Practice Exam 2
-
A company is developing a new online game that will run on top of Amazon ECS. Four distinct Amazon ECS services will be part of the architecture, each requiring specific permissions to various AWS services. The company wants to optimize the use of the underlying Amazon EC2 instances by bin packing the containers based on memory reservation. Which configuration would allow the Development team to meet these requirements MOST securely?
- A. Create a new Identity and Access Management (IAM) instance profile containing the required permissions for the various ECS services, then associate that instance role with the underlying EC2 instances.
- B. Create four distinct IAM roles, each containing the required permissions for the associated ECS service, then configure each ECS service to reference the associated IAM role.
- C. Create four distinct IAM roles, each containing the required permissions for the associated ECS service, then create an IAM group and configure the ECS cluster to reference that group.
- D. Create four distinct IAM roles, each containing the required permissions for the associated ECS service, then configure each ECS task definition to reference the associated IAM role.
Answer
Correct Answer: D
-
A Developer must re-implement the business logic for an order fulfilment system. The business logic has to make requests to multiple vendors to decide where to purchase an item. The whole process can take up to a week to complete. What is the MOST efficient and SIMPLEST way to implement a system that meets these requirements?
- A. Use AWS Step Functions to execute parallel Lambda functions, and join the results.
- B. Create an AWS SQS for each vendor, poll the queue from a worker instance, and join the results.
- C. Use AWS Lambda to asynchronously call a Lambda function for each vendor, and join the results.
- D. Use Amazon CloudWatch Events to orchestrate the Lambda functions.
Answer
Correct Answer: A
-
A mobile app stores blog posts in an Amazon DynamoDB table. Millions of posts are added every day, and each post represents a single item in the table. The mobile app requires only recent posts. Any post that is older than 48 hours can be removed. What is the MOST cost-effective way to delete posts that are older than 48 hours?
- A. For each item, add a new attribute of type `String` that has a timestamp that is set to the blog post creation time. Create a script to find old posts with a table scan and remove posts that are older than 48 hours by using the `BatchWriteItem` API operation. Schedule a cron job on an Amazon EC2 instance once an hour to start the script.
- B. For each item, add a new attribute of type `String` that has a timestamp that is set to the blog post creation time. Create a script to find old posts with a table scan and remove posts that are older than 48 hours by using the `BatchWriteItem` API operation. Place the script in a container image. Schedule an Amazon Elastic Container Service (Amazon ECS) task on AWS Fargate that invokes the container every 5 minutes.
- C. For each item, add a new attribute of type `Date` that has a timestamp that is set to 48 hours after the blog post creation time. Create a Global Secondary Index (GSI) that uses the new attribute as a sort key. Create an AWS Lambda function that references the GSI and removes expired items by using the `BatchWriteItem` API operation. Schedule the function with an Amazon CloudWatch event every minute.
- D. For each item, add a new attribute of type `Number` that has a timestamp that is set to 48 hours after the blog post creation time. Configure the DynamoDB table with a TTL that references the new attribute.
Answer
Correct Answer: D
-
A Developer is receiving HTTP `400:ThrottlingException` errors intermittently when calling the Amazon CloudWatch API. When a call fails, no data is retrieved. What best practice should first be applied to address this issue?
- A. Contact AWS Support for a limit increase.
- B. Use the AWS CLI to get the metrics.
- C. Analyze the applications and remove the API call.
- D. Retry the call with exponential backoff.
Answer
Correct Answer: D
-
An application processes millions of events in real time that are received through an API. What service could be used to allow multiple consumers to process the data concurrently and MOST cost-effectively?
- A. Amazon SNS with fanout to an SQS queue for each application.
- B. Amazon SNS with fanout to an SQS FIFO (first-in, first-out) queue for each application.
- C. Amazon Kinesis Firehose.
- D. Amazon Kinesis Streams.
Answer
Correct Answer: D
-
Where should the `appspec.yml` file be placed in order for AWS CodeDeploy to work?
- A. In the root of the application source code directory structure.
- B. In the `bin` folder along with all the compiled code.
- C. In an S3 bucket.
- D. In the same folder as the application configuration files.
Answer
Correct Answer: A
-
An application will ingest data at a very high throughput from many sources and must store the data in an Amazon S3 bucket. Which service would BEST accomplish this task?
- A. Amazon Kinesis Firehose.
- B. Amazon S3 Acceleration Transfer.
- C. Amazon SQS.
- D. Amazon SNS.
Answer
Correct Answer: A
-
A Developer is creating a Lambda function and will be using external libraries that are not included in the standard Lambda libraries. What action would minimize the Lambda compute time consumed?
- A. Install the dependencies and external libraries at the beginning of the Lambda function.
- B. Create a Lambda deployment package that includes the external libraries.
- C. Copy the external libraries to Amazon S3, and reference the external libraries to the S3 location.
