Amazon Practice Questions, Discussions & Exam Topics by our Authors
A developer needs to deploy an application in three AWS Regions by using AWS CloudFormation. Each Region will use an AWS Elastic Beanstalk environment with an Application Load Balancer (ALB). The developer wants to use AWS Certificate ...
To address the requirements of deploying SSL certificates with Elastic Beanstalk environments and Application Load Balancers (ALBs) in multiple AWS Regions using AWS CloudFormation, let's evaluate each option:
A) Create a certificate in ACM in any one of the Regions. Import the certificate into the ALB that is in each Region.
- Analysis: AWS Certificate Manager (ACM) certificates are region-specific, and certificates created in one region cannot be directly imported to other regions. You would need to manually import certificates to each ALB in different regions. This method does not align with the requirement of automatically deploying certificates across multiple regions using CloudFormation.
- Why rejected: This approach is not efficient for managing certificates across multiple regions and requires manual intervention, which is against the goal of automation and simplicity.
B) Create a global certificate in ACM. Update the CloudFormation template to deploy the global certificate to each ALB.
- Analysis: ACM does not support global certificates for ALBs. Certificates created in ACM are tied to a specific region. A "global certificate" doesn’t exist in the context of ACM for this use case, and certificates cannot be directly used across multiple regions in the way suggested here.
- Why rejected: This approach is incorrect as ACM certificates cannot span across multiple regions and there is no concept of "global certificates" in this scenario.
C) Create a certificate in ACM in each Region. Import the certificate into the ALB for each Region.
- Analysis: This ...
Author: SilverBear · Last updated May 18, 2026
A company needs to deploy all its cloud resources by using AWS CloudFormation templates. A developer must create an Amazon Simple Notification Service (Amazon SNS) automatic notification to help enforce this rule. The developer creates an SNS topic and subscribes the email address of the company's security team to the SNS topic.
The security t...
To meet the requirement of notifying the security team whenever an IAM role is created outside of CloudFormation, we need an automated and efficient way to detect the event and trigger the notification. Let’s evaluate each option:
A) Create an AWS Lambda function to filter events from CloudTrail if a role was created without CloudFormation. Configure the Lambda function to publish to the SNS topic. Create an Amazon EventBridge schedule to invoke the Lambda function every 15 minutes.
- Analysis: This option involves using Lambda to filter CloudTrail events, which is a valid solution for detecting IAM role creation outside CloudFormation. However, using EventBridge with a schedule to invoke Lambda every 15 minutes would not provide real-time notifications. This is because the events need to be checked periodically, which means a delay in receiving notifications.
- Why rejected: While this approach is functional, it introduces a delay in notifications due to the polling mechanism, which doesn’t align with the requirement of immediate notifications.
B) Create an AWS Fargate task in Amazon Elastic Container Service (Amazon ECS) to filter events from CloudTrail if a role was created without CloudFormation. Configure the Fargate task to publish to the SNS topic. Create an Amazon EventBridge schedule to run the Fargate task every 15 minutes.
- Analysis: This solution uses ECS with Fargate, which involves setting up a more complex infrastructure and a task to filter CloudTrail events. Like Option A, this approach uses a schedule to periodically check for events, resulting in a delay in notifications.
- Why rejected: While functional, this solution is unnecessarily complex, requires managing ECS tasks, and still introduces a delay in notifications. This also leads to higher operational overhead compared to the simpler solution using E...
Author: Ming · Last updated May 18, 2026
A company is adopting serverless computing for some of its new services. A development team needs to create a serverless infrastructure by using AWS Serverless Application Model (AWS SAM). All infrastructure must be deployed by us...
To meet the requirements of adopting serverless computing with AWS Serverless Application Model (AWS SAM) and deploying the infrastructure using AWS CloudFormation, let’s evaluate each option.
A) Add a Resources section to the CloudFormation templates that contains AWS::Lambda::Function resources.
- Analysis: This option is focused on creating specific Lambda resources within a CloudFormation template. While Lambda functions are a core component of serverless applications, it does not directly address the use of AWS SAM, which provides higher-level abstractions for defining serverless components like Lambda, APIs, and more.
- Why rejected: While this is a valid approach for defining Lambda functions, it doesn't take advantage of the AWS SAM framework and syntax, which is designed to simplify serverless application deployment by abstracting away repetitive boilerplate code.
B) Add a Mappings section to the CloudFormation templates that contains AWS::Serverless::Function and AWS::Serverless::API.
- Analysis: The Mappings section in CloudFormation templates is typically used to define key-value pairs for region-specific or environment-specific values, not for defining AWS SAM resources like `AWS::Serverless::Function` or `AWS::Serverless::API`. This would not be an appropriate way to define serverless resources in a CloudFormation template.
- Why rejected: The Mappings section is not intended for the declaration of serverless resources. Instead, the AWS SAM framework provides a special syntax to simplify defining these resources. Using Mappings for serverless resources is not correct.
C) Add a Transform section to the CloudFormation templates. Use ...
Author: Vikram · Last updated May 18, 2026
A developer is building an application that invokes AWS Lambda functions asynchronously to process events. The developer notices that a Lambda function fails to process some events at random times. The developer needs to investigate the failed events and...
To meet the requirement of capturing failed events when an AWS Lambda function fails to process them asynchronously, let’s review each option:
A) Add an Amazon EventBridge rule for the Lambda function. Configure the EventBridge rule to react to failed events and to store the events in an Amazon DynamoDB table.
- Analysis: EventBridge can capture a variety of events, including Lambda function failures. However, configuring EventBridge directly to capture failed Lambda events is not the most straightforward or recommended solution for this use case. DynamoDB would also not be ideal for this scenario since it is designed for key-value storage, and managing failure logs in it could require extra effort and unnecessary complexity.
- Why rejected: While EventBridge can capture events, using it for logging Lambda failures in DynamoDB adds unnecessary complexity and isn't the typical use case for Lambda failures. There is a more suitable solution for handling Lambda function failures with minimal setup.
B) Configure the Lambda function with a dead-letter queue based in Amazon Kinesis. Update the Lambda function's execution role with the required permissions.
- Analysis: While Kinesis can be used to stream data, it is not the most appropriate service for a dead-letter queue (DLQ) in this context. A dead-letter queue is typically used to store failed messages, and SQS is a more straightforward and appropriate choice for this purpose. Kinesis is more suited for continuous streaming and processing of large volumes of data, not specifically for handling Lambda failures.
- Why rejected: Kinesis is over-complicated for this use case, and using it as a DLQ introduces unnecessary complexity compared to using a simpler, dedicated service like SQS.
C) Configure the Lambda function with an Amazon Simple Queue Ser...
Author: Emily · Last updated May 18, 2026
A company has built a serverless application for its ecommerce website. The application includes a REST API in Amazon API Gateway that invokes an AWS Lambda function. The Lambda function processes data and stores the data in an Amazon DynamoDB table. The Lambda function calls a third-party stock application API to process the order. After the order is processed, the Lambda function returns an HTTP 200 status code with no body to the client.
During peak usage when the API calls exceed a certain threshold, the third-par...
To address the scenario, we need to design a solution that avoids overwhelming the third-party stock application, especially during peak usage. This implies that we need to introduce an approach that can handle backpressure and allow for throttling of requests to the stock application without losing any data. Let’s evaluate each option and consider which one best fits the use case:
Option A: Configure the REST API in API Gateway to write the requests directly into DynamoDB. Configure a DynamoDB intrinsic function to perform the transformation. Set up a DynamoDB stream to call the third-party stock application API with each new row. Delete the Lambda function.
- Pros: DynamoDB streams are useful for triggering actions based on changes to DynamoDB tables. This approach allows for some asynchronous processing, where the Lambda function can be triggered by changes in the database.
- Cons: This approach does not help with throttling or limiting requests to the third-party stock application. It may still lead to overwhelming the stock API during peak times since there is no mechanism in place to control the rate of requests being made.
- Best Use Case: This approach could be useful if DynamoDB was the main source of truth for data and if the goal was simply to process data changes asynchronously, but it is not ideal for handling traffic spikes to a third-party API.
Option B: Configure the REST API in API Gateway to write the requests directly into an Amazon Simple Queue Service (Amazon SQS) queue. Configure the Lambda function with a reserved concurrency equal to the third-party stock application's threshold. Set Lambda function to process the messages from the SQS queue.
- Pros: SQS is a reliable message queue that can buffer requests, allowing them to be processed at a manageable rate. The Lambda function can be configured with reserved concurrency to limit the number of concurrent invocations, which prevents overwhelming the stock API. This solution ensures that the third-party stock application is not bombarded with requests beyond its capacity.
- Cons: Requires setting up the queue, Lambda function, and managing concurrency, but these are manageable tasks. No major drawbacks, as it fits the requirement of rate-limiting requests.
- Best Use Case: This is a perfect use case for preventing overloading of a third-party service by using backpressure and controlled processing. It’s also ideal for decoupling the API calls from the Lambda function’s execution.
Op...
Author: Aria · Last updated May 18, 2026
A company hosts its application on AWS. The application runs on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The cluster runs behind an Application Load Balancer. The application stores data in an Amazon Aurora database. A developer encrypts and manages database credentials inside the application.
The company wants to use a more s...
To address the company's requirement of securing database credentials with periodic rotation and minimizing operational overhead, let's evaluate each option based on its functionality, integration with other AWS services, and ease of use.
Option A: Migrate the secret credentials to Amazon RDS parameter groups. Encrypt the parameter by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant AWS KMS permissions to access Amazon RDS.
- Pros: Amazon RDS parameter groups are useful for setting configuration options for RDS instances, including database passwords. They can be encrypted with KMS and integrated with IAM policies.
- Cons: RDS parameter groups are not designed for credential management or rotation. While they offer encryption with KMS, they do not provide built-in support for automatic credential rotation like AWS Secrets Manager. This means that manual rotation would be required, increasing operational overhead.
- Best Use Case: This option would be suitable for managing RDS configuration settings but not for managing secure application credentials with automatic rotation.
Option B: Migrate the credentials to AWS Systems Manager Parameter Store. Encrypt the parameter by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use IAM policies and roles to grant Amazon ECS Fargate permissions to access AWS Secrets Manager.
