updated Apr 16, 2026
A company uses Salesforce. The company needs to load existing data and ongoing data changes from Salesforce to Amazon Redshift for analysis. The company does not want the data to travel over the public int...
When determining the best solution for loading existing data and ongoing data changes from Salesforce to Amazon Redshift without using the public internet, we need to consider several key factors:
1. Private Connectivity: Since the company does not want the data to travel over the public internet, we need to ensure private connectivity between Salesforce and AWS.
2. Ease of Setup and Development Effort: We are looking for a solution that minimizes development effort. The more managed and out-of-the-box the solution is, the better.
3. Data Transfer Mechanism: The solution should facilitate data transfer in a way that supports both ongoing data changes and initial data load efficiently.
Evaluating Each Option:
A) Establish a VPN connection from the VPC to Salesforce. Use AWS Glue DataBrew to transfer data.
- A VPN encrypts the traffic, but the tunnel itself still runs over the public internet, so the data still traverses it. This does not fully meet the requirement for private connectivity.
- AWS Glue DataBrew is more of a data preparation tool, and while it can help process data, it’s not ideally suited for continuous data transfer from Salesforce to Redshift.
- Rejection Reason: VPN is not the best for fully private connectivity. Additionally, Glue DataBrew isn't designed for continuous data transfers.
B) Establish an AWS Direct Connect connection from the VPC to Salesforce. Use AWS Glue DataBrew to transfer data.
- Direct Connect provides a private, dedicated connection between AWS and Salesforce, ensuring no data traverses the public internet. This is a solid option for private connectivity.
- However, AWS Glue DataBrew is not designed for ongoing, real-time data synchronization between Salesforce and Redshift. It’s a data preparation tool...
Author: SolarFalcon11 · Last updated Apr 16, 2026
A company recently migrated its application to AWS. The application runs on Amazon EC2 Linux instances in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon Elastic File System (Amazon EFS) file system that uses EFS Standard-Infrequent Access storage. The application indexes the company's files. The index is stored in an Amazon RDS data...
To optimize storage costs effectively, we need to evaluate the best solution based on the company’s existing architecture, the cost-efficiency of different storage options, and the required changes to the application. Let's break down each option:
Key Factors in Evaluation:
1. Cost Efficiency: The main goal is to reduce storage costs, so solutions that involve cheaper storage tiers, like Amazon S3 or optimized file systems, will be considered.
2. Application Compatibility: The solution must align with the existing application, requiring minimal changes in the architecture or the application itself.
3. Ease of Transition: The change should not introduce major disruptions or complex configurations.
Evaluating Each Option:
A) Create an Amazon S3 bucket that uses an Intelligent-Tiering lifecycle policy. Copy all files to the S3 bucket. Update the application to use Amazon S3 API to store and retrieve files.
- Amazon S3 Intelligent-Tiering automatically moves data between two access tiers (frequent and infrequent access) based on usage, helping to optimize costs based on access patterns. This would be very cost-effective for optimizing storage costs.
- Application Changes: The application would need to be updated to use the Amazon S3 API instead of EFS, which involves modifying how the application interacts with the file system. While this requires application changes, it offers significant storage cost savings due to the pricing of S3 versus EFS.
- Cost Efficiency: Using S3 is likely to be much cheaper than using Amazon EFS Standard-Infrequent Access (EFS Standard-IA). The intelligent-tiering policy helps automatically optimize storage costs based on usage.
- Why Other Options Are Rejected: S3 offers a much lower cost and more flexible solution for storing files than other file systems or services. The update to the S3 API is a manageable change for significant cost savings.
B) Deploy Amazon FSx for Windows File Server file shares. Update the application to use CIFS protocol to store and retrieve files.
- Amazon FSx for Windows File Server is a managed Windows file system. It uses the CIFS protocol, which is Windows-specific. While this might work for Windows-based applications, it requires significant changes to the application and a shift to a different protocol (CIFS).
- Cost Consideration: FSx for Windows File Server is generally more expensive than S3, and its storage is not optimized for infrequent access in the way that S3 Glaci...
Author: Vivaan · Last updated Apr 16, 2026
A robotics company is designing a solution for medical surgery. The robots will use advanced sensors, cameras, and AI algorithms to perceive their environment and to complete surgeries.
The company needs a public load balancer in the AWS Cloud that will ensure seamless communication with backend services. The load balancer must be capable of rou...
Key Requirements Breakdown:
1. Public Load Balancer: The solution needs to be a load balancer that handles traffic from the public internet.
2. Routing Based on Query Strings: The load balancer must be able to route traffic based on query parameters.
3. Traffic Encryption: The traffic must be encrypted, implying that SSL/TLS termination is needed.
Evaluating Each Option:
A) Use a Network Load Balancer with a certificate attached from AWS Certificate Manager (ACM). Use query parameter-based routing.
- Network Load Balancer (NLB) is typically used for TCP/UDP traffic and is optimized for handling high-throughput, low-latency traffic. It operates at Layer 4 (Transport Layer) of the OSI model.
- Query Parameter-Based Routing: NLB does not support HTTP-level routing based on query parameters or path-based routing. It can only perform routing based on IP addresses and ports.
- Encryption: While you can attach an SSL/TLS certificate to an NLB, this is typically for terminating TLS at the transport layer, and the lack of HTTP-based routing is a significant limitation for query parameter-based routing.
- Rejection Reason: NLB cannot handle query parameter-based routing, so it doesn’t meet the core requirement.
B) Use a Gateway Load Balancer. Import a generated certificate in AWS Identity and Access Management (IAM). Attach the certificate to the load balancer. Use HTTP path-based routing.
- Gateway Load Balancer (GLB) is designed for routing traffic to virtual appliances, such as firewalls or intrusion detection systems, and operates at Layer 3 (Network Layer).
- Path-Based Routing: While GLB can handle path-based routing, it does not support query parameter-based routing, which is a key requirement here.
- Encryption: Importing a certificate through IAM is not the standard way for handling SSL/TLS encryption with a Gateway Load Balancer. It typically works with external appliances for managing traffic, which is not optimal for the given use case....
Author: Kai · Last updated Apr 16, 2026
A company has an application that runs on a single Amazon EC2 instance. The application uses a MySQL database that runs on the same EC2 instance. The company needs a highly available and automatically scala...
To meet the requirements of high availability and automatic scalability, we need to ensure that both the application layer (running on EC2 instances) and the database layer (running MySQL) are scalable and fault-tolerant. Let's evaluate each solution based on key factors:
Key Factors:
1. High Availability: The solution must ensure that the application and the database remain available during failures or increased traffic.
2. Automatic Scalability: The solution must handle traffic spikes automatically by scaling resources (e.g., EC2 instances or database capacity).
3. Cost Efficiency: The solution should be scalable but also cost-effective, considering the need for automatic scaling and database management.
Evaluating Each Option:
A) Deploy the application to EC2 instances that run in an Auto Scaling group behind an Application Load Balancer. Create an Amazon Redshift cluster that has multiple MySQL-compatible nodes.
- EC2 with Auto Scaling and Application Load Balancer: This configuration addresses the scalability and high availability for the application tier. Auto Scaling ensures that the number of EC2 instances automatically adjusts based on traffic.
- Amazon Redshift: Redshift is a data warehouse service designed for large-scale analytics, not transactional applications. It is not a MySQL-compatible solution for handling transactional database workloads.
- Rejection Reason: Redshift is not designed for transactional databases, so it's inappropriate for the MySQL database layer in this case.
B) Deploy the application to EC2 instances that are configured as a target group behind an Application Load Balancer. Create an Amazon RDS for MySQL cluster that has multiple instances.
- EC2 with Auto Scaling and Application Load Balancer: This part of the solution is suitable for automatic scaling and high availability of the application.
- Amazon RDS for MySQL: Amazon RDS provides high availability through a Multi-AZ deployment, in which a standby database instance is maintained automatically and failover occurs without manual intervention. It also supports storage autoscaling and replication to handle increased traffic, which makes it both highly available and scalable.
- Selected Solution: This solution meets the requirements for scalability and high availability for both the application and the database.
- Why other options are rejected: This option addresses both the application and the datab...
Author: Isabella1 · Last updated Apr 16, 2026
A company is planning to migrate data to an Amazon S3 bucket. The data must be encrypted at rest within the S3 bucket. The encryption key must be rotated automatically every year.
W...
Key Requirements:
1. Data Encryption at Rest: The data in the S3 bucket must be encrypted while stored.
2. Automatic Key Rotation: The encryption key must be rotated automatically every year.
3. Least Operational Overhead: The solution should minimize the need for manual intervention or continuous management of encryption and key rotation.
Evaluating Each Option:
A) Migrate the data to the S3 bucket. Use server-side encryption with Amazon S3 managed keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
- Encryption: SSE-S3 uses Amazon S3's default encryption mechanism, with Amazon S3 managing the keys internally.
- Automatic Key Rotation: SSE-S3 automatically rotates its encryption keys, so no manual key management is required.
- Operational Overhead: This option provides zero operational overhead since Amazon S3 handles the encryption and key rotation.
- Limitation: SSE-S3 uses Amazon's managed keys, which means you don’t have control over the key. However, for most cases where key rotation and simplicity are the primary requirements, this should be sufficient.
- Why Rejected: While SSE-S3 is an excellent solution for automatic key rotation, it may not meet certain regulatory or compliance requirements that demand more control over key management, such as using custom customer-managed keys.
B) Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket's default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket.