- D. Install the external libraries in a Lambda layer to be available to all Lambda functions.
Answer
Correct Answer: D
-
During non-peak hours, a Developer wants to minimize the execution time of a full Amazon DynamoDB table scan without affecting normal workloads. The workloads average half of the strongly consistent read capacity units during non-peak hours. How would the Developer optimize this scan?
- A. Use parallel scans while limiting the rate.
- B. Use sequential scans.
- C. Increase read capacity units during the scan operation.
- D. Change consistency to eventually consistent during the scan operation.
Answer
Correct Answer: A
-
A large e-commerce site is being designed to deliver static objects from Amazon S3. The Amazon S3 bucket will serve more than 300 GET requests per second. What should be done to optimize performance? (Choose TWO)
- A. Integrate Amazon CloudFront with Amazon S3.
- B. Enable Amazon S3 cross-region replication.
- C. Delete expired Amazon S3 server log files.
- D. Configure Amazon S3 lifecycle rules.
- E. Randomize Amazon S3 key name prefixes.
Answer
Correct Answer: AE
-
A legacy service has an XML-based SOAP interface. The Developer wants to expose the functionality of the service to external clients with the Amazon API Gateway. Which technique will accomplish this?
- A. Create a RESTful API with the API Gateway; transform the incoming JSON into a valid XML message for the SOAP interface using mapping templates.
- B. Create a RESTful API with the API Gateway; pass the incoming JSON to the SOAP interface through an Application Load Balancer.
- C. Create a RESTful API with the API Gateway; pass the incoming XML to the SOAP interface through an Application Load Balancer.
- D. Create a RESTful API with the API Gateway; transform the incoming XML into a valid message for the SOAP interface using mapping templates.
Answer
Correct Answer: A
-
A Developer has an application that can upload tens of thousands of objects per second to Amazon S3 in parallel within a single AWS account. As part of new requirements, data stored in S3 must use server-side encryption with AWS KMS (SSE-KMS). After making this change, performance of the application is slower. Which of the following is MOST likely the cause of the application latency?
- A. Amazon S3 throttles the rate at which uploaded objects can be encrypted using Customer Master Keys.
- B. The AWS KMS API calls limit is less than needed to achieve the desired performance.
- C. The client encryption of the objects is using a poor algorithm.
- D. KMS requires that an alias be used to create an independent display name that can be mapped to a CM.
Answer
Correct Answer: B
-
A customer wants to deploy its source code on an AWS Elastic Beanstalk environment. The customer needs to perform the deployment with minimal outage and should only use existing instances to retain the application access log. What deployment policy would satisfy these requirements?
- A. Rolling.
- B. All at once.
- C. Rolling with an additional batch.
- D. Immutable.
Answer
Correct Answer: A
-
A Developer has set up an Amazon Kinesis Stream with 4 shards to ingest a maximum of 2500 records per second. A Lambda function has been configured to process these records. In which order will these records be processed?
- A. Lambda will receive each record in the reverse order it was placed into the stream following a LIFO (last-in, first-out) method.
- B. Lambda will receive each record in the exact order it was placed into the stream following a FIFO (first-in, first-out) method.
- C. Lambda will receive each record in the exact order it was placed into the shard following a FIFO (first-in, first-out) method. There is no guarantee of order across shards.
- D. The Developer can select FIFO (first-in, first-out), LIFO (last-in, first-out), random, or request a specific record using the getRecords API.
Answer
Correct Answer: C
-
An organization must store thousands of sensitive audio and video files in an Amazon S3 bucket. Organizational security policies require that all data written to this bucket be encrypted. How can compliance with this policy be ensured?
- A. Use AWS Lambda to send notifications to the security team if unencrypted objects are put in the bucket.
- B. Configure an Amazon S3 bucket policy to prevent the upload of objects that do not contain the `x-amz-server-side-encryption` header.
- C. Create an Amazon CloudWatch event rule to verify that all objects stored in the Amazon S3 bucket are encrypted.
- D. Configure an Amazon S3 bucket policy to prevent the upload of objects that contain the `x-amz-server-side-encryption` header.
Answer
Correct Answer: B
-
An application is designed to use Amazon SQS to manage messages from many independent senders. Each sender’s messages must be processed in the order they are received. Which SQS feature should be implemented by the Developer?
- A. Configure each sender with a unique MessageGroupId.
- B. Enable MessageDeduplicationIds on the SQS queue.
- C. Configure each message with unique MessageGroupIds.
- D. Enable ContentBasedDeduplication on the SQS queue.
Answer
Correct Answer: A
-
A Developer created a dashboard for an application using Amazon API Gateway, Amazon S3, AWS Lambda, and Amazon RDS. The Developer needs an authentication mechanism allowing a user to sign in and view the dashboard. It must be accessible from mobile applications, desktops, and tablets, and must remember user preferences across platforms. Which AWS service should the Developer use to support this authentication scenario?