- Pros: AWS Systems Manager Parameter Store is designed to store configuration and secrets securely. It supports encryption with KMS and is easy to integrate with ECS.
- Cons: Parameter Store supports parameter versioning, but it does not have built-in automatic secret rotation like AWS Secrets Manager. Rotation would need to be managed separately.
- Best Use Case: This option is useful for securely storing configuration data and credentials but would still require custom work for secret rotation, making it a bit more operationally intensive than using Secrets Manager.
Option C: Migrate the credentials to ECS Fargate environment variables. Encrypt the credentials by using an AWS Key Management Service (AWS KMS) key. Turn on secret rotation. Use ...
Author: Vivaan · Last updated May 18, 2026
A company has a mobile app. The app includes an Amazon API Gateway REST API that invokes AWS Lambda functions. The Lambda functions process data from the app.
The company needs to test updated Lambda functions that have new features. The company must conduct these tests with a subset of users before deployment. The...
Let's evaluate the options based on the requirements: testing updated Lambda functions with a subset of users before deployment, minimizing operational effort, and not affecting other users.
Option A: Create a new version of each Lambda function with a weighted alias. Configure a weight value for each version of the Lambda function. Update the new weighted alias Amazon Resource Name (ARN) in the REST API.
- Pros: Weighted aliases in AWS Lambda allow traffic to be split between different versions of a function. This allows for A/B testing or canary releases, where a certain percentage of traffic is routed to the updated version, and the rest goes to the stable version. This option is straightforward and integrates directly with API Gateway by specifying the version’s ARN.
- Cons: It requires some setup of Lambda versions and aliases, but once set up, it provides an efficient way to test new Lambda versions with minimal operational overhead. No need for additional services or complex configuration.
- Best Use Case: This is a perfect fit for testing new Lambda versions with minimal impact on other users. This solution allows for gradual deployment and testing without disrupting the entire user base.
Option B: Create a new REST API in API Gateway. Set up a Lambda proxy integration to connect to multiple Lambda functions. Enable canary settings on the deployment stage. Specify a smaller percentage of API traffic to go to the new version of the Lambda function.
- Pros: Canary deployments in API Gateway allow for testing new versions of the function with a subset of users, providing a controlled rollout. It can be set to route a specific percentage of traffic to the new version.
- Cons: Creating an entirely new REST API might introduce unnecessary complexity and operational overhead. You’d need to manage a separate API and ensure traffic routing between old and new APIs. This increases complexity without adding much value compared to using aliases.
- Best Use Case: Canary deployments are useful in this scenario, but creating a new API is unnecessary, and the added overhead makes it less ideal.
Option C: Creat...
Author: Maya · Last updated May 18, 2026
A developer works for a company that only has a single pre-production AWS account with an AWS CloudFormation AWS Serverless Application Model (AWS SAM) stack. The developer made changes to an existing AWS Lambda function specified in the AWS SAM template and additional Amazon Simple Notification Service (Amazon SNS) topics.
The developer wants to do a one-time deploy of the changes to test if the changes are working. The developer does ...
The main objective here is to test changes to the AWS SAM stack, including the Lambda function and SNS topics, without impacting the existing pre-production environment. The solution must also be quick, temporary, and not interfere with ongoing application usage by other team members.
Option A: Use the AWS SAM CLI to package and deploy the SAM application to the pre-production AWS account. Specify the debug parameter.
- Pros: The AWS SAM CLI allows you to quickly package and deploy changes. The `debug` parameter provides insights into deployment issues.
- Cons: Deploying directly to the pre-production account, even with debugging, can impact the existing application and other team members if the changes introduce conflicts or errors. This does not meet the requirement to avoid affecting the existing pre-production application.
- Best Use Case: This option is useful for debugging deployments but is not ideal for testing changes without impacting production resources.
Option B: Use the AWS SAM CLI to package and create a change set against the pre-production AWS account. Execute the change set in a new AWS account designated for a development environment.
- Pros: Using a change set ensures that only the intended changes will be deployed. Executing the change set in a separate development account isolates the test environment from the pre-production environment.
- Cons: This solution involves a bit more setup because it requires managing both the change set and a separate development AWS account. The additional step of creating and configuring a new account might introduce some overhead.
- Best Use Case: This approach works well if you want to test changes in a new environment without affecting the existing environment. However, managing a new AWS account just for one-time testing may be overkill for this case.
Option C: Use the AWS SAM CLI to package and deploy the SAM application to a new AWS ac...
Author: RadiantJaguar56 · Last updated May 18, 2026
A company built an online event platform. For each event, the company organizes quizzes and generates leaderboards that are based on the quiz scores. The company stores the leaderboard data in Amazon DynamoDB and retains the data for 30 days after an event is complete. The company then uses a scheduled job to delete the old leaderboard data.
The DynamoDB table is configured with a fixed write capacity. During the months when many events occur, the DynamoDB write API requests ar...
To meet the requirements of optimizing write throughput while efficiently deleting old leaderboard data in DynamoDB, let's evaluate each of the options based on their suitability for solving the issue of throttling during scheduled deletions:
Option A: Configure a TTL attribute for the leaderboard data.
- Pros: DynamoDB's Time-to-Live (TTL) feature automatically deletes items after a specified expiration time. By setting a TTL attribute, the leaderboard data can be automatically deleted 30 days after an event ends, without requiring manual intervention or additional resources. This solution ensures that data is deleted automatically, reducing the operational overhead and write capacity burden during scheduled deletions.
- Cons: There is a slight delay between the TTL expiration time and the actual deletion, depending on the internal process of DynamoDB. However, this delay is usually minimal and does not cause significant issues.
- Best Use Case: This option is the most efficient for automatically managing data retention without requiring additional jobs or manual deletions. It optimizes write throughput by preventing the need for heavy delete operations during peak times.
Option B: Use DynamoDB Streams to schedule and delete the leaderboard data.
- Pros: DynamoDB Streams allows for real-time tracking of changes to a table, and it could potentially trigger a Lambda function to handle deletions or other actions.
- Cons: While DynamoDB Streams is excellent for capturing changes to the table, using it to schedule and delete data introduces unnecessary complexity. It’s primarily designed for reacting to changes, not for automatic deletion of data after a fixed period. Additionally, managing deletes through streams would likely result in more operational overhead than simply using TTL, making it an overcomplicated solution.
- Best Use Case: DynamoDB Streams is great for real-time data replication or change tracking, but it is not ideal for scheduled deletions of data based on age.
Option ...
Author: VioletCheetah55 · Last updated May 18, 2026
A company uses an AWS Lambda function that reads messages from an Amazon Simple Queue Service (Amazon SQS) standard queue. The Lambda function makes an HTTP call to a third-party API for each message. The company wants to ensure that the Lambda function does not ove...
The goal is to ensure that the Lambda function does not overwhelm the third-party API with more than two concurrent requests. Let's analyze each option:
A) Configure a provisioned concurrency of two on the Lambda function.
Provisioned concurrency keeps a set number of Lambda execution environments initialized and ready to serve requests. It guarantees that two instances of the function are pre-initialized, but it does not cap how many invocations run at once while the function is processing messages from Amazon SQS, so it does not ensure that only two concurrent API calls are made to the third-party service. Hence, this option would not directly meet the requirement.
B) Configure a batch size of two on the Amazon SQS event source mapping for the Lambda function.
Configuring a batch size of two means that Lambda will process two messages from the SQS queue per invocation. This could lead to up to two concurrent HTTP requests to the third-party API, which still meets the requirement of limiting the number of concurrent requests to two. If only one message is in the queue, however, only one HTTP request will be sent, so this is not as flexible as the next option.
C) Configu...
Author: RadiantJaguar56 · Last updated May 18, 2026
A company is using Amazon API Gateway to develop an API for its application on AWS. A developer needs to test and generate API responses. Other teams are required to test the ...
To meet the requirements of testing and generating API responses quickly for other teams, let's analyze the options:
A) Set up a mock integration request in API Gateway. Configure the method's integration request and integration response to associate a response with a given status code.
This option is ideal for testing because a mock integration in API Gateway allows the developer to simulate responses for specific HTTP requests without needing to implement backend logic. The developer can define fixed responses, status codes, and body content, providing immediate feedback to the other teams for testing purposes. This solution meets the need for quick testing and response generation.
B) Set up the request validators in the API's OpenAPI definition file. Import the OpenAPI definitions into API Gateway to test the API.
Request validators are useful for validating incoming requests against defined models, but they are focused on ensuring that the request is well-formed. While important for input validation, they do not provide the functionality for generating mock responses or testing responses from the API, so they would not help in this scenario where the goal is to generate responses for testing.
C) Set up a gateway response for the API in API Gateway. Configure response headers with hardcoded HTTP...
Author: Samuel · Last updated May 18, 2026
A company is releasing a new feature. Users can request early access to the new feature by using an application form. The company expects a surge of requests when the application form becomes available. Each request will be stored as an item in an Amazon DynamoDB table.
Each item will contain the user's username, the submission date, and a validation status of UNVALIDATED, VALID, or NOT VALID. Each item also will contain the user's rating of the process on a scale of 1 to 5.
Each user can ...
To ensure that the workload is well-distributed across DynamoDB partitions, it’s important to select a partition key that has high cardinality and randomness. Let's analyze each option:
A) Username
Using the `username` as the partition key could lead to uneven distribution if many users have similar usernames or if there are highly active users who repeatedly request access. This could result in "hot" partitions, where a disproportionate number of requests are stored in a few partitions, affecting performance. Therefore, using `username` alone would not effectively distribute the data across partitions.
B) Submission date
The `submission date` would result in poor partition distribution because it would likely cause many items to be grouped together by date. For instance, a surge of requests on the same day would end up in the same partition, causing hotspots. If a large number of requests are submitted within a short time frame, this could lead to throttling and performance degradation.
C) Validation status
Using `validation status` as a partition key would not work well either, as there are only three possible values: `UNVALIDATED`, `VALID`, and `NOT VALID`. This has low cardinality and could lead to skewed partitioni...