- Encryption: Using a KMS customer-managed key (CMK) provides greater control over the key, including the ability to define policies, audit usage, and access more compliance-related features.
- Automatic Key Rotation: KMS allows you to enable automatic key rotation every year. This meets the key rotation requirement with minimal overhead.
- Operational Overhead: KMS manages the key lifecycle, and automatic key rotation every year is enabled by default. This provides automatic rotation without manual intervention.
- Selected Solution: This solution offers control over key management (via KMS) while meeting the requirement for automatic key rotation and minim...
Author: Sofia2021 · Last updated Apr 16, 2026
A company is migrating applications from an on-premises Microsoft Active Directory that the company manages to AWS. The company deploys the applications in multiple AWS accounts. The company uses AWS Organizations to manage the accounts centrally.
The company's security team needs a single sign-on solution across all the company's AWS account...
In this scenario, the company needs a single sign-on (SSO) solution that integrates with their existing on-premises Microsoft Active Directory and works across multiple AWS accounts, leveraging AWS Organizations. Let's evaluate each option based on the key requirements.
A) Create an Enterprise Edition Active Directory in AWS Directory Service for Microsoft Active Directory. Configure the Active Directory to be the identity source for AWS IAM Identity Center.
- Reasoning: This option would create a new Active Directory in AWS, but the requirement specifies that the company wants to continue managing users and groups in the on-premises Active Directory. Setting up AWS Directory Service would create a new and separate directory, which doesn't address the need to continue managing the existing on-premises Active Directory.
- Rejection Reason: The company needs to maintain its existing on-premises Active Directory for user management, so this solution does not meet the requirements.
B) Enable AWS IAM Identity Center. Configure a two-way forest trust relationship to connect the company's self-managed Active Directory with IAM Identity Center by using AWS Directory Service for Microsoft Active Directory.
- Reasoning: This option creates a trust relationship between the self-managed on-premises Active Directory and AWS IAM Identity Center using AWS Directory Service. This allows IAM Identity Center to authenticate users and groups from the on-premises Active Directory, fulfilling the SSO requirement. IAM Identity Center also supports centralized management for AWS accounts, which fits the use of AWS Organizations.
- Justification: The key benefit of this option is that it maintains the on-premises Active Directory as the identity source and provides a centralized SSO solution using IAM Identity Center, making it a very suitable solution for the scenario.
C) Use AWS Directory Service and create a two-way trust...
Author: Amira99 · Last updated Apr 16, 2026
A company is planning to deploy its application on an Amazon Aurora PostgreSQL Serverless v2 cluster. The application will receive large amounts of traffic. The company wants to optimize the storage performance of the cluster as the lo...
To determine the most cost-effective solution for optimizing storage performance for an Amazon Aurora PostgreSQL Serverless v2 cluster under heavy traffic, let's evaluate the options based on the application’s needs and the expected performance requirements.
A) Configure the cluster to use the Aurora Standard storage configuration.
- Reasoning: The Aurora Standard storage configuration is designed to handle typical workloads but may not be optimized for heavy or unpredictable traffic loads. Aurora Standard is typically less expensive and might not provide the best performance for high traffic or workloads with large amounts of I/O.
- Rejection Reason: While cost-effective, this option might not deliver the storage performance necessary to efficiently handle high and fluctuating traffic loads, potentially leading to performance degradation during periods of high I/O demand.
B) Configure the cluster storage type as Provisioned IOPS.
- Reasoning: Provisioned IOPS (Input/Output Operations Per Second) offers high and consistent performance by delivering a fixed number of IOPS, but it can be significantly more expensive than other storage types. This configuration is ideal for applications with high-performance database requirements or consistent and predictable I/O demands.
- Rejection Reason: While Provisioned IOPS can offer superior performance, it is typically more costly than other storage configurations. Since the company is looking for a cost-effective solution, this option may not meet the need for high performance at a reasonable cost for typical workloads. Additionally, Aurora Serverless already has automatic scaling features that make it unnecessary to provision fixed IOPS for most workloads.
C) Configure the cluster storage type as General Purpose.
- Reasoning: General Purpose storage provides a balance between cost and performance for most workloads. It is designed to automaticall...
Author: Arjun · Last updated Apr 16, 2026
A financial services company that runs on AWS has designed its security controls to meet industry standards. The industry standards include the National Institute of Standards and Technology (NIST) and the Payment Card Industry Data Security Standard (PCI DSS).
The company's third-party auditors need proof that the designed controls have been implemented and are functioning correctly. The company has hundreds of AWS a...
To meet the company's requirements of proving the implementation and functionality of security controls across hundreds of AWS accounts in a single AWS Organization, the company needs a solution that can continuously monitor the state of security controls and demonstrate compliance with NIST and PCI DSS standards. Let’s evaluate each option based on these needs:
A) Designate one account as the Amazon Inspector delegated administrator account from the Organizations management account. Integrate Inspector with Organizations to discover and scan resources across all AWS accounts. Enable Inspector industry standards for NIST and PCI DSS.
- Reasoning: Amazon Inspector is a vulnerability management service that automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. However, Inspector focuses on security assessments, vulnerability scanning, and compliance checks for EC2 instances and container-based workloads.
- Rejection Reason: While Amazon Inspector can scan resources for vulnerabilities, it is not specifically designed for monitoring the broader scope of security controls required by NIST and PCI DSS, nor does it provide a holistic view of security compliance across accounts. It is not the best choice for continuously tracking the implementation of security controls across multiple accounts at an organizational level.
B) Designate one account as the Amazon GuardDuty delegated administrator account from the Organizations management account. In the designated GuardDuty administrator account, enable GuardDuty to protect all member accounts. Enable GuardDuty industry standards for NIST and PCI DSS.
- Reasoning: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across AWS accounts. While GuardDuty can provide valuable security monitoring by detecting potential threats, it is focused on monitoring network activity and detecting anomalies rather than ensuring compliance with standards like NIST or PCI DSS.
- Rejection Reason: GuardDuty focuses on detecting malicious activities, not on verifying that all security controls are implemented and functioning correctly. While it can be part of an overall security strategy, it is not a comprehensive solution for demonstrating compliance with NIST and PCI DSS standards.
C) Configure an AWS CloudTrail organization trail in the Organizations manageme...
Author: Rahul · Last updated Apr 16, 2026
A company uses an Amazon S3 bucket as its data lake storage platform. The S3 bucket contains a massive amount of data that is accessed randomly by multiple teams and hundreds of applications. The company wants to reduce the S3 storage costs and provide immediate availabilit...
Given the requirements, the company needs a solution that reduces Amazon S3 storage costs while ensuring immediate availability for frequently accessed objects. Let's evaluate each option based on these factors: reducing costs, ensuring operational efficiency, and providing quick access to frequently accessed data.
A) Create an S3 Lifecycle rule to transition objects to the S3 Intelligent-Tiering storage class.
- Reasoning: The S3 Intelligent-Tiering storage class is designed for automatic cost savings by moving data between two access tiers (frequent and infrequent) based on access patterns. This storage class offers immediate availability for frequently accessed objects, making it a great fit for workloads with unpredictable access patterns.
- Justification: The S3 Intelligent-Tiering class provides the most operationally efficient solution because it automatically moves objects between tiers based on access patterns without requiring manual intervention. It also ensures that frequently accessed data remains in the frequent access tier while infrequently accessed data is moved to the infrequent access tier, reducing costs.
- Why Selected: This option fully meets the requirement for reducing storage costs, and it automatically adapts to changing access patterns without needing additional complexity (like Lambda functions or additional lifecycle rules). It's also highly operationally efficient since there is no need to manually intervene.
B) Store objects in Amazon S3 Glacier. Use S3 Select to provide applications with access to the data.
- Reasoning: S3 Glacier is a cold storage class designed for archival data that is accessed infrequently. While it offers low storage costs, retrieving data from S3 Glacier can take minutes to hours, which makes it unsuitable for applications that require immediate availability of data.
- Rejection Reason: This option is not appropriate for scenarios where immediate availability is required. S3 Glacier is intended for long-term archival storage, not for frequently accessed data that needs quick retrieval.
C) Use data from S3 storage class analysis to create S3 Lifecycle rules to automatically t...
Author: Olivia Johnson · Last updated Apr 16, 2026
A company has 5 TB of datasets. The datasets consist of 1 million user profiles and 10 million connections. The user profiles have connections as many-to-many relationships. The company needs a performance efficient way...
To determine the best solution for efficiently finding mutual connections up to five levels in the given dataset, we need to evaluate options based on performance, scalability, and the nature of the data (many-to-many relationships between user profiles). Let's analyze each option:
A) Use an Amazon S3 bucket to store the datasets. Use Amazon Athena to perform SQL JOIN queries to find connections.
- Reasoning: Amazon S3 provides highly scalable storage, and Amazon Athena allows SQL-like querying on data stored in S3. However, performing SQL JOINs for many-to-many relationships, especially with a large number of records (1 million user profiles and 10 million connections), can be inefficient and slow. Athena is optimized for ad-hoc querying and data exploration, but it is not the most suitable for graph traversal or querying complex many-to-many relationships.
- Rejection Reason: While this approach may work for simple querying, Athena is not designed for graph-based queries or recursive lookups, which are necessary for finding mutual connections up to five levels. It would not scale well or perform efficiently for this use case, especially for deeper levels of connection searching.
B) Use Amazon Neptune to store the datasets with edges and vertices. Query the data to find connections.