- A. AWS KMS.
- B. Amazon Cognito.
- C. AWS Directory Service.
- D. Amazon IAM.
Answer
Correct Answer: B
-
A Lambda function is packaged for deployment to multiple environments, including development, test, production, etc. Each environment has a unique set of resources such as databases, etc. How can the Lambda function use the resources for the current environment?
- A. Apply tags to the Lambda functions.
- B. Hardcode resources in the source code.
- C. Use environment variables for the Lambda functions.
- D. Use separate functions for development and production.
Answer
Correct Answer: C
-
A Developer needs temporary access to resources in a second account. What is the MOST secure way to achieve this?
- A. Use the Amazon Cognito user pools to get short-lived credentials for the second account.
- B. Create a dedicated IAM access key for the second account, and send it by mail.
- C. Create a cross-account access role, and use the `sts:AssumeRole` API to get short-lived credentials.
- D. Establish trust, and add an SSH key for the second account to the IAM user.
Answer
Correct Answer: C
-
A Developer needs to use AWS X-Ray to monitor an application that is deployed on EC2 instances. What steps have to be executed to perform the monitoring?
- A. Deploy the X-Ray SDK with the application and use X-Ray annotation.
- B. Install the X-Ray daemon and instrument the application code.
- C. Install the X-Ray daemon and configure it to forward data to Amazon CloudWatch Events.
- D. Deploy the X-Ray SDK with the application and instrument the application code.
Answer
Correct Answer: B
-
A Developer is creating an Auto Scaling group whose instances need to publish a custom metric to Amazon CloudWatch. Which method would be the MOST secure way to authenticate a CloudWatch PUT request?
- A. Create an IAM user with `PutMetricData` permission and put the user credentials in a private repository; have applications pull the credentials as needed.
- B. Create an IAM user with `PutMetricData` permission, and modify the Auto Scaling launch configuration to inject the user credentials into the instance user data.
- C. Modify the CloudWatch metric policies to allow the `PutMetricData` permission to instances from the Auto Scaling group.
- D. Create an IAM role with `PutMetricData` permission and modify the Auto Scaling launch configuration to launch instances using that role.
Answer
Correct Answer: D
-
A Developer is working on an application that tracks hundreds of millions of product reviews in an Amazon DynamoDB table. The records include the data elements shown in the table. Which field, when used as the partition key, would result in the MOST consistent performance using DynamoDB?

- A. `starRating`.
- B. `reviewID`.
- C. `comment`.
- D. `productID`.
Answer
Correct Answer: B
-
A development team consists of 10 team members. Similar to a home directory for each team member, the manager wants to grant access to user-specific folders in an Amazon S3 bucket. For the team member with the username `TeamMemberX`, the snippet of the IAM policy looks like this. Instead of creating distinct policies for each team member, what approach can be used to make this policy snippet generic for all team members?
- A. Use IAM policy condition.
- B. Use IAM policy principal.
- C. Use IAM policy variables.
- D. Use IAM policy resource.
Answer
Correct Answer: A
-
A company needs to encrypt data at rest, but it wants to leverage an AWS managed service using its own master key. Which of the following AWS services can be used to meet these requirements?
- A. SSE with Amazon S3.
- B. SSE with AWS KMS.
- C. Client-side encryption.
- D. AWS IAM roles and policies.
Answer
Correct Answer: B
-
A Developer has created a software package to be deployed on multiple EC2 instances using IAM roles. What actions could be performed to verify IAM access to get records from Amazon Kinesis Streams? (Select TWO)
- A. Use the AWS CLI to retrieve the IAM group.
- B. Query Amazon EC2 metadata for in-line IAM policies.
- C. Request a token from AWS STS, and perform a describe action.
- D. Perform a get action using the `--dry-run` argument.
- E. Validate the IAM role policy with the IAM policy simulator.
Answer
Correct Answer: DE
-
A company wants to implement continuous integration for its workloads on AWS. The company wants to trigger unit tests in its pipeline for commits on its code repository, and wants to be notified of failure events in the pipeline. How can these requirements be met?
- A. Store the source code in AWS CodeCommit. Create a CodePipeline to automate unit testing. Use Amazon SNS to trigger notifications of failure events.
- B. Store the source code in GitHub. Create a CodePipeline to automate unit testing. Use Amazon SES to trigger notifications of failure events.
- C. Store the source code on GitHub. Create a CodePipeline to automate unit testing. Use Amazon CloudWatch to trigger notifications of failure events.
- D. Store the source code in AWS CodeCommit. Create a CodePipeline to automate unit testing. Use Amazon CloudWatch to trigger notification of failure events.