Author: Mia · Last updated May 18, 2026
A developer is creating a publicly accessible enterprise website consisting of only static assets. The developer is hosting the website in Amazon S3 and serving the website to users through an Amazon CloudFront distribution. The users of this application must not be able to access the application content directly f...
To ensure that users can only access the content through Amazon CloudFront and not directly from the S3 bucket, the solution needs to prevent public access to the S3 bucket while still allowing CloudFront to serve the content. Let’s analyze each option in detail:
A) Create a new origin access control (OAC) in CloudFront. Configure the CloudFront distribution's origin to use the new OAC. Update the S3 bucket policy to allow CloudFront OAC with read and write access to access Amazon S3 as the origin.
This solution is the most secure and best practice approach. Origin Access Control (OAC) provides fine-grained access control and is designed to securely allow CloudFront to access the S3 bucket while preventing direct access to the bucket from users. CloudFront uses OAC to authenticate and access the content, ensuring no direct S3 access. This approach prevents any public access and keeps content only accessible via CloudFront. This option meets the requirements securely.
B) Update the S3 bucket settings. Enable the block all public access setting in Amazon S3. Configure the CloudFront distribution with Amazon S3 as the origin. Update the S3 bucket policy to allow CloudFront write access.
This approach would block all public access to the S3 bucket and configure CloudFront as the origin, which is a step in the right direction. However, allowing "write access" to CloudFront is unnecessary because CloudFront only needs read access to serve content. Moreover, this solution lacks explicit access control for CloudFront to securely access the S3 bucket. The approach could be made more secure by using OAC (Option A) rather than simply mo...
Author: Kai99 · Last updated May 18, 2026
A developer built an application that calls an external API to obtain data, processes the data, and saves the result to Amazon S3. The developer built a container image with all of the necessary dependencies to run the application as a container.
The application runs locally and requires minimal CPU and RAM resources. The developer has created an Amazon ECS cluster. The developer needs to run the ap...
In this scenario, the goal is to run the containerized application hourly with the least amount of infrastructure management overhead. Let's evaluate the options:
A) Add a capacity provider to manage instances.
A capacity provider is used to manage the scaling of EC2 instances in an ECS cluster. However, this requires more management overhead compared to serverless options. The developer would need to manage EC2 instances, monitor scaling, and ensure that resources are appropriately allocated, which could increase the operational complexity. This is not the best option if minimal infrastructure management is desired.
B) Add an Amazon EC2 instance that runs the application.
Running the application on an EC2 instance means that the developer would need to manage the EC2 instance, including scaling, patching, and monitoring. This option introduces more infrastructure management overhead because the developer would need to ensure that the EC2 instance is always available and has sufficient resources to handle the application. This is not ideal for minimal infrastructure management.
C) Define a task definition with an AWS Fargate launch type.
AWS Fargate is a serverless compute engine for containers that automatically manages the underlying infrastr...
Author: Sofia · Last updated May 18, 2026
A company runs its website on AWS. The company posts daily polls on its website and publishes the poll results the next day. The website stores user responses in an Amazon DynamoDB table. After the poll results are published, the company does not need to keep the user responses.
A developer needs to implement a solution that will automatically remove old user responses from the DynamoDB table. The developer adds a new expiration_date at...
Let's break down each option to determine which one meets the requirements with the least development effort:
Option A: Create an AWS Lambda function to delete old user responses based on the expiration_date attribute. Create an Amazon EventBridge schedule to run the Lambda function daily.
- Pros:
  - Lambda is easy to set up and does not require infrastructure management.
  - EventBridge can trigger the Lambda function on a scheduled basis.
  - Highly customizable and flexible.
- Cons:
  - Requires additional code to implement the deletion logic.
  - Involves managing a scheduled job via EventBridge.
- When to use: This is a reasonable solution, but it requires more effort than other options since you need to write code for Lambda, handle scheduling with EventBridge, and potentially monitor the Lambda function for errors.
Option B: Create an AWS Fargate task in Amazon Elastic Container Service (Amazon ECS) to delete old user responses based on the expiration_date attribute. Create an Amazon EventBridge schedule to run the Fargate task daily.
- Pros:
  - Fargate abstracts away the infrastructure management.
  - Suitable for running containerized tasks.
- Cons:
  - Overkill for a task that simply needs to delete old data from DynamoDB.
  - More complex setup (you would need to containerize the code, configure ECS, etc.).
  - Higher development and operational overhead compared to other options.
- When to use: This approach is better suited for more complex, containerized workloads, but it’s unnecessary for this straightforward data deletion task.
Option C: Create an AWS Glue job to delete old user respo...
Author: Sofia2021 · Last updated May 18, 2026
A developer is creating a simple proof-of-concept demo by using AWS CloudFormation and AWS Lambda functions. The demo will use a CloudFormation template to deploy an existing Lambda function. The Lambda function uses deployment packages and dependencies stored in Amazon S3. The developer defined an AWS::Lambda::Function resource in a CloudFormation template. The dev...
Let's evaluate each option to determine which one meets the requirements with the least development effort:
Option A: Add the function code in the CloudFormation template inline as the `code` property.
- Pros:
  - Inline code is easy to include directly in the CloudFormation template.
- Cons:
  - For larger Lambda functions or those with dependencies, this method is not practical. The code could become cumbersome to manage and difficult to maintain within the template.
  - The size of inline code in a CloudFormation template is limited (typically a few kilobytes), making this unsuitable for most production-level Lambda functions.
- When to use: This approach could work for very small Lambda functions without dependencies, but it is not suitable for production scenarios where the code or dependencies are stored in Amazon S3.
Option B: Add the function code in the CloudFormation template as the `ZipFile` property.
- Pros:
  - Similar to Option A, this would allow you to include the code inline, using the `ZipFile` property.
- Cons:
  - The `ZipFile` property allows inline code only, and similar to Option A, it is not practical for larger Lambda functions or when dependencies are stored externally, such as in Amazon S3.
  - For larger or production-grade Lambda functions, it’s better to reference external locations (like S3) for the function code.
- When to use: This could be used for small Lambda functions, but it's still impractical when dealing with larger packages or dependenci...
Author: Zain · Last updated May 18, 2026
A developer is building a microservices-based application by using Python on AWS and several AWS services. The developer must use AWS X-Ray. The developer views the service map by using the console to view the service dependencies. During testing, the developer notices that some services...
Let's analyze each option to determine the best course of action for ensuring that all services appear in the X-Ray service map:
Option A: Modify the X-Ray Python agent configuration in each service to increase the sampling rate.
- Pros:
  - Increasing the sampling rate might result in more traces being captured, which could help provide more detailed insights into the services.
- Cons:
  - Not directly related to missing services: While increasing the sampling rate can capture more traces, it does not necessarily address the issue of services being completely missing from the X-Ray service map.
  - Potential over-sampling: If the sampling rate is increased too much, it can result in unnecessary data, leading to higher costs and potentially noisy metrics.
- When to use: This could be useful for ensuring that more traces are captured, but it won't directly solve the problem of services not appearing in the service map if they are not instrumented or integrated correctly.
Option B: Instrument the application by using the X-Ray SDK for Python. Install the X-Ray SDK for all the services that the application uses.
- Pros:
  - Correct approach: For services to appear in the X-Ray service map, they need to be properly instrumented with the X-Ray SDK. This ensures that the services can emit trace data to X-Ray.
  - Ensures all services are traced: By installing and using the X-Ray SDK in all the services, the developer will ensure that they send trace data to X-Ray, which will populate the service map.
- Cons:
  - Development effort required: This option requires the developer to instrument all the services with the X-Ray SDK. However, this is a standard best practice when using AWS X-Ray to gain visibility into the application's behavior.
- When to use: This is the most suitable sol...
Author: Sam · Last updated May 18, 2026
A developer is building a containerized application on AWS. The application communicates with a third-party service by using API keys. The developer needs a secure way to store the API keys and pass the API keys to ...
To securely store API keys and pass them to a containerized application, the solution must ensure that the API keys are kept secure while still being accessible to the application at runtime. Let's evaluate the options based on security, best practices, and usability.
Option A: Store the API keys as a SecureString parameter in AWS Systems Manager Parameter Store. Grant the application access to retrieve the value from Parameter Store.
- Why this is selected: AWS Systems Manager Parameter Store can store sensitive data like API keys securely as a SecureString. The parameter is encrypted using AWS KMS (Key Management Service), ensuring the keys are protected. By granting the application the appropriate IAM permissions to retrieve the value, this method allows the application to access the API keys securely at runtime.
- Key factor: Parameter Store provides an easy and secure way to store sensitive data and allows controlled access using IAM policies, making it ideal for passing API keys to containerized applications.
Option B: Store the API keys in AWS CloudFormation templates by using base64 encoding. Pass the API keys to the application through container definition environment variables.
- Why this is rejected: Storing API keys directly in CloudFormation templates (even if base64 encoded) is not secure. CloudFormation templates are often stored in version control systems or shared environments, and base64 encoding does not provide real encryption, making the keys potentially exposed to unauthorized users. Environment variables can also be easily accessed if someone gains access to the container, adding security risks.
- Key factor: Base64 encoding is not secure and does not provide proper encryption, so this is not recommended for sensitive information like API keys.
Option C: Add a new AWS CloudFormation parameter to the CloudFormation template. Pass the API keys to the application by using the container definition environment variables.
- Why this is rejected: Passing API keys directly in CloudFormation templates as parameters is a poor practice for security reasons. This method does not provide encryption for the k...
Author: Madison · Last updated May 18, 2026
A company runs an application on AWS. The application stores data in an Amazon DynamoDB table. Some queries are taking a long time to run. These slow queries involve an attribute that is not the table's partition key or sort key.
The amount of data that the application stores in the DynamoDB table is expecte...
Let's evaluate each option to determine the best approach for improving query performance in DynamoDB.
Option A: Increase the page size for each request by setting the Limit parameter to be higher than the default value. Configure the application to retry any request that exceeds the provisioned throughput.
- Pros:
  - This option attempts to fetch more data per request.
- Cons:
  - Does not optimize query performance: Increasing the page size will not necessarily speed up queries, especially if the underlying problem is inefficient access patterns (e.g., querying on non-indexed attributes).