- Reasoning: Amazon Neptune is a fully managed graph database designed for handling highly connected data, such as relationships between user profiles and connections. Neptune supports graph query languages like Gremlin and SPARQL, which are specifically designed for efficiently querying relationships, including many-to-many and recursive connections. This makes Neptune ideal for querying mutual connections up to five levels, as it can quickly traverse graph data and compute the required connections.
- Justification: Graph databases like Neptune are optimized for handling complex relationships and can provide high performance for querying multiple levels of connections. For this scenario, where you need to find mutual connections in a graph-like structure (user profiles and connections), Neptune is the most efficient and scala...
Author: FlamePhoenix2025 · Last updated Apr 16, 2026
A company needs a secure connection between its on-premises environment and AWS. This connection does not need high bandwidth and will handle a small amount of traffic. The connection should be set up q...
To establish a secure connection between the on-premises environment and AWS, given that the connection does not need high bandwidth and will handle a small amount of traffic, it is important to select the most cost-effective and quick-to-implement solution.
Let's evaluate each option:
A) Implement a client VPN
- Reasoning: A client VPN is typically used for individual client devices to securely connect to AWS resources. It is not designed for an entire on-premises network and may require additional configuration for secure network-to-cloud communications. While it could technically provide a secure connection, it is more suited for remote access for individual users rather than a secure connection between the on-premises environment and AWS.
- Rejected: This option is more relevant to individual users and not to on-premises-to-cloud connections.
B) Implement AWS Direct Connect
- Reasoning: AWS Direct Connect establishes a dedicated network connection between the on-premises data center and AWS, providing high throughput, low latency, and highly reliable connectivity. However, it requires setting up a physical dedicated connection, and it is a more complex and expensive solution that is best suited for high-bandwidth or critical applications where low latency is important.
- Rejected: It is unnecessary for a low-traffic, small-bandwidth scenario as it comes with higher costs, longer setup times, and complexity that isn’t needed here.
...
Author: Aarav2020 · Last updated Apr 16, 2026
A company has an on-premises SFTP file transfer solution. The company is migrating to the AWS Cloud to scale the file transfer solution and to optimize costs by using Amazon S3. The company's employees will use their credentials for the on-premises Microsoft Active Directory (AD) to access the new solution. The company wants to k...
To meet the company's requirements of migrating to AWS, scaling the file transfer solution, optimizing costs with Amazon S3, and maintaining the use of on-premises Microsoft Active Directory (AD) credentials for authentication, let's evaluate the options based on operational overhead, ease of implementation, and cost-effectiveness.
A) Configure an S3 File Gateway. Create SMB file shares on the file gateway that use the existing Active Directory to authenticate.
- Reasoning: The S3 File Gateway provides an on-premises solution for file-based applications to access S3. However, it primarily supports NFS and SMB file shares and integrates with Active Directory for authentication. While this can be used to connect the on-premises environment with Amazon S3, the solution is more suited for hybrid environments, not entirely cloud-based scenarios. Additionally, managing file shares through the gateway adds extra operational overhead compared to fully cloud-native solutions.
- Rejected: This option introduces more complexity and is not as well-suited for a full migration to AWS.
B) Configure an Auto Scaling group with Amazon EC2 instances to run an SFTP solution. Configure the group to scale up at 60% CPU utilization.
- Reasoning: This solution involves running a custom SFTP server on EC2 instances that auto-scale based on CPU utilization. While it can scale, this option requires significant manual management for EC2 instance configuration, scaling policies, and ensuring high availability. The operational overhead is higher because the company would need to manage EC2 instances, security, scaling, and SFTP configurations.
- Rejected: This introduces a high level of operational overhead, which the company is looking to avoid, especially when simpler, managed solutions exist.
C) Create an AWS Transfer Family server with SFTP endpoints. Choose the AWS Directory Service option as the identity provider. Use AD Connector to connect the on-premises Active Directory.
- Re...
Author: Zain · Last updated Apr 16, 2026
A company is designing an event-driven order processing system. Each order requires multiple validation steps after the order is created. An idempotent AWS Lambda function performs each validation step. Each validation step is independent from the other validation steps. Individual validation steps need only a subset of the order event information.
The company wants to ensure that each validation step Lambda function has access to only the information from th...
Evaluation of the Options:
A) Create an Amazon Simple Queue Service (Amazon SQS) queue for each validation step. Create a new Lambda function to transform the order data to the format that each validation step requires and to publish the messages to the appropriate SQS queues. Subscribe each validation step Lambda function to its corresponding SQS queue.
- Reasoning: This approach ensures that each validation step is decoupled by using separate SQS queues. The Lambda function that transforms the order data to the required format for each validation step adds complexity but allows each validation step to receive only the information it needs. However, the transformation Lambda function would need to perform the work of filtering and transforming the event before publishing it to the appropriate SQS queues.
- Rejected: This solution introduces additional complexity due to the need for a transformation Lambda function and separate SQS queues. While it provides decoupling, it may not be the most efficient approach for this particular use case, especially considering that the validation steps are idempotent and independent. This also could lead to more operational overhead.
B) Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the validation step Lambda functions to the SNS topic. Use message body filtering to send only the required data to each subscribed Lambda function.
- Reasoning: Using SNS would allow easy distribution of the order event to multiple Lambda functions, and message body filtering can ensure that only relevant data is sent to each Lambda function. This meets the requirement of ensuring that each validation step Lambda function gets only the information it needs.
- Strengths: SNS provides decoupling and the ability to filter messages at the subscription level, making it flexible and scalable. The filtering mechanism ensures that each Lambda function receives only the required data.
- Rejected: While SNS is a good choice for decoupling, it introduces some complexities related to managing message filtering rules. Filtering is possible, but it may not be as granular and efficient as directly transforming the data via EventBridge or SQS.
C) Create an Amazon EventBridge event bus. Create an event rule for each validation step. Configure the input transformer to send only the required data to ...
Author: Emily · Last updated Apr 16, 2026
A company is migrating a three-tier application to AWS. The application requires a MySQL database. In the past, the application users reported poor application performance when creating new entries. These performance issues were caused by users generating different real-time reports from th...
Evaluation of the Options:
A) Import the data into an Amazon DynamoDB table with provisioned capacity. Refactor the application to use DynamoDB for reports.
- Reasoning: DynamoDB is a NoSQL database, and while it can offer excellent performance for certain workloads (especially key-value lookups), it would require significant application changes. The application would need to be refactored to use DynamoDB instead of MySQL. Moreover, MySQL-specific features like JOINs, complex queries, and relational data would not translate directly to DynamoDB, making this a challenging and resource-intensive approach.
- Rejected: This solution would require extensive refactoring of the application and is not a straightforward fit for an existing MySQL-based application. Additionally, using DynamoDB for reporting might not suit the company's existing relational database model, where SQL queries are integral to generating reports.
B) Create the database on a compute-optimized Amazon EC2 instance. Ensure compute resources exceed the on-premises database.
- Reasoning: This approach would provide more compute resources than the on-premises setup, but it doesn't address the issue of database scalability and load balancing, especially for real-time reporting and heavy read operations. Running the database on an EC2 instance is less efficient than using a managed database service like Amazon RDS or Amazon Aurora, as it requires manual database administration and scaling management.
- Rejected: This option adds complexity and operational overhead because EC2 instances need to be managed, and it doesn't scale as efficiently as a managed service like Aurora. Additionally, it doesn't address the read-heavy workload caused by reporting.
C) Create an Amazon Aurora MySQL Multi-AZ DB cluster with multiple read replicas. Configure the application to use the reader endpoint for reports.
- Reasoning: Amazon Aurora MySQL offers high availability and scalability. By configuring a Multi-AZ setup wit...
Author: Kunal · Last updated Apr 16, 2026
A company is expanding a secure on-premises network to the AWS Cloud by using an AWS Direct Connect connection. The on-premises network has no direct internet access. An application that runs on the on-premises network needs ...
Evaluation of the Options:
A) Create a public virtual interface (VIF). Route the AWS traffic over the public VIF.
- Reasoning: A public virtual interface (VIF) on AWS Direct Connect is used to access public AWS services, such as Amazon S3, over a private connection. However, this approach would expose the on-premises network to the internet, even though the on-premises network has no direct internet access. It would not be an ideal solution, as routing traffic over a public VIF could compromise the security and architecture of the network.
- Rejected: This option is not ideal since it exposes public internet access, which contradicts the requirement that the on-premises network has no direct internet access.
B) Create a VPC and a NAT gateway. Route the AWS traffic from the on-premises network to the NAT gateway.
- Reasoning: A NAT gateway would allow the on-premises network to access AWS services, but it involves additional complexity and cost, as the NAT gateway is used to route traffic from private subnets to the internet. This would not be the most cost-effective solution since the goal is to avoid unnecessary infrastructure and costs.
- Rejected: This solution introduces additional components (VPC, NAT gateway) that increase cost and complexity, making it less efficient for accessing Amazon S3 from the on-premises network.
C) Create a VPC and an Amazon S3 interface endpoint. Route the AWS traffic from the on-premises network to the S3 interface endpoint.
- Reasoning: An S3 interface endpoint provides private connectivity to Amazon S3 within a VPC, ensuring that traffic from the on-premises network to Amazon S3 stays within the AWS network. This is a highly secure and c...
Author: Harper · Last updated Apr 16, 2026
A company serves its website by using an Auto Scaling group of Amazon EC2 instances in a single AWS Region. The website does not require a database.
The company is expanding, and the company's engineering team deploys the website to a second Region. The company wants to distribute traffic across both Regions to accommodate growth and for disaster recovery purposes. The ...
To meet the requirements of distributing traffic across two Regions and ensuring that traffic is only routed to healthy instances, we need to focus on the ability to monitor health and perform intelligent routing across Regions.
Let’s analyze the options:
Option A: An Amazon Route 53 simple routing policy
- Explanation: The Simple Routing Policy is used to route traffic to a single resource, such as a single EC2 instance or a single load balancer. It doesn’t support multiple resources or Regions, nor does it have a built-in health-check mechanism to monitor multiple Regions.
- Reason for rejection: This option does not meet the requirement of distributing traffic across multiple Regions or monitoring the health of the website in both Regions.
- Key factor: Simple routing is for a single endpoint, making it unsuitable for multi-Region traffic distribution.
Option B: An Amazon Route 53 multivalue answer routing policy
- Explanation: The Multivalue Answer routing policy allows Route 53 to return multiple IP addresses for a query, and it can also perform health checks on the resources. If an EC2 instance is unhealthy, it won't be returned in the DNS response. This is useful for distributing traffic across multiple resources, such as EC2 instances in different Regions.
- Reason for selection: This option meets the requirement for distributing traffic across multiple Regions. It provides health checks and avoids sending traffic to unhealthy instances, making it ideal for disaster recovery scenarios.
- Key factor: The multivalue routing policy with health checks ensures traffic is only routed to healthy resources.
Option C: An Application Load Balancer i...
Author: Elijah · Last updated Apr 16, 2026
A company runs its applications on Amazon EC2 instances that are backed by Amazon Elastic Block Store (Amazon EBS). The EC2 instances run the most recent Amazon Linux release. The applications are experiencing availability issues when the company's employees store and retrieve files that are 25 GB or larger. The company needs a solution that does not require the company to transfer fil...
To meet the company's requirements of storing and retrieving large files (25 GB or larger), ensuring high availability across multiple EC2 instances and Availability Zones, and avoiding the need to transfer files between EC2 instances, we must consider solutions that offer centralized and scalable storage accessible by all EC2 instances in multiple Availability Zones.
Option A: Migrate all the files to an Amazon S3 bucket. Instruct the employees to access the files from the S3 bucket.
- Explanation: Amazon S3 is highly scalable and provides a durable, available, and cost-effective solution for storing large files. However, S3 is an object storage service, which may not be ideal for applications that require low-latency, file-system-like access to large files, especially in scenarios where frequent random access or small block-level operations are needed.
- Reason for rejection: While S3 is a good solution for large file storage, it might not provide the necessary performance or semantics required for certain applications that rely on file-system-based access, especially when files are large (25 GB or more) and are frequently accessed in this manner.
- Key factor: If the use case requires file system semantics (like random access to large files), S3 might not be the ideal choice.
Option B: Take a snapshot of the existing EBS volume. Mount the snapshot as an EBS volume across the EC2 instances. Instruct the employees to access the files from the EC2 instances.
- Explanation: EBS snapshots are designed for backup and disaster recovery, not for real-time file sharing between instances. Even though EBS snapshots can be created and restored across different EC2 instances, they do not allow direct mounting and concurrent access by multiple EC2 instances. EBS volumes are designed for attachment to a single EC2 instance at a time, with no built-in sharing capability between instances.
- Reason for rejection: This option does not meet the requirement for sharing large files across multiple EC2 instances. EBS volumes cannot be directly shared across multiple instances, and using a snapshot in this way would not provide the required availability and scalability.
- Key factor: EBS volumes cannot be mounted by multiple EC2 instances simultaneously in a way that allows them to access the same data.
Option C: Mount an Amaz...
Author: Sophia · Last updated Apr 16, 2026
A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest.
Which solution should a solutio...
To meet the compliance requirements of encrypting all Personally Identifiable Information (PII) at rest with the least amount of changes to the existing infrastructure, the solution must focus on minimal disruption and leveraging AWS services that are already integrated and designed for this type of encryption.
Let’s analyze each option:
Option A: Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database volume.
- Explanation: AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates, primarily for securing network communication (like HTTPS) rather than for encrypting data at rest. While ACM is great for managing certificates, it is not suitable for encrypting Amazon RDS database volumes or EBS volumes.
- Reason for rejection: ACM is used for transport encryption (in transit) rather than data-at-rest encryption. It does not meet the requirement to encrypt data at rest.
- Key factor: ACM is for encryption in transit, not for at-rest data encryption.
Option B: Deploy AWS CloudHSM, generate encryption keys, and use the keys to encrypt database volumes.
- Explanation: AWS CloudHSM provides hardware security modules (HSMs) to manage cryptographic keys. While CloudHSM is a valid solution for key management, it requires additional configuration and management, as well as modifying how encryption is handled for both EC2 instances and RDS databases.
- Reason for rejection: This approach introduces more complexity by requiring the management of HSMs and manual integration with encryption mechanisms. It also requires significant changes to the infrastructure and processes, which contradicts the goal of minimizing changes.
- Key factor: CloudHSM is more suited for scenarios that need specialized, highly controlled key management, and it adds complexity that is unnecessary when simpler solutions are available.
Option C: Configure SSL encryption using AWS Key Ma...
Author: GlowingTiger · Last updated Apr 16, 2026
A company runs an AWS Lambda function in private subnets in a VPC. The subnets have a default route to the internet through an Amazon EC2 NAT instance. The Lambda function processes input data and saves its output as an object to Amazon S3.
Intermittently, the Lambda function times out while trying to upload the object because of saturated traffi...
To address the issue where the AWS Lambda function times out when uploading objects to Amazon S3 due to traffic saturation on the NAT instance's network, the company needs a solution that allows the Lambda function to access Amazon S3 directly without routing traffic through the internet. Let's evaluate each option:
Option A: Replace the EC2 NAT instance with an AWS managed NAT gateway.
- Explanation: AWS NAT Gateway is a managed service designed to handle outbound internet traffic from private subnets. While a NAT Gateway offers scalability and higher throughput than an EC2 NAT instance, it still requires traffic to traverse the internet to access services like S3.
- Reason for rejection: This solution doesn't resolve the issue of accessing Amazon S3 without traversing the internet, as the traffic would still route through the NAT Gateway, which is still subject to internet routing and congestion.
- Key factor: The requirement is to avoid internet traffic to S3, and NAT Gateway still involves internet traffic routing.
Option B: Increase the size of the EC2 NAT instance in the VPC to a network-optimized instance type.
- Explanation: Increasing the size of the EC2 NAT instance can improve the network throughput and mitigate the current issue of traffic saturation. However, this still relies on the traffic traversing the internet and does not fully address the need to access S3 without internet involvement.
- Reason for rejection: While this might reduce the likelihood of timeouts, it still doesn't meet the requirement of avoiding internet traffic for accessing Amazon S3. Scaling the NAT instance introduces operational complexity and additional costs.
- Key factor: The core issue is the dependency on internet routing, which is not eliminated by simply scaling the NAT instance.
Option C: Provision a gateway endpoint for Amazon S3 in the VPC. Update the route tables of the subnets accordingly.
- Ex...
Author: Noah · Last updated Apr 16, 2026
A news company that has reporters all over the world is hosting its broadcast system on AWS. The reporters send live broadcasts to the broadcast system. The reporters use software on their phones to send live streams through the Real Time Messaging Protocol (RTMP).
A solutions architect must design a solution that gives the reporters the ability to send the highest quality ...
To design a solution that allows reporters worldwide to send live broadcasts using RTMP while ensuring high-quality streams and accelerated TCP connections, let's evaluate the options based on the requirements:
Option A: Amazon CloudFront
- Explanation: Amazon CloudFront is a Content Delivery Network (CDN) that primarily serves static and dynamic content to users with low latency and high transfer speeds. It accelerates content delivery by caching content at edge locations worldwide.
- Reason for rejection: CloudFront is typically used for caching content at edge locations, but it does not optimize TCP connections for live streaming or RTMP traffic. While CloudFront can be used to distribute content, it is not ideal for bidirectional communication like live streaming, which requires real-time, low-latency connectivity.
- Key factor: CloudFront is designed for content delivery, not for real-time, high-quality live streaming with accelerated TCP connections.
Option B: AWS Global Accelerator
- Explanation: AWS Global Accelerator is designed to improve the performance of applications by routing traffic over the AWS global network and optimizing TCP/UDP connections. It uses global edge locations to provide low-latency, high-performance connections for applications, including real-time communications such as live streaming.
- Reason for selection: Global Accelerator accelerates TCP traffic and routes it through the AWS global network, improving the performance and reliability of real-time traffic like RTMP streams. It provides an optimal path for data, reducing latency and packet loss, which is crucial for live broadcasting and streaming.
- Key factor: Global Accelerator is purpose-built for accelerating global TCP connections, making it ideal for use with live s...
Author: Emma · Last updated Apr 16, 2026
A company uses Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) to run its self-managed database. The company has 350 TB of data spread across all EBS volumes. The company takes daily EBS snapshots and keeps the snapshots for 1 month. The daily change rate is 5% of the EBS volumes.
Because of new regulations, the company needs to keep the monthly snapshots for 7 years. The company needs to change its backup s...
Analysis of Options:
1. A) Keep the daily snapshot in the EBS snapshot standard tier for 1 month. Copy the monthly snapshot to Amazon S3 Glacier Deep Archive with a 7-year retention period.
   - Pros:
     - Cost-effective for long-term retention, since S3 Glacier Deep Archive is the cheapest storage option for infrequently accessed data.
     - Scalable and highly durable solution for long-term backup needs.
     - Automated lifecycle management can transition snapshots to Glacier Deep Archive after 1 month.
   - Cons:
     - Daily snapshots remain in the EBS standard tier for 1 month, which might be more expensive than Glacier.
     - EBS snapshots are more expensive for long-term storage in the standard tier.
     - Restoring data from Glacier Deep Archive is slower than restoring from EBS snapshots.
   - Suitability:
     - Best for long-term, cost-effective storage when speed of access to backups is not a high priority.
     - Suitable for regulatory compliance requiring long retention periods.
2. B) Continue with the current EBS snapshot policy. Add a new policy to move the monthly snapshot to Amazon EBS Snapshots Archive with a 7-year retention period.
   - Pros:
     - EBS Snapshots Archive is designed for long-term retention with low retrieval costs and faster retrieval than Glacier.
     - Easy management of EBS snapshots and lifecycle policies.
   - Cons:
     - EBS Snapshots Archive might be more expensive than S3 Glacier Deep Archive for storing backups for long periods.
     - Storage costs could accumulate because of the high volume (350 TB), particularly if the snapshots are retained for 7 years.
     - Does not use the cheapest storage option available, which is Glacier Deep Archive.
   - Suitability:
     - Good option if you prefer to stick with EBS snapshots but still need cost-effective long-term storage for regulatory compliance.
     - Not the most cost-efficient when considering price and performance.
3. C) Keep the daily snapshot in the EBS snapshot standard tier for 1 month. Keep the monthly snapshot in the standard tier for 7 years. Use incremental snapshots.
   - Pros:
     - Incremental snapshots reduce storage costs because only the changes are stored after the initial snapshot.
     - Simple solution for backups using EBS snapshots, keeping everything in the standard tier for long rete...
Author: Maya · Last updated Apr 16, 2026
A company runs an application on several Amazon EC2 instances that store persistent data on an Amazon Elastic File System (Amazon EFS) file system. The company needs to replicate the data to another AWS Region by using an AW...
Analysis of Options:
1. A) Use the EFS-to-EFS backup solution to replicate the data to an EFS file system in another Region.
   - Pros:
     - Fully managed solution by AWS, which makes it simple to implement with minimal administrative overhead.
     - The EFS-to-EFS backup solution is designed specifically for replicating data between Amazon EFS file systems in different Regions, ensuring consistency and reliability.
     - Cost-effective compared to custom solutions like scripts or VPC peering, because it uses built-in AWS services optimized for this task.
   - Cons:
     - Limited to EFS as the target, so it is only suitable for use cases where data is stored in EFS.
     - Additional cost for replication, but still more cost-effective than custom scripts or complex solutions.
   - Suitability:
     - Best suited for replicating EFS data to another AWS Region using a managed AWS solution.
2. B) Run a nightly script to copy data from the EFS file system to an Amazon S3 bucket. Enable S3 Cross-Region Replication on the S3 bucket.
   - Pros:
     - S3 Cross-Region Replication is highly reliable and cost-effective for storing data in multiple Regions.
     - S3 is highly durable and provides low-latency access for recovery.
   - Cons:
     - Manual effort is required to create and maintain the nightly script that copies data from EFS to S3.
     - Not a native solution for EFS replication, which means managing the complexity of syncing files between EFS and S3.
     - S3 Cross-Region Replication can add latency and costs associated with replication and storage.
   - Suitability:
     - Not the most efficient for EFS-specific use cases, as it is a more generalized approach to file backup and replication across services.
     - Good if the application requires backup to S3, but not optimal for EFS-specific data replication.
3. C) Create a VPC in another Region. Establish a cross-Region VPC peer. Run a nightly rsync to copy data from the original Region to the new Region.
   - Pros:
     - Can serve as a custom solution for replicating EFS data between Regions.
     - Low-cost networking once the VPC peering is set up.
   - Cons:
     - Manual effort to set up and maintain the VPC peering and the rsync process.
     -...
Author: CrimsonViperX · Last updated Apr 16, 2026
An ecommerce company is migrating its on-premises workload to the AWS Cloud. The workload currently consists of a web application and a backend Microsoft SQL database for storage.
The company expects a high volume of customers during a promotional event. The new infrastructure in the AWS Clou...
Analysis of Options:
1. A) Migrate the web application to two Amazon EC2 instances across two Availability Zones behind an Application Load Balancer. Migrate the database to Amazon RDS for Microsoft SQL Server with read replicas in both Availability Zones.
   - Pros:
     - Highly available web application with EC2 instances spread across two Availability Zones (AZs).
     - RDS for Microsoft SQL Server offers managed-service benefits, including automatic backups, patching, and scaling.
     - Read replicas in different AZs help offload read-heavy database traffic, improving application performance during high-traffic events.
   - Cons:
     - Read replicas in RDS are primarily for read-heavy workloads and won't help with write scalability during heavy traffic.
     - RDS does not automatically replicate writes across multiple AZs unless Multi-AZ deployment is used, which this option does not specify for the database.
   - Suitability:
     - Suitable for read-heavy applications, but might not handle high-volume write traffic optimally without further configuration.
2. B) Migrate the web application to an Amazon EC2 instance that runs in an Auto Scaling group across two Availability Zones behind an Application Load Balancer. Migrate the database to two EC2 instances across separate AWS Regions with database replication.
   - Pros:
     - EC2 Auto Scaling with an Application Load Balancer across AZs provides scalability for the web application.
     - Replication across Regions ensures geographic redundancy, improving global availability.
   - Cons:
     - Cross-Region replication introduces significant latency and higher cost for database replication.
     - Managing EC2 instances for the database adds complexity compared to using a managed service like Amazon RDS.
     - Higher administrative overhead for managing and maintaining EC2-based database instances.
   - Suitability:
     - Not the best choice for a workload requiring minimal administrative overhead, and the complexity of cross-Region replication may not be necessary for most use cases.
3. C) Migrate the web application to Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones behind an Application Load Balancer. Migrate the database to Amazon RDS with Multi-AZ deployment.
   - Pros:
     - EC2 Auto Scaling with an Application Load Balancer ensures scalability and availability for the web application.
     - Amazon RDS with Multi-AZ deployment automatically handles database failover and av...
Author: Sofia · Last updated Apr 16, 2026
A company has an on-premises business application that generates hundreds of files each day. These files are stored on an SMB file share and require a low-latency connection to the application servers. A new company policy states all application-generated files must be copied to AWS. There is already a VPN connection to AWS.
The application development team does not have time to make...
Analysis of Options:
1. A) Amazon Elastic File System (Amazon EFS)
   - Pros:
     - Managed file storage that is scalable and designed for cloud-native applications.
     - Supports the NFS protocol, which is suitable for Linux-based workloads and scalable file storage.
   - Cons:
     - SMB support is not natively available in Amazon EFS; it uses NFS, so the existing SMB-based application could not easily use EFS without a code change.
     - Latency concerns: EFS is designed to be scalable and accessible over the internet but may introduce higher latency for applications requiring low-latency connections.
   - Suitability:
     - Not the best fit for an SMB-based application, since EFS does not natively support the SMB protocol and would require application changes.
2. B) Amazon FSx for Windows File Server
   - Pros:
     - Fully managed Windows file system that supports the SMB protocol, making it an ideal solution for applications that use SMB file shares.
     - Provides low-latency access to file data and integrates seamlessly with Windows-based applications.
   - Cons:
     - Not as scalable as Amazon EFS for cloud-native workloads, although still highly suitable for SMB-based file storage.
   - Suitability:
     - This is the most appropriate solution because it allows the on-premises application to continue using the SMB protocol without modification. It provides low-latency access to files while also offering scalability and availability in the AWS Cloud.
3. C) AWS Snowball
   - Pros:
     - A physical device that helps transfer large amounts of data from on premises to AWS, especially when network bandwidth is insufficient for online transfers.
   - Cons:
     - Not a real-time solution. Snowball is a data transfer service rather than a file storage service.
...
Author: Elijah · Last updated Apr 16, 2026
A company has 15 employees. The company stores employee start dates in an Amazon DynamoDB table. The company wants to send an email message to each employee on the day of the employee's work anniversar...
Analysis of Options:
1. A) Create a script that scans the DynamoDB table and uses Amazon Simple Notification Service (Amazon SNS) to send email messages to employees when necessary. Use a cron job to run this script every day on an Amazon EC2 instance.
   - Pros:
     - Amazon SNS is a fully managed service for sending notifications, so sending emails would be straightforward.
   - Cons:
     - Operational overhead: running a cron job on an EC2 instance requires managing the EC2 instance, including monitoring, patching, and ensuring it runs reliably.
     - Scalability concerns: if the number of employees grows, scaling the EC2 instance and the cron job to handle the increased load can become challenging.
     - Inefficient resource use: EC2 instances are typically underused for such a small task and would introduce unnecessary costs.
   - Suitability: While it meets the requirements, this solution involves managing infrastructure (an EC2 instance), making it less operationally efficient.
2. B) Create a script that scans the DynamoDB table and uses Amazon Simple Queue Service (Amazon SQS) to send email messages to employees when necessary. Use a cron job to run this script every day on an Amazon EC2 instance.
   - Pros:
     - Amazon SQS can handle message queuing, which could be useful for decoupling the email-sending process.
   - Cons:
     - As with option A, the cron job on EC2 introduces unnecessary operational overhead.
     - SQS requires additional components (such as a consumer) to actually send the email notifications, adding complexity.
     - Inefficient use of EC2 for this task, as managing infrastructure and queues adds complexity without significant benefit.
   - Suitability: Overcomplicates the solution with SQS and EC2 when simpler solutions are available.
3. C) Create an AWS Lambda function that scans the DynamoDB table and uses Amazon Simple Notification Service (Amazon SNS) to send email messages to employees when necessary. Schedule this Lambda function to run every day.
   - Pros:
     - AWS Lambda is serverless, so there is no need to manage or scale infrastructure. It automatically scales wit...
Author: Ethan · Last updated Apr 16, 2026
A company's application is running on Amazon EC2 instances within an Auto Scaling group behind an Elastic Load Balancing (ELB) load balancer. Based on the application's history, the company anticipates a spike in traffic during a holiday each year. A solutions architect must design a strategy to ensure that the Auto Scaling ...
To design a strategy that ensures the Auto Scaling group proactively increases capacity to minimize performance impact during the anticipated traffic spike, we need to assess each option and its suitability for the problem at hand. Here are the key factors in the reasoning:
1. Traffic Spike Prediction: The application is expected to have an annual, predictable traffic spike during a holiday. This means we can anticipate when the demand will increase.
2. Proactive Scaling: We are interested in proactively scaling the Auto Scaling group in anticipation of the traffic spike, rather than reacting after performance degradation has already occurred.
Let's analyze each option:
A) Create an Amazon CloudWatch alarm to scale up the EC2 instances when CPU utilization exceeds 90%.
- Analysis: This option relies on detecting high CPU utilization to trigger scaling actions. While this might work in a reactive scenario, it is not proactive. By the time the CPU utilization exceeds 90%, the application might already experience performance degradation.
- Rejection: Since we want to proactively scale to avoid performance issues, this option is not ideal for the use case where traffic spikes are predictable.
B) Create a recurring scheduled action to scale up the Auto Scaling group before the expected period of peak demand.
- Analysis: This option leverages scheduled actions, which allow for proactive scaling based on a predictable time. Since the traffic spike is anticipated around a certain holiday, a scheduled action can be set to increase the capacity of the Auto Scaling group ahead of time to handle the increased traffic. This would ensure the application is ready to handle th...
Author: StarlightBear · Last updated Apr 16, 2026
A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases.
Which solu...
To implement password rotation for Amazon RDS for PostgreSQL databases with the least operational overhead, let’s analyze each option based on factors like ease of implementation, automation, and scalability:
A) Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
- Analysis: AWS Secrets Manager is designed specifically for managing sensitive information like database credentials, API keys, and other secrets. It offers built-in support for automatic password rotation, including integration with RDS to rotate the database password automatically. Secrets Manager can securely store and rotate passwords without the need for additional custom code or manual intervention. It provides seamless integration with RDS and automates both password management and rotation.
- Selection: This is the most optimal solution because it provides built-in automation and security with the least amount of manual effort, fully managing password rotation for the database.
B) Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
- Analysis: While AWS Systems Manager Parameter Store can be used to store passwords, it doesn’t natively support automatic password rotation for RDS. It requires custom configuration or additional solutions to rotate the password. Without native integration for RDS password rotation, it increases the complexity and operational overhead compared to Secrets Manager, which offers out-of-the-box rotation.
- Rejection: This option requires additional custom configurations and does not provide built-in password rotation, making it less efficient than Secrets Manager.
C) Store the password in AWS S...
Author: NightmareDragon2025 · Last updated Apr 16, 2026
A company runs its application on Oracle Database Enterprise Edition. The company needs to migrate the application and the database to AWS. The company can use the Bring Your Own License (BYOL) model while migrating to AWS. The application uses third-party database features that require privileged access.
A solu...
To determine the most cost-effective solution for migrating the application and Oracle Database to AWS while maintaining support for third-party database features that require privileged access, let’s assess each option:
A) Migrate the database to Amazon RDS for Oracle by using native tools. Replace the third-party features with AWS Lambda.
- Analysis: While migrating to Amazon RDS for Oracle may seem like a feasible option, Amazon RDS for Oracle has limitations regarding privileged access, which is required for the third-party features. Replacing those third-party features with AWS Lambda is not a direct replacement, as Lambda would not integrate seamlessly with the Oracle Database to handle the database-specific features. This would require significant changes to the application logic, adding to the complexity and cost.
- Rejection: This approach would require significant modifications to the application, making it more expensive and complex. Additionally, Lambda does not provide the same level of integration and support for privileged access, which is essential for the third-party features.
B) Migrate the database to Amazon RDS Custom for Oracle by using native tools. Customize the new database settings to support the third-party features.
- Analysis: Amazon RDS Custom for Oracle is a good fit because it allows more control over the underlying database, including support for privileged access and customization. This would enable the third-party features that require privileged access to function as needed. RDS Custom provides a balance between managed service benefits and the flexibility needed for these customizations.
- Selection: This option is cost-effective because it offers the flexibility needed to support third-party features, allows the use of the BYOL model, and still benefits from the managed services aspect of RDS (without the complexities of managing the database infrastructure directly). It's the best fit given the requirements.
C) Migrate the database to Amazon DynamoDB by using AWS Database Migration Service (AWS DMS). Customize the new d...
Author: Oliver · Last updated Apr 16, 2026
A large international university has deployed all of its compute services in the AWS Cloud. These services include Amazon EC2, Amazon RDS, and Amazon DynamoDB. The university currently relies on many custom scripts to back up its infrastructure. However, the university wants to centralize manage...
To meet the university's goal of centralizing and automating data backups for its AWS services (Amazon EC2, Amazon RDS, and Amazon DynamoDB), we need to assess each option based on factors like ease of management, integration with AWS services, and automation. Let’s analyze the options:
A) Use third-party backup software with an AWS Storage Gateway tape gateway virtual tape library.
- Analysis: While third-party backup software and AWS Storage Gateway can be used to back up data, this solution introduces complexity and potential operational overhead. It requires managing third-party software alongside AWS services, which does not align with the university’s goal of centralizing and automating backups using AWS native options. Additionally, the AWS Storage Gateway tape gateway is designed primarily for hybrid cloud environments and not specifically for native AWS services like EC2, RDS, or DynamoDB.
- Rejection: This option is not the best fit because it introduces complexity and relies on third-party software, which contradicts the goal of leveraging AWS native services for backup automation.
B) Use AWS Backup to configure and monitor all backups for the services in use.
- Analysis: AWS Backup is a fully managed backup service that integrates with many AWS services, including Amazon EC2, Amazon RDS, and Amazon DynamoDB. It allows you to centralize backup management, automate backup schedules, and ensure consistent backup policies across AWS resources. AWS Backup also supports backup monitoring and auditing, which is essential for compliance and operational oversight. It is a native AWS solution, which aligns perfectly with the university’s goal of automating and centralizing backup management.
- Selection: This is the most suitable option. AWS Backup is purpose-built for centralized backup management across multiple AWS services, offering automation and integration with a wide variety of AWS services. It meets the university’s requirements effectively with minimal operational overhead....
Author: Leo · Last updated Apr 16, 2026
A company wants to build a map of its IT infrastructure to identify and enforce policies on resources that pose security risks. The company's security team must be able to query data in the IT infrastructure map and quickly identify...
To meet the company's requirement of building a map of its IT infrastructure, identifying security risks, and querying the data with minimal operational overhead, we need to analyze each option based on the following factors:
1. Operational Overhead: How much management and maintenance is required for the solution.
2. Suitability for Graph-Based Data: The IT infrastructure map is essentially a graph of resources, so we need a database that can efficiently store and query graph-like data (e.g., relationships between resources).
3. Querying Complexity: The solution should allow efficient and easy querying, particularly to identify security risks in the infrastructure.
A) Use Amazon RDS to store the data. Use SQL to query the data to identify security risks.
- Analysis: Amazon RDS is a relational database service, which is optimized for structured data in tables. While it can store data in a structured format and support SQL queries, it is not ideal for graph-based data where relationships between resources need to be represented and queried efficiently. SQL can handle basic relationships, but it's not optimized for querying complex relationships like those found in an infrastructure map.
- Rejection: This option may work in some scenarios but would result in more complex queries and less efficient querying of relationships between resources. It's not the best fit for graph-like data in infrastructure mapping.
B) Use Amazon Neptune to store the data. Use SPARQL to query the data to identify security risks.
- Analysis: Amazon Neptune is a fully managed graph database that supports both the Property Graph and RDF (Resource Description Framework) models. It is designed specifically for storing and querying graph data, making it an ideal choice for mapping IT infrastructure and identifying relationships between resources. It supports SPARQL (for RDF data) and Gremlin (for Property Graph), both of which are optimized for querying graph relationships. This makes querying the infrastructure map for security risks highly efficient.
- Selection: This option is the most suitable for the...
Author: Leah · Last updated Apr 16, 2026
A large company wants to provide its globally located developers separate, limited size, managed PostgreSQL databases for development purposes. The databases will be low volume. The developers need the databases only when ...
Let's analyze each option for this scenario:
A) Give the developers the ability to launch separate Amazon Aurora instances. Set up a process to shut down Aurora instances at the end of the workday and to start Aurora instances at the beginning of the next workday.
- Pros: Aurora is a fully managed service, and developers can launch separate instances, which ensures they can have independent environments.
- Cons: Managing the startup and shutdown process is manual and introduces overhead. Aurora instances are relatively expensive compared to other PostgreSQL solutions, especially if you have to run them all the time, even though they're low volume.
- Why rejected: The need for manual or automated processes to start and stop instances adds complexity and doesn't inherently reduce costs since Aurora is designed for high availability and can incur significant operational costs even when idle. This will not meet the "cost-effectiveness" requirement.
B) Develop an AWS Service Catalog product that enforces size restrictions for launching Amazon Aurora instances. Give the developers access to launch the product when they need a development database.
- Pros: Service Catalog can enforce size restrictions, ensuring that the database instances are within the required capacity for low-volume usage.
- Cons: Like option A, this still involves using Amazon Aurora, which is not the most cost-effective choice for low-volume databases. While size restrictions can limit costs, it is still overkill for simple development purposes.
- Why rejected: It still involves the complexity and cost of running Aurora instances, which might be over-provisioned for the low-volume development needs.
C) Create an Amazon Aurora Serverless cluster. Develop an AWS Service Catalog product to launch databases in the cluster with the default capacity settings. Grant the developers access to the product.
- Pros: Aurora Serverless adjusts capacity dynamically, ...
Author: NebulaEagle11 · Last updated Apr 16, 2026
A company is building a web application that serves a content management system. The content management system runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances run in an Auto Scaling group across multiple Availability Zones. Users are constantly adding and updating files, blogs, and other website assets in the content management system.
A solutions archi...
Let's analyze each option for this scenario:
A) Update the EC2 user data in the Auto Scaling group lifecycle policy to copy the website assets from the EC2 instance that was launched most recently. Configure the ALB to make changes to the website assets only in the newest EC2 instance.
- Pros: EC2 instances would be updated with the latest assets based on the most recently launched instance, which might seem efficient.
- Cons: This introduces complexity as only the most recent EC2 instance is used to update the website assets. This method can create potential race conditions or lag between instances, and doesn't provide a consistent and immediate way to share assets across all instances. This approach could cause inconsistent content if different instances have different versions of assets.
- Why rejected: It is not ideal for shared content updates because it’s dependent on the launch order of EC2 instances and doesn’t ensure that all EC2 instances are immediately up-to-date with the website content.
B) Copy the website assets to an Amazon Elastic File System (Amazon EFS) file system. Configure each EC2 instance to mount the EFS file system locally. Configure the website hosting application to reference the website assets that are stored in the EFS file system.
- Pros: Amazon EFS provides a shared file system across all EC2 instances. EFS is highly available, scalable, and supports multiple EC2 instances accessing the same files concurrently, which is ideal for scenarios where you need to share content among multiple instances. It ensures that all EC2 instances access the most up-to-date version of the website assets.
- Cons: EFS is an additional service, and while it’s easy to set up and manage, it may introduce higher costs compared to other solutions like S3 or EBS. However, for shared, low-latency access to website assets across multiple EC2 instances, EFS is highly efficient.
- Why selected: EFS is designed for scenarios where multiple EC2 instances need to access a shared file system. It guarantees that all instances have up-to-date content with minimal lag, making it the best choice in this case.
C) Copy the website assets to an Amazon S3 bucket. Ensure that each EC2 instance downloads ...
Author: Ella · Last updated Apr 16, 2026
A company's web application consists of multiple Amazon EC2 instances that run behind an Application Load Balancer in a VPC. An Amazon RDS for MySQL DB instance contains the data. The company needs the ability to automatically detect and respond to suspicious or unexpected behavior in its AWS environment....
Let's evaluate each option based on the requirements of automatic detection and response to suspicious or unexpected behavior:
A) Use Amazon GuardDuty to perform threat detection. Configure Amazon EventBridge to filter for GuardDuty findings and to invoke an AWS Lambda function to adjust the AWS WAF rules.
- Pros: Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior. It integrates well with EventBridge to automatically respond to findings. The Lambda function can adjust the AWS WAF rules in real time based on GuardDuty's findings. GuardDuty provides a comprehensive detection solution, identifying threats like anomalous API calls, unusual network traffic, and compromised EC2 instances.
- Cons: There are no significant cons for this scenario, as GuardDuty is well-suited for detecting suspicious activities and integrates seamlessly with AWS services such as WAF and Lambda.
- Why selected: This solution provides continuous threat detection with automatic responses through EventBridge and Lambda. It complements the existing AWS WAF integration and offers a proactive, automated approach to detecting and responding to threats, making it the best choice for the company’s needs.
B) Use AWS Firewall Manager to perform threat detection. Configure Amazon EventBridge to filter for Firewall Manager findings and to invoke an AWS Lambda function to adjust the AWS WAF web ACL.
- Pros: AWS Firewall Manager is a service that simplifies managing firewall rules across multiple accounts and resources. It integrates well with AWS WAF, but it is primarily used to manage and enforce security policies rather than detecting specific threats.
- Cons: Firewall Manager is not specifically designed for threat detection; rather, it's a management tool. It works with WAF but does not perform real-time threat detection like GuardDuty. Therefore, it's less ideal for responding to unexpected or suspicious behavior as required in this scenario.
- Why rejected: Firewall Manager is more focused on managing security configurations, not on detecting threats or anomalies. GuardDuty is the better option for act...
Author: Ravi Patel · Last updated Apr 16, 2026
A company is planning to run a group of Amazon EC2 instances that connect to an Amazon Aurora database. The company has built an AWS CloudFormation template to deploy the EC2 instances and the Aurora DB cluster. The company wants to allow the instances to authenticate to the database in a secure way. The compan...
Let's analyze each option in terms of meeting the requirements for secure database authentication and minimizing operational effort:
A) Create a database user with a user name and password. Add parameters for the database user name and password to the CloudFormation template. Pass the parameters to the EC2 instances when the instances are launched.
- Pros: This approach would allow the EC2 instances to authenticate using a username and password.
- Cons: The main issue with this approach is that it still involves static credentials (username and password), which is against the goal of not maintaining static database credentials. The credentials would need to be stored somewhere, either in the CloudFormation template or passed in as parameters, which could be a security risk. Additionally, if credentials change, the entire template would need to be updated and redeployed.
- Why rejected: This option involves managing static credentials, which the company is trying to avoid, and it adds overhead in maintaining and updating credentials securely.
B) Create a database user with a user name and password. Store the user name and password in AWS Systems Manager Parameter Store. Configure the EC2 instances to retrieve the database credentials from Parameter Store.
- Pros: Storing credentials in AWS Systems Manager Parameter Store is more secure than directly hardcoding them in the CloudFormation template. Parameter Store can be encrypted, and access can be controlled using IAM roles. This approach reduces the operational overhead of managing static credentials manually.
- Cons: While this approach secures the credentials, it still involves managing static credentials (username and password). If credentials change, the EC2 instances would need to retrieve the updated credentials, which could add complexity. It also still requires the manual management of usernames and passwords.
- Why rejected: While it improves security compared to storing credentials directly in CloudFormation, it still relies on static database credentials, which is not the most secure solution.
C) Configure the DB cluster to use IAM ...
Author: Benjamin · Last updated Apr 16, 2026
A company wants to configure its Amazon CloudFront distribution to use SSL/TLS certificates. The company does not want to use the default domain name for the distribution. Instead, the company wants to use a different domain name for t...
Let's evaluate each option in terms of the requirements of using SSL/TLS certificates with CloudFront and avoiding additional costs:
A) Request an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-east-1 Region.
- Pros: Private certificates can be issued by ACM for internal use or for private resources, which are typically not for public-facing use.
- Cons: CloudFront requires the certificate to be a public certificate to serve content to the internet. Private certificates are not suitable for use with CloudFront for public-facing domain names.
- Why rejected: A private certificate is not appropriate for CloudFront, which requires a public certificate to serve SSL/TLS traffic to users on the internet.
B) Request an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-west-1 Region.
- Pros: This option would allow for a private certificate to be issued, potentially useful for internal applications.
- Cons: As with Option A, private certificates are not compatible with CloudFront for serving public SSL/TLS traffic.
- Why rejected: A private certificate is not usable with CloudFront for public SSL/TLS encryption, so this option does not meet the requirement.
C) Request an Amazon issued public certificate from AWS Certificate Manager (ACM) in the us-east-1 Region.
- Pros: A public certificate fr...
Author: GlowingTiger · Last updated Apr 16, 2026
A company creates operations data and stores the data in an Amazon S3 bucket. For the company's annual audit, an external consultant needs to access an annual report that is stored in the S3 bucket. The external consultant needs to access the report for 7 days.
The company must implement a solution to allow ...
Let's evaluate each option based on the requirements:
Option A: Create a new S3 bucket that is configured to host a public static website. Migrate the operations data to the new S3 bucket. Share the S3 website URL with the external consultant.
- Drawbacks:
- This option involves moving the data to a new S3 bucket, which introduces unnecessary overhead and additional complexity for a one-time audit.
- Hosting the S3 bucket as a public website increases the security risk, as it makes all the content within that bucket publicly accessible unless you implement additional access control mechanisms.
- This option does not restrict the external consultant's access to just the report and could expose more data than necessary.
- Use case: This approach is not ideal for this scenario because of the operational inefficiencies and potential security concerns.
Option B: Enable public access to the S3 bucket for 7 days. Remove access to the S3 bucket when the external consultant completes the audit.
- Drawbacks:
- Enabling public access to the entire S3 bucket can expose sensitive data to the internet, which could create security risks. The requirement is to give the consultant access only to a single report, not to everything in the bucket.
- The need to manually remove public access after 7 days introduces operational overhead and potential for human error.
- Use case: This approach is not secure and introduces unnecessary complexity. It's not recommended for temporary access to a single file.
Option C: Create a new IAM user that has access to the report in the S3 bucket. Provide the access keys to t...
Author: Kai99 · Last updated Apr 16, 2026
A company plans to run a high performance computing (HPC) workload on Amazon EC2 instances. The workload requires low-latency network performance and high network throughput with tightly co...
Let's evaluate each option based on the requirements:
Option A: Configure the EC2 instances to be part of a cluster placement group.
- Benefits:
- A cluster placement group is designed specifically for workloads that require low-latency and high throughput between instances.
- Instances in a cluster placement group are placed physically close to each other within a single Availability Zone, minimizing network latency and maximizing network performance.
- This configuration is perfect for high-performance computing (HPC) workloads that involve tight node-to-node communication.
- Use case: This is the ideal option for workloads that require low-latency network performance and high throughput, such as HPC applications. The instances in the cluster can communicate with minimal network delay, making this the best choice for the given requirements.
Option B: Launch the EC2 instances with Dedicated Instance type.
- Drawbacks:
- Dedicated Instances are instances that run on hardware dedicated to a single customer, but they don't offer the low-latency or high throughput capabilities required for tightly coupled communication.
- While Dedicated Instances ensure physical isolation, they do not improve network performance or enable the tight coupling between instances that are needed for HPC workloads.
- Use case: Dedicated Instances are better suited for workloads that require hardware isolation for compliance or licensing reasons, but they are not optimal for high-performance computing with tight node-to-node communication.
Option C: Launch the EC2 instances as Spot Instances.
- Drawbacks:
- Spot Instances can be interrupted by AWS with little no...
Author: Sofia2021 · Last updated Apr 16, 2026
A company has primary and secondary data centers that are 500 miles (804.7 km) apart and interconnected with high-speed fiber-optic cable. The company needs a highly available and secure network connection between its data centers and a VPC on AWS for a mission-critical workload. A soluti...
Let's evaluate each option based on the requirements of high availability, resiliency, and security for the network connection between the data centers and AWS.
Option A: Two AWS Direct Connect connections from the primary data center terminating at two Direct Connect locations on two separate devices
- Benefits:
- This setup involves two separate devices for Direct Connect at two different locations.
- It provides resiliency by ensuring that if one Direct Connect device or location fails, traffic can be rerouted to the other one.
- However, it lacks full geographic redundancy, as both connections are coming from the same data center (the primary data center). If the primary data center experiences an issue, both connections might go down, making this solution vulnerable to a single point of failure in that location.
- Drawbacks:
- Although this offers redundancy in terms of the devices and locations within the primary data center, it does not provide full geographic resilience between the primary and secondary data centers, which is critical for a mission-critical workload.
- Use case: This might be suitable in situations where the primary data center is expected to handle all traffic and any failure will be mitigated within that data center. However, for true resilience across geographically separated data centers, this option is not optimal.
Option B: A single AWS Direct Connect connection from each of the primary and secondary data centers terminating at one Direct Connect location on the same device
- Drawbacks:
- This setup creates a single point of failure at the Direct Connect location and device. If the device or location fails, all traffic from both data centers would be disrupted.
- There is no redundancy in either the data center or the device, and there is no geographic diversity to prevent service disruptions in case of a failure at either data center or the Direct Connect location.
- Use case: This is not an ideal solution for a mission-critical workload because it does not offer resiliency, particularly given the reliance on a single device and locatio...
Author: Isabella · Last updated Apr 16, 2026
A company runs several Amazon RDS for Oracle On-Demand DB instances that have high utilization. The RDS DB instances run in member accounts that are in an organization in AWS Organizations.
The company's finance team has access to the organization's management account and member accounts. The finance team wants...
Let's evaluate each option to determine which will help the finance team optimize costs for their Amazon RDS for Oracle On-Demand DB instances:
Option A: Use the Trusted Advisor recommendations in the management account.
- Benefits:
- The management account in AWS Organizations has access to AWS Trusted Advisor for all linked accounts in the organization.
- You can view Trusted Advisor recommendations across the entire organization from the management account, which provides a unified view of all accounts’ resources and optimizations.
- Use case: This option is highly suitable because the finance team can access all recommendations from a single point (the management account) and optimize costs across the organization's accounts, including the ones with high utilization.
Option B: Use the Trusted Advisor recommendations in the member accounts where the RDS DB instances are running.
- Drawbacks:
- Trusted Advisor checks in individual member accounts are typically restricted to that account's resources. To optimize costs for RDS DB instances across the organization, accessing Trusted Advisor through the management account (which aggregates recommendations for all accounts) is a more efficient option.
- If you use individual member accounts, you would need to check each member account individually for recommendations, which can be inefficient.
- Use case: This option might be helpful if the finance team only wants to optimize costs in a specific member account, but for organization-wide optimization, it is more practical to use the management account (Option A).
Option C: Review the Trusted Advisor checks for Amazon RDS Reserved Instance Optimization.
- Benefits:
- The RDS Reserved Instance Optimization check in Trusted Advisor specifically helps identify opportunities for optimizing costs related to RDS Reserved Instances.
- It checks if there are underutilized Reserved Instances or if instances could be converted to Reserved Instances for cost savings.
- Use case: This option is directly relevant because the company i...
Author: Arjun · Last updated Apr 16, 2026
A solutions architect is creating an application. The application will run on Amazon EC2 instances in private subnets across multiple Availability Zones in a VPC. The EC2 instances will frequently access large files that contain confidential information. These files are stored in Amazon S3 buckets for processing. The solutions archite...
Let's evaluate the options based on the requirement to optimize network architecture and minimize data transfer costs for EC2 instances accessing large files in S3, while keeping the instances in private subnets.
Option A: Create a gateway endpoint for Amazon S3 in the VPC. In the route tables for the private subnets, add an entry for the gateway endpoint.
- Benefits:
- A gateway endpoint is a private connection between the VPC and Amazon S3 that allows traffic to flow directly from the private subnets to S3 without traversing the public internet.
- This eliminates data transfer charges associated with traffic leaving the VPC to access Amazon S3 via the internet (e.g., through a NAT gateway).
- It is highly cost-effective because the data stays within the AWS network, and there is no charge for data transfer between VPCs and S3 if the traffic stays within the same region.
- It is the best practice for private subnet architectures where EC2 instances need to access S3 securely without the need for public IPs or NAT gateways.
- Use case: This is the most optimal solution as it directly addresses the requirement to minimize data transfer costs and is designed to work within private subnets. It avoids using the internet or NAT for accessing S3, which would incur unnecessary data transfer fees.
Option B: Create a single NAT gateway in a public subnet. In the route tables for the private subnets, add a default route that points to the NAT gateway.
- Drawbacks:
- A NAT gateway allows instances in private subnets to access the internet for things like software updates, external API calls, or S3 access. However, using a NAT gateway for accessing S3 would incur additional data transfer costs, as traffic to and from S3 would go over the internet (even if it's within the same region).
- Data transfer costs are higher when traffic goes through a NAT gateway because it's routing traffic out of the private subnet to the internet, then back into AWS. This solution is less optimal in terms of cost optimization.
- Use case: While this solution allows access to S3, it increases data transfer costs and is not the ...
Author: NightmareDragon2025 · Last updated Apr 16, 2026
A company wants to relocate its on-premises MySQL database to AWS. The database accepts regular imports from a client-facing application, which causes a high volume of write operations. The company is concerned that the amount of traffic might be causing ...
When designing the architecture for relocating an on-premises MySQL database to AWS, the goal is to improve performance and reduce the impact of high write operations from the client-facing application. Below, we'll analyze each option to determine which is most appropriate.
A) Provision an Amazon RDS for MySQL DB instance with Provisioned IOPS SSD storage. Monitor write operation metrics by using Amazon CloudWatch. Adjust the provisioned IOPS if necessary.
- Why this option might work: Amazon RDS with Provisioned IOPS (SSD) provides high-performance storage for database workloads with a focus on low-latency, high-throughput performance for read and write operations. This option is particularly suited to workloads with high write traffic because it ensures faster and more consistent performance during heavy I/O operations.
- Why this might not be ideal: While provisioning IOPS SSD can help handle heavy write operations, it doesn't specifically address traffic bottlenecks related to reads. If the write operations are consistently heavy, this solution might still cause latency in the application if not properly managed.
B) Provision an Amazon RDS for MySQL DB instance with General Purpose SSD storage. Place an Amazon ElastiCache cluster in front of the DB instance. Configure the application to query ElastiCache instead.
- Why this option might work: This setup could help offload read-heavy traffic from the MySQL database to ElastiCache (in-memory caching), which would reduce the load on the MySQL instance and improve performance. This is particularly beneficial if the application has read-heavy patterns but still needs to handle the writes in MySQL. ElastiCache is great for caching frequent queries and can significantly improve response time by reducing the load on the database.
- Why this might not be ideal: Since the issue described in the problem is a high volume of write operations, using ElastiCache would only help with the read load and won't directly address the issue of write operations. For a solution focused specifically on handling high write traffic, the addition of ElastiCache may not fully mitigate the performance issues related to high write operations.
C) Provision an Amazon DocumentDB (with MongoDB compatibility) instance with a memory-optimized instance type. Monitor Amazon CloudWatch f...