Answer
Correct Answer: A
-
An application takes 40 seconds to process instructions received in an Amazon SQS message. Assuming the SQS queue is configured with the default `VisibilityTimeout` value, what is the BEST way, upon receiving a message, to ensure that no other instances can retrieve a message that has already been processed or is currently being processed?
- A. Use the `ChangeMessageVisibility` API to increase the `VisibilityTimeout`, then use the `DeleteMessage` API to delete the message.
- B. Use the `DeleteMessage` API call to delete the message from the queue, then call `DeleteQueue` API to remove the queue.
- C. Use the `ChangeMessageVisibility` API to decrease the timeout value, then use the `DeleteMessage` API to delete the message.
- D. Use the `DeleteMessageVisibility` API to cancel the `VisibilityTimeout`, then use the `DeleteMessage` API to delete the message.
Answer
Correct Answer: A
-
A Developer is developing an application that manages financial transactions. To improve security, multi-factor authentication (MFA) will be required as part of the login protocol. What services can the Developer use to meet these requirements?
- A. Amazon DynamoDB to store MFA session data, and Amazon SNS to send MFA codes.
- B. Amazon Cognito with MFA.
- C. AWS Directory Service.
- D. AWS IAM with MFA enabled.
Answer
Correct Answer: B
-
A Developer is writing transactions into a DynamoDB table called `SystemUpdates` that has 5 write capacity units. Which option has the highest read throughput?
- A. Eventually consistent reads of 5 read capacity units reading items that are 4 KB in size.
- B. Strongly consistent reads of 5 read capacity units reading items that are 4 KB in size.
- C. Eventually consistent reads of 15 read capacity units reading items that are 1 KB in size.
- D. Strongly consistent reads of 15 read capacity units reading items that are 1 KB in size.
Answer
Correct Answer: A
-
A Developer has created an S3 bucket `s3://mycoolapp` and has enabled server access logging that points to the folder `s3://mycoolapp/logs`. The Developer moved 100 KB of Cascading Style Sheets (CSS) documents to the folder `s3://mycoolapp/css`, and then stopped work. When the developer came back a few days later, the bucket was 50 GB. What is the MOST likely cause of this situation?
- A. The CSS files were not compressed and S3 versioning was enabled.
- B. S3 replication was enabled on the bucket.
- C. Logging into the same bucket caused exponential log growth.
- D. An S3 lifecycle policy has moved the entire CSS file to S3 Infrequent Access.
Answer
Correct Answer: C
-
A Developer is testing a Docker-based application that uses the AWS SDK to interact with Amazon DynamoDB. In the local development environment, the application has used IAM access keys. The application is now ready for deployment onto an ECS cluster. How should the application authenticate with AWS services in production?
- A. Configure an ECS task IAM role for the application to use.
- B. Refactor the application to call AWS STS `AssumeRole` based on an instance role.
- C. Configure AWS access key/secret access key environment variables with new credentials.
- D. Configure the credentials file with a new access key/secret access key.
Answer
Correct Answer: A
-
A company is using AWS CodeBuild to compile a website from source code stored in AWS CodeCommit. A recent change to the source code has resulted in the CodeBuild project being unable to successfully compile the website. How should the Developer identify the cause of the failures?
- A. Modify the `buildspec.yml` file to include steps to send the output of build commands to Amazon CloudWatch.
- B. Use a custom Docker image that includes the AWS X-Ray agent in the AWS CodeBuild project configuration.
- C. Check the build logs of the failed phase in the last build attempt in the AWS CodeBuild project build history.
- D. Manually re-run the build process on a local machine so that the output can be visualized.
Answer
Correct Answer: C
-
For a deployment using AWS CodeDeploy, what is the run order of the hooks for in-place deployments?
- A. Before Install -> Application Stop -> Application Start -> After Install.
- B. Application Stop -> Before Install -> After Install -> Application Start.
- C. Before Install -> Application Stop -> Validate Service -> Application Start.
- D. Application Stop -> Before Install -> Validate Service -> Application Start.
Answer
Correct Answer: B
-
A Developer executed an AWS CLI command and received the error shown below. What action should the Developer perform to make this error human-readable?

- A. Make a call to AWS KMS to decode the message.
- B. Use the AWS STS `decode-authorization-message` API to decode the message.
- C. Use an open source decoding library to decode the message.
- D. Use the AWS IAM `decode-authorization-message` API to decode this message.
Answer
Correct Answer: B
-
A Developer uses AWS CodeDeploy to automate application deployment that connects to an external MySQL database. The Developer wants to securely access the encrypted secrets, such as API keys and database passwords. Which of the following solutions would involve the LEAST administrative effort?
- A. Save the secrets in Amazon S3 with AWS KMS server-side encryption, and use a signed URL to access them by using the IAM role from Amazon EC2 instances.
- B. Use the instance metadata to store the secrets and to programmatically access the secrets from EC2 instances.
- C. Use the Amazon DynamoDB client-side encryption library to save the secrets in DynamoDB and to programmatically access the secrets from EC2 instances.
- D. Use AWS SSM Parameter Store to store the secrets and to programmatically access them by using the IAM role from EC2 instances.
Answer
Correct Answer: D
-
An application stops working with the following error: `The specified bucket does not exist`. Where is the BEST place to start the root cause analysis?
- A. Check the Elastic Load Balancer logs for `DeleteBucket` requests.
- B. Check the application logs in Amazon CloudWatch Logs for Amazon S3 `DeleteBucket` errors.
- C. Check AWS X-Ray for Amazon S3 `DeleteBucket` alarms.
- D. Check AWS CloudTrail for a `DeleteBucket` event.
Answer
Correct Answer: D
-
A Developer will be using the AWS CLI on a local development server to manage AWS services. What can be done to ensure that the CLI uses the Developer’s IAM permissions when making commands?
- A. Specify the Developer’s IAM access key ID and secret access key as parameters for each CLI command.
- B. Run the `aws configure` CLI command, and provide the Developer’s IAM access key ID and secret access key.
- C. Specify the Developer’s IAM user name and password as parameters for each CLI command.
- D. Use the Developer’s IAM role when making the CLI command.
Answer
Correct Answer: B
-
An application stores images in an S3 bucket. Amazon S3 event notifications are used to trigger a Lambda function that resizes the images. Processing each image takes less than a second. How will AWS Lambda handle the additional traffic?
- A. Lambda will scale out to execute the requests concurrently.
- B. Lambda will handle the requests sequentially in the order received.
- C. Lambda will process multiple images in a single execution.
- D. Lambda will add more compute to each execution to reduce processing time.
Answer
Correct Answer: A
-
A company is building a stock trading application that requires sub-millisecond latency in processing trading requests. Amazon DynamoDB is used to store all the trading data that is used to process each request. After load testing the application, the development team found that due to data retrieval times, the latency requirement is not satisfied. Because of sudden high spikes in the number of requests, DynamoDB read capacity has to be significantly over-provisioned to avoid throttling. What steps should be taken to meet latency requirements and reduce the cost of running the application?
- A. Add Global Secondary Indexes for trading data.
- B. Store trading data in Amazon S3 and use Transfer Acceleration.
- C. Add retries with exponential back-off for DynamoDB queries.
- D. Use DynamoDB Accelerator to cache trading data.
Answer
Correct Answer: D
-
A Developer created a Lambda function for a web application backend. When testing the Lambda function from the AWS Lambda console, the Developer can see that the function is being executed, but there is no log data being generated in Amazon CloudWatch Logs, even after several minutes. What could cause this situation?
- A. The Lambda function does not have any explicit log statements for the log data to send it to CloudWatch Logs.
- B. The Lambda function is missing CloudWatch Logs as a source trigger to send log data.
- C. The execution role for the Lambda function is missing permissions to write log data to the CloudWatch Logs.
- D. The Lambda function is missing a target CloudWatch Log group.
Answer
Correct Answer: C
-
A Developer wants to use AWS X-Ray to trace a user request end-to-end throughout the software stack. The Developer made the necessary changes in the application, tested it, and found that the application is able to send the traces to AWS X-Ray. However, when the application is deployed to an EC2 instance, the traces are not available. Which of the following could create this situation? (Choose TWO)
- A. The traces are reaching X-Ray, but the Developer does not have access to view the records.
- B. The X-Ray daemon is not installed on the EC2 instance.
- C. The X-Ray endpoint specified in the application configuration is incorrect.
- D. The instance role does not have `xray:BatchGetTraces` and `xray:GetTraceGraph` permissions.
- E. The instance role does not have `xray:PutTraceSegments` and `xray:PutTelemetryRecords` permissions.
Answer
Correct Answer: BE
-
An application has hundreds of users. Each user may use multiple devices to access the application. The Developer wants to assign unique identifiers to these users regardless of the device they use. Which of the following methods should be used to obtain unique identifiers?
- A. Create a user table in Amazon DynamoDB as key-value pairs of users and their devices. Use these keys as unique identifiers.
- B. Use IAM-generated access key IDs for the users as the unique identifier, but do not store secret keys.
- C. Implement developer-authenticated identities by using Amazon Cognito, and get credentials for these identities.
- D. Assign IAM users and roles to the users. Use the unique IAM resource ID as the unique identifier.
Answer
Correct Answer: C
-
What are the steps to using the AWS CLI to launch a templatized serverless application?
- A. Use AWS CloudFormation get-template then CloudFormation execute-change-set.
- B. Use AWS CloudFormation validate-template then CloudFormation create-change-set.
- C. Use AWS CloudFormation package then CloudFormation deploy.
- D. Use AWS CloudFormation create-stack then CloudFormation update-stack.