  - Retry mechanism for throughput: While configuring retries might help in case of provisioned throughput limits, it doesn’t address slow queries on non-key attributes.
  - Worse performance: For slow queries, increasing the page size could actually result in longer response times as more data is fetched per request.
- When to use: This is not a suitable solution for optimizing queries on non-key attributes. The core issue is inefficient query design, not page size.
Option B: Create a global secondary index (GSI). Set the query attribute to be the partition key of the index.
- Pros:
  - Optimizes for non-key attributes: A GSI allows you to create a secondary index on attributes that are not the primary partition key or sort key. By indexing the attribute involved in the slow queries, you can significantly speed up those queries.
  - Increased performance: Queries that use the GSI will be faster since they will only look at the index, not the entire table.
- Cons:
  - Increased storage cost: GSIs consume additional storage and can increase costs, as they maintain a copy of the indexed data.
  - Writes may incur additional overhead: Adding a GSI can impact the performance of write operations, as DynamoDB must also update the index during writes.
- When to use: This is a highly suitable solution for improving performance when querying non-key attributes. A GSI would allow the application to query more efficiently based on the attribute that is not the partition or sort key.
Option C: Perform a parallel scan operation by issuing individual sc...
Author: Rahul · Last updated May 18, 2026
A company runs a payment application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances run in an Auto Scaling group across multiple Availability Zones. The application needs to retrieve application secrets during the application startup and export the secrets as environment variables. These secrets m...
To address this requirement, let's evaluate each of the options based on the criteria provided:
A) Save the secrets in a text file and store the text file in Amazon S3. Provision a customer-managed key. Use the key for secret encryption in Amazon S3. Read the contents of the text file and read and export as environment variables. Configure S3 Object Lambda to rotate the text file every month.
Rejection Criteria:
- Encryption and Rotation: While this approach can use a customer-managed key for encryption, S3 itself doesn’t provide seamless integration for rotating secrets. Using S3 Object Lambda to automate the rotation adds unnecessary complexity and introduces extra layers of management.
- Development Effort: It requires manual management for the text file, encryption keys, and rotation automation via Lambda. This significantly increases the development overhead.
- Security Risks: Managing secrets as plain text files in S3, even with encryption, can present challenges in ensuring security and fine-grained access control.
B) Save the secrets as strings in AWS Systems Manager Parameter Store and use the default AWS KMS key. Configure an Amazon EC2 user data script to retrieve the secrets during the startup and export as environment variables. Configure an AWS Lambda function to rotate the secrets in Parameter Store every month.
Rejection Criteria:
- Rotation Automation: While AWS Systems Manager (SSM) Parameter Store is a good service for storing secrets with encryption, it doesn't provide automatic rotation out of the box. You would need to manually configure a Lambda function to handle the rotation, which adds development complexity.
- Development Effort: The manual Lambda configuration for rotating secrets requires custom code, which may introduce unnecessary complexity in this use case.
C) Save the secrets as base64 encoded environment variables in the application properties. Retrieve the secrets during the application startup....
Author: Joseph · Last updated May 18, 2026
A company is using Amazon API Gateway to invoke a new AWS Lambda function. The company has Lambda function versions in its PROD and DEV environments. In each environment, there is a Lambda function alias pointing to the corresponding Lambda function version. API Gateway has one stage that is configured to point at the PROD alias.
The company wants to configure ...
To meet the requirement of enabling both the PROD and DEV Lambda function versions to be available simultaneously and distinctly in API Gateway, let's evaluate the options based on the following considerations:
A) Enable a Lambda authorizer for the Lambda function alias in API Gateway. Republish PROD and create a new stage for DEV. Create API Gateway stage variables for the PROD and DEV stages. Point each stage variable to the PROD Lambda authorizer to the DEV Lambda authorizer.
Rejection Criteria:
- Lambda Authorizer Focus: This option suggests using Lambda authorizers, which are used for controlling access to API Gateway endpoints based on the authorization logic. However, the core requirement is to route requests to distinct Lambda function versions in the PROD and DEV environments. The use of authorizers doesn't directly address the need to configure the Lambda function aliases for PROD and DEV.
- Unnecessary Complexity: Introducing authorizers unnecessarily complicates the solution because the primary goal is to route traffic to different Lambda versions, not to manage authorization.
B) Set up a gateway response in API Gateway for the Lambda function alias. Republish PROD and create a new stage for DEV. Create gateway responses in API Gateway for PROD and DEV Lambda aliases.
Rejection Criteria:
- Gateway Response Configuration: Gateway responses are typically used to manage HTTP responses (like error messages, success responses, etc.) from API Gateway, not to manage the Lambda function aliases or versions. This doesn't address the core requirement of directing API Gateway to different Lambda versions based on the environment (PROD vs. DEV).
- Irrelevant Configuration: The gateway response configuration is not suitable for routing Lambda invocations to specific versions of the Lambda function.
C) Use an environment variable for the Lambda function alias in API Gateway. Republish PROD and create ...
Author: Arjun · Last updated May 18, 2026
A developer is working on an ecommerce platform that communicates with several third-party payment processing APIs. The third-party payment services do not provide a test environment.
The developer needs to validate the ecommerce platform's integration with the third-party payment processing APIs. The developer mus...
To address the developer's need for testing the ecommerce platform’s integration with third-party payment processing APIs without invoking the actual third-party APIs, we need a solution that simulates the behavior of these APIs. Let’s evaluate each option:
A) Set up an Amazon API Gateway REST API with a gateway response configured for status code 200. Add response templates that contain sample responses captured from the real third-party API.
Rejection Criteria:
- Limited Integration Simulation: This approach involves setting up a custom API Gateway to return a static status code of 200, which would not provide the flexibility required to fully mock the behavior of the third-party API.
- Basic Response: While it could return a "successful" response, it lacks the ability to simulate complex API responses, headers, and various API behaviors that are needed for comprehensive testing of the integration.
- Inadequate Mocking for Testing: This would not allow testing various scenarios and error conditions that the real payment APIs might trigger.
B) Set up an AWS AppSync GraphQL API with a data source configured for each third-party API. Specify an integration type of Mock. Configure integration responses by using sample responses captured from the real third-party API.
Rejection Criteria:
- GraphQL Context: AWS AppSync is designed for GraphQL APIs, which may not align well with the RESTful third-party payment APIs that the ecommerce platform uses.
- Overcomplication: Using AppSync for this use case would introduce unnecessary complexity, as it is more suited for managing GraphQL data sources and not a simple mock integration scenario.
- Irrelevant Technology Choice: It’s overkill to use a GraphQL API when the platform is working with REST APIs and only requires mocking the payment API responses.
C) Create an AWS Lambda function for each third-party API. Embed respons...
Author: Aria · Last updated May 18, 2026
A developer is storing many objects in a single Amazon S3 bucket. The developer needs to optimize the S3 bucket for high request rates.
How s...
To optimize an S3 bucket for high request rates, the developer needs to consider how S3 handles access to objects and how it can efficiently distribute requests across the available resources. Let's evaluate the options:
A) Store the objects by using S3 Intelligent-Tiering.
Rejection Criteria:
- Not Related to Request Rate Optimization: S3 Intelligent-Tiering is a storage class designed to optimize costs by automatically moving objects between two access tiers based on access patterns. While it helps manage cost-efficiency, it does not specifically address the optimization of request rates.
- Focus on Storage Costs: This option does not provide any particular benefit in terms of distributing requests across S3's infrastructure to handle high access rates.
B) Store the objects at the root of the S3 bucket.
Rejection Criteria:
- Single Prefix Issue: Storing all objects at the root of the S3 bucket means they would share the same prefix (i.e., the root), which could lead to hot spots where a large number of requests target the same location. This could result in performance bottlenecks and inefficient distribution of requests across S3's infrastructure.
- Limitations on High Request Rate Optimization: S3 is optimized for distributing requests across a large number of prefixes, and using a single prefix can limit this distribution, affecting performance under high request load.
C) Store the obj...
Author: Sara · Last updated May 18, 2026
A company deploys a new application to AWS. The company is streaming application logs to Amazon CloudWatch Logs. The company's development team must receive notification by email when the word "ERROR" appears in any log lines. A developer sets up an Amazon Simple Notification Service (Amazo...
To meet the requirement of notifying the development team when the word "ERROR" appears in any log lines, let's evaluate each option in detail:
A) Select the appropriate log group. Create a CloudWatch metric filter with "ERROR" as the search term. Create an alarm on this metric that notifies the SNS topic when the metric is 1 or higher.
Selection Criteria:
- Metric Filter and Alarm: A CloudWatch metric filter can be set up to search for the term "ERROR" in the log stream and convert it into a custom metric. Once this metric is created, an alarm can be set to trigger when the metric value is greater than or equal to 1, indicating that an "ERROR" has been logged.
- Notification Integration: This option integrates the SNS topic with the CloudWatch alarm, so when the alarm triggers, it will notify the development team.
- Scalable and Efficient: This approach efficiently meets the requirements, as it allows real-time monitoring and notification for each "ERROR" occurrence without needing to analyze the log lines manually.
- Optimal for Alerting: This is the most effective method to automate the process of monitoring log data and sending notifications based on specific content (like the word "ERROR").
B) In CloudWatch Logs Insights, select the appropriate log group. Create a metric query to search for the term "ERROR" in the logs. Create an alarm on this metric that notifies the SNS topic when the metric is 1 or higher.
Rejection Criteria:
- CloudWatch Logs Insights: While CloudWatch Logs Insights is useful for querying logs and generating insights, it is more suited for ad-hoc querying and analyzing logs rather than continuous monitoring and triggering alerts.
- Not Ideal for Continuous Monitoring: Logs Insights queries...
Author: MoonlitPantherX · Last updated May 18, 2026
A company uses Amazon Simple Queue Service (Amazon SQS) to decouple its microservices architecture. Some messages in an SQS queue contain sensitive information. A developer must implement a soluti...
To meet the requirement of encrypting all the data at rest for sensitive messages in Amazon SQS, let's analyze the provided options:
A) Enable server-side encryption for the SQS queue by using an SQS managed encryption key (SSE-SQS).
- Explanation: Enabling SSE-SQS encrypts the data at rest automatically using Amazon's managed encryption keys (SSE-SQS). This option ensures that all messages in the SQS queue are encrypted as they are stored, meeting the requirement of securing sensitive information. This is a native and automatic feature of Amazon SQS, requiring minimal setup.
- Reasoning: This is the most direct and suitable solution for encrypting messages at rest in Amazon SQS, and it requires no additional manual steps. It leverages AWS-managed encryption keys, ensuring compliance and security without requiring further infrastructure management.
- Conclusion: This is the best option to achieve encryption at rest for SQS messages.
B) Use the aws:SecureTransport condition in the queue policy to ensure that only HTTPS (TLS) is used for all requests to the SQS queue.
- Explanation: This option focuses on ensuring that data is transmitted securely over HTTPS. While using HTTPS ensures that the data is encrypted in transit, it does not address the requirement for encrypting data at rest in the SQS queue. The sensitive information still resides unencrypted in the queue.
- Reasoning: This option protects data while it is in transit but does not meet the requirement of encrypting data when stored in SQS. It's a good practice for security in transit but doesn't solve the problem of encrypting the me...
Author: Elijah · Last updated May 18, 2026
A company recently deployed a new serverless user portal. Users have reported that part of the portal is slow. The initial analysis found a single Amazon API Gateway endpoint that is responsible for the performance issues. The endpoint integrates with an AWS Lambda function. However, the Lambda function interacts wit...
To diagnose the source of the increased response time in the serverless user portal, we need to identify the source of the delay in the Lambda function that integrates with multiple APIs and AWS services. Let's evaluate each option in terms of effectiveness and alignment with best operational practices:
A) Update the Lambda function by adding logging statements with high-precision timestamps before and after each external request. Deploy the updated Lambda function. After accumulating enough usage data, examine the Amazon CloudWatch logs for the Lambda function to determine the likely sources for the increased response time.
- Explanation: Adding high-precision timestamps and custom logging inside the Lambda function could provide detailed insights into the duration of each external request. While this approach can help identify where time is being spent, it requires manual updates to the code and may not be as efficient as using a built-in monitoring tool.
- Reasoning: While logging is a helpful method for troubleshooting, it is less automated and doesn't provide a holistic, system-wide view. This could lead to more complexity and manual analysis, especially in serverless architectures where tracing end-to-end performance is critical.
- Conclusion: This approach is rejected because it requires custom code updates and lacks a comprehensive view of performance. It’s less efficient compared to other options that are designed specifically for performance monitoring.
B) Instrument the Lambda function with the AWS X-Ray SDK. Add HTTP and HTTPS interceptors and SDK client handlers. Deploy the updated Lambda function. Turn on X-Ray tracing. After accumulating enough usage data, use the X-Ray service map to examine the average response times to determine the likely sources.
- Explanation: AWS X-Ray is a powerful service for tracing and analyzing the performance of serverless applications, especially Lambda functions. By instrumenting the Lambda function with X-Ray, you can automatically trace requests, visualize performance bottlenecks, and identify the exact sources of delays. X-Ray provides detailed service maps, traces, and insights into the execution flow across services (including the Lambda function and external APIs).
- Reasoning: This is a highly effective and operationally efficient solution. AWS X-Ray provides an automatic and comprehensive way to trace requests, visualize latency, and drill ...
Author: Aarav2020 · Last updated May 18, 2026
A developer is building an event-driven application by using AWS Lambda and Amazon EventBridge. The Lambda function needs to push events to an EventBridge event bus. The developer uses an SDK to run the PutEvents EventBridge action and specifies no credentials in the code. After deploying the Lambda function, the developer ...
To resolve the AccessDeniedException error when the Lambda function is trying to push events to EventBridge, let's evaluate each option and its effectiveness:
A) Configure a VPC peering connection between the Lambda function and EventBridge.
- Explanation: VPC peering connects two Virtual Private Clouds (VPCs) so they can communicate. However, Amazon EventBridge is a fully managed service that is accessible over the public AWS infrastructure and does not require a VPC peering connection for communication. The issue here is related to permissions, not network connectivity.
- Reasoning: Since EventBridge doesn't need a VPC connection to be accessed by Lambda, this solution doesn't address the permission issue.
- Conclusion: This option is rejected because VPC peering is not necessary for accessing EventBridge, and it does not solve the permission-related issue.
B) Modify their AWS credentials to include permissions for the PutEvents EventBridge action.
- Explanation: AWS Lambda functions use an execution role (IAM role) that is assigned when the function is created or updated. The credentials for this role must grant sufficient permissions to access services like EventBridge. Modifying personal AWS credentials (such as those for the developer or their environment) would not address the permissions for the Lambda function itself.
- Reasoning: This option would only apply if the developer was invoking EventBridge from their personal credentials, which is not the case here. The issue is with the Lambda execution role, not the developer's credentials.
- Conclusion: This option is rejected because the credentials that need to be modified are those associated with the Lambda execution role, not the developer's AWS cred...
Author: CrimsonViperX · Last updated May 18, 2026
A company's application has an AWS Lambda function that processes messages from IoT devices. The company wants to monitor the Lambda function to ensure that the Lambda function is meeting its required service level agreement (SLA).
A developer must implement a solution to determine the application's throughput in near real time. The throughput must be based on the number of messages that the Lambda function receives and processes in a given ti...
To meet the requirements of monitoring the Lambda function's throughput based on the number of messages it processes, while excluding the initialization and post-processing steps, let's evaluate the options:
A) Use the Lambda function's ConcurrentExecutions metric in Amazon CloudWatch to measure the throughput.
- Explanation: The `ConcurrentExecutions` metric measures the number of Lambda instances that are running at the same time, but it does not directly provide throughput based on the number of messages processed. It primarily helps with understanding resource usage, not throughput in terms of the number of messages processed.
- Reasoning: While `ConcurrentExecutions` is useful for monitoring Lambda concurrency, it doesn’t directly correlate to the number of messages processed. It’s not a valid metric for measuring throughput in the context of this scenario.
- Conclusion: This option is rejected because it does not measure the number of messages processed, which is the key metric for throughput.
B) Modify the application to log the calculated throughput to Amazon CloudWatch Logs. Use Amazon EventBridge to invoke a separate Lambda function to process the logs on a schedule.
- Explanation: While this approach could allow the developer to calculate throughput by analyzing logs, it introduces complexity and delays. Logs are not real-time metrics, and using EventBridge to invoke another Lambda function on a schedule adds unnecessary overhead and complexity, especially for a near-real-time requirement.
- Reasoning: This approach involves multiple services and steps, creating potential delays. It also doesn’t directly provide throughput metrics, and it requires additional resource management and scheduled processing.
- Conclusion: This option is rejected because it complicates the process and doesn't provide an efficient, real-time th...
Author: Zara · Last updated May 18, 2026
A developer is using an AWS CodePipeline pipeline to provide continuous integration and continuous delivery (CI/CD) support for a Java application. The developer needs to update the pipeline to support the introduction of a new application dependency .jar file. The pipeline mu...
To meet the requirement of starting a build in AWS CodePipeline when a new version of a dependency `.jar` file becomes available, let's evaluate each option:
A) Create an Amazon S3 bucket to store the dependency .jar file. Publish the dependency .jar file to the S3 bucket. Use an Amazon Simple Notification Service (Amazon SNS) notification to start a CodePipeline pipeline build.
- Explanation: Storing the `.jar` file in an S3 bucket is a good option for versioning dependencies. Using an SNS notification when the file is updated in S3 can trigger the pipeline. However, SNS integration with CodePipeline is not as seamless as direct integration with AWS services like CodeCommit, ECR, or EventBridge. It requires setting up SNS notifications to trigger actions, which can add complexity.
- Reasoning: While this solution is feasible, it's not the most direct or optimal. It adds extra steps, as the SNS notification needs to trigger the pipeline. Additionally, managing file updates and versioning with SNS is less automated than other options.
- Conclusion: This option is rejected due to the additional complexity of SNS integration and lack of more native solutions for this scenario.
B) Create an Amazon Elastic Container Registry (Amazon ECR) private repository. Publish the dependency .jar file to the repository. Use an ECR source action to start a CodePipeline pipeline build.
- Explanation: Amazon ECR is optimized for container images and container-based workflows. While ECR supports storing Docker images, it is not designed for managing generic files such as `.jar` files. Therefore, using ECR for managing `.jar` dependencies is not appropriate because it's overkill and not its intended purpose.
- Reasoning: Using ECR for this scenario would be unnecessary and inefficient, as ECR is tailored for Docker images rather than files like `.jar` files.
- Conclusion: This option is rejected because ECR is not the right service for managin...
Author: VenomousSerpent42 · Last updated May 18, 2026
A company with multiple branch locations has an analytics and reporting application. Each branch office pushes a sales report to a shared Amazon S3 bucket at a predefined time each day. The company has developed an AWS Lambda function that analyzes the reports from all branch offices in a single pass. The Lambda function stores the results in a datab...
To meet the company's requirement of analyzing sales reports at a specific time each day, let's evaluate the options based on cost-effectiveness, ease of implementation, and how well they meet the need for scheduling:
Option A: Configure an S3 event notification to invoke the Lambda function when a branch office uploads a sales report.
- Pros: This method ensures that the Lambda function runs immediately when a report is uploaded to the S3 bucket, providing real-time processing.
- Cons: The issue here is that the Lambda function will run each time a report is uploaded, which could be multiple times a day. This does not align with the requirement of triggering the analysis once per day at a specific time. It could lead to unnecessary Lambda executions and costs, which is not ideal.
- Rejected: This option would not meet the requirement of a daily, scheduled analysis.
Option B: Create an AWS Step Functions state machine that invokes the Lambda function once each day at the predefined time.
- Pros: AWS Step Functions can orchestrate tasks and allows for more complex workflows if the process requires additional steps. However, setting it up only to trigger the Lambda function on a daily schedule adds more complexity than necessary.
- Cons: Step Functions would incur additional costs, as you would be paying for the state machine executions, which may not be the most cost-effective approach if the requirement is just to run the Lambda function at a specific time each day.
- Rejected: While it is a powerful solution, it is more complex and le...
Author: Julian · Last updated May 18, 2026
A developer has an application that asynchronously invokes an AWS Lambda function. The developer wants to store messages that resulted in failed invocations of the Lambda function so that the application can retry the call la...
Let's evaluate each option based on the goal of storing failed invocation messages and enabling the application to retry the Lambda function with minimal operational overhead.
Option A: Set up Amazon CloudWatch Logs log groups to filter and store the messages in an Amazon S3 bucket. Import the messages in Lambda. Run the Lambda function again.
- Pros: CloudWatch Logs can capture logs from Lambda executions, and S3 can be used for storing messages.
- Cons: This approach would require manual intervention or custom code to import messages from S3 back into Lambda for retries. It adds unnecessary operational overhead because of the need for filtering, storing, and re-importing messages. It’s not an automated solution for retrying failed Lambda invocations.
- Rejected: This approach is more manual and involves significant operational complexity with custom logic for retries, which is not ideal for minimizing operational overhead.
Option B: Configure Amazon EventBridge to send the messages to Amazon Simple Notification Service (Amazon SNS) to initiate the Lambda function again.
- Pros: EventBridge and SNS can be used to handle events and trigger Lambda.
- Cons: While EventBridge can detect failed invocations, SNS alone does not handle message persistence for retries. It could be used to notify or alert on failures, but it doesn’t store failed messages in a way that supports retrying them efficiently. It would require further setup or manual intervention to store failed messages.
- Rejected: This approach is not focused on storing messages for retry later, as SNS is primarily used for notificat...
Author: Grace · Last updated May 18, 2026
A company is using AWS CloudFormation templates to deploy AWS resources. The company needs to update one of its AWS CloudFormation stacks.
What can the company do...
Let's evaluate each option to determine the most effective way to find out how the changes will impact the resources that are running:
Option A: Investigate the change sets.
- Pros: CloudFormation Change Sets allow you to preview the changes that will be applied to your stack before executing the update. A change set provides a detailed view of the resources that will be added, modified, or deleted, and helps to understand how the update might impact your current resources.
- Cons: There are no significant cons because this is the intended way to preview changes in CloudFormation before applying them.
- Selected: This is the best option because it allows you to assess the impact of changes before making any updates to the resources.
Option B: Investigate the stack policies.
- Pros: Stack policies protect resources from unintentional updates during a stack update by defining what changes are allowed for certain resources.
- Cons: While stack policies are useful for preventing certain changes from being applied, they do not provide a direct way to preview what changes will be made to resources in a stack. Stack policies only govern what CloudFormation is allowed to modify.
- Re...
Author: NightmareDragon2025 · Last updated May 18, 2026
A company stores all personally identifiable information (PII) in an Amazon DynamoDB table named PII in Account A. Developers are working on an application that is running on Amazon EC2 instances in Account B. The application in Account B requires access to the PII table.
An administrator in Account A creates an IAM role named AccessPII that has permission to access the PII table. The administrator also creates a trust policy that speci...
To allow the application in Account B to access the PII table in Account A, we need to focus on how to properly set up permissions and ensure that the EC2 instances in Account B can assume the role in Account A to access the DynamoDB table.
Option A: Allow the EC2 IAM role the permission to assume the AccessPII role.
- Pros: This is required because the IAM role `AccessPII` in Account A needs to be assumed by the EC2 instances in Account B. The EC2 instances in Account B must be granted permission to assume the role in Account A.
- Cons: There are no significant cons. This step is necessary for the role assumption process to work properly.
- Selected: This step is essential for enabling the EC2 instances in Account B to assume the `AccessPII` role in Account A.
Option B: Allow the EC2 IAM role the permission to access the PII table.
- Pros: It might seem that the EC2 instance in Account B needs DynamoDB permissions of its own, but the actual access to the table is granted once the EC2 role assumes the `AccessPII` role in Account A.
- Cons: This option is not sufficient on its own because the EC2 instance in Account B cannot directly access DynamoDB without assuming the `AccessPII` role first. Permissions to access the table must come from the assumed role, not directly from the EC2 IAM role.
- Rejected: This step is not needed because the actual permissions to access the DynamoDB table are granted via the role assumption from Account A, not directly by the EC2 IAM role in Account B.
Option C: Include the AWS API in the application code logic to obtain temporary credentials from the EC2 IAM role to access the PII table.
- Pros: The EC2 instance will automatically use the credentials associated wit...
Author: VioletCheetah55 · Last updated May 18, 2026
A gaming website gives users the ability to trade game items with each other on the platform. The platform requires both users' records to be updated and persisted in one transaction. If any update fails, the transaction must roll back.
Whic...
To meet the requirements of atomic, transactional operations, where both users' records need to be updated and persisted in one transaction, and the transaction should roll back if any part fails, we need to look for solutions that support transactions and rollback capabilities.
Option A: Amazon DynamoDB with operations made with the ConsistentRead parameter set to true
- Pros: DynamoDB supports strong consistency with `ConsistentRead`, ensuring that you read the most recent data. However, this option is about ensuring strong consistency in reads, not transactional writes with rollback functionality.
- Cons: The `ConsistentRead` parameter only affects read consistency; it does not provide multi-item transactional writes with automatic rollback. Conditional writes and atomic counters on their own also do not give the all-or-nothing guarantee across two users' records that this scenario requires in the way that relational databases or systems with explicit transaction support do.
- Rejected: This does not fulfill the requirement of multi-record transactional operations with rollback capabilities across two users’ records in a trade scenario.
Option B: Amazon ElastiCache for Memcached with operations made within a transaction block
- Pros: ElastiCache is a distributed in-memory cache designed for fast read/write operations. It can support various caching patterns.
- Cons: ElastiCache does not provide transactional consistency or rollback capabilities for complex updates. It is primarily designed for caching, not transactional persistence. The idea of "transaction blocks" in ElastiCache doesn’t apply as it doesn't support atomic multi-key operations or rollback across operations in the way that a database system does.
- Rejected: ElastiCache is not suitable for transactional operations where rollback is needed for multiple updates.
Option C: Amazon DynamoDB with reads and writes made by using Transact operations
- Pros: DynamoDB's Transact operations (like `TransactWriteItems`) allow for multi-item, multi-table transactional writes. This feature ensures that all items in the transaction are either committed together or rolled back in the case of failure. This is highly suitable for the scenario where mult...
Author: Zara · Last updated May 18, 2026
A developer is deploying an application in the AWS Cloud by using AWS CloudFormation. The application will connect to an existing Amazon RDS database. The hostname of the RDS database is stored in AWS Systems Manager Parameter Store as a plaintext value. The developer needs to incorporate the database hostname into the CloudFormation templat...
In this scenario, the developer needs to reference the plaintext value of a database hostname stored in AWS Systems Manager Parameter Store within an AWS CloudFormation template. Let's evaluate each option:
A) Use the ssm dynamic reference
- Explanation: The `ssm` dynamic reference is used to reference parameters stored in the Systems Manager Parameter Store in a CloudFormation template. The `ssm` reference allows you to directly reference a parameter value, which can be plaintext or secure, using the parameter name.
- Suitability: This option is suitable because the database hostname is stored as a plaintext value in the Parameter Store, and using `ssm` dynamic references allows for the seamless retrieval of that parameter.
B) Use the Ref intrinsic function
- Explanation: The `Ref` intrinsic function is used to return the value of a resource or a parameter within a CloudFormation template. However, this function does not support direct access to parameter store values.
- Suitability: This option is not appropriate for accessing parameter store values. `Ref` is more suited for referring to CloudFormation resources like EC2 instances, se...
Author: Lucas Carter · Last updated May 18, 2026
A company uses an AWS Lambda function to call a third-party service. The third-party service has a limit of requests each minute. If the number of requests exceeds the limit, the third-party service returns rate-limiting errors.
A developer needs to configure the Lambda functi...
To meet the requirement of avoiding rate-limiting errors from a third-party service when calling it via an AWS Lambda function, the solution should control the rate at which the Lambda function makes requests to the third-party service. Let's evaluate the options:
A) Set the reserved concurrency on the Lambda function to match the number of concurrent requests that the third-party service allows.
- Explanation: Reserved concurrency defines the maximum number of instances of the Lambda function that can run concurrently. By setting this value to match the number of requests that the third-party service can handle per minute, you can limit the number of concurrent invocations of the Lambda function, thus reducing the likelihood of exceeding the rate limit. However, this solution might not be ideal because it doesn't directly control the rate of requests over time (e.g., per minute). It only limits concurrent execution.
- Suitability: This could help to an extent but doesn't fully control the frequency of requests, and you might still hit rate limits if the Lambda invocations happen too rapidly within the minute.
B) Decrease the memory that is allocated to the Lambda function.
- Explanation: Memory allocation in Lambda impacts performance, such as CPU allocation and the function's execution speed. However, decreasing memory does not affect the rate of requests or how frequently the Lambda function is invoked. It would likely degrade the Lambda’s performance.
- Suitability: This option is irrelevant to controlling the request rate and is not helpful in addressing rate-limiting errors from the third-party service.
C) Set the provisioned concurrency on the Lambda function to match the number of concurrent requests that the third-part...
Author: Nathan · Last updated May 18, 2026
A developer is building a new containerized application by using AWS Copilot. The developer uses the AWS Copilot command line interface (CLI) to deploy the application during development. The developer committed the application code to a new AWS CodeCommit repository. The developer must create an automated deployment process before ...
To automate the deployment process for the containerized application, the developer needs an efficient way to integrate the deployment steps (source, build, and deployment) while keeping operational overhead minimal. Let's evaluate each option:
A) Create a buildspec file that invokes the AWS Copilot CLI commands to build and deploy the application. Use the AWS Copilot CLI to create an AWS CodePipeline that uses the CodeCommit repository in the source stage and AWS CodeBuild in the build stage.
- Explanation: A `buildspec` file is typically used to define how CodeBuild should build and deploy an application. Using the Copilot CLI within CodeBuild can invoke the commands to build and deploy the application. However, this solution requires manually creating the CodePipeline and integrating it with CodeBuild. While this is functional, it adds complexity because the developer needs to manage the buildspec and the pipeline configuration manually.
- Suitability: This solution is feasible but not the most operationally efficient because it involves additional manual setup (e.g., buildspec) and custom configuration for pipeline creation.
B) Use the AWS Serverless Application Model (AWS SAM) CLI to bootstrap and initialize an AWS CodePipeline configuration. Use the CodeCommit repository as the source. Invoke the AWS Copilot CLI to build and deploy the application.
- Explanation: AWS SAM is typically used for serverless applications, particularly for AWS Lambda and API Gateway. While SAM could bootstrap a CodePipeline, it is not designed for containerized applications like those built with AWS Copilot. Integrating AWS SAM CLI with AWS Copilot is not the ideal combination, as it doesn't align with containerized workflows, which are better supported directly by Copilot.
- Suitability: This approach is not ideal because AWS SAM is not intended for containerized applications and wo...
Author: StarryEagle42 · Last updated May 18, 2026
A developer is creating a new application for a pet store. The application will manage customer rewards points. The developer will use Amazon DynamoDB to store the data for the application. The developer needs to optimize query performance and limit partition overload before...
To optimize query performance and avoid partition overload in Amazon DynamoDB, the developer must choose a partition key that will help distribute the data evenly across partitions. This is crucial for ensuring that no single partition is overwhelmed by requests, leading to hot spots and degraded performance. Let’s analyze each option:
A) A randomly generated universally unique identifier (UUID)
- Explanation: A UUID is a random string, and when used as a partition key, it ensures that the data is evenly distributed across DynamoDB partitions. Since the UUID values are unique, it avoids data skew and helps prevent any single partition from becoming overloaded.
- Suitability: This option is highly effective for distributing traffic evenly, ensuring that there is no skew or hot spots on any specific partition. Using a UUID as a partition key guarantees even load distribution, which is ideal for optimizing performance and avoiding partition overload before performance analysis.
B) The customer's full name
- Explanation: Using the full name of the customer as the partition key could result in uneven distribution of data, especially if certain names are common (e.g., "John Smith"). This could lead to some partitions being overburdened, while others remain underutilized, causing performance bottlenecks.
- Suitability: This option is not ideal because it could cause skew in the distribution of data across p...
Author: ShadowWolf101 · Last updated May 18, 2026
A developer uses AWS IAM Identity Center (AWS Single Sign-On) to interact with the AWS CLI and AWS SDKs on a local workstation. API calls to AWS services were working when the SSO access was first configured. However, the developer is now receiving Access Denied errors. The developer has not changed any configurat...
In this scenario, the developer is receiving "Access Denied" errors after using AWS IAM Identity Center (AWS SSO) to interact with AWS services through the AWS CLI and SDKs. Since the configuration files or scripts have not changed, let's analyze each option to identify the most likely cause:
A) The access permissions to the developer's AWS CLI binary file have changed.
- Explanation: The permissions on the AWS CLI binary itself are unlikely to cause "Access Denied" errors when interacting with AWS services. If the binary had permission issues, the AWS CLI wouldn't work at all (e.g., the developer wouldn't be able to execute `aws` commands). The problem seems related to the AWS SSO authentication or the permissions associated with it, not the CLI binary file.
- Suitability: This is unlikely to be the cause of the issue. The developer is able to make API calls, but those calls are being denied, which points to an authentication or permission issue rather than a problem with the AWS CLI binary.
B) The permission set that is assumed by IAM Identity Center does not have the necessary permissions to complete the API call.
- Explanation: If the permission set assigned through AWS IAM Identity Center has been altered or doesn't include the necessary permissions to access the AWS services the developer is trying to use, it could result in "Access Denied" errors. However, if there has been no change to the permission set, this would not be the primary cause.
- Suitability: This option could be a potential cause if the IAM Identity Center permission set has been modified. However, if no changes were made...
Author: Emily · Last updated May 18, 2026
A company is building a serverless application. The application uses an API key to authenticate with a third-party application. The company wants to store the external API key as a part of an AWS Lambda configuration. The company needs to have full control over the AWS Key Management Service (AWS KMS) ke...
To meet the requirements of securely storing the API key with full control over the AWS Key Management Service (AWS KMS) keys and making it visible only to authorized entities, let's analyze each option:
A) Store the API key in AWS Systems Manager Parameter Store as a string parameter. Use the default AWS KMS key that AWS provides to encrypt the API key.
- Reasoning: While AWS Systems Manager Parameter Store is a secure service for storing sensitive information like API keys, using the default AWS KMS key limits the ability to fully control the encryption. The company would not have full control over the KMS key because the default KMS key is managed by AWS. This would not meet the requirement for full control over the KMS keys.
- Rejected because the company requires full control over the KMS key, which is not achieved when using the default AWS-managed key.
B) Store the API key in AWS Lambda environment variables. Create an AWS KMS customer-managed key to encrypt the API key.
- Reasoning: Storing the API key in Lambda environment variables is a good choice for serverless applications. By using a customer-managed KMS key, the company retains full control over the encryption and can restrict access to the API key as needed. This option gives full control over the KMS keys and is highly secure. Lambda also integrates well with KMS to encrypt environment variables.
- Selected option because it satisfies all the requireme...
Author: Samuel · Last updated May 18, 2026
A developer is writing an application to analyze the traffic to a fleet of Amazon EC2 instances. The EC2 instances run behind a public Application Load Balancer (ALB). An HTTP server runs on each of the EC2 instances, logging all requests to a log file.
The developer wants to capture the client public IP addresses. The developer analyzes...
To solve the problem of capturing the client public IP addresses in the log files on the EC2 instances, let's evaluate each option:
A) Add a Host header to the HTTP server log configuration file.
- Reasoning: The Host header in HTTP requests contains the domain name of the server that is being accessed. However, the Host header does not contain any information about the client's IP address. It is unrelated to logging the client's IP.
- Rejected because it does not help in capturing the client’s public IP address; it’s only useful for specifying the domain in a request.
B) Install the Amazon CloudWatch Logs agent on each EC2 instance. Configure the agent to write to the log file.
- Reasoning: Installing the CloudWatch Logs agent allows for centralized logging, but it doesn't inherently solve the issue of capturing the client IP. The CloudWatch Logs agent will log files, but without modifying how the client IP is captured, it will still log the IP address of the ALB (the proxy). This doesn't address the problem directly.
- Rejected because it does not resolve the issue of capturing the client’s public IP address from the ALB.
C) Install the AWS X-Ray daemon on each EC2 instance. Configure the daemon to write to the log file.
- Reasoning: AWS X-Ray is a distributed tracing service that can be used to ...
Author: Emma · Last updated May 18, 2026
A company is developing a serverless application by using AWS Lambda functions. One of the Lambda functions needs to access an Amazon RDS DB instance. The DB instance is in a private subnet inside a VPC.
The company creates a role that includes the necessary permissions to access the DB instance. The company then assigns the role to the Lambda function. ...
To provide the AWS Lambda function with access to an Amazon RDS DB instance that resides in a private subnet within a VPC, the developer needs to ensure that the Lambda function is correctly configured to access resources within the VPC and that appropriate security controls are in place.
A) Assign a public IP address to the DB instance. Modify the security group of the DB instance to allow inbound traffic from the IP address of the Lambda function.
- Reasoning: Amazon RDS instances in a private subnet should not have public IP addresses to maintain network isolation and security. Assigning a public IP address to the DB instance would compromise the security model by exposing it to the public internet.
- Rejected because the DB instance should remain in the private subnet, and it should not be publicly accessible.
B) Set up an AWS Direct Connect connection between the Lambda function and the DB instance.
- Reasoning: AWS Direct Connect provides a dedicated network connection between an on-premises network and AWS, which can be used to improve the performance of connections to AWS services. However, Direct Connect is not necessary or cost-effective for this use case where the Lambda function and the DB instance are both within the same AWS region. It is designed for hybrid cloud setups where on-premises systems need direct, dedicated connections to AWS.
- Rejected because Direct Connect is not required for accessing resources within a VPC; it is more appropriate for on-premises to AWS communication.
C) Configure an Amazon CloudFront distribution to create a secure connection between the Lamb...
Author: Michael · Last updated May 18, 2026
A developer needs temporary access to resources in a second account.
What is the MOST secure way ...
To provide temporary access to resources in a second account in a secure and controlled way, let's analyze each option:
A) Use the Amazon Cognito user pools to get short-lived credentials for the second account.
- Reasoning: Amazon Cognito is typically used for managing user authentication in web and mobile apps, enabling users to sign up, sign in, and access resources. However, it's not the most suitable option for providing temporary access between AWS accounts. Cognito is not designed for inter-account access via roles or permissions in the AWS context.
- Rejected because Cognito is not intended for cross-account access and does not integrate directly with IAM roles for secure, temporary access between AWS accounts.
B) Create a dedicated IAM access key for the second account, and send it by mail.
- Reasoning: Creating an IAM access key and sending it by mail is insecure and highly discouraged. Access keys should not be shared via email or any unencrypted methods, as this can lead to accidental exposure and misuse. Additionally, this method does not provide temporary access; it would require the manual management of keys, which can become difficult to control and audit over time.
- Rejected because this is an insecure practice and lacks scalability, auditing, and control over temporary access.
C) Create a cross-account access role, and use sts:AssumeRole API to get short-lived credentials.
- Reasoning: This is the most secure and recommended approach. By creating a cross-...
Author: Arjun · Last updated May 18, 2026
A company wants to migrate applications from its on-premises servers to AWS. As a first step, the company is modifying and migrating a non-critical application to a single Amazon EC2 instance. The application will store information in an Amazon S3 bucket. The company needs to follow security best practices ...
To follow security best practices when deploying the application on AWS and allowing it to interact with Amazon S3, we need to evaluate each option with a focus on security, ease of management, and scalability.
A) Create an IAM role that has administrative access to AWS. Attach the role to the EC2 instance.
- Reasoning: Granting administrative access to the EC2 instance is not a best practice because it provides excessive permissions. The principle of least privilege suggests that the EC2 instance should only have permissions necessary to interact with Amazon S3, not full administrative rights across all AWS services. This creates unnecessary security risks if the instance is compromised.
- Rejected because administrative access is too broad and should be avoided, as it exposes more resources than necessary.
B) Create an IAM user. Attach the AdministratorAccess policy. Copy the generated access key and secret key. Within the application code, use the access key and secret key along with the AWS SDK to communicate with Amazon S3.
- Reasoning: Using IAM users with AdministratorAccess is not recommended because it violates the principle of least privilege. Hardcoding the access key and secret key in the application code introduces security risks if the application code is ever exposed or accessed by unauthorized individuals. Managing keys in this way also makes rotation and revocation more difficult.
- Rejected because hardcoding credentials and granting overly broad permissions increases security risks.
C) Create an IAM role that has the necess...
Author: Evelyn · Last updated May 18, 2026
A company has an internal website that contains sensitive data. The company wants to make the website public. The company must ensure that only employees who authenticate through the company's OpenID Connect (OIDC) identity provider (IdP) can access the website. A developer needs to imp...
To meet the company's requirements of ensuring that only employees authenticated via OpenID Connect (OIDC) can access the website without modifying the website itself, the developer needs to use a combination of services that can enforce authentication before accessing the website.
Let's break down each option and assess them:
Option A: Create a public Network Load Balancer (NLB).
- Reasoning: A Network Load Balancer is best suited for handling low-latency, TCP traffic and operates at the connection level (Layer 4). It does not support advanced routing or the ability to perform authentication actions like OIDC-based authentication. Since the requirement is to authenticate users through an OIDC IdP, this option is not appropriate.
- Rejection: This option does not fit because it doesn't support the necessary authentication integration (OIDC).
Option B: Create a public Application Load Balancer (ALB).
- Reasoning: An Application Load Balancer is a better fit for this scenario because it operates at Layer 7 (application level), allowing for URL-based routing and integration with authentication services. ALBs support native authentication with OIDC and can be configured to trigger authentication actions before users reach the website.
- Selected: This is the correct choice because the ALB can handle the necessary authentication logic by integrating with the OIDC IdP.
Option C: Configure a listener for the load balancer that listens on HTTPS port 443. Add a default authenticate action providing the OIDC IdP configuration.
- Reasoning: This is a valid option for achieving authentication. By configuring an ALB to listen on HTTPS (port 443), the traffic is encrypted, ensuring security for the authentication flow. The default a...
Author: FrostFalcon88 · Last updated May 18, 2026
A developer is working on a web application that requires selective activation of specific features. The developer wants to keep the features hidden from end users until the feature...
To meet the developer’s requirement of selectively activating specific features in a web application while keeping them hidden from end users until they are ready, we need a solution that allows the management and toggling of feature states (e.g., enabling or disabling features) dynamically without redeploying the application. Let's break down each option:
Option A: Create a feature flag configuration profile in AWS AppSync. Store the feature flag values in the configuration profile. Activate and deactivate feature flags as needed.
- Reasoning: AWS AppSync is designed to handle real-time data syncing for GraphQL APIs, which is useful for interactive, real-time applications. While AppSync can manage the feature flags, it’s primarily built for data management and API synchronization rather than feature flag management. This solution might require additional work and complexity to integrate feature flag functionality.
- Rejection: AppSync is not the most appropriate tool for managing feature flags, especially considering that other AWS services are specifically built for this purpose. Therefore, this option is less efficient.
Option B: Store prerelease data in an Amazon DynamoDB table. Enable Amazon DynamoDB Streams in the table. Toggle between hidden and visible states by using DynamoDB Streams.
- Reasoning: DynamoDB is a NoSQL database and could technically store flags or data related to features. However, DynamoDB Streams is used for change data capture and real-time processing of table updates, not specifically for feature flag management. Using DynamoDB in this way would be inefficient and complex to manage feature toggling directly.
- Rejection: DynamoDB is not designed for managing feature flags, and using DynamoDB Streams for toggling feature visibility would be overly complicated, especially compared to more specia...
Author: Julian · Last updated May 18, 2026
A developer at a company writes an AWS CloudFormation template. The template refers to subnets that were created by a separate AWS CloudFormation template that the company's network team wrote. When the developer attempts to launch the stack for the f...
Let's break down each option and evaluate it to identify the coding mistakes that could cause the failure.
Option A: The developer's template does not use the Ref intrinsic function to refer to the subnets.
- Reasoning: The `Ref` intrinsic function in CloudFormation is used to reference AWS resources in a template. However, in this case, the subnets were created by a separate template, so referring to them by `Ref` wouldn't work unless the subnets were created as part of the current template's resources. Since the subnets are created in a different template, simply using `Ref` won’t resolve them properly, especially if they are not explicitly imported into the developer’s template.
- Rejection: This option is incorrect because the subnets are not resources within the developer’s template, and thus `Ref` alone won’t resolve them.
Option B: The developer's template does not use the ImportValue intrinsic function to refer to the subnets.
- Reasoning: If the subnets are created in another CloudFormation stack (the network team's stack), they need to be exported from that stack to be imported into the developer's template. The `ImportValue` intrinsic function is used to reference exported values from other CloudFormation stacks. If the subnets are exported in the network team's stack, the developer must use `ImportValue` to refer to them in their template.
- Selected: This is the correct option because `ImportValue` is necessary to import values from another stack, such as subnets that were created separately.
Option C: The Mappings section of the developer's template does not refer to the subnets.
- Reasoning: The Mappings section of a CloudFormation template is used for creating static lookup tables based on keys and values, ofte...
Author: Krishna · Last updated May 18, 2026
A developer is running an application on an Amazon EC2 instance. When the application tries to read an Amazon S3 bucket, the application fails. The developer notices that the associated IAM role is missing the S3 read permission. The developer needs to give the application ...
Let's break down each option and analyze how it aligns with the requirement of giving the application the ability to read from the S3 bucket with the least disruption to the application.
Option A: Add the permission to the role. Terminate the existing EC2 instance. Launch a new EC2 instance.
- Reasoning: This option involves terminating the existing EC2 instance and launching a new one after updating the IAM role. While this would solve the issue of the missing S3 permission, terminating the EC2 instance would lead to unnecessary downtime and application disruption, especially if it's a critical application.
- Rejection: This solution introduces significant disruption, as it requires terminating and restarting the instance, which can cause downtime.
Option B: Add the permission to the role so that the change will take effect automatically.
- Reasoning: When permissions are added to an IAM role, the changes take effect automatically for any EC2 instance that assumes the role. The EC2 instance does not need to be restarted, and the application will be able to access the S3 bucket as soon as the permission is granted. This is the least disruptive approach because it allows the application to continue running without needing to restart or re-launch any resources.
- Selected: This is the best solution because it applies the permission change without requiring any downtime or disruption. The instance will automatically have the updated permissions as soon as the IAM role is modified.
Option C: Add the permission to the role. Hiber...
Author: Carlos Garcia · Last updated May 18, 2026
A developer is writing a web application that is deployed on Amazon EC2 instances behind an internet-facing Application Load Balancer (ALB). The developer must add an Amazon CloudFront distribution in front of the ALB. The developer also must ensure that customer data from outside the VPC is encrypted in t...
To meet the requirement that customer data from outside the VPC is encrypted in transit while placing an Amazon CloudFront distribution in front of an Application Load Balancer (ALB), the developer needs to focus on the settings that enforce HTTPS communication and thereby ensure secure data transmission.
Option A: Restrict viewer access by using signed URLs.
- Reasoning: Signed URLs in CloudFront allow you to control access to specific content, such as for private content or when access needs to be restricted based on certain conditions. However, restricting access using signed URLs is not necessary to meet the requirement of encrypting customer data in transit. This setting is more for security purposes related to controlling access rather than encrypting data.
- Rejection: This option is not necessary for ensuring encryption in transit, and it adds complexity that isn't required by the given scenario.
Option B: Set the Origin Protocol Policy setting to Match Viewer.
- Reasoning: The Origin Protocol Policy determines how CloudFront communicates with the origin (the ALB in this case). Setting it to Match Viewer means that CloudFront will use HTTPS to reach the origin if the client used HTTPS to connect. This setting ensures that the communication between CloudFront and the origin (ALB) will be encrypted whenever the client's request is encrypted. It ensures that CloudFront respects the viewer's protocol and secures the data in transit from the client to the ALB.
- Selected: This is the correct choice because it ensures that CloudFront respects the viewer's protocol and encrypts data between the viewer and the ALB, fulfilling the requirement of encryption in transit.
Option C: Enable field-level encryption.
- Reasoning: Field-level encryption is a security feature that encrypts specific data fields (such as user credentials or payment information) before sending them to the origin ser...
Author: Leah · Last updated May 18, 2026
A developer is implementing an AWS Lambda function that will be invoked when an object is uploaded to Amazon S3. The developer wants to test the Lambda function in a local development machine before publishing the function to a produc...
To meet the requirement of testing the AWS Lambda function locally before publishing it to the AWS production environment, we need to consider the simplicity of local testing with minimal overhead. Let's evaluate each option:
Option A: Upload an object to Amazon S3 using the `aws s3api put-object` CLI command. Wait for the local Lambda invocation from the S3 event.
- Reasoning: This option relies on invoking the Lambda function through an S3 event, which would occur in a live AWS environment. To trigger the event locally, the Lambda would need to be published in AWS and connected to an S3 bucket in the cloud. This defeats the purpose of local testing because the Lambda would only trigger once the object is uploaded to S3 in AWS. Additionally, waiting for such a trigger introduces latency and complicates the local testing process.
- Rejected: Not efficient for local testing because it requires interacting with AWS resources and does not minimize operational overhead.
Option B: Create a sample JSON text file for a `put-object` S3 event. Invoke the Lambda function locally. Use the `aws lambda invoke` CLI command with the JSON file and Lambda function name as arguments.
- Reasoning: This option is a step toward simulating the S3 event locally but does not fully emulate the environment in which the event is triggered. It still assumes that Lambda is invoked through the AWS CLI, which might not fully represent the actual AWS S3-to-Lambda integration. The Lambda function might be expecting specific triggers or context data related to the S3 service that would not be fully replicated in this scenario.
- Rejected: This is better than option A but still misses emulating a full event scenario with the minimal...