303 questions · instant answer feedback · concise explanations · free
Question 1 of 303An e-commerce company manages a digital catalog of consumer products submitted by third-party sellers. Each product submission includes a description stored as a text file in an Amazon S3 bucket. These descriptions may include ingredient information for consumable products like snacks, supplements, or beverages. The company wants to build a fully automated solution that extracts ingredient names from the uploaded product descriptions and uses those names to query an Amazon DynamoDB table, which returns precomputed health and safety scores for each ingredient. Non-food items and invalid submissions can be ignored without affecting application logic. The company has no in-house machine learning (ML) experts and is looking for the most cost-effective solution with minimal operational overhead. Which solution meets these requirements MOST cost-effectively?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Configure S3 Event Notifications to trigger an AWS Lambda function whenever a new product description is uploaded. Inside the function, use Amazon Comprehend's custom entity recognition feature to extract ingredient names. Store these names in the DynamoDB table and let the front-end application query for health scores
Amazon Comprehend custom entity recognition provides managed text analysis without requiring machine learning expertise. SageMaker requires ML skills, Lookout for Vision handles image analysis, and Amazon Transcribe processes audio rather than text files.
Question 2 of 303A digital wallet company plans to launch a new cloud-based service for processing user cash transfers and peer-to-peer payments. The application will receive transaction requests from mobile clients via a secure endpoint. Each transaction request must go through a lightweight validation step before being forwarded for backend processing, which includes fraud detection, ledger updates, and notifications. The backend workload is compute- and memory-intensive, requires scaling based on volume, and must run for a longer duration than typical short-lived tasks. The engineering team prefers a fully managed solution that minimizes infrastructure maintenance, including provisioning and patching of virtual machines or containers. Which solution will meet these requirements with the LEAST operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Expose an Amazon API Gateway REST API endpoint to receive transaction requests from mobile clients. Integrate the API with AWS Lambda to perform basic validation. For backend processing, deploy the long-running application to Amazon ECS using the Fargate launch type, allowing ECS to manage compute and memory provisioning automatically, with no server management required
API Gateway secures incoming requests, Lambda handles lightweight validation, and Fargate provides serverless compute for long-running heavy workloads. EKS with self-managed nodes, Lightsail, and EKS Anywhere all introduce infrastructure patching burdens.
Question 3 of 303A retail company runs a customer management system backed by a Microsoft SQL Server database. The system is tightly integrated with applications that rely on T-SQL queries. The company wants to modernize its infrastructure by migrating to Amazon Aurora PostgreSQL, but it needs to avoid major modifications to the existing application logic. Which combination of actions should the company take to achieve this goal with minimal application refactoring? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Deploy Babelfish for Aurora PostgreSQL to enable support for T-SQL commands · E. Use AWS Schema Conversion Tool (AWS SCT) along with AWS Database Migration Service (AWS DMS) to migrate the schema and data
Babelfish for Aurora PostgreSQL enables applications to run T-SQL queries directly, minimizing application refactoring. AWS Schema Conversion Tool and Database Migration Service handle schema translation and data transfer, whereas standard endpoints or AWS Glue lack native protocol conversion.
Question 4 of 303A healthcare company is developing a secure internal web portal hosted on AWS. The application must communicate with legacy systems that reside in the company's on-premises data centers. These data centers are connected to AWS via a site-to-site VPN. The company uses Amazon Route 53 as its DNS solution and requires the application to resolve private DNS records for the on-premises services from within its Amazon VPC. What is the MOST secure and appropriate way to meet these DNS resolution requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Create a Route 53 Resolver outbound endpoint. Define a forwarding rule that routes DNS queries for on-premises domains to the on-premises DNS server. Associate the rule with the VPC
A Route 53 Resolver outbound endpoint securely forwards DNS queries from a VPC to on-premises DNS servers across a VPN. Inbound endpoints serve the opposite direction, while private hosted zones are not authoritative for external infrastructure.
Question 5 of 303A retail analytics company operates a large-scale data lake on Amazon S3, where they store daily logs of customer transactions, product views, and inventory updates. Each morning, they need to transform and load the data into a data warehouse to support fast analytical queries. The company also wants to enable data analysts to build and train machine learning (ML) models using familiar SQL syntax without writing custom Python code. The architecture must support massively parallel processing (MPP) for fast data aggregation and scoring, and must use serverless AWS services wherever possible to reduce infrastructure management and operational overhead. Which solution best meets these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use a daily AWS Glue job to transform and clean the data stored in Amazon S3. Load the transformed dataset into Amazon Redshift Serverless, which offers MPP capabilities in a serverless model. Enable analysts to use Amazon Redshift ML to build and train ML models
AWS Glue provides serverless ETL, Amazon Redshift Serverless delivers massively parallel processing for analytics, and Redshift ML enables SQL-based model training. Provisioned EMR and RDS fail the strict serverless requirements.
Question 6 of 303A news network uses Amazon Simple Storage Service (Amazon S3) to aggregate the raw video footage from its reporting teams across the US. The news network has recently expanded into new geographies in Europe and Asia. The technical teams at the overseas branch offices have reported huge delays in uploading large video files to the destination Amazon S3 bucket. Which of the following are the MOST cost-effective options to improve the file upload speed into Amazon S3? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Use multipart uploads for faster file uploads into the destination Amazon S3 bucket · C. Use Amazon S3 Transfer Acceleration (Amazon S3TA) to enable faster file uploads into the destination S3 bucket
Amazon S3 Transfer Acceleration and multipart upload optimize large file transfers over long distances. Direct Connect and Site-to-Site VPN are costly infrastructure provisions rather than simple transfer optimizations, and AWS Global Accelerator does not route traffic directly to S3 buckets.
Question 7 of 303A healthcare analytics company centralizes clinical and operational datasets in an Amazon S3–based data lake. Incoming data is ingested in Apache Parquet format from multiple hospitals and wearable health devices. To ensure quality and standardization, the company applies several transformation steps: anomaly filtering, datetime normalization, and aggregation by patient cohort. The company needs a solution to support a code-free interface that enables data engineers and business analysts to collaborate on data preparation workflows. The company also requires data lineage tracking, data profiling capabilities, and an easy way to share transformation logic across teams without writing or managing code. Which AWS solution best meets these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use AWS Glue DataBrew to visually build transformation workflows on top of the raw Parquet files in S3. Use DataBrew recipes to track, audit, and share the transformation steps with others. Enable data profiling to inspect column statistics, null values, and data types across datasets
AWS Glue DataBrew is a visual data preparation tool that enables code-free transformations, data profiling, and shareable recipes for lineage tracking. AWS Glue Studio requires underlying Spark scripts and lacks built-in data profiling, making it less suitable for business analysts.
Question 8 of 303A large financial institution operates an on-premises data center with hundreds of petabytes of data managed on Microsoft's Distributed File System (DFS). The CTO wants the organization to transition into a hybrid cloud environment and run data-intensive analytics workloads that support DFS. Which of the following AWS services can facilitate the migration of these workloads?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Amazon FSx for Windows File Server
Amazon FSx for Windows File Server provides fully managed file storage accessible via SMB and natively supports Microsoft's Distributed File System. FSx for Lustre targets high-performance computing, while AWS Managed Microsoft AD handles identity rather than file system workloads.
Question 9 of 303The DevOps team at an e-commerce company wants to perform some maintenance work on a specific Amazon EC2 instance that is part of an Auto Scaling group using a step scaling policy. The team is facing a maintenance challenge – every time the team deploys a maintenance patch, the instance health check status shows as out of service for a few minutes. This causes the Auto Scaling group to provision another replacement instance immediately. As a solutions architect, which are the MOST time/resource efficient steps that you would recommend so that the maintenance work can be completed at the earliest? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Put the instance into the Standby state and then update the instance by applying the maintenance patch. Once the instance is ready, you can exit the Standby state and then return the instance to service · B. Suspend the ReplaceUnhealthy process type for the Auto Scaling group and apply the maintenance patch to the instance. Once the instance is ready, you can manually set the instance's health status back to healthy and activate the ReplaceUnhealthy process type again
Placing an instance in Standby state or suspending the ReplaceUnhealthy process prevents Auto Scaling from terminating it during temporary health check failures. ScheduledActions are irrelevant, and recreating instances is highly inefficient, eliminating those distractors.
Question 10 of 303A data analytics company measures what consumers watch and what advertising they're exposed to. This real-time data is ingested into its on-premises data center. Subsequently, the daily data feed is compressed into a single file and uploaded to Amazon S3 for backup. The typical compressed file size is around 2 gigabytes. Which of the following is the fastest way to upload the daily compressed file to Amazon S3?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Upload the compressed file using multipart upload with Amazon S3 Transfer Acceleration (Amazon S3TA)
S3 Transfer Acceleration speeds up long-distance public internet transfers by routing traffic through Amazon CloudFront edge locations. Combining this with a multipart upload parallelizes the file transfer, maximizing throughput over your available bandwidth. Option D correctly leverages both.
Question 11 of 303A file-hosting service uses Amazon Simple Storage Service (Amazon S3) under the hood to power its storage offerings. Currently all the customer files are uploaded directly under a single Amazon S3 bucket. The engineering team has started seeing scalability issues where customer file uploads have started failing during the peak access hours with more than 5000 requests per second. Which of the following is the MOST resource efficient and cost-optimal way of addressing this issue?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Change the application architecture to create customer-specific custom prefixes within the single Amazon S3 bucket and then upload the daily files into those prefixed locations
S3 scales automatically by distributing requests across distinct prefixes. Using customer-specific prefixes within a single bucket parallelizes the uploads, successfully bypassing the bottleneck of the baseline request rate. Creating multiple buckets or migrating storage types introduces unnecessary operational overhead.
Question 12 of 303A digital event-ticketing platform hosts its core transaction-processing service on AWS. The service runs on Amazon EC2 instances and stores finalized transactions in an Amazon Aurora PostgreSQL database. During periods of high user activity, such as flash ticket sales or holiday promotions, the application begins timing out, causing failed or delayed purchases. A solutions architect has been asked to redesign the backend for scalability and cost-efficiency without reengineering the database layer. Which combination of actions will meet these goals in the most cost-effective and scalable manner? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Modify the application to publish purchase events to an Amazon SQS queue. Launch an Auto Scaling group of EC2 workers that poll the queue and process purchases asynchronously · C. Implement Amazon RDS Proxy between the application and the Aurora PostgreSQL cluster. Deploy EC2 instances in an Auto Scaling group to retry transactions as needed
Amazon RDS Proxy efficiently pools database connections to prevent timeouts during compute scaling. Amazon SQS decouples transaction processing to buffer traffic bursts asynchronously. Caching transactions or slowing traffic with API Gateway risks data loss or user friction.
Question 13 of 303A software company has a globally distributed team of developers that requires secure and compliant access to AWS environments. The company manages multiple AWS accounts under AWS Organizations and uses an on-premises Microsoft Active Directory for user authentication. To simplify access control and identity governance across projects and accounts, the company wants a centrally managed solution that integrates with their existing infrastructure. The solution should require the least amount of ongoing operational management. Which approach best meets the company's requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS Directory Service AD Connector to connect AWS to the on-premises Active Directory. Integrate AD Connector with AWS IAM Identity Center. Use permission sets to assign access to AWS accounts and resources based on Active Directory group membership
AWS IAM Identity Center provides a centralized access portal and uses permission sets to manage accounts via Active Directory group membership. Integrating it with an AD Connector delegates authentication to the existing on-premises directory, completely eliminating the need to manage a separate cloud identity store.
Question 14 of 303A video analytics company runs data-intensive batch processing workloads that generate large log files and metadata daily. These files are currently stored in an on-premises NFS-based storage system located in the company's primary data center. However, the storage system is becoming increasingly difficult to scale and is unable to meet the company's growing storage demands. The IT team wants to migrate to a cloud-based storage solution that minimizes costs, retains NFS compatibility, and supports automated tiering of rarely accessed data to lower-cost storage. The team prefers to continue using existing NFS-based tools and protocols for compatibility with their current application stack. Which solution will meet these requirements MOST cost-effectively?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Deploy an AWS Storage Gateway File Gateway on premises. Configure it to present an NFS-compatible file share to the workloads. Store the uploaded files in Amazon S3, and use S3 Lifecycle policies to automatically transition infrequently accessed objects to lower-cost storage classes
A File Gateway provides seamless NFS compatibility to existing applications while transparently storing files as S3 objects. This combination utilizes unlimited cloud storage and native lifecycle policies. Volume and FSx options require unnecessary architecture changes or protocol conversions.
Question 15 of 303A healthcare startup needs to enforce compliance and regulatory guidelines for objects stored in Amazon S3. One of the key requirements is to provide adequate protection against accidental deletion of objects. As a solutions architect, what are your recommendations to address these guidelines? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Enable multi-factor authentication (MFA) delete on the Amazon S3 bucket · E. Enable versioning on the Amazon S3 bucket
Amazon S3 versioning preserves, retrieves, and restores overwritten or accidentally deleted objects. Enabling multi-factor authentication delete adds a secondary authentication requirement, preventing unauthorized or accidental permanent deletions. SNS alerts or managerial approvals do not technically restrict the deletion action.
Question 16 of 303A research group runs its flagship application on a fleet of Amazon EC2 instances for a specialized task that must deliver high random I/O performance. Each instance in the fleet would have access to a dataset that is replicated across the instances by the application itself. Because of the resilient application architecture, the specialized task would continue to be processed even if any instance goes down, as the underlying application would ensure the replacement instance has access to the required dataset. Which of the following options is the MOST cost-optimal and resource-efficient solution to build this fleet of Amazon EC2 instances?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Instance Store based Amazon EC2 instances
Instance store volumes provide high random I/O performance and are physically attached to the host computer. Because the application replicates data across the fleet, ephemeral storage is the most cost-optimal and resource-efficient choice. Block storage like EBS incurs extra costs for provisioned IOPS.
Question 17 of 303A government agency is developing an online application to assist users in submitting permit requests through a web-based interface. The system architecture consists of a front-end web application tier and a background processing tier that handles the validation and submission of the forms. The application is expected to see high traffic and it must ensure that every submitted request is processed exactly once, with no loss of data. Which design choice best satisfies these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Implement an Amazon SQS FIFO queue to reliably buffer and deliver form submissions from the web application layer to the processing tier
Amazon SQS FIFO queues guarantee exactly-once message processing and preserve the order of operations. Standard queues only offer at-least-once delivery, risking duplicates, making FIFO the required choice for strict data integrity and reliable permit submissions.
Question 18 of 303A leading video streaming service delivers billions of hours of content from Amazon Simple Storage Service (Amazon S3) to customers around the world. Amazon S3 also serves as the data lake for its big data analytics solution. The data lake has a staging zone where intermediary query results are kept only for 24 hours. These results are also heavily referenced by other parts of the analytics pipeline. Which of the following is the MOST cost-effective strategy for storing this intermediary query data?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Store the intermediary query results in Amazon S3 Standard storage class
Amazon S3 Standard is the most cost-effective storage class for frequently accessed data with a lifespan of only 24 hours. Infrequent Access classes incur retrieval fees and minimum duration charges, making them more expensive for heavily referenced, short-lived data.
Question 19 of 303The engineering team at an e-commerce company wants to establish a dedicated, encrypted, low latency, and high throughput connection between its data center and AWS Cloud. The engineering team has set aside sufficient time to account for the operational overhead of establishing this connection. As a solutions architect, which of the following solutions would you recommend to the company?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS Direct Connect plus virtual private network (VPN) to establish a connection between the data center and AWS Cloud
AWS Direct Connect provides a dedicated, low latency, high throughput connection, but it is not encrypted by default. Adding a virtual private network ensures the traffic remains fully encrypted. Therefore, Direct Connect combined with a VPN satisfies all requirements.
Question 20 of 303A software engineering intern at an e-commerce company is documenting the process flow to provision Amazon EC2 instances via the Amazon EC2 API. These instances are to be used for an internal application that processes Human Resources payroll data. He wants to highlight those volume types that cannot be used as a boot volume. Can you help the intern by identifying those storage volume types that CANNOT be used as boot volumes while creating the instances? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Throughput Optimized Hard disk drive (st1) · D. Cold Hard disk drive (sc1)
Amazon EBS HDD-backed volumes like Throughput Optimized HDD and Cold HDD are optimized for large streaming workloads and cannot be used as boot volumes. Solid state drive backed volumes and Instance Store are the only valid options for booting an EC2 instance.
Question 21 of 303A US-based healthcare startup is building an interactive diagnostic tool for COVID-19 related assessments. The users would be required to capture their personal health records via this tool. As this is sensitive health information, the backup of the user data must be kept encrypted in Amazon S3. The startup does not want to provide its own encryption keys but still wants to maintain an audit trail of when an encryption key was used and by whom. Which of the following is the BEST solution for this use case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use server-side encryption with AWS Key Management Service keys (SSE-KMS) to encrypt the user data on Amazon S3
Server-side encryption with AWS Key Management Service keys provides a detailed audit trail through AWS CloudTrail showing exactly when keys are used. SSE-S3 lacks this audit capability, while SSE-C and client-side encryption require the customer to manage keys.
Question 22 of 303A leading social media analytics company is contemplating moving its dockerized application stack into AWS Cloud. The company is not sure about the pricing for using Amazon ECS with the EC2 launch type compared to Amazon ECS with the Fargate launch type. Which of the following is correct regarding the pricing for these two services?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Amazon ECS with EC2 launch type is charged based on EC2 instances and EBS volumes used. Amazon ECS with Fargate launch type is charged based on vCPU and memory resources that the containerized application requests
Amazon ECS with the EC2 launch type bills for underlying infrastructure like EC2 and EBS volumes, while Fargate bills per vCPU and memory consumed. Understanding Fargate's serverless pricing model versus EC2 infrastructure management is key.
Question 23 of 303A biotechnology firm runs genomics data analysis workloads using AWS Lambda functions deployed inside a VPC in their central AWS account. The input data for these workloads consists of large files stored in an Amazon EFS that resides in a separate AWS account managed by a research partner. The firm wants the Lambda function in their account to access the shared EFS storage directly. The access pattern and file volume are expected to grow as additional research datasets are added over time, so the solution must be scalable and cost-efficient, and should require minimal operational overhead. Which solution best meets these requirements in the MOST cost-effective way?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon EFS resource policies to allow cross-account access to the file system from the central account. Attach the EFS mount target to a shared VPC or peered VPC, and mount the file system in the Lambda function configuration using an EFS access point
Amazon EFS supports cross-account mounting using resource policies and access points over a peered VPC. Lambda layers have size limits, proxy functions add latency, and copying large datasets to S3 creates unnecessary operational overhead.
Question 24 of 303A new DevOps engineer has joined a large financial services company recently. As part of his onboarding, the IT department is conducting a review of the checklist for tasks related to AWS IAM. As an AWS Certified Solutions Architect – Associate, which best practices would you recommend? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Configure AWS CloudTrail to log all AWS Identity and Access Management (AWS IAM) actions · E. Enable AWS Multi-Factor Authentication (AWS MFA) for privileged users
Enabling MFA for privileged users and logging actions via CloudTrail are foundational security best practices. Sharing credentials, granting maximum privileges, and using user credentials for EC2 instances violate least privilege principles.
Question 25 of 303The IT department at a consulting firm is conducting a training workshop for new developers. As part of an evaluation exercise on Amazon S3, the new developers were asked to identify the invalid storage class lifecycle transitions for objects stored on Amazon S3. Can you spot the INVALID lifecycle transitions from the options below? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Amazon S3 Intelligent-Tiering => Amazon S3 Standard · E. Amazon S3 One Zone-IA => Amazon S3 Standard-IA
S3 lifecycle transitions prohibit moving objects back to the Standard class or upgrading from One Zone-IA to Standard-IA. S3 uses a waterfall model where objects can move down to colder tiers, but never upward to warmer, more redundant classes.
Question 26 of 303An Electronic Design Automation (EDA) application produces massive volumes of data that can be divided into two categories. The 'hot data' needs to be both processed and stored quickly in a parallel and distributed fashion. The 'cold data' needs to be kept for reference with quick access for reads and updates at a low cost. Which of the following AWS services is BEST suited to accelerate the aforementioned chip design process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Amazon FSx for Lustre
Amazon FSx for Lustre is optimized for high-performance computing workloads like chip design, offering parallel processing for hot data and S3 integration for cold data. AWS Glue and EMR handle data analytics, while Windows File Server targets SMB workloads.
Question 27 of 303An enterprise runs a microservices-based application on Amazon EKS, deployed on EC2 worker nodes. The application includes a frontend UI service that interacts with Amazon DynamoDB and a data-processing service that stores and retrieves files from Amazon S3. The organization needs to strictly enforce least privilege access: the UI Pods must access only DynamoDB, and the data-processing Pods must access only S3. Which solution will best enforce these access controls within the EKS cluster?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Create separate Kubernetes service accounts for the UI and data services. Use IAM Roles for Service Accounts (IRSA) to map each service account to an IAM role with only the required permissions. Assign DynamoDB access to the UI Pods and S3 access to the data Pods
IAM Roles for Service Accounts provides granular IAM permissions to individual Kubernetes pods. The node instance profile trap grants every pod on the node identical access, violating the required least privilege isolation.
Question 28 of 303An organization wants to delegate access to a set of users from the development environment so that they can access some resources in the production environment which is managed under another AWS account. As a solutions architect, which of the following steps would you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Create a new IAM role with the required permissions to access the resources in the production environment. The users can then assume this IAM role while accessing the resources from the production environment
Cross-account delegation relies on IAM roles to provide temporary security credentials. Sharing long-term IAM user credentials is an anti-pattern, and relying on it unnecessarily compromises your security posture across both environments.
Question 29 of 303A logistics company is building a multi-tier application to track the location of its trucks during peak operating hours. The company wants these data points to be accessible in real-time in its analytics platform via a REST API. The company has hired you as an AWS Certified Solutions Architect Associate to build a multi-tier solution to store and retrieve this location data for analysis. Which of the following options addresses the given use case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Leverage Amazon API Gateway with Amazon Kinesis Data Analytics
Amazon Kinesis Data Analytics processes streaming data in real-time, which pairs seamlessly with API Gateway to expose RESTful endpoints. Business intelligence tools and serverless compute services lack the native streaming integration required for real-time location tracking.
Question 30 of 303A new DevOps engineer has just joined a development team and wants to understand the replication capabilities for Amazon RDS Multi-AZ deployment as well as Amazon RDS Read-replicas. Which of the following correctly summarizes these capabilities for the given database?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Multi-AZ follows synchronous replication and spans at least two Availability Zones (AZs) within a single region. Read replicas follow asynchronous replication and can be within an Availability Zone (AZ), Cross-AZ, or Cross-Region
Amazon RDS Multi-AZ deployments use synchronous replication across availability zones for high availability. Read replicas use asynchronous replication to scale read capacity and can span across availability zones or regions.
Question 31 of 303The flagship application for a gaming company connects to an Amazon Aurora database and the entire technology stack is currently deployed in the United States. Now, the company has plans to expand to Europe and Asia for its operations. It needs the games table to be accessible globally but needs the users and games_played tables to be regional only. How would you implement this with minimal application refactoring?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use an Amazon Aurora Global Database for the games table and use Amazon Aurora for the users and games_played tables
Amazon Aurora Global Database replicates data globally with low latency, fulfilling the global table requirement. Maintaining regional data in Amazon Aurora minimizes application refactoring, whereas mixing in DynamoDB requires transitioning from SQL to NoSQL APIs.
Question 32 of 303The engineering team at a data analytics company has observed that its flagship application functions at its peak performance when the underlying Amazon Elastic Compute Cloud (Amazon EC2) instances have a CPU utilization of about 50%. The application is built on a fleet of Amazon EC2 instances managed under an Auto Scaling group. The workflow requests are handled by an internal Application Load Balancer that routes the requests to the instances. As a solutions architect, what would you recommend so that the application runs near its peak performance state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Configure the Auto Scaling group to use target tracking policy and set the CPU utilization as the target metric with a target value of 50%
Target tracking scaling policies automatically adjust capacity to maintain a specific metric, such as 50% CPU utilization. Step and simple scaling require manual CloudWatch alarms, lacking the continuous stabilization provided by target tracking.
Question 33 of 303A retail company's dynamic website is hosted using on-premises servers in its data center in the United States. The company is launching its website in Asia, and it wants to optimize the website loading times for new users in Asia. The website's backend must remain in the United States. The website is being launched in a few days, and an immediate solution is needed. What would you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon CloudFront with a custom origin pointing to the on-premises servers
Amazon CloudFront caches content at edge locations globally, reducing latency for international users while keeping the origin on-premises. Migrating to S3 fails the dynamic website requirement, and Route 53 routing alone cannot overcome the physical distance from the US servers.
Question 34 of 303A retail company has developed a REST API which is deployed in an Auto Scaling group behind an Application Load Balancer. The REST API stores the user data in Amazon DynamoDB and any static content, such as images, are served via Amazon Simple Storage Service (Amazon S3). On analyzing the usage trends, it is found that 90% of the read requests are for commonly accessed data across all users. As a Solutions Architect, which of the following would you suggest as the MOST efficient solution to improve the application performance?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Enable Amazon DynamoDB Accelerator (DAX) for Amazon DynamoDB and Amazon CloudFront for Amazon S3
Amazon DynamoDB Accelerator (DAX) delivers microsecond latency for DynamoDB reads without application code changes, while Amazon CloudFront provides low-latency access to static S3 assets. ElastiCache requires custom integration code, and Memcached cannot front S3 content.
Question 35 of 303The solo founder at a tech startup has just created a brand new AWS account. The founder has provisioned an Amazon EC2 instance 1A which is running in AWS Region A. Later, he takes a snapshot of the instance 1A and then creates a new Amazon Machine Image (AMI) in Region A from this snapshot. This AMI is then copied into another Region B. The founder provisions an instance 1B in Region B using this new AMI in Region B. At this point in time, what entities exist in Region B?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. 1 Amazon EC2 instance, 1 AMI and 1 snapshot exist in Region B
When an Amazon Machine Image is copied to a new region, the underlying Amazon EBS snapshot is also copied to that destination region. Launching the new instance from the copied AMI results in one instance, one AMI, and one snapshot residing in Region B.
Question 36 of 303The engineering team at an in-home fitness company is evaluating multiple in-memory data stores with the ability to power its on-demand, live leaderboard. The company's leaderboard requires high availability, low latency, and real-time processing to deliver customizable user data for the community of users working out together virtually from the comfort of their home. As a solutions architect, which of the following solutions would you recommend? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Power the on-demand, live leaderboard using Amazon ElastiCache for Redis as it meets the in-memory, high availability, low latency requirements · D. Power the on-demand, live leaderboard using Amazon DynamoDB with DynamoDB Accelerator (DAX) as it meets the in-memory, high availability, low latency requirements
Amazon ElastiCache for Redis and Amazon DynamoDB with DAX both provide the required in-memory caching for real-time leaderboards. Standard DynamoDB, Aurora, and Neptune are not natively in-memory data stores.
Question 37 of 303A company runs a data processing workflow that takes about 60 minutes to complete. The workflow can withstand disruptions and it can be started and stopped multiple times. Which is the most cost-effective solution to build a solution for the workflow?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon EC2 spot instances to run the workflow processes
Amazon EC2 Spot Instances offer significant cost savings for workloads that are flexible and fault-tolerant. AWS Lambda has a strict fifteen-minute execution timeout, and both On-Demand and Reserved Instances are more expensive for interruptible tasks.
Question 38 of 303The development team at an e-commerce startup has set up multiple microservices running on Amazon EC2 instances under an Application Load Balancer. The team wants to route traffic to multiple back-end services based on the URL path of the HTTP header. So it wants requests for https://www.example.com/orders to go to a specific microservice and requests for https://www.example.com/products to go to another microservice. Which of the following features of Application Load Balancers can be used for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Path-based Routing
Application Load Balancers use path-based routing to direct traffic based on the URL path, such as forward slashes for orders or products. Host-based routing relies on domain names, and query string routing uses URL parameters.
Question 39 of 303One of the biggest football leagues in Europe has granted the distribution rights for live streaming its matches in the USA to a silicon valley based streaming services company. As per the terms of distribution, the company must make sure that only users from the USA are able to live stream the matches on their platform. Users from other countries in the world must be denied access to these live-streamed matches. Which of the following options would allow the company to enforce these streaming restrictions? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Use Amazon Route 53 based geolocation routing policy to restrict distribution of content to only the locations in which you have distribution rights · E. Use georestriction to prevent users in specific geographic locations from accessing content that you're distributing through a Amazon CloudFront web distribution
Amazon Route 53 geolocation routing and Amazon CloudFront geo restriction enforce geographic content limits. Route 53 failover, latency, and weighted routing policies distribute traffic based on health or performance, not user location.
Question 40 of 303An e-commerce company is looking for a solution with high availability, as it plans to migrate its flagship application to a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. The solution should allow for content-based routing as part of the architecture. As a Solutions Architect, which of the following will you suggest for the company?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use an Application Load Balancer for distributing traffic to the Amazon EC2 instances spread across different Availability Zones (AZs). Configure Auto Scaling group to mask any failure of an instance
An Application Load Balancer operates at Layer 7 to enable content-based routing across multiple Availability Zones, fulfilling the high availability requirement. Network Load Balancers operate at Layer 4, and Auto Scaling groups alone cannot distribute traffic.
Question 41 of 303A leading carmaker would like to build a new car-as-a-sensor service by leveraging fully serverless components that are provisioned and managed automatically by AWS. The development team at the carmaker does not want an option that requires the capacity to be manually provisioned, as it does not want to respond manually to changing volumes of sensor data. Given these constraints, which of the following solutions is the BEST fit to develop this car-as-a-sensor service?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Ingest the sensor data in an Amazon Simple Queue Service (Amazon SQS) standard queue, which is polled by an AWS Lambda function in batches and the data is written into an auto-scaled Amazon DynamoDB table for downstream processing
Amazon SQS and AWS Lambda create a fully serverless, auto-scaling architecture for ingesting and processing sensor data. Options using Amazon EC2 require manual capacity planning, and Kinesis Data Firehose cannot write directly to Amazon DynamoDB.
Question 42 of 303The product team at a startup has figured out a market need to support both stateful and stateless client-server communications via the application programming interfaces (APIs) developed using its platform. You have been hired by the startup as a solutions architect to build a solution to fulfill this market need using Amazon API Gateway. Which of the following would you identify as correct?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Amazon API Gateway creates RESTful APIs that enable stateless client-server communication and Amazon API Gateway also creates WebSocket APIs that adhere to the WebSocket protocol, which enables stateful, full-duplex communication between client and server
Amazon API Gateway creates stateless RESTful APIs using standard HTTP methods and stateful WebSocket APIs for full-duplex communication. The distractors incorrectly assign stateful characteristics to REST APIs or stateless characteristics to WebSocket APIs, contradicting core protocol behaviors.
Question 43 of 303An IT company wants to review its security best-practices after an incident was reported where a new developer on the team was assigned full access to Amazon DynamoDB. The developer accidentally deleted a couple of tables from the production environment while building out a new feature. Which is the MOST effective way to address this issue so that such incidents do not recur?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use permissions boundary to control the maximum permissions employees can grant to the IAM principals
Permissions boundaries control the maximum permissions employees can grant to IAM principals, preventing excessive access. Removing all database access or relying on manual CTO reviews are impractical, and the root user should never perform daily administration.
Question 44 of 303A healthcare company uses its on-premises infrastructure to run legacy applications that require specialized customizations to the underlying Oracle database as well as its host operating system (OS). The company also wants to improve the availability of the Oracle database layer. The company has hired you as an AWS Certified Solutions Architect – Associate to build a solution on AWS that meets these requirements while minimizing the underlying infrastructure maintenance effort. Which of the following options represents the best solution for this use case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Leverage multi-AZ configuration of Amazon RDS Custom for Oracle that allows the Database Administrator (DBA) to access and customize the database environment and the underlying operating system
Amazon RDS Custom for Oracle provides managed database high availability while permitting administrative access to the underlying operating system. Standard Amazon RDS restricts OS access, and deploying on EC2 instances violates the requirement to minimize maintenance.
Question 45 of 303An IT consultant is helping the owner of a medium-sized business set up an AWS account. What are the security recommendations he must follow while creating the AWS account root user? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: D. Enable Multi Factor Authentication (MFA) for the AWS account root user account · E. Create a strong password for the AWS account root user
Securing the AWS account root user requires enabling multi-factor authentication and setting a strong password. Root access keys should never be created or shared, and sending credentials via email introduces severe security vulnerabilities, eliminating those distractors.
Question 46 of 303A gaming company is looking at improving the availability and performance of its global flagship application which utilizes User Datagram Protocol and needs to support fast regional failover in case an AWS Region goes down. The company wants to continue using its own custom Domain Name System (DNS) service. Which of the following AWS services represents the best solution for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. AWS Global Accelerator
AWS Global Accelerator improves non-HTTP UDP traffic performance and provides fast regional failover without requiring DNS changes. Route 53 is a DNS service, which contradicts the requirement to keep the custom DNS provider.
Question 47 of 303An IT security consultancy is working on a solution to protect data stored in Amazon S3 from any malicious activity as well as check for any vulnerabilities on Amazon EC2 instances. As a solutions architect, which of the following solutions would you suggest to help address the given requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon GuardDuty to monitor any malicious activity on data stored in Amazon S3. Use security assessments provided by Amazon Inspector to check for vulnerabilities on Amazon EC2 instances
Amazon GuardDuty continuously monitors accounts and S3 data for malicious activity using threat intelligence and machine learning. Amazon Inspector specifically assesses EC2 instances for unintended network accessibility and software vulnerabilities. The correct option pairs each service with its exact intended use case.
Question 48 of 303An Ivy League university is assisting NASA to find potential landing sites for exploration vehicles of unmanned missions to our neighboring planets. The university uses High Performance Computing (HPC) driven application architecture to identify these landing sites. Which of the following Amazon EC2 instance topologies should this application be deployed on?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The Amazon EC2 instances should be deployed in a cluster placement group so that the underlying workload can benefit from low network latency and high network throughput
High Performance Computing workloads require tightly coupled node-to-node communication. A cluster placement group logically packs instances close together inside an Availability Zone to deliver the necessary low latency and high network throughput. Spread and partition groups prioritize isolation instead of network performance.
Question 49 of 303A gaming company is developing a mobile game that streams score updates to a backend processor and then publishes results on a leaderboard. The company has hired you as an AWS Certified Solutions Architect Associate to design a solution that can handle major traffic spikes, process the mobile game updates in the order of receipt, and store the processed updates in a highly available database. The company wants to minimize the management overhead required to maintain the solution. Which of the following will you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Push score updates to Amazon Kinesis Data Streams which uses an AWS Lambda function to process these updates and then store these processed updates in Amazon DynamoDB
Amazon Kinesis Data Streams seamlessly handles massive ingestion while maintaining strict record ordering. Using an AWS Lambda consumer abstracts polling complexities and pairs perfectly with Amazon DynamoDB for zero-administration processing. EC2-based alternatives violate the constraint to minimize operational overhead.
Question 50 of 303The DevOps team at an e-commerce company has deployed a fleet of Amazon EC2 instances under an Auto Scaling group (ASG). The instances under the ASG span two Availability Zones (AZ) within the us-east-1 Region. All the incoming requests are handled by an Application Load Balancer (ALB) that routes the requests to the Amazon EC2 instances under the Auto Scaling Group. As part of a test run, two instances (instance 1 and 2, belonging to AZ A) were manually terminated by the DevOps team causing the Availability Zones (AZ) to have unbalanced resources. Later that day, another instance (belonging to AZ B) was detected as unhealthy by the Application Load Balancer's health check. Can you identify the correct outcomes for these events? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. As the resources are unbalanced in the Availability Zones, Amazon EC2 Auto Scaling will compensate by rebalancing the Availability Zones. When rebalancing, Amazon EC2 Auto Scaling launches new instances before terminating the old ones, so that rebalancing does not compromise the performance or availability of your application · D. Amazon EC2 Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then terminates it. Later, another scaling activity launches a new instance to replace the terminated instance
Amazon EC2 Auto Scaling compensates for unbalanced Availability Zones by launching new instances before terminating old ones to maintain availability. Conversely, when responding to an unhealthy instance, Auto Scaling creates a scaling activity to terminate it before launching a replacement.
Question 51 of 303A biotech research company needs to perform data analytics on real-time lab results provided by a partner organization. The partner stores these lab results in an Amazon RDS for MySQL instance within the partner's own AWS account. The research company has a private VPC that does not have internet access, Direct Connect, or a VPN connection. However, the company must establish secure and private connectivity to the RDS database in the partner's VPC. The solution must allow the research company to connect from its VPC while minimizing complexity and complying with data security requirements. Which solution will meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Instruct the partner to create a Network Load Balancer (NLB) in front of the Amazon RDS for MySQL instance. Use AWS PrivateLink to expose the NLB as an interface VPC endpoint in the research company's VPC
AWS PrivateLink provides private connectivity between VPCs without requiring internet gateways, VPN connections, or Direct Connect. By placing a Network Load Balancer in front of the database, the partner can securely expose the RDS instance as an interface endpoint.
Question 52 of 303A media company runs a photo-sharing web application that is accessed across three different countries. The application is deployed on several Amazon EC2 instances running behind an Application Load Balancer. With new government regulations, the company has been asked to block access from two countries and allow access only from the home country of the company. Which configuration should be used to meet this changed requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Configure AWS Web Application Firewall (AWS WAF) on the Application Load Balancer in a Amazon Virtual Private Cloud (Amazon VPC)
AWS Web Application Firewall provides geographic match conditions that allow or block web requests based on the viewer's geographic location. Security groups only filter IP addresses, and CloudFront geo restriction cannot attach directly to an Application Load Balancer inside a VPC.
Question 53 of 303A company has moved its business critical data to Amazon Elastic File System (Amazon EFS) which will be accessed by multiple Amazon EC2 instances. As an AWS Certified Solutions Architect – Associate, which of the following would you recommend to exercise access control such that only the permitted Amazon EC2 instances can read from the Amazon EFS file system? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Use an IAM policy to control access for clients who can mount your file system with the required permissions · E. Use VPC security groups to control the network traffic to and from your file system
Security groups restrict network access to the EFS mount targets. IAM policies evaluate identity-based authorization when mounting the file system. Network ACLs operate at the subnet boundary and lack the instance-level specificity required here.
Question 54 of 303A company uses Amazon S3 buckets for storing sensitive customer data. The company has defined different retention periods for different objects present in the Amazon S3 buckets, based on the compliance requirements. But, the retention rules do not seem to work as expected. Which of the following options represent a valid configuration for setting up retention periods for objects in Amazon S3 buckets? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. When you apply a retention period to an object version explicitly, you specify a Retain Until Date for the object version · D. Different versions of a single object can have different retention modes and periods
S3 Object Lock applies retention settings to individual object versions. You can specify an explicit retain until date for specific versions, and explicit settings override bucket default configurations.
Question 55 of 303A major bank is using Amazon Simple Queue Service (Amazon SQS) to migrate several core banking applications to the cloud to ensure high availability and cost efficiency while simplifying administrative complexity and overhead. The development team at the bank expects a peak rate of about 1000 messages per second to be processed via SQS. It is important that the messages are processed in order. Which of the following options can be used to implement this system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon SQS FIFO (First-In-First-Out) queue in batch mode of 4 messages per operation to process the messages at the peak rate
Amazon SQS FIFO queues support up to 3000 messages per second via batching, maintaining strict ordering. A standard queue offers best-effort ordering rather than strict ordering, failing the processing requirement, while a basic FIFO queue maxes out at 300 messages per second.
Question 56 of 303The sourcing team at the US headquarters of a global e-commerce company is preparing a spreadsheet of the new product catalog. The spreadsheet is saved on an Amazon Elastic File System (Amazon EFS) created in us-east-1 region. The sourcing team counterparts from other AWS regions such as Asia Pacific and Europe also want to collaborate on this spreadsheet. As a solutions architect, what is your recommendation to enable this collaboration with the LEAST amount of operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The spreadsheet on the Amazon Elastic File System (Amazon EFS) can be accessed in other AWS regions by using an inter-region VPC peering connection
Amazon EFS supports access across AWS regions via inter-region VPC peering, maintaining a single collaborative file system. Moving the spreadsheet to object storage or relational databases introduces significant operational overhead and requires custom application logic to simulate collaboration.
Question 57 of 303The payroll department at a company initiates several computationally intensive workloads on Amazon EC2 instances at a designated hour on the last day of every month. The payroll department has noticed a trend of severe performance lag during this hour. The engineering team has figured out a solution by using Auto Scaling Group for these Amazon EC2 instances and making sure that 10 Amazon EC2 instances are available during this peak usage hour. For normal operations only 2 Amazon EC2 instances are enough to cater to the workload. As a solutions architect, which of the following steps would you recommend to implement the solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Configure your Auto Scaling group by creating a scheduled action that kicks-off at the designated hour on the last day of the month. Set the desired capacity of instances to 10. This causes the scale-out to happen before peak traffic kicks in at the designated hour
Scheduled actions proactively adjust Auto Scaling group capacity for known recurring peaks by modifying the desired instance count. Target tracking policies react to metrics in real-time and cannot guarantee capacity ahead of designated schedule hours.
Question 58 of 303An audit department generates and accesses audit reports only twice in a financial year. The department uses AWS Step Functions to orchestrate the report creation process that has failover and retry scenarios built into the solution. The underlying data to create these audit reports is stored on Amazon S3, runs into hundreds of terabytes, and should be available with millisecond latency. As an AWS Certified Solutions Architect – Associate, which storage class is the MOST cost-effective for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
Amazon S3 Standard-IA is intended for data accessed less frequently but requiring rapid access when needed, offering millisecond latency at a lower storage price. Since the workflow includes built-in retry logic, the slightly lower SLA of Standard-IA is completely acceptable for this use case.
Question 59 of 303A financial services company operates a containerized microservices architecture using Kubernetes in its on-premises data center. Due to strict industry regulations and internal security policies, all application data and workloads must remain physically within the on-premises environment. The company's infrastructure team wants to modernize its Kubernetes stack and take advantage of AWS-managed services and APIs, including automated Kubernetes upgrades, Amazon CloudWatch integration, and access to AWS IAM features — but without migrating any data or compute resources to the cloud. Which AWS solution will best meet the company's requirements for modernization while ensuring that all data remains on premises?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Install an AWS Outposts rack in the company's data center. Use Amazon EKS Anywhere on Outposts to run containerized workloads locally while integrating with AWS APIs
AWS Outposts brings native AWS infrastructure and services directly into your on-premises data center. This allows you to run local compute and data while integrating with AWS APIs. However, option C is technically imprecise because EKS Anywhere is distinct from EKS on Outposts.
Question 60 of 303A junior scientist working with the Deep Space Research Laboratory at NASA is trying to upload a high-resolution image of a nebula into Amazon S3. The image size is approximately 3 gigabytes. The junior scientist is using Amazon S3 Transfer Acceleration (Amazon S3TA) for faster image upload. It turns out that Amazon S3TA did not result in an accelerated transfer. Given this scenario, which of the following is correct regarding the charges for this image transfer?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The junior scientist does not need to pay any transfer charges for the image upload
Amazon S3 Transfer Acceleration does not charge for uploads that are not accelerated. Data transferred into S3 from the internet is free, so you only pay standard or acceleration fees when the service functions correctly.
Question 61 of 303A social photo-sharing web application is hosted on Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancer. The app gives the users the ability to upload their photos and also shows a leaderboard on the homepage of the app. The uploaded photos are stored in Amazon Simple Storage Service (Amazon S3) and the leaderboard data is maintained in Amazon DynamoDB. The Amazon EC2 instances need to access both Amazon S3 and Amazon DynamoDB for these features. As a solutions architect, which of the following solutions would you recommend as the MOST secure option?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Attach the appropriate IAM role to the Amazon EC2 instance profile so that the instance can access Amazon S3 and Amazon DynamoDB
Attaching an IAM role to an EC2 instance profile uses temporary credentials to grant secure access to AWS services. Hardcoding long-term access keys on instances is a security risk, eliminating the options relying on manual credentials.
Question 62 of 303An enterprise uses a centralized Amazon S3 bucket to store logs and reports generated by multiple analytics services. Each service writes to and reads from a dedicated prefix (folder path) in the bucket. The company wants to enforce fine-grained access control so that each service can access only its own prefix, without being able to see or modify other services' data. The solution must support scalable and maintainable permissions management with minimal operational overhead. Which approach will best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Configure individual S3 access points for each analytics service. Attach access point policies that restrict access to only the relevant prefix in the S3 bucket
Amazon S3 Access Points provide scalable and manageable access control for shared datasets. By attaching distinct policies to dedicated access points, you isolate prefix-level permissions perfectly without maintaining massive bucket policies.
Question 63 of 303A company is looking at storing their less frequently accessed files on AWS that can be concurrently accessed by hundreds of Amazon EC2 instances. The company needs the most cost-effective file storage service that provides immediate access to data whenever needed. Which of the following options represents the best solution for the given requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Amazon Elastic File System (EFS) Standard–IA storage class
Amazon EFS Standard-Infrequent Access provides cost-effective, concurrent file storage for less frequently accessed data. Object storage lacks file system semantics, and EBS volumes cannot be mounted concurrently by hundreds of instances.
Question 64 of 303An e-commerce application uses an Amazon Aurora Multi-AZ deployment for its database. While analyzing the performance metrics, the engineering team has found that the database reads are causing high input/output (I/O) and adding latency to the write requests against the database. As an AWS Certified Solutions Architect Associate, what would you recommend to separate the read requests from the write requests?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Set up a read replica and modify the application to use the appropriate endpoint
Aurora read replicas offload read traffic via the cluster reader endpoint, reducing I/O contention on the writer instance. Options mentioning standby instances or built-in caching confuse Aurora with standard RDS or ElastiCache.
Question 65 of 303A video conferencing platform serves users worldwide through a globally distributed deployment of Amazon EC2 instances behind Network Load Balancers (NLBs) in several AWS Regions. The platform's architecture currently allows clients to connect to any Region via public endpoints, depending on how DNS resolves. However, users in regions far from the load balancers frequently experience high latency and slow connection times, especially during session initiation. The company wants to optimize the experience for global users by reducing end-to-end latency and load time while keeping the existing NLBs and EC2-based application infrastructure in place. Which solution will best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Deploy a standard accelerator in AWS Global Accelerator and register the existing regional NLBs as endpoints. Use the accelerator to route user requests through AWS's global edge network to the closest healthy Regional NLB
AWS Global Accelerator routes TCP and UDP traffic through the AWS global network, reducing latency for real-time applications using Network Load Balancers. CloudFront cannot cache Layer 4 traffic, making it unsuitable here.
Question 66 of 303A company has recently launched a new mobile gaming application that the users are adopting rapidly. The company uses Amazon RDS MySQL as the database. The engineering team wants an urgent solution to this issue where the rapidly increasing workload might exceed the available database storage. As a solutions architect, which of the following solutions would you recommend so that it requires minimum development and systems administration effort to address this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Enable storage auto-scaling for Amazon RDS MySQL
Enabling storage auto-scaling on an existing RDS database automatically expands capacity with zero administrative effort. Migrating to Aurora or DynamoDB requires unnecessary downtime and engineering overhead.
Question 67 of 303An IT company has built a solution wherein an Amazon Redshift cluster writes data to an Amazon S3 bucket belonging to a different AWS account. However, it is found that the files created in the Amazon S3 bucket using the UNLOAD command from the Amazon Redshift cluster are not even accessible to the Amazon S3 bucket owner. What could be the reason for this denial of permission for the bucket owner?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. By default, an Amazon S3 object is owned by the AWS account that uploaded it. So the Amazon S3 bucket owner will not implicitly have access to the objects written by the Amazon Redshift cluster
By default, Amazon S3 objects are owned by the AWS account that uploaded them, even when the destination bucket is owned by another account. The bucket owner must explicitly grant object ownership or use cross-account IAM roles to access the unloaded files.
Question 68 of 303A financial institution is transitioning its critical back-office systems to AWS. These systems currently rely on Microsoft SQL Server databases hosted on on-premises infrastructure. The data is highly sensitive and subject to regulatory compliance. The organization wants to enhance security and minimize database management tasks as part of the migration. Which solution will best meet these goals with the least operational burden?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Migrate the SQL Server databases to a Multi-AZ Amazon RDS for SQL Server deployment. Enable encryption at rest by using an AWS Key Management Service (AWS KMS) managed key
Amazon RDS for SQL Server provides a fully managed relational database, significantly reducing operational overhead compared to EC2. A Multi-AZ deployment ensures high availability, and AWS KMS encryption easily meets stringent security and compliance requirements.
Question 69 of 303Upon a security review of your AWS account, an AWS consultant has found that a few Amazon RDS databases are unencrypted. As a Solutions Architect, what steps must be taken to encrypt the Amazon RDS databases?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Take a snapshot of the database, copy it as an encrypted snapshot, and restore a database from the encrypted snapshot. Terminate the previous database
Amazon RDS does not allow you to enable encryption on an existing unencrypted database instance directly. You must create a snapshot of the database, copy it with encryption enabled, restore a new instance from the encrypted snapshot, and delete the old one.
Question 70 of 303A big data consulting firm needs to set up a data lake on Amazon S3 for a healthcare client. The data lake is split into raw and refined zones. For compliance reasons, the source data needs to be kept for a minimum of 5 years. The source data arrives in the raw zone and is then processed via an AWS Glue based extract, transform, and load (ETL) job into the refined zone. The business analysts run ad-hoc queries only on the data in the refined zone using Amazon Athena. The team is concerned about the cost of data storage in both the raw and refined zones as the data is increasing at a rate of 1 terabyte daily in each zone. As a solutions architect, which of the following would you recommend as the MOST cost-optimal solution? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Use AWS Glue ETL job to write the transformed data in the refined zone using a compressed file format · C. Setup a lifecycle policy to transition the raw zone data into Amazon S3 Glacier Deep Archive after 1 day of object creation
A lifecycle policy moves infrequently accessed raw data into Amazon S3 Glacier Deep Archive to minimize long-term storage costs. Writing refined data in a compressed format reduces storage expenses and improves Amazon Athena query performance.
Question 71 of 303The DevOps team at a major financial services company uses Multi-Availability Zone (Multi-AZ) deployment for its MySQL Amazon RDS database in order to automate its database replication and augment data durability. The DevOps team has scheduled a maintenance window for a database engine level upgrade for the coming weekend. Which of the following is the correct outcome during the maintenance window?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Any database engine level upgrade for an Amazon RDS database instance with Multi-AZ deployment triggers both the primary and standby database instances to be upgraded at the same time. This causes downtime until the upgrade is complete
Major database engine upgrades require downtime on Amazon RDS because both the primary and standby instances are upgraded simultaneously. This ensures they remain perfectly synchronized, ruling out options claiming zero downtime.
Question 72 of 303Your company has an on-premises Distributed File System Replication (DFSR) service to keep files synchronized on multiple Windows servers, and would like to migrate to AWS cloud. What do you recommend as a replacement for the DFSR?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Amazon FSx for Windows File Server
Amazon FSx for Windows File Server natively supports Windows environments and integrates with Microsoft Active Directory. It fully supports Distributed File System Replication, making it the ideal replacement for on-premises Windows file servers.
Question 73 of 303An IT company wants to optimize the costs incurred on its fleet of 100 Amazon EC2 instances for the next year. Based on historical analyses, the engineering team observed that 70 of these instances handle the compute services of its flagship application and need to be always available. The other 30 instances are used to handle batch jobs that can afford a delay in processing. As a solutions architect, which of the following would you recommend as the MOST cost-optimal solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Purchase 70 reserved instances (RIs) and 30 spot instances
Reserved Instances provide significant discounts for steady-state workloads requiring continuous availability. Spot Instances offer the lowest cost for flexible, interruptible tasks like batch processing, making this combination the most cost-optimal.
Question 74 of 303A Hollywood studio is planning a series of promotional events leading up to the launch of the trailer of its next sci-fi thriller. The executives at the studio want to create a static website with lots of animations in line with the theme of the movie. The studio has hired you as a solutions architect to build a scalable serverless solution. Which of the following represents the MOST cost-optimal and high-performance solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Build the website as a static website hosted on Amazon S3. Create an Amazon CloudFront distribution with Amazon S3 as the origin. Use Amazon Route 53 to create an alias record that points to your Amazon CloudFront distribution
Static websites are best hosted on Amazon S3 paired with Amazon CloudFront for low-latency global content delivery. Using Route 53 alias records ensures seamless domain routing, while eliminating servers minimizes costs.
Question 75 of 303A SaaS company is modernizing one of its legacy web applications by migrating it to AWS. The company aims to improve the availability of the application during both normal and peak traffic periods. Additionally, the company wants to implement protection against common web exploits and malicious traffic. The architecture must be scalable and integrate AWS WAF to secure incoming traffic. Which solution will best meet these requirements with high availability and minimal configuration complexity?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Deploy the application on multiple Amazon EC2 instances in an Auto Scaling group that spans two Availability Zones. Place an Application Load Balancer (ALB) in front of the group. Associate AWS WAF with the ALB
An Auto Scaling group across multiple Availability Zones ensures elasticity and fault tolerance. Integrating AWS WAF directly with an Application Load Balancer inspects Layer 7 traffic to block web exploits without managing underlying infrastructure.
Question 76 of 303A financial services company runs a Kubernetes-based microservices application in its on-premises data center. The application uses the Advanced Message Queuing Protocol (AMQP) to interact with a message queue. The company is experiencing rapid growth and its on-premises infrastructure cannot scale fast enough. The company wants to migrate the application to AWS with minimal code changes and reduce infrastructure management overhead. The messaging component must continue using AMQP, and the solution should offer high scalability and low operational effort. Which combination of options will together meet these requirements? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Deploy the containerized application to Amazon Elastic Kubernetes Service (Amazon EKS) using AWS Fargate to avoid managing EC2 nodes · D. Replace the current messaging system with Amazon MQ, a fully managed broker that supports AMQP natively. Integrate the application with the Amazon MQ endpoint without modifying the existing message format
Amazon EKS with AWS Fargate removes the need to manage underlying worker nodes for Kubernetes workloads. Amazon MQ provides a fully managed message broker that natively supports AMQP, minimizing code changes and operational overhead.
Question 77 of 303A developer needs to implement an AWS Lambda function in AWS account A that accesses an Amazon Simple Storage Service (Amazon S3) bucket in AWS account B. As a Solutions Architect, which of the following will you recommend to meet this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Create an IAM role for the AWS Lambda function that grants access to the Amazon S3 bucket. Set the IAM role as the AWS Lambda function's execution role. Make sure that the bucket policy also grants access to the AWS Lambda function's execution role
Cross-account access requires granting permissions in both the IAM role and the S3 bucket policy. The Lambda execution role allows the function to assume permission, while the bucket policy explicitly trusts the cross-account role.
Question 78 of 303You have a team of developers in your company, and you would like to ensure they can quickly experiment with AWS Managed Policies by attaching them to their accounts, but you would like to prevent them from doing an escalation of privileges, by granting themselves the AdministratorAccess managed policy. How should you proceed?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. For each developer, define an IAM permission boundary that will restrict the managed policies they can attach to themselves
IAM permission boundaries set the maximum permissions an entity can ever attain, preventing privilege escalation. Boundaries can only be applied directly to IAM users or roles, not to IAM groups.
Question 79 of 303A global media agency is developing a cultural analysis project to explore how major sports stories have evolved over the last five years. The team has collected thousands of archived news bulletins and magazine spreads stored in PDF format. These documents are rich in unstructured text and come from various sources with differing layouts and font styles. The agency wants to better understand how public tone and narrative have shifted over time. The team has chosen to use Amazon Textract for its ability to accurately extract printed and scanned text from complex PDF layouts. They need a solution that can then analyze the emotional tone and subject matter of the extracted text with the least possible operational burden, using fully managed AWS services where possible. Which solution will best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Send the extracted text to Amazon Comprehend for entity detection and sentiment analysis. Store the results in Amazon S3 for further access or visualization.
Amazon Comprehend provides pre-trained natural language processing for sentiment analysis and entity recognition directly from text. Pairing it with Amazon Textract creates a fully managed, serverless pipeline requiring no custom model training.
Question 80 of 303A media production studio is building a content rendering and editing platform on AWS. The editing workstations and rendering tools require access to shared files over the SMB (Server Message Block) protocol. The studio wants a managed storage solution that is simple to set up, integrates easily with SMB clients, and minimizes ongoing operational tasks. Which solution will best meet the requirements with the LEAST administrative overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Provision an Amazon FSx for Windows File Server file system. Mount the file system using the SMB protocol on the media servers
Amazon FSx for Windows File Server provides fully managed shared storage with native SMB protocol support. It automates administrative tasks like patching, backups, and replication, minimizing operational overhead for the media studio.
Question 81 of 303An application is currently hosted on four Amazon EC2 instances (behind Application Load Balancer) deployed in a single Availability Zone (AZ). To maintain an acceptable level of end-user experience, the application needs at least 4 instances to be always available. As a solutions architect, which of the following would you recommend so that the application achieves high availability with MINIMUM cost?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Deploy the instances in three Availability Zones (AZs). Launch two instances in each Availability Zone (AZ)
Distributing six instances across three Availability Zones maintains the required capacity of four instances if one zone fails. This architecture provides high availability without the excessive costs of over-provisioning instances.
Question 82 of 303An e-commerce company operates multiple AWS accounts and has interconnected these accounts in a hub-and-spoke style using an AWS Transit Gateway. Amazon Virtual Private Cloud (Amazon VPCs) have been provisioned across these AWS accounts to facilitate network isolation. Which of the following solutions would reduce both the administrative overhead and the costs while providing shared access to services required by workloads in each of the VPCs?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Build a shared services Amazon Virtual Private Cloud (Amazon VPC)
A shared services VPC centralizes resources like directory services and VPC endpoints when using AWS Transit Gateway. Fully meshed peering or transit VPCs introduce massive administrative overhead and additional data transfer charges.
Question 83 of 303An HTTP application is deployed on an Auto Scaling Group, is accessible from an Application Load Balancer (ALB) that provides HTTPS termination, and accesses a PostgreSQL database managed by Amazon RDS. How should you configure the security groups? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: B. The security group of Amazon RDS should have an inbound rule from the security group of the Amazon EC2 instances in the Auto Scaling group on port 5432 · D. The security group of the Application Load Balancer should have an inbound rule from anywhere on port 443 · E. The security group of the Amazon EC2 instances should have an inbound rule from the security group of the Application Load Balancer on port 80
Security groups must follow the exact traffic flow, restricting inbound access to only the necessary ports and originating security groups. The load balancer accepts traffic on port 443, instances accept port 80 from the load balancer, and the database accepts port 5432 from the instances.
Question 84 of 303A startup has just developed a video backup service hosted on a fleet of Amazon EC2 instances. The Amazon EC2 instances are behind an Application Load Balancer and the instances are using Amazon Elastic Block Store (Amazon EBS) Volumes for storage. The service provides authenticated users the ability to upload videos that are then saved on the EBS volume attached to a given instance. On the first day of the beta launch, users start complaining that they can see only some of the videos in their uploaded videos backup. Every time the users log into the website, they claim to see a different subset of their uploaded videos. Which of the following is the MOST optimal solution to make sure that users can view all the uploaded videos? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Mount Amazon Elastic File System (Amazon EFS) on all Amazon EC2 instances. Write a one time job to copy the videos from all Amazon EBS volumes to Amazon EFS. Modify the application to use Amazon EFS for storing the videos · B. Write a one time job to copy the videos from all Amazon EBS volumes to Amazon S3 and then modify the application to use Amazon S3 standard for storing the videos
Using shared storage like Amazon S3 or Amazon EFS ensures data remains centrally accessible regardless of which load-balanced instance handles the request. Block storage like EBS is locally attached to one instance, causing data dispersion when traffic is distributed across multiple instances.
Question 85 of 303Amazon EC2 Auto Scaling needs to terminate an instance from Availability Zone (AZ) us-east-1a as it has the most number of instances amongst the Availability Zone (AZs) being used currently. There are 4 instances in the Availability Zone (AZ) us-east-1a like so: Instance A has the oldest launch template, Instance B has the oldest launch configuration, Instance C has the newest launch configuration and Instance D is closest to the next billing hour. Which of the following instances would be terminated per the default termination policy?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Instance B
The default termination policy prioritizes instances using older launch configurations before those using launch templates. Proximity to the next billing hour is an outdated legacy criterion that no longer applies to modern AWS billing.
Question 86 of 303A health-care solutions company wants to run their applications on single-tenant hardware to meet regulatory guidelines. Which of the following is the MOST cost-effective way of isolating their Amazon Elastic Compute Cloud (Amazon EC2) instances to a single tenant?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Dedicated Instances
Dedicated Instances run on single-tenant hardware without offering visibility into the physical server sockets. Dedicated Hosts provide additional control for licensing but are more expensive and unnecessary unless you specifically need to manage instance placement.
Question 87 of 303A security consultant is designing a solution for a company that wants to provide developers with individual AWS accounts through AWS Organizations, while also maintaining standard security controls. Since the individual developers will have AWS account root user-level access to their own accounts, the consultant wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new developer accounts is not modified. Which of the following actions meets the given requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Set up a service control policy (SCP) that prohibits changes to AWS CloudTrail, and attach it to the developer accounts
Service control policies enforce maximum permission boundaries across AWS Organizations member accounts, completely restricting even the root user. IAM policies attached to the root user fail because the root user can simply modify or detach those policies.
Question 88 of 303A retail company wants to roll out and test a blue/green deployment for its global application in the next 48 hours. Most of the customers use mobile phones which are prone to Domain Name System (DNS) caching. The company has only two days left for the annual Thanksgiving sale to commence. As a Solutions Architect, which of the following options would you recommend to test the deployment on as many users as possible in the given time frame?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use AWS Global Accelerator to distribute a portion of traffic to a particular deployment
AWS Global Accelerator shifts traffic using static IP addresses, bypassing client DNS caching for immediate blue/green transitions. Route 53 weighted routing is unreliable for rapid deployments because mobile devices cache DNS records for extended periods.
Question 89 of 303A systems administrator has created a private hosted zone and associated it with a Virtual Private Cloud (VPC). However, the Domain Name System (DNS) queries for the private hosted zone remain unresolved. As a Solutions Architect, can you identify the Amazon Virtual Private Cloud (Amazon VPC) options to be configured in order to get the private hosted zone to work?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Enable DNS hostnames and DNS resolution for private hosted zones
Private hosted zones require both DNS resolution and DNS hostnames to be enabled on the VPC. The VPC resolver uses these settings to intercept and route internal domain queries to the correct Route 53 records.
Question 90 of 303A social media application is hosted on an Amazon EC2 fleet running behind an Application Load Balancer. The application traffic is fronted by an Amazon CloudFront distribution. The engineering team wants to decouple the user authentication process for the application, so that the application servers can just focus on the business logic. As a Solutions Architect, which of the following solutions would you recommend to the development team so that it requires minimal development effort?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon Cognito Authentication via Cognito User Pools for your Application Load Balancer
Application Load Balancers natively support integrating with Amazon Cognito User Pools to offload user authentication. This allows your backend EC2 instances to focus solely on application business logic without handling custom authentication code.
Question 91 of 303An engineering team wants to examine the feasibility of the user data feature of Amazon EC2 for an upcoming project. Which of the following are true about the Amazon EC2 user data configuration? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. By default, user data runs only during the boot cycle when you first launch an instance · E. By default, scripts entered as user data are executed with root user privileges
Amazon EC2 user data scripts execute with root user privileges and run only during the initial boot cycle when an instance is first launched. These defaults simplify automated configuration tasks without requiring sudo commands.
Question 92 of 303A financial services company has developed its flagship application on AWS Cloud with data security requirements such that the encryption key must be stored in a custom application running on-premises. The company wants to offload the data storage as well as the encryption process to Amazon S3 but continue to use the existing encryption key. Which of the following Amazon S3 encryption options allows the company to leverage Amazon S3 for storing data with given constraints?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Server-Side Encryption with Customer-Provided Keys (SSE-C)
Server-Side Encryption with Customer-Provided Keys (SSE-C) lets Amazon S3 manage the encryption process while you retain full control over the encryption keys. This offloads storage processing without surrendering custom key management.
Question 93 of 303To improve the performance and security of the application, the engineering team at a company has created an Amazon CloudFront distribution with an Application Load Balancer as the custom origin. The team has also set up an AWS Web Application Firewall (AWS WAF) with Amazon CloudFront distribution. The security team at the company has noticed a surge in malicious attacks from a specific IP address to steal sensitive data stored on the Amazon EC2 instances. As a solutions architect, which of the following actions would you recommend to stop the attacks?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Create an IP match condition in the AWS WAF to block the malicious IP address
AWS WAF allows you to block specific malicious IP addresses using IP match conditions within your web ACL. Security groups only support allow rules, and network ACLs do not scale well for edge protection.
Question 94 of 303A media publishing company is migrating its legacy content management application to AWS. Currently, the application and its MySQL database run on a single on-premises virtual machine, which creates a single point of failure and limits scalability. As traffic has increased due to growing reader engagement and video uploads, the company needs to redesign the solution to ensure automatic scaling, high availability, and separation of application and database layers. The company wants to continue using a MySQL-compatible engine and needs a cost-effective, managed solution that minimizes operational overhead. Which AWS architecture will best fulfill these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Migrate the application to Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. Use Amazon Aurora Serverless v2 for MySQL to manage the database layer with auto-scaling and built-in high availability
Aurora Serverless v2 provides automatic scaling and high availability for MySQL-compatible workloads while minimizing operational overhead. Option D is viable but lacks the database auto-scaling requested, making Aurora Serverless v2 the strongest answer.
Question 95 of 303You have multiple AWS accounts within a single AWS Region managed by AWS Organizations and you would like to ensure all Amazon EC2 instances in all these accounts can communicate privately. Which of the following solutions provides the capability at the CHEAPEST cost?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Create a virtual private cloud (VPC) in an account and share one or more of its subnets with the other accounts using Resource Access Manager
Sharing subnets across accounts using AWS Resource Access Manager avoids transit gateway fees and complex peering meshes. Instances deployed in the same shared subnet communicate locally without extra costs.
Question 96 of 303You would like to use AWS Snowball to move on-premises backups into a long term archival tier on AWS. Which solution provides the MOST cost savings?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Create an AWS Snowball job and target an Amazon S3 bucket. Create a lifecycle policy to transition this data to Amazon S3 Glacier Deep Archive on the same day
Snowball jobs must target a standard S3 bucket, where a zero-day lifecycle policy immediately moves data to Glacier Deep Archive for the lowest archival cost. Snowball cannot write directly to Glacier classes.
Question 97 of 303You are establishing a monitoring solution for desktop systems, that will be sending telemetry data into AWS every 1 minute. Data for each system must be processed in order, independently, and you would like to scale the number of consumers to be possibly equal to the number of desktop systems that are being monitored. What do you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use an Amazon Simple Queue Service (Amazon SQS) FIFO (First-In-First-Out) queue, and make sure the telemetry data is sent with a Group ID attribute representing the value of the Desktop ID
Using an SQS FIFO queue with a Message Group ID matching the Desktop ID preserves per-system ordering while allowing multiple consumers to process messages concurrently. Without a Group ID, throughput is bottlenecked.
Question 98 of 303A retail company wants to share sensitive accounting data that is stored in an Amazon RDS database instance with an external auditor. The auditor has its own AWS account and needs its own copy of the database. Which of the following would you recommend to securely share the database with the auditor?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key Management Service (AWS KMS) encryption key
Sharing an encrypted RDS snapshot and granting KMS key access lets the auditor securely restore a private database copy. Options involving direct S3 exports or cross-account read replicas fail security or isolation requirements.
Question 99 of 303A wildlife research organization uses IoT-based motion sensors attached to thousands of migrating animals to monitor their movement across regions. Every few minutes, a sensor checks for significant movement and sends updated location data to a backend application running on Amazon EC2 instances spread across multiple Availability Zones in a single AWS Region. Recently, an unexpected surge in motion data overwhelmed the application, leading to lost location records with no mechanism to replay missed data. A solutions architect must redesign the ingestion mechanism to prevent future data loss and to minimize operational overhead. What should the solutions architect do to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Create an Amazon Simple Queue Service (Amazon SQS) queue to buffer the incoming location data. Configure the backend application to poll the queue and process messages
An Amazon SQS queue decouples the ingestion layer from the processing layer, providing a buffer for traffic surges. Distractors like Firehose or custom queues introduce higher latency or unnecessary operational overhead.
Question 100 of 303A company has historically operated only in the us-east-1 region and stores encrypted data in Amazon S3 using SSE-KMS. As part of enhancing its security posture as well as improving the backup and recovery architecture, the company wants to store the encrypted data in Amazon S3 that is replicated into the us-west-1 AWS region. The security policies mandate that the data must be encrypted and decrypted using the same key in both AWS regions. Which of the following represents the best solution to address these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Create a new Amazon S3 bucket in the us-east-1 region with replication enabled from this new bucket into another bucket in us-west-1 region. Enable SSE-KMS encryption on the new bucket in us-east-1 region by using an AWS KMS multi-region key. Copy the existing data from the current Amazon S3 bucket in us-east-1 region into this new Amazon S3 bucket in us-east-1 region
AWS KMS multi-region keys allow data to be encrypted and decrypted across different regions without re-encryption. Existing single-region keys cannot be converted or shared, so you must create a new multi-region key and copy the data to a new bucket for replication.
Question 101 of 303A media company is migrating its flagship application from its on-premises data center to AWS for improving the application's read-scaling capability as well as its availability. The existing architecture leverages a Microsoft SQL Server database that sees a heavy read load. The engineering team does a full copy of the production database at the start of the business day to populate a dev database. During this period, application users face high latency leading to a bad user experience. The company is looking at alternate database options and migrating database engines if required. What would you suggest?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Leverage Amazon Aurora MySQL with Multi-AZ Aurora Replicas and create the dev database by restoring from the automated backups of Amazon Aurora
Amazon Aurora MySQL provides high availability and read scaling through Multi-AZ Aurora Replicas. You can restore the development database from continuous, incremental automated backups without impacting primary database performance.
Question 102 of 303A machine learning research group uses a proprietary computer vision application hosted on an Amazon EC2 instance. Every time the instance needs to be stopped and started again, the application takes about 3 minutes to start as some auxiliary software programs need to be executed so that the application can function. The research group would like to minimize the application bootstrap time whenever the system needs to be stopped and then started at a later point in time. As a solutions architect, which of the following solutions would you recommend for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use Amazon EC2 Instance Hibernate
Amazon EC2 instance hibernation saves the RAM contents to the EBS root volume upon stopping. When the instance restarts, the operating system and previously running applications resume instantly, bypassing the lengthy bootstrap process.
Question 103 of 303Your company has a monthly big data workload, running for about 2 hours, which can be efficiently distributed across multiple servers of various sizes, with a variable number of CPUs. The solution for the workload should be able to withstand server failures. Which is the MOST cost-optimal solution for this workload?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Run the workload on a Spot Fleet
A Spot Fleet automatically maintains target capacity by launching replacement instances if interruptions occur. Individual Spot Instances lack automatic fleet replenishment, while Reserved Instances and Dedicated Hosts are too expensive for intermittent workloads.
Question 104 of 303A manufacturing analytics company has a large collection of automated scripts that perform data cleanup, validation, and system integration tasks. These scripts are currently run by a local Linux cron scheduler and have an execution time of up to 30 minutes. The company wants to migrate these scripts to AWS without significant changes, and would prefer a containerized, serverless architecture that automatically scales and can respond to event-based triggers in the future. The solution must minimize infrastructure management. Which solution will best meet these requirements with minimal refactoring and operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Package the scripts into a container image. Use Amazon EventBridge Scheduler to define cron-based recurring schedules. Configure EventBridge Scheduler to invoke AWS Fargate tasks using Amazon ECS
Amazon EventBridge Scheduler combined with AWS Fargate provides a serverless, cron-based container execution environment without underlying infrastructure management. AWS Lambda is disqualified here because its fifteen-minute timeout cannot handle thirty-minute scripts.
Question 105 of 303A multinational logistics company is migrating its core systems to AWS. As part of this migration, the company has built an Amazon S3–based data lake to ingest and analyze supply chain data from external carriers and vendors. While some vendors have adopted the company's modern REST-based APIs for S3 uploads, others operate legacy systems that rely exclusively on SFTP for file transfers. These vendors are unable or unwilling to modify their workflows to support S3 APIs. The company wants to provide these vendors with an SFTP-compatible solution that allows direct uploads to Amazon S3, and must use fully managed AWS services to avoid managing any infrastructure. It must also support identity federation so that internal teams can map vendor access securely to specific S3 buckets or prefixes. Which combination of options will provide a scalable and low-maintenance solution for this use case? (Select two)
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Deploy a fully managed AWS Transfer Family endpoint with SFTP enabled. Configure it to store uploaded files directly in an Amazon S3 bucket. Set up IAM roles mapped to each vendor for secure bucket or prefix access
AWS Transfer Family provides a managed SFTP endpoint that maps users to IAM roles for secure direct-to-S3 uploads. Option A incorrectly focuses on bucket policies and Cognito, blurring the primary managed integration.
Question 106 of 303An enterprise organization is expanding its cloud footprint and needs to centralize its security event data from various AWS accounts and services. The goal is to evaluate security posture across all environments and improve threat detection and response — without requiring significant custom code or manual integration. Which solution will fulfill these needs with the least development effort?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon Security Lake to create a centralized data lake that automatically collects security-related logs and events from AWS services and third-party sources. Store the data in an Amazon S3 bucket managed by Security Lake
Amazon Security Lake automatically centralizes and normalizes security data, minimizing development effort. The other options require custom integrations and lack built-in native log collection, or use the wrong service for security data.
Question 107 of 303An IT company is working on a client project to build a Supply Chain Management application. The web-tier of the application runs on an Amazon EC2 instance and the database tier is on Amazon RDS MySQL. For beta testing, all the resources are currently deployed in a single Availability Zone (AZ). The development team wants to improve application availability before the go-live. Given that all end users of the web application would be located in the US, which of the following would be the MOST resource-efficient solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Deploy the web-tier Amazon EC2 instances in two Availability Zones (AZs), behind an Elastic Load Balancer. Deploy the Amazon RDS MySQL database in Multi-AZ configuration
Deploying instances across two Availability Zones behind an Elastic Load Balancer with a Multi-AZ database provides high availability. Read replicas do not provide availability, and Elastic Load Balancers cannot span across multiple regions.
Question 108 of 303An IT company has an Access Control Management (ACM) application that uses Amazon RDS for MySQL but is running into performance issues despite using Read Replicas. The company has hired you as a solutions architect to address these performance-related challenges without moving away from the underlying relational database schema. The company has branch offices across the world, and it needs the solution to work on a global scale. Which of the following will you recommend as the MOST cost-effective and high-performance solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon Aurora Global Database to enable fast local reads with low latency in each region
Amazon Aurora Global Database provides low-latency global reads while maintaining the existing relational database schema. Options involving DynamoDB or Redshift require changing the database schema, violating the requirements.
Question 109 of 303A media company has created an AWS Direct Connect connection for migrating its flagship application to the AWS Cloud. The on-premises application writes hundreds of video files into a mounted NFS file system daily. Post-migration, the company will host the application on an Amazon EC2 instance with a mounted Amazon Elastic File System (Amazon EFS) file system. Before the migration cutover, the company must build a process that will replicate the newly created on-premises video files to the Amazon EFS file system. Which of the following represents the MOST operationally efficient way to meet this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Configure an AWS DataSync agent on the on-premises server that has access to the NFS file system. Transfer data over the AWS Direct Connect connection to an AWS PrivateLink interface VPC endpoint for Amazon EFS by using a private VIF. Set up an AWS DataSync scheduled task to send the video files to the Amazon EFS file system every 24 hours
AWS DataSync can efficiently transfer files over a private virtual interface to an Amazon EFS interface endpoint. The other options introduce unnecessary complexity or incorrectly use public VIFs and gateway endpoints for Direct Connect.
Question 110 of 303A financial services company has deployed its flagship application on Amazon EC2 instances. Since the application handles sensitive customer data, the security team at the company wants to ensure that any third-party Secure Sockets Layer certificate (SSL certificate) SSL/Transport Layer Security (TLS) certificates configured on Amazon EC2 instances via the AWS Certificate Manager (ACM) are renewed before their expiry date. The company has hired you as an AWS Certified Solutions Architect Associate to build a solution that notifies the security team 30 days before the certificate expiration. The solution should require the least amount of scripting and maintenance effort. What will you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Leverage AWS Config managed rule to check if any third-party SSL/TLS certificates imported into ACM are marked for expiration within 30 days. Configure the rule to trigger an Amazon SNS notification to the security team if any certificate expires within 30 days
AWS Config managed rules check for imported ACM certificates nearing expiration, triggering SNS with minimal effort. ACM-generated certificates renew automatically, while CloudWatch requires more configuration overhead.
Question 111 of 303An application runs big data workloads on Amazon Elastic Compute Cloud (Amazon EC2) instances. The application runs 24×7 all round the year and needs at least 20 instances to maintain a minimum acceptable performance threshold and the application needs 300 instances to handle spikes in the workload. Based on historical workloads processed by the application, it needs 80 instances 80% of the time. As a solutions architect, which of the following would you recommend as the MOST cost-optimal solution so that it can meet the workload demand in a steady state?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Purchase 80 reserved instances (RIs). Provision additional on-demand and spot instances per the workload demand (Use Auto Scaling Group with launch template to provision the mix of on-demand and spot instances)
Reserved instances provide the highest cost optimization for steady-state workloads, offering significant savings over on-demand. Spikes are handled by on-demand and spot instances, whereas steady spot instances risk interruptions.
Question 112 of 303An enterprise is building a secure business intelligence API using Amazon API Gateway to serve internal users with confidential analytics data. The API must be accessible only from a set of trusted IP addresses that are part of the organization's internal network ranges. No external IP traffic should be able to invoke the API. A solutions architect must design this access control mechanism with the least operational complexity. What should the architect do to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Create a resource policy for the API Gateway API that explicitly denies access to all IP addresses except those listed in an allow list
API Gateway uses resource policies to restrict access based on IP addresses. Security groups cannot be attached to API Gateway because it is a managed service that does not deploy directly into your VPC subnets.
Question 113 of 303A silicon valley based startup has a content management application with the web-tier running on Amazon EC2 instances and the database tier running on Amazon Aurora. Currently, the entire infrastructure is located in us-east-1 region. The startup has 90% of its customers in the US and Europe. The engineering team is getting reports of deteriorated application performance from customers in Europe with high application load time. As a solutions architect, which of the following would you recommend addressing these performance issues? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Create Amazon Aurora read replicas in the eu-west-1 region · D. Setup another fleet of Amazon EC2 instances for the web tier in the eu-west-1 region. Enable latency routing policy in Amazon Route 53
Cross-region Aurora read replicas scale database reads globally, while Route 53 latency routing directs users to the closest web tier. Failover and geolocation policies target disaster recovery and content restrictions, not performance.
Question 114 of 303The engineering team at a logistics company has noticed that the Auto Scaling group (ASG) is not terminating an unhealthy Amazon EC2 instance. As a Solutions Architect, which of the following options would you suggest to troubleshoot the issue? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: B. The instance maybe in Impaired status · C. The health check grace period for the instance has not expired · D. The instance has failed the Elastic Load Balancing (ELB) health check status
Amazon EC2 Auto Scaling relies on configured health checks, grace periods, and specific health status reporting to determine when to terminate instances. A failing ELB health check won't trigger termination if the ASG health check type is still set to EC2, and impaired instances are given time to recover.
Question 115 of 303A silicon valley based startup has a two-tier architecture using Amazon EC2 instances for its flagship application. The web servers (listening on port 443), which have been assigned security group A, are in public subnets across two Availability Zones (AZs) and the MSSQL based database instances (listening on port 1433), which have been assigned security group B, are in two private subnets across two Availability Zones (AZs). The DevOps team wants to review the security configurations of the application architecture. As a solutions architect, which of the following options would you select as the MOST secure configuration? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. For security group B: Add an inbound rule that allows traffic only from security group A on port 1433 · D. For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 1433
Security groups enforce least privilege by restricting database access to specific ports and source security groups. The web tier allows public traffic on port 443 and restricts outbound traffic to the database on port 1433.
Question 116 of 303The engineering manager for a content management application wants to set up Amazon RDS read replicas to provide enhanced performance and read scalability. The manager wants to understand the data transfer charges while setting up Amazon RDS read replicas. Which of the following would you identify as correct regarding the data transfer charges for Amazon RDS read replicas?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. There are data transfer charges for replicating data across AWS Regions
There are no data transfer charges for replicating Amazon RDS data within the same AWS Region. Charges only apply when cross-Region replication is used. Regional or AZ-based replication options are incorrect because AWS does not bill for that traffic.
Question 117 of 303A startup is building a serverless microservices architecture where client applications (web and mobile) authenticate users via a third-party OIDC-compliant identity provider. The backend APIs must validate JSON Web Tokens (JWTs) issued by this provider, enforce scope-based access control, and be cost-effective with minimal latency. The development team wants to use a fully managed service that supports JWT validation natively, without writing custom authentication logic. Which solution should the team implement to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Amazon API Gateway HTTP API with a native JWT authorizer configured to validate tokens from the OIDC provider
Amazon API Gateway HTTP APIs support native JWT authorizers, enabling automatic validation of tokens from an OIDC provider. REST APIs require custom Lambda authorizers, increasing latency and costs.
Question 118 of 303The engineering team at a social media company wants to use Amazon CloudWatch alarms to automatically recover Amazon EC2 instances if they become impaired. The team has hired you as a solutions architect to provide subject matter expertise. As a solutions architect, which of the following statements would you identify as correct regarding this automatic recovery process? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. If your instance has a public IPv4 address, it retains the public IPv4 address after recovery · E. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata
Automatic instance recovery preserves the instance ID, private IP addresses, Elastic IP addresses, and public IPv4 address. Terminated instances cannot be recovered, and in-memory data is lost during the recovery process because the underlying hardware has failed.
Question 119 of 303An e-commerce company is using Elastic Load Balancing (ELB) for its fleet of Amazon EC2 instances spread across two Availability Zones (AZs), with one instance as a target in Availability Zone A and four instances as targets in Availability Zone B. The company is doing benchmarking for server performance when cross-zone load balancing is enabled compared to the case when cross-zone load balancing is disabled. As a solutions architect, which of the following traffic distribution outcomes would you identify as correct?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. With cross-zone load balancing enabled, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each
With cross-zone load balancing enabled, traffic is distributed evenly across all registered targets, giving each instance twenty percent of the load. When disabled, each load balancer node routes strictly within its local Availability Zone, heavily skewing traffic distribution.
Question 120 of 303A national logistics company has a dedicated AWS Direct Connect connection from its corporate data center to AWS. Within its AWS account, the company operates 25 Amazon VPCs in the same Region, each supporting different regional distribution services. The VPCs were configured with non-overlapping CIDR blocks and currently use private VIFs for Direct Connect access to on-premises resources. As the architecture scales, the company wants to enable communication across all VPCs and the on-premises environment. The solution must scale efficiently, support full-mesh connectivity, and reduce the complexity of maintaining separate private VIFs for each VPC. Which combination of solutions will best fulfill these requirements with the least amount of operational overhead? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Create an AWS Transit Gateway and attach all 25 VPCs to it. Enable route propagation for each attachment to automatically manage inter-VPC routing · E. Create a transit virtual interface (VIF) from the Direct Connect connection and associate it with the transit gateway
A transit gateway centralizes routing and enables transitive peering between attached VPCs. Associating a Direct Connect transit VIF with the transit gateway extends this hub-and-spoke model to on-premises networks, eliminating the operational overhead of managing individual private VIFs.
Question 121 of 303A financial services company is migrating their messaging queues from self-managed message-oriented middleware systems to Amazon Simple Queue Service (Amazon SQS). The development team at the company wants to minimize the costs of using Amazon SQS. As a solutions architect, which of the following options would you recommend for the given use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use SQS long polling to retrieve messages from your Amazon SQS queues
Amazon SQS long polling reduces the number of empty responses by waiting for messages to arrive before returning. Short polling immediately returns empty responses, increasing API call costs.
Question 122 of 303A legacy application is built using a tightly-coupled monolithic architecture. Due to a sharp increase in the number of users, the application performance has degraded. The company now wants to decouple the architecture and adopt AWS microservices architecture. Some of these microservices need to handle fast running processes whereas other microservices need to handle slower processes. Which of these options would you identify as the right way of connecting these microservices?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Configure Amazon Simple Queue Service (Amazon SQS) queue to decouple microservices running faster processes from the microservices running slower ones
Amazon SQS effectively decouples microservices by buffering messages, allowing slower consumers to process tasks from faster producers. SNS pushes messages immediately without buffering.
Question 123 of 303The DevOps team at a multi-national company is helping its subsidiaries standardize Amazon EC2 instances by using the same Amazon Machine Image (AMI). Some of these subsidiaries are in the same AWS region but use different AWS accounts whereas others are in different AWS regions but use the same AWS account as the parent company. The DevOps team has hired you as a solutions architect for this project. Which of the following would you identify as CORRECT regarding the capabilities of an Amazon Machine Image (AMI)? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: B. You can copy an Amazon Machine Image (AMI) across AWS Regions · E. You can share an Amazon Machine Image (AMI) with another AWS account · F. Copying an Amazon Machine Image (AMI) backed by an encrypted snapshot cannot result in an unencrypted target snapshot
Amazon Machine Images can be copied across AWS Regions and shared between AWS Accounts. Additionally, copying an encrypted snapshot will always result in an encrypted target snapshot.
Question 124 of 303The DevOps team at an IT company has recently migrated to AWS and they are configuring security groups for their two-tier application with public web servers and private database servers. The team wants to understand the allowed configuration options for an inbound rule for a security group. As a solutions architect, which of the following would you identify as an INVALID option for setting up such a configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. You can use an Internet Gateway ID as the custom source for the inbound rule
Security group inbound rules require a valid source, such as an IP range or another security group. Internet Gateway IDs cannot be used as a source in security group rules.
Question 125 of 303A company wants to improve its gaming application by adding a leaderboard that uses a complex proprietary algorithm based on the participating user's performance metrics to identify the top users on a real-time basis. The technical requirements mandate high elasticity, low latency, and real-time processing to deliver customizable user data for the community of users. The leaderboard would be accessed by millions of users simultaneously. Which of the following options support the case for using Amazon ElastiCache to meet the given requirements? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Use Amazon ElastiCache to improve the performance of compute-intensive workloads · D. Use Amazon ElastiCache to improve latency and throughput for read-heavy application workloads
Amazon ElastiCache accelerates read-heavy and compute-intensive workloads by serving frequently accessed data from memory. It is not optimal for write-heavy applications or complex relational joins.
Question 126 of 303A company has hired you as an AWS Certified Solutions Architect – Associate to help with redesigning a real-time data processor. The company wants to build custom applications that process and analyze the streaming data for its specialized needs. Which solution will you recommend to address this use case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon Kinesis Data Streams to process the data streams as well as decouple the producers and consumers for the real-time data processor
Amazon Kinesis Data Streams enables custom applications to process and analyze streaming data in real time. SNS and SQS lack native streaming capabilities, while Kinesis Data Firehose is designed to load data directly into destinations rather than supporting custom processing logic.
Question 127 of 303A gaming company uses Application Load Balancers in front of Amazon EC2 instances for different services and microservices. The architecture has now become complex with too many Application Load Balancers in multiple AWS Regions. Security updates, firewall configurations, and traffic routing logic have become complex with too many IP addresses and configurations. The company is looking for an easy and effective way to bring down the number of IP addresses allowed by the firewall and easily manage the entire network infrastructure. Which of these options represents an appropriate solution for this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Launch AWS Global Accelerator and create endpoints for all the Regions. Register the Application Load Balancers of each Region to the corresponding endpoints
AWS Global Accelerator provides two static anycast IP addresses that front Application Load Balancers across multiple regions, simplifying firewall rules. Elastic IPs cannot be assigned to Application Load Balancers, and Layer 3 load balancing introduces unnecessary operational complexity.
Question 128 of 303A financial services company wants to move their Windows file server clusters out of their data centers. They are looking for cloud file storage offerings that provide full Windows compatibility. Can you identify the AWS storage services that provide highly reliable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol compatible with Windows systems? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. File Gateway Configuration of AWS Storage Gateway · E. Amazon FSx for Windows File Server
Amazon FSx for Windows File Server provides fully managed native Windows file storage. The File Gateway configuration of AWS Storage Gateway also offers SMB protocol access, seamlessly bridging on-premises environments with Amazon S3.
Question 129 of 303A startup has recently moved their monolithic web application to AWS Cloud. The application runs on a single Amazon EC2 instance. Currently, the user base is small and the startup does not want to spend effort on elaborate disaster recovery strategies or an Auto Scaling group. The application can afford a maximum downtime of 10 minutes. In case of a failure, which of these options would you suggest as a cost-effective and automatic recovery procedure for the instance?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Configure an Amazon CloudWatch alarm that triggers the recovery of the Amazon EC2 instance, in case the instance fails. The instance, however, should only be configured with an Amazon EBS volume
Configuring an Amazon CloudWatch alarm to automatically recover an EC2 instance provides a cost-effective solution for system failures. The recovery action requires the instance to use Amazon EBS volumes, as instances relying on ephemeral instance store volumes cannot be restored.
Question 130 of 303An IT training company hosted its website on Amazon S3 a couple of years ago. Due to COVID-19 related travel restrictions, the training website has suddenly gained traction. With an almost 300% increase in the requests served per day, the company's AWS costs have skyrocketed for just the Amazon S3 outbound data costs. As a Solutions Architect, can you suggest an alternate method to reduce costs while keeping the latency low?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Configure Amazon CloudFront to distribute the data hosted on Amazon S3 cost-effectively
Configuring Amazon CloudFront to distribute website content reduces both user latency and data transfer costs. Serving data directly from CloudFront edge locations is significantly cheaper than standard Amazon S3 outbound internet data transfer rates.
Question 131 of 303A retail company has connected its on-premises data center to the AWS Cloud via AWS Direct Connect. The company wants to be able to resolve Domain Name System (DNS) queries for any resources in the on-premises network from the AWS VPC and also resolve any DNS queries for resources in the AWS VPC from the on-premises network. As a solutions architect, which of the following solutions can be combined to address the given use case? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Create an outbound endpoint on Amazon Route 53 Resolver and then Amazon Route 53 Resolver can conditionally forward queries to resolvers on the on-premises network via this endpoint · C. Create an inbound endpoint on Amazon Route 53 Resolver and then DNS resolvers on the on-premises network can forward DNS queries to Amazon Route 53 Resolver via this endpoint
An inbound Route 53 Resolver endpoint allows on-premises networks to forward DNS queries to AWS. Conversely, an outbound endpoint uses conditional forwarding rules to resolve AWS VPC queries against your on-premises DNS infrastructure securely.
Question 132 of 303A company has set up AWS Organizations to manage several departments running their own AWS accounts. The departments operate from different countries and are spread across various AWS Regions. The company wants to set up a consistent resource provisioning process across departments so that each resource follows pre-defined configurations such as using a specific type of Amazon EC2 instances, specific IAM roles for AWS Lambda functions, etc. As a solutions architect, which of the following options would you recommend for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS CloudFormation StackSets to deploy the same template across AWS accounts and regions
AWS CloudFormation StackSets extend stack functionality to deploy templates across multiple accounts and regions in a single operation. Standard templates and stacks lack this cross-account deployment capability, and AWS Resource Access Manager shares resources rather than deploying them.
Question 133 of 303A financial services company wants to identify any sensitive data stored on its Amazon S3 buckets. The company also wants to monitor and protect all data stored on Amazon S3 against any malicious activity. As a solutions architect, which of the following solutions would you recommend to help address the given requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon GuardDuty to monitor any malicious activity on data stored in Amazon S3. Use Amazon Macie to identify any sensitive data stored on Amazon S3
Amazon Macie uses machine learning to discover sensitive data like PII in S3, while Amazon GuardDuty analyzes logs for threats. GuardDuty handles threat detection, and Macie handles data classification and discovery.
Question 134 of 303A financial services company is modernizing its analytics platform on AWS. Their legacy data processing scripts, built for both Windows and Linux environments, require shared access to a file system that supports Windows ACLs and SMB protocol for compatibility with existing Windows workloads. At the same time, their Linux-based applications need to read from and write to the same shared storage to maintain cross-platform consistency. The solutions architect needs to design a storage solution that allows both Windows and Linux EC2 instances to access the shared file system simultaneously, while preserving Windows-specific features like NTFS permissions and Active Directory (AD) integration. Which solution will best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Deploy Amazon FSx for Windows File Server and mount it using the SMB protocol from both Windows and Linux EC2 instances
Amazon FSx for Windows File Server natively supports SMB, NTFS permissions, and Active Directory integration for Windows and Linux instances. EFS and Lustre lack Windows ACL support, while Mountpoint for S3 is Linux-only and lacks file system features.
Question 135 of 303An IT company hosts Windows-based applications on its on-premises data center. The company is looking at moving the business to the AWS Cloud. The cloud solution should offer shared storage space that multiple applications can access without a need for replication. Also, the solution should integrate with the company's self-managed Active Directory domain. Which of the following solutions addresses these requirements with the minimal integration effort?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon FSx for Windows File Server as a shared storage solution
Amazon FSx for Windows File Server natively integrates with self-managed Active Directory and provides SMB shared storage. EFS and Lustre are Linux-based, and File Gateway acts as a hybrid bridge rather than a native shared file system.
Question 136 of 303A financial services firm runs a containerized risk analytics tool in its on-premises data center using Docker. The tool depends on persistent data storage for maintaining customer simulation results and operates on a single host machine where the volume is locally mounted. The infrastructure team is looking to replatform the tool to AWS using a fully managed service because they want to avoid managing EC2 instances, volumes, or underlying servers. Which AWS solution best meets these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon ECS with Fargate launch type. Provision an Amazon Elastic File System (Amazon EFS) file system. Mount the EFS volume inside the container at runtime to provide persistent storage access
Amazon ECS with the Fargate launch type provides a fully managed, serverless compute environment that natively supports mounting Amazon EFS volumes for persistent storage. Options using EKS or manual EBS management violate the requirement to avoid infrastructure management.
Question 137 of 303A developer has configured inbound traffic for the relevant ports in both the Security Group of the Amazon EC2 instance as well as the Network Access Control List (Network ACL) of the subnet for the Amazon EC2 instance. The developer is, however, unable to connect to the service running on the Amazon EC2 instance. As a solutions architect, how will you fix this issue?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Security Groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network ACLs are stateless, so you must allow both inbound and outbound traffic
Security groups are stateful, automatically allowing return traffic for approved inbound connections. Network ACLs are stateless, requiring explicit outbound rules for ephemeral ports to complete the connection.
Question 138 of 303A healthcare company has deployed its web application on Amazon Elastic Container Service (Amazon ECS) container instances running behind an Application Load Balancer. The website slows down when the traffic spikes and the website availability is also reduced. The development team has configured Amazon CloudWatch alarms to receive notifications whenever there is an availability constraint so the team can scale out resources. The company wants an automated solution to respond to such events. Which of the following addresses the given use case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Configure AWS Auto Scaling to scale out the Amazon ECS cluster when the ECS service's CPU utilization rises above a threshold
Amazon ECS service auto scaling uses CloudWatch metrics from your specific ECS service, such as average CPU utilization, to add or remove tasks dynamically. Load balancers and generic CloudWatch alarms do not directly trigger ECS service scaling policies.
Question 139 of 303The DevOps team at an IT company is provisioning a two-tier application in a VPC with a public subnet and a private subnet. The team wants to use either a Network Address Translation (NAT) instance or a Network Address Translation (NAT) gateway in the public subnet to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet but needs some technical assistance in terms of the configuration options available for the Network Address Translation (NAT) instance and the Network Address Translation (NAT) gateway. As a solutions architect, which of the following options would you identify as CORRECT? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: B. Security Groups can be associated with a NAT instance · C. NAT instance can be used as a bastion server · E. NAT instance supports port forwarding
A NAT instance operates as a standard EC2 instance, meaning it can be used as a bastion server, supports port forwarding, and utilizes security groups. A managed NAT gateway is a highly available service that does not support these specific features.
Question 140 of 303A data analytics company manages an application that stores user data in a Amazon DynamoDB table. The development team has observed that once in a while, the application writes corrupted data in the Amazon DynamoDB table. As soon as the issue is detected, the team needs to remove the corrupted data at the earliest. What do you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon DynamoDB point in time recovery to restore the table to the state just before corrupted data was written
Amazon DynamoDB point-in-time recovery (PITR) provides continuous backups with per-second granularity, allowing you to restore a table to a specific state before data corruption occurred. On-demand backups are manual snapshots and cannot recover unscheduled mid-write errors.
Question 141 of 303An e-commerce company uses Microsoft Active Directory to provide users and groups with access to resources on the on-premises infrastructure. The company has extended its IT infrastructure to AWS in the form of a hybrid cloud. The engineering team at the company wants to run directory-aware workloads on AWS for a SQL Server-based application. The team also wants to configure a trust relationship to enable single sign-on (SSO) for its users to access resources in either domain. As a solutions architect, which of the following AWS services would you recommend for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)
AWS Managed Microsoft AD allows you to run directory-aware workloads in the cloud and establish trust relationships with your on-premises Active Directory. Simple AD lacks trust support, and AD Connector merely proxies requests to your existing infrastructure.
Question 142 of 303A financial services company has recently migrated from on-premises infrastructure to AWS Cloud. The DevOps team wants to implement a solution that allows all resource configurations to be reviewed and make sure that they meet compliance guidelines. Also, the solution should be able to offer the capability to look into the resource configuration history across the application stack. As a solutions architect, which of the following solutions would you recommend to the team?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use AWS Config to review resource configurations to meet compliance guidelines and maintain a history of resource configuration changes
AWS Config is designed specifically to assess resource configurations for compliance and maintain a detailed history of changes over time. CloudTrail logs API actions, while CloudWatch monitors performance metrics, neither providing configuration state histories.
Question 143 of 303A company is transferring a significant volume of data from on-site storage to AWS, where it will be accessed by Windows, Mac, and Linux-based Amazon EC2 instances within the same AWS region using both SMB and NFS protocols. Part of this data will be accessed regularly, while the rest will be accessed less frequently. The company requires a hosting solution for this data that minimizes operational overhead. What solution would best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Set up an Amazon FSx for ONTAP instance. Configure an FSx for ONTAP file system on the root volume and migrate the data to the FSx for ONTAP volume
Amazon FSx for NetApp ONTAP provides multi-protocol access to both SMB and NFS clients natively. FSx for OpenZFS and EFS only support NFS, eliminating them for environments requiring simultaneous Windows and Linux access.
Question 144 of 303A media streaming startup is building a set of backend APIs that will be consumed by external mobile applications. To prevent API abuse, protect downstream resources, and ensure fair usage across clients, the architecture must enforce rate limiting and throttling on a per-client basis. The team also wants to define usage quotas and apply different limits to different API consumers. Which solution should the team implement to enforce rate limiting and usage quotas at the API layer?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use Amazon API Gateway and configure usage plans with API keys to apply rate limits and quotas per client
Amazon API Gateway natively supports per-client rate limiting and usage quotas through API keys tied to usage plans. Load balancers operate at the network layer and do not provide built-in application-layer quota management for external consumers.
Question 145 of 303An e-commerce company runs its web application on Amazon EC2 instances in an Auto Scaling group and it's configured to handle consumer orders in an Amazon Simple Queue Service (Amazon SQS) queue for downstream processing. The DevOps team has observed that the performance of the application goes down in case of a sudden spike in orders received. As a solutions architect, which of the following solutions would you recommend to address this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use a target tracking scaling policy based on a custom Amazon SQS queue metric
A target tracking scaling policy uses a custom backlog per instance metric to dynamically adjust capacity based on real demand. Simple or step scaling policies react slower to sudden traffic spikes, leading to degraded application performance.
Question 146 of 303An IT consultant is helping a small business revamp their technology infrastructure on the AWS Cloud. The business has two AWS accounts and all resources are provisioned in the us-west-2 region. The IT consultant is trying to launch an Amazon EC2 instance in each of the two AWS accounts such that the instances are in the same Availability Zone (AZ) of the us-west-2 region. Even after selecting the same default subnet (us-west-2a) while launching the instances in each of the AWS accounts, the IT consultant notices that the Availability Zones (AZs) are still different. As a solutions architect, which of the following would you suggest to resolve this issue?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Availability Zone (AZ) ID to uniquely identify the Availability Zones across the two AWS Accounts
AWS maps availability zone names differently across individual accounts for resource distribution. To ensure instances align in the exact same physical location across accounts, you must reference the unique Availability Zone ID.
Question 147 of 303An application running on an Amazon EC2 instance needs to access an Amazon DynamoDB table in the same AWS account. Which of the following solutions should a solutions architect configure for the necessary permissions?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Set up an IAM service role with the appropriate permissions to allow access to the Amazon DynamoDB table. Configure an instance profile to assign this IAM role to the Amazon EC2 instance
Assigning an IAM role via an instance profile is the secure AWS best practice for granting EC2 instances access to other AWS services. Hardcoding IAM user credentials in local storage or S3 buckets poses a severe security risk and violates AWS security principles.
Question 148 of 303A retail organization is moving some of its on-premises data to AWS Cloud. The DevOps team at the organization has set up an AWS Managed IPSec VPN Connection between their remote on-premises network and their Amazon VPC over the internet. Which of the following represents the correct configuration for the IPSec VPN Connection?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Create a virtual private gateway (VGW) on the AWS side of the VPN and a Customer Gateway on the on-premises side of the VPN
For an AWS Site-to-Site VPN, the virtual private gateway anchors the AWS side, while the customer gateway represents the on-premises router. Placing the virtual private gateway on-premises fails because that component is strictly an AWS-managed VPC endpoint.
Question 149 of 303A company recently experienced a database outage in its on-premises data center. The company now wants to migrate to a reliable database solution on AWS that minimizes data loss and stores every transaction on at least two nodes. Which of the following solutions meets these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Set up an Amazon RDS MySQL DB instance with Multi-AZ functionality enabled to synchronously replicate the data
Amazon RDS Multi-AZ deployments provide high availability by synchronously replicating data to a standby instance in a different Availability Zone. Read replicas rely on asynchronous replication, making them unsuitable for meeting strict data loss prevention requirements.
Question 150 of 303A software company manages a fleet of Amazon EC2 instances that support internal analytics applications. These instances use an IAM role with custom policies to connect to Amazon RDS and AWS Secrets Manager for secure access to credentials and database endpoints. The IT operations team wants to implement a centralized patch management solution that simplifies compliance and security tasks. Their goal is to automate OS patching across EC2 instances without disrupting the running applications. Which approach will allow the company to meet these goals with the least administrative overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Enable Default Host Management Configuration in AWS Systems Manager Quick Setup
Systems Manager Default Host Management Configuration automatically configures EC2 instances with required permissions for patching without altering existing IAM roles. Detaching or replacing roles risks application disruption, while cron jobs and hybrid activations add administrative overhead.
Question 151 of 303The application maintenance team at a company has noticed that the production application is very slow when the business reports are run on the Amazon RDS database. These reports fetch a large amount of data and have complex queries with multiple joins, spanning across multiple business-critical core tables. CPU, memory, and storage metrics are around 50% of the total capacity. Can you recommend an improved and cost-effective way of generating the business reports while keeping the production application unaffected?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create a read replica and connect the report generation tool/application to it
Routing heavy business reporting queries to an Amazon RDS read replica offloads read traffic from the primary database, keeping production applications unaffected. Multi-AZ standby instances cannot serve read traffic, and upgrading instances unnecessarily increases costs.
Question 152 of 303A leading online gaming company is migrating its flagship application to AWS Cloud for delivering its online games to users across the world. The company would like to use a Network Load Balancer to handle millions of requests per second. The engineering team has provisioned multiple instances in a public subnet and specified these instance IDs as the targets for the NLB. As a solutions architect, can you help the engineering team understand the correct routing mechanism for these target instances?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance
When registering targets via instance IDs, a Network Load Balancer routes traffic using the primary private IP address of the instance's primary network interface. Public and Elastic IP addresses are ignored for internal routing to maintain VPC network boundaries.
Question 153 of 303A global pharmaceutical company wants to move most of the on-premises data into Amazon S3, Amazon Elastic File System (Amazon EFS), and Amazon FSx for Windows File Server easily, quickly, and cost-effectively. As a solutions architect, which of the following solutions would you recommend as the BEST fit to automate and accelerate online data transfers to these AWS storage services?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS DataSync to automate and accelerate online data transfers to the given AWS storage services
AWS DataSync automates and accelerates online migrations directly into Amazon S3, Amazon EFS, and Amazon FSx. AWS Transfer Family and File Gateway lack support for all three services, while Snowball Edge is strictly an offline physical migration appliance.
Question 154 of 303The DevOps team at an IT company has created a custom VPC (V1) and attached an Internet Gateway (I1) to the VPC. The team has also created a subnet (S1) in this custom VPC and added a route to this subnet's route table (R1) that directs internet-bound traffic to the Internet Gateway. Now the team launches an Amazon EC2 instance (E1) in the subnet S1 and assigns a public IPv4 address to this instance. Next the team also launches a Network Address Translation (NAT) instance (N1) in the subnet S1. Under the given infrastructure setup, which of the following entities is doing the Network Address Translation for the Amazon EC2 instance E1?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Internet Gateway (I1)
An Internet Gateway performs network address translation for instances assigned public IPv4 addresses in a public subnet. A NAT instance translates traffic for private subnet instances, so it is unnecessary and unused when the destination is already internet routable.
Question 155 of 303A company has its application servers in the public subnet that connect to the database instances in the private subnet. For regular maintenance, the database instances need patch fixes that need to be downloaded from the internet. Considering the company uses only IPv4 addressing and is looking for a fully managed service, which of the following would you suggest as an optimal solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Configure a Network Address Translation gateway (NAT gateway) in the public subnet of the VPC
A NAT gateway enables instances in a private subnet to initiate outbound IPv4 traffic to the internet while preventing inbound connections. The question specifies a fully managed service, which eliminates the unmanaged NAT instance, and IPv4, which eliminates the IPv6-only egress-only gateway.
Question 156 of 303An AWS Organization is using Service Control Policies (SCPs) for central control over the maximum available permissions for all accounts in their organization. This allows the organization to ensure that all accounts stay within the organization's access control guidelines. Which of the given scenarios are correct regarding the permissions described below? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: B. If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable service control policy (SCP), the user or role can't perform that action · C. Service control policy (SCP) affects all users and roles in the member accounts, including root user of the member accounts · D. Service control policy (SCP) does not affect service-linked role
Service Control Policies act as guardrails that set the maximum available permissions for an organization, overriding even the root user of member accounts. The key trap is that SCPs never affect service-linked roles, and any IAM policy granting access is rendered invalid if denied by an SCP.
Question 157 of 303An engineering lead is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow Amazon EC2 instances to download software updates. Which of the following options represents the correct solution to set up internet access for the private subnets?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Set up three NAT gateways, one in each public subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the NAT gateway in its AZ
NAT gateways must be deployed in public subnets to provide outbound internet access to private subnets. To maintain high availability across Availability Zones, you must deploy a NAT gateway in the public subnet of each specific Availability Zone rather than sharing one.
Question 158 of 303A video conferencing application is hosted on a fleet of EC2 instances which are part of an Auto Scaling group. The Auto Scaling group uses a Launch Template (LT1) with "dedicated" instance tenancy but the VPC (V1) used by the Launch Template LT1 has the instance tenancy set to default. Later the DevOps team creates a new Launch Template (LT2) with shared (default) instance tenancy but the VPC (V2) used by the Launch Template LT2 has the instance tenancy set to dedicated. Which of the following is correct regarding the instances launched via Launch Template LT1 and Launch Template LT2?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The instances launched by both Launch Template LT1 and Launch Template LT2 will have dedicated instance tenancy
EC2 instance tenancy becomes dedicated if either the launch template or the VPC specifies dedicated tenancy. If either layer forces dedicated hardware, the resulting instance inherits it.
Question 159 of 303A media startup is looking at hosting their web application on AWS Cloud. The application will be accessed by users from different geographic regions of the world to upload and download video files that can reach a maximum size of 10 gigabytes. The startup wants the solution to be cost-effective and scalable with the lowest possible latency for a great user experience. As a Solutions Architect, which of the following will you suggest as an optimal solution to meet the given requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon S3 for hosting the web application and use Amazon S3 Transfer Acceleration (Amazon S3TA) to reduce the latency that geographically dispersed users might face
Amazon S3 Transfer Acceleration optimizes large file uploads by routing traffic over the AWS global backbone. CloudFront can also accelerate large transfers, creating slight ambiguity.
Question 160 of 303An engineering team wants to orchestrate multiple Amazon ECS task types running on Amazon EC2 instances that are part of an Amazon ECS cluster. The output and state data for all tasks need to be stored. The amount of data output by each task is approximately 20 megabytes and there could be hundreds of tasks running at a time. As old outputs are archived, the storage size is not expected to exceed 1 terabyte. As a solutions architect, which of the following would you recommend as an optimized solution for high-frequency reading and writing?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon EFS with Provisioned Throughput mode
Amazon EFS with Provisioned Throughput mode decouples throughput capacity from storage size, optimizing high-frequency access for smaller datasets. DynamoDB has a strict 400 KB item size limit, while standard EFS bursting relies heavily on the total data stored.
Question 161 of 303A company is migrating a legacy workload from on-premises to AWS. The application receives customer order files from an on-premises ERP system by using the SFTP protocol. After files arrive, the application must process them immediately rather than relying on periodic polling. The company already has secure network connectivity between AWS and the on-premises environment. The new solution must remain highly available, secure, and resilient across infrastructure failures. Which solution should you implement to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Deploy an internal AWS Transfer Family SFTP server across two Availability Zones backed by Amazon S3. Configure a Transfer Family managed workflow to invoke an AWS Lambda function immediately after file upload completes
Deploying an internal Transfer Family server across multiple Availability Zones ensures secure network integration and high availability. Configuring a managed workflow to trigger Lambda guarantees immediate event-driven processing without relying on inefficient polling.
Question 162 of 303An e-commerce company has deployed its application on several Amazon EC2 instances that are configured in a private subnet using IPv4. These Amazon EC2 instances read and write a huge volume of data to and from Amazon S3 in the same AWS region. The company has set up subnet routing to direct all the internet-bound traffic through a Network Address Translation gateway (NAT gateway). The company wants to build the most cost-optimal solution without impacting the application's ability to communicate with Amazon S3 or the internet. As an AWS Certified Solutions Architect Associate, which of the following would you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Set up a VPC gateway endpoint for Amazon S3. Attach an endpoint policy to the endpoint. Update the route table to direct the S3-bound traffic to the VPC endpoint
A VPC gateway endpoint routes S3 traffic privately within the AWS network, bypassing the NAT gateway and eliminating data processing fees. Egress-only gateways apply to IPv6 traffic, and Gateway Load Balancer endpoints secure virtual appliances, not S3 access.
Question 163 of 303Your application is hosted by a provider on yourapp.provider.com. You would like to have your users access your application using www.your-domain.com, which you own and manage under Amazon Route 53. Which Amazon Route 53 record should you create?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create a CNAME record
A CNAME record maps one fully qualified domain name to another, which properly aliases the third-party application. Alias records only point to AWS resources, and A records map to IP addresses.
Question 164 of 303The engineering team at an e-commerce company wants to migrate from Amazon Simple Queue Service (Amazon SQS) Standard queues to FIFO (First-In-First-Out) queues with batching. As a solutions architect, which of the following steps would you have in the migration checklist? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: C. Make sure that the name of the FIFO (First-In-First-Out) queue ends with the .fifo suffix · D. Make sure that the throughput for the target FIFO (First-In-First-Out) queue does not exceed 3,000 messages per second · E. Delete the existing standard queue and recreate it as a FIFO (First-In-First-Out) queue
To migrate from an SQS standard queue, you must delete it and recreate a new FIFO queue with the mandatory .fifo suffix. FIFO queues support up to 3,000 messages per second when batching is enabled. You cannot convert existing queues.
Question 165 of 303A media company wants a low-latency way to distribute live sports results which are delivered via a proprietary application using UDP protocol. As a solutions architect, which of the following solutions would you recommend such that it offers the BEST performance for this use case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use AWS Global Accelerator to provide a low latency way to distribute live sports results
AWS Global Accelerator optimizes non-HTTP traffic like UDP by routing users to optimal endpoints over the AWS global network. CloudFront is meant for HTTP and HTTPS content delivery, making it incompatible with proprietary UDP protocols.
Question 166 of 303A company has a license-based, expensive, legacy commercial database solution deployed at its on-premises data center. The company wants to migrate this database to a more efficient, open-source, and cost-effective option on AWS Cloud. The CTO at the company wants a solution that can handle complex database configurations such as secondary indexes, foreign keys, and stored procedures. As a solutions architect, which of the following AWS services should be combined to handle this use-case? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. AWS Database Migration Service (AWS DMS) · C. AWS Schema Conversion Tool (AWS SCT)
Heterogeneous database migrations require the AWS Schema Conversion Tool to translate source schemas before moving data with AWS Database Migration Service. Basic Schema Copy omits stored procedures and foreign keys, failing complex requirements.
Question 167 of 303An online gaming application has a large chunk of its traffic coming from users who download static assets such as historic leaderboard reports and the game tactics for various games. The current infrastructure and design are unable to cope with the traffic and the application freezes on most of the pages. Which of the following is a cost-optimal solution that does not need provisioning of infrastructure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Amazon CloudFront with Amazon S3 as the storage solution for the static assets
Amazon CloudFront paired with Amazon S3 creates a highly available, serverless architecture ideal for delivering static assets globally without provisioning underlying infrastructure. Distractors involving relational databases or Lambda introduce unnecessary compute overhead for simple file downloads.
Question 168 of 303A regional transportation authority operates a high-traffic public information portal hosted on AWS. The backend consists of Amazon EC2 instances behind an Application Load Balancer (ALB). In recent weeks, the operations team has observed intermittent slowdowns and performance issues. After investigation, the team suspect the application is being targeted by distributed denial-of-service (DDoS) attacks coming from a wide range of IP addresses. The team needs a solution that provides DDoS mitigation, detailed logs for audit purposes, and requires minimal changes to the existing architecture. Which solution best addresses these needs?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Subscribe to AWS Shield Advanced to gain proactive DDoS protection. Engage the AWS DDoS Response Team (DRT) to analyze traffic patterns and apply mitigations. Use the built-in logging and reporting to maintain an audit trail of detected events
AWS Shield Advanced provides managed DDoS protection, access to the DDoS Response Team, and detailed diagnostic reports for Layer 3, 4, and 7 attacks. Services like Inspector and GuardDuty focus on vulnerability and threat detection, not real-time volumetric attack mitigation.
Question 169 of 303A startup has created a new web application for users to complete a risk assessment survey via a self-administered questionnaire. The startup has purchased a domain using Amazon Route 53. The web development team would like to create an Amazon Route 53 record so that all traffic for the apex domain is routed to the www subdomain. As a solutions architect, which of the following is the MOST cost-effective solution that you would recommend to the web development team?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create an alias record for covid19survey.com that routes traffic to www.covid19survey.com
Amazon Route 53 alias records allow traffic routing for a zone apex to specific AWS resources and other records. Alias queries to AWS resources are free, making them more cost-effective than standard CNAME records.
Question 170 of 303A social media startup uses AWS Cloud to manage its IT infrastructure. The engineering team at the startup wants to perform weekly database rollovers for a MySQL database server using a serverless cron job that typically takes about 5 minutes to execute the database rollover script written in Python. The database rollover will archive the past week's data from the production database to keep the database small while still keeping its data accessible. As a solutions architect, which of the following would you recommend as the MOST cost-efficient and reliable solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Schedule a weekly Amazon EventBridge event cron expression to invoke an AWS Lambda function that runs the database rollover job
Amazon EventBridge can trigger AWS Lambda on a weekly cron schedule to execute a short Python script efficiently. AWS Glue is suited for heavy ETL processing, and EC2 instances violate the serverless requirement while adding unnecessary operational overhead.
Question 171 of 303A big data analytics company is working on a real-time vehicle tracking solution. The data processing workflow involves both I/O intensive and throughput intensive database workloads. The development team needs to store this real-time data in a NoSQL database hosted on an Amazon EC2 instance and needs to support up to 25,000 IOPS per volume. As a solutions architect, which of the following Amazon Elastic Block Store (Amazon EBS) volume types would you recommend for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Provisioned IOPS SSD (io1)
Provisioned IOPS SSD volumes deliver consistent, high-performance storage tailored for I/O intensive workloads. It easily scales to 25,000 IOPS per volume, whereas standard SSDs cap at 16,000 and HDDs offer significantly lower limits.
Question 172 of 303The development team at a retail company wants to optimize the cost of Amazon EC2 instances. The team wants to move certain nightly batch jobs to spot instances. The team has hired you as a solutions architect to provide the initial guidance. Which of the following would you identify as CORRECT regarding the capabilities of spot instances? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: D. If a spot request is persistent, then it is opened again after your Spot Instance is interrupted · E. Spot Fleets can maintain target capacity by launching replacement instances after Spot Instances in the fleet are terminated · F. When you cancel an active spot request, it does not terminate the associated instance
Persistent spot requests reopen after an instance is interrupted, and Spot Fleets automatically launch replacement instances to maintain target capacity. Canceling an active spot request does not terminate its already running associated instances.
Question 173 of 303A retail company uses AWS Cloud to manage its IT infrastructure. The company has set up AWS Organizations to manage several departments running their AWS accounts and using resources such as Amazon EC2 instances and Amazon RDS databases. The company wants to provide shared and centrally-managed VPCs to all departments using applications that need a high degree of interconnectivity. As a solutions architect, which of the following options would you choose to facilitate this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
VPC sharing via AWS Resource Access Manager enables sharing individual subnets across accounts within AWS Organizations. VPC peering connects entire VPC networks and does not support centralized subnet sharing for highly interconnected application resources.
Question 174 of 303A healthcare startup is modernizing its monolithic Python-based analytics application by transitioning to a microservices architecture on AWS. As a pilot, the team wants to refactor one module into a standalone microservice that can handle hundreds of requests per second. They are seeking an AWS-native solution that supports Python, scales automatically with traffic, and requires minimal infrastructure management and operational overhead to build, test, and deploy the service efficiently. Which AWS solution best meets these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use AWS Lambda to run the Python-based microservice. Integrate it with Amazon API Gateway for HTTP access and enable provisioned concurrency for performance during peak loads
AWS Lambda paired with Amazon API Gateway provides a fully managed, automatically scaling serverless architecture ideal for Python microservices. Provisioned concurrency further reduces cold start latency. Container services like ECS require more operational overhead.
Question 175 of 303A small business has been running its IT systems on the on-premises infrastructure but the business now plans to migrate to AWS Cloud for operational efficiencies. As a Solutions Architect, can you suggest a cost-effective serverless solution for its flagship application that has both static and dynamic content?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Host the static content on Amazon S3 and use AWS Lambda with Amazon DynamoDB for the serverless web application that handles dynamic content. Amazon CloudFront will sit in front of AWS Lambda for distribution across diverse regions
A serverless architecture requires services that do not require you to provision or manage servers, making S3, Lambda, and DynamoDB the ideal combination here. Options using Amazon EC2 are eliminated because virtual servers require operating system management.
Question 176 of 303The engineering team at a company wants to use Amazon Simple Queue Service (Amazon SQS) to decouple components of the underlying application architecture. However, the team is concerned about the VPC-bound components accessing Amazon Simple Queue Service (Amazon SQS) over the public internet. As a solutions architect, which of the following solutions would you recommend to address this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use VPC endpoint to access Amazon SQS
VPC endpoints powered by AWS PrivateLink allow private connectivity to supported AWS services without traversing the public internet. Since the requirement is to keep traffic off the public internet, options relying on internet gateways, NAT devices, or VPNs are invalid.
Question 177 of 303A health care application processes the real-time health data of the patients into an analytics workflow. With a sharp increase in the number of users, the system has become slow and sometimes even unresponsive as it does not have a retry mechanism. The startup is looking at a scalable solution that has minimal implementation overhead. Which of the following would you recommend as a scalable alternative to the current solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon Kinesis Data Streams to ingest the data, process it using AWS Lambda or run analytics using Amazon Kinesis Data Analytics
Amazon Kinesis Data Streams provides massive scalability for real-time data streaming and integrates natively with Lambda for analytics. SQS handles message decoupling, but Kinesis is purpose-built for high-throughput streaming time-series data.
Question 178 of 303A company maintains its business-critical customer data on an on-premises system in an encrypted format. Over the years, the company has transitioned from using a single encryption key to multiple encryption keys by dividing the data into logical chunks. With the decision to move all the data to an Amazon S3 bucket, the company is now looking for a technique to encrypt each file with a different encryption key to provide maximum security to the migrated on-premises data. How will you implement this requirement without adding the overhead of splitting the data into logical groups?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Configure a single Amazon S3 bucket to hold all data. Use server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the data
When using Amazon S3 server-side encryption with S3 managed keys (SSE-S3), each object is automatically encrypted with a unique data key. This satisfies the requirement for unique keys without requiring complex data partitioning or KMS configuration.
Question 179 of 303The database backend for a retail company's website is hosted on Amazon RDS for MySQL having a primary instance and three read replicas to support read scalability. The company has mandated that the read replicas should lag no more than 1 second behind the primary instance to provide the best possible user experience. The read replicas are falling further behind during periods of peak traffic spikes, resulting in a bad user experience as the searches produce inconsistent results. Which of the following will you recommend to reduce the replication lag as much as possible with minimal changes to the application code or the effort required to manage the underlying resources?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Set up database migration from Amazon RDS MySQL to Amazon Aurora MySQL. Swap out the MySQL read replicas with Aurora Replicas. Configure Aurora Auto Scaling
Migrating to Amazon Aurora MySQL provides low-latency replicas that share the same distributed storage volume as the primary instance. This virtually eliminates replication lag without requiring code changes or intense resource management.
Question 180 of 303A global pharmaceutical company operates a hybrid cloud network. Its primary AWS workloads run in the us-west-2 Region, connected to its on-premises data center via an AWS Direct Connect connection. After acquiring a biotech firm headquartered in Europe, the company must integrate the biotech's workloads, which are hosted in several VPCs in the eu-central-1 Region and connected to the biotech's on-premises facility through a separate Direct Connect link. All CIDR blocks are non-overlapping, and the business requires full connectivity between both data centers and all VPCs across the two Regions. The company also wants a scalable solution that minimizes manual network configuration and long-term operational overhead. Which solution will best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Connect both Direct Connect links to a shared Direct Connect gateway. Attach each Region's virtual private gateway (VGW) to the Direct Connect gateway, enabling transitive routing between the VPCs and the on-premises networks across Regions
A Direct Connect gateway connects Direct Connect links to VPCs across different Regions, enabling scalable hybrid transit. Inter-Region VPC peering lacks transitive routing, and third-party VPNs require excessive operational overhead.
Question 181 of 303A ride-hailing startup has launched a mobile app that matches passengers with nearby drivers based on real-time GPS coordinates. The application backend uses an Amazon RDS for PostgreSQL instance with read replicas to store the latitude and longitude of drivers and passengers. As the service scales, the backend experiences performance bottlenecks during peak hours, especially when thousands of updates and reads occur per second to keep location data current. The company expects its user base to double in the next few months and needs a high-performance, scalable solution that can handle frequent write and read operations with minimal latency. What do you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Place an Amazon ElastiCache for Redis cluster in front of the PostgreSQL database. Modify the application to cache recent location reads and updates in Redis, using a TTL-based eviction strategy
Amazon ElastiCache for Redis provides sub-millisecond latency and natively supports geospatial data, making it perfect for handling frequent GPS updates. The other options fail to address the high-frequency write bottleneck, as read replicas and multi-AZ deployments do not offload rapid write operations.
Question 182 of 303A transportation logistics company runs a shipment tracking application on Amazon EC2 instances with an Amazon Aurora MySQL database cluster. The application is experiencing rapid growth due to increased demand from mobile app users querying package delivery statuses. Although the compute layer (EC2) has remained stable, the Aurora DB cluster is under growing read pressure, especially from frequent repeated queries about package locations and delivery history. The company added an Aurora read replica, which temporarily alleviated the load, but read traffic continues to spike as user queries grow. The company wants to reduce the repeated reads pressure on the DB cluster. Which solution will best meet these requirements in a cost-effective manner?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Integrate Amazon ElastiCache for Redis between the application and Aurora. Cache frequently accessed query results in Redis to reduce the number of identical read requests hitting the database
Amazon ElastiCache for Redis acts as an in-memory caching layer to serve repeated reads directly, significantly reducing identical database queries. Adding Aurora read replicas is less cost-effective here because it still routes repeated queries to the database, consuming unnecessary resources.
Question 183 of 303A developer in your company has set up a classic 2 tier architecture consisting of an Application Load Balancer and an Auto Scaling group (ASG) managing a fleet of Amazon EC2 instances. The Application Load Balancer is deployed in a subnet of size 10.0.1.0/24 and the Auto Scaling group is deployed in a subnet of size 10.0.4.0/22. As a solutions architect, you would like to adhere to the security pillar of the well-architected framework. How do you configure the security group of the Amazon EC2 instances to only allow traffic coming from the Application Load Balancer?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Add a rule to authorize the security group of the Application Load Balancer
Referencing a security group directly inside an inbound rule ensures strict traffic isolation between associated resources. Allowing specific CIDR blocks is less secure because any resource within that network range could bypass the intended load balancer perimeter.
Question 184 of 303A company's business logic is built on several microservices that are running in the on-premises data center. They currently communicate using a message broker that supports the MQTT protocol. The company is looking at migrating these applications and the message broker to AWS Cloud without changing the application logic. Which technology allows you to get a managed message broker that supports the MQTT protocol?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Amazon MQ
Amazon MQ provides a managed message broker service that supports industry-standard protocols including MQTT for seamless migrations. AWS native services like SQS and SNS rely on proprietary APIs, requiring you to rewrite application logic during cloud migration.
Question 185