Answer
Correct Answer: C
-
A deployment package uses the AWS CLI to copy files into any S3 bucket in the account, using access keys stored in environment variables. The package is running on EC2 instances, and the instances have been modified to run with an assumed IAM role and a more restrictive policy that allows access to only one bucket. After the change, the Developer logs into the host and still has the ability to write into all of the S3 buckets in that account. What is the MOST likely cause of this situation?
- A. An IAM inline policy is being used on the IAM role.
- B. An IAM managed policy is being used on the IAM role.
- C. The AWS CLI is corrupt and needs to be reinstalled.
- D. The AWS credential provider looks for instance profile credentials last.
Answer
Correct Answer: B
-
An application overwrites an object in Amazon S3, and then immediately reads the same object. Why would the application sometimes retrieve the old version of the object?
- A. S3 overwrite PUTS are eventually consistent, so the application may read the old object.
- B. The application needs to add extra metadata to label the latest version when uploading to Amazon S3.
- C. All S3 PUTS are eventually consistent, so the application may read the old object.
- D. The application needs to explicitly specify latest version when retrieving the object.
Answer
Correct Answer: A
-
An application under development is required to store hundreds of video files. The data must be encrypted within the application prior to storage, with a unique key for each video file. How should the Developer code the application?
- A. Use the `KMS Encrypt` API to encrypt the data. Store the encrypted data key and data.
- B. Use a cryptography library to generate an encryption key for the application. Use the encryption key to encrypt the data. Store the encrypted data.
- C. Use the `KMS GenerateDataKey` API to get a data key. Encrypt the data with the data key. Store the encrypted data key and data.
- D. Upload the data to an S3 bucket using server-side encryption with an AWS KMS key.
Answer
Correct Answer: C
-
A developer is testing an application that invokes an AWS Lambda function asynchronously. During the testing phase, the Lambda function fails to process after two retries. How can the developer troubleshoot the failure?
- A. Configure AWS CloudTrail logging to investigate the invocation failures.
- B. Configure Dead Letter Queues by sending events to Amazon SQS for investigation.
- C. Configure Amazon Simple Workflow Service to process any direct unprocessed events.
- D. Configure AWS Config to process any direct unprocessed events.
Answer
Correct Answer: B
-
A developer is setting up Amazon API Gateway for their company’s products. The API will be used by registered developers to query and update their environments. The company wants to limit the number of requests end users can send for both cost and security reasons. Management wants to offer registered developers the option of buying larger packages that allow for more requests. How can the developer accomplish this with the LEAST amount of overhead management?
- A. Enable throttling for the API Gateway stage. Set a value for both the rate and burst capacity. If a registered user chooses a larger package, create a stage for them, adjust the values, and share the new URL with them.
- B. Set up Amazon CloudWatch API logging in API Gateway. Create a filter based on the user and requestTime fields and create an alarm on this filter. Write an AWS Lambda function to analyze the values and requester information, and respond accordingly. Set up the function as the target for the alarm. If a registered user chooses a larger package, update the Lambda code with the values.
- C. Enable Amazon CloudWatch metrics for the API Gateway stage. Set up CloudWatch alarms based on the Count metric and the ApiName, Method, Resource, and Stage dimensions to alert when request rates pass the threshold. Set the alarm action to `Deny`. If a registered user chooses a larger package, create a user-specific alarm and adjust the values.
- D. Set up a default usage plan, specify values for the rate and burst capacity, and associate it with a stage. If a registered user chooses a larger package, create a custom plan with the appropriate values and associate the plan with the user.
Answer
Correct Answer: D
-
A developer is refactoring a monolithic application. The application takes a POST request and performs several operations. Some of the operations are in parallel while others run sequentially. These operations have been refactored into individual AWS Lambda functions. The POST request will be processed by Amazon API Gateway. How should the developer invoke the Lambda functions in the same sequence using API Gateway?
- A. Use Amazon SQS to invoke the Lambda functions.
- B. Use an AWS Step Functions activity to run the Lambda functions.
- C. Use Amazon SNS to trigger the Lambda functions.
- D. Use an AWS Step Functions state machine to orchestrate the Lambda functions.
Answer
Correct Answer: D
-
A company is adding stored value (or gift card) capability to its highly popular casual gaming website. Users need to be able to trade this value for other users’ items on the platform. This would require both users’ records be updated as a single transaction, or both users’ records to be completely rolled back. Which AWS database options can provide the transactional capability required for this new feature? (Choose TWO)
- A. Amazon DynamoDB with operations made with the ConsistentRead parameter set to true.
- B. Amazon ElastiCache for Memcached with operations made within a transaction block.
- C. Amazon Aurora MySQL with operations made within a transaction block.
- D. Amazon DynamoDB with reads and writes made using Transact* operations.
- E. Amazon Redshift with operations made within a transaction block.
Answer
Correct Answer: CD
-
A developer is creating an AWS Lambda function that generates a new file each time it runs. Each new file must be checked into an AWS CodeCommit repository hosted in the same AWS account. How should the developer accomplish this?
- A. When the Lambda function starts, use the Git CLI to clone the repository. Check the new file into the cloned repository and push the change.
- B. After the new file is created in Lambda, use cURL to invoke the CodeCommit API. Send the file to the repository.
- C. Use an AWS SDK to instantiate a CodeCommit client. Invoke the put_file method to add the file to the repository.
- D. Upload the new file to an Amazon S3 bucket. Create an AWS Step Function to accept S3 events. In the Step Function, add the new file to the repository.
Answer
Correct Answer: A
-
A developer must ensure that the IAM credentials used by an application in Amazon EC2 are not misused or compromised. What should the developer use to keep user credentials secure?
- A. Environment variables.
- B. AWS credentials file.
- C. Instance profile credentials.
- D. Command line options.
Answer
Correct Answer: C
-
A company has an application where reading objects from Amazon S3 is based on the type of user. The user types are registered user and guest user. The company has 25,000 users and is growing. Information is pulled from an S3 bucket depending on the user type. Which approaches are recommended to provide access to both user types? (Choose TWO)
- A. Provide a different access key and secret access key in the application code for registered users and guest users to provide read access to the objects.
- B. Use S3 bucket policies to restrict read access to specific IAM users.
- C. Use Amazon Cognito to provide access using authenticated and unauthenticated roles.
- D. Create a new IAM user for each user and grant read access.
- E. Use the AWS IAM service and let the application assume the different roles using the AWS Security Token Service (AWS STS) AssumeRole action depending on the type of user and provide read access to Amazon S3 using the assumed role.
Answer
Correct Answer: CE
-
A company has 25,000 employees and is growing. The company is creating an application that will be accessible to its employees only. A developer is using Amazon S3 to store images and Amazon RDS to store application data. The company requires that all employee information remain in the legacy Security Assertion Markup Language (SAML) employee directory only and is not interested in mirroring any employee information on AWS. How can the developer provide authorized access for the employees who will be using this application so each employee can access their own application data only?
- A. Use Amazon VPC and keep all resources inside the VPC, and use a VPC link for the S3 bucket with the bucket policy.
- B. Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy.
- C. Use an Amazon Cognito identity pool, federate with the SAML provider, and use an IAM condition key with a value for the cognito-identity.amazonaws.com:sub variable to grant access to the employees.
- D. Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only.
Answer
Correct Answer: C
-
A company has developed a new serverless application using AWS Lambda functions that will be deployed using the AWS Serverless Application Model (AWS SAM) CLI. Which step should the developer complete prior to deploying the application?
- A. Compress the application to a .zip file and upload it into AWS Lambda.
- B. Test the new AWS Lambda function by first tracing it in AWS X-Ray.
- C. Bundle the serverless application using a SAM package.
- D. Create the application environment using the eb create my-env command.
Answer
Correct Answer: C
-
An application needs to encrypt data that is written to Amazon S3 where the keys are managed in an on-premises data center, and the encryption is handled by S3. Which type of encryption should be used?
- A. Use server-side encryption with Amazon S3-managed keys.
- B. Use server-side encryption with AWS KMS-managed keys.
- C. Use client-side encryption with customer master keys.
- D. Use server-side encryption with customer-provided keys.
Answer
Correct Answer: D
-
A development team is working on a mobile app that allows users to upload pictures to Amazon S3. The team expects the app will be used by hundreds of thousands of users during a single event simultaneously. Once the pictures are uploaded, the backend service will scan and parse the pictures for inappropriate content. Which approach is the MOST resilient way to achieve this goal, which also smooths out temporary volume spikes for the backend service?
- A. Develop an AWS Lambda function to check the upload folder in the S3 bucket. If new uploaded pictures are detected, the Lambda function will scan and parse them.
- B. Once a picture is uploaded to Amazon S3, publish the event to an Amazon SQS queue. Use the queue as an event source to trigger an AWS Lambda function. In the Lambda function, scan and parse the picture.
- C. When the user uploads a picture, invoke an API hosted in Amazon API Gateway. The API will invoke an AWS Lambda function to scan and parse the picture.
- D. Create a state machine in AWS Step Functions to check the upload folder in the S3 bucket. If a new picture is detected, invoke an AWS Lambda function to scan and parse it.
Answer
Correct Answer: B
-
A development team wants to run their container workloads on Amazon ECS. Each application container needs to share data with another container to collect logs and metrics. What should the developer team do to meet these requirements?
- A. Create two pod specifications. Make one to include the application container and the other to include the other container. Link the two pods together.
- B. Create two task definitions. Make one to include the application container and the other to include the other container. Mount a shared volume between the two tasks.
- C. Create one task definition. Specify both containers in the definition. Mount a shared volume between those two containers.
- D. Create a single pod specification. Include both containers in the specification. Mount a persistent volume to both containers.
Answer
Correct Answer: C
-
An ecommerce startup is preparing for an annual sales event. As the traffic to the company’s application increases, the development team wants to be notified when the Amazon EC2 instance’s CPU utilization exceeds 80%. Which solution will meet this requirement?
- A. Create a custom Amazon CloudWatch alarm that sends a notification to an Amazon SNS topic when the CPU utilization exceeds 80%.
- B. Create a custom AWS CloudTrail alarm that sends a notification to an Amazon SNS topic when the CPU utilization exceeds 80%.
- C. Create a cron job on the EC2 instance that executes the –describe-instance-information command on the host instance every 15 minutes and sends the results to an Amazon SNS topic.
- D. Create an AWS Lambda function that queries the AWS CloudTrail logs for the CPUUtilization metric every 15 minutes and sends a notification to an Amazon SNS topic when the CPU utilization exceeds 80%.
Answer
Correct Answer: A
-
An application running on Amazon EC2 opens connections to an Amazon RDS SQL Server database. The developer does not want to store the user name and password for the database in the code. The developer would also like to automatically rotate the credentials. What is the MOST secure way to store and access the database credentials?
- A. Create an IAM role that has permissions to access the database. Attach the role to the EC2 instance.
- B. Use AWS Secrets Manager to store the credentials. Retrieve the credentials from Secrets Manager as needed.
- C. Store the credentials in an encrypted text file in an Amazon S3 bucket. Configure the EC2 instance’s user data to download the credentials from Amazon S3 as the instance boots.
- D. Store the user name and password credentials directly in the source code. No further action is needed because the source code is stored in a private repository.
Answer
Correct Answer: B
-
A developer is updating an application deployed on AWS Elastic Beanstalk. The new version is incompatible with the old version. To successfully deploy the update, a full cutover to the new, updated version must be performed on all instances at one time, with the ability to roll back changes in case of a deployment failure in the new version. How can this be performed with the LEAST amount of downtime?
- A. Use the Elastic Beanstalk All at once deployment policy to update all instances simultaneously.
- B. Perform an Elastic Beanstalk Rolling with additional batch deployment.
- C. Deploy the new version in a new Elastic Beanstalk environment and swap environment URLs.
- D. Perform an Elastic Beanstalk Rolling deployment.
Answer
Correct Answer: C
-
A developer is writing a web application that must share secure documents with end users. The documents are stored in a private Amazon S3 bucket. The application must allow only authenticated users to download specific documents when requested, and only for a duration of 15 minutes. How can the developer meet these requirements?
- A. Copy the documents to a separate S3 bucket that has a lifecycle policy for deletion after 15 minutes.
- B. Create a presigned S3 URL using the AWS SDK with an expiration time of 15 minutes.
- C. Use server-side encryption with AWS KMS managed keys (SSE-KMS) and download the documents using HTTPS.
- D. Modify the S3 bucket policy to only allow specific users to download the documents. Revert the change after 15 minutes.
Answer
Correct Answer: B
-
A company is developing a report executed by AWS Step Functions. Amazon CloudWatch shows errors in the Step Functions task state machine. To troubleshoot each task, the state input needs to be included along with the error message in the state output. Which coding practice can preserve both the original input and the error for the state?
- A. Use ResultPath in a Catch statement to include the error with the original input.
- B. Use InputPath in a Catch statement and set the value to null.
- C. Use ErrorEquals in a Retry statement to include the error with the original input.
- D. Use OutputPath in a Retry statement and set the value to $.
Answer
Correct Answer: A
-
A developer receives the following error message when trying to launch or terminate an Amazon EC2 instance using a boto3 script. What should the developer do to correct this error message?

- A. Assign an IAM role to the EC2 instance to allow necessary API calls on behalf of the client.
- B. Implement an exponential backoff algorithm for optimizing the number of API requests made to Amazon EC2.
- C. Increase the overall network bandwidth to handle higher API request rates.
- D. Upgrade to the latest AWS CLI version so that boto3 can handle higher request rates.
Answer
Correct Answer: B
-
Given the following AWS CloudFormation template, what is the MOST efficient way to reference the new Amazon S3 bucket from another AWS CloudFormation template?

- A. Add an Export declaration to the Outputs section of the original template and use ImportValue in other templates.
- B. Add Exported: true to the ContentBucket in the original template and use ImportResource in other templates.
- C. Create a custom AWS CloudFormation resource that gets the bucket name from the ContentBucket resource of the first stack.
- D. Use Fn::Include to include the existing template in other templates and use the ContentBucket resource directly.
Answer
Correct Answer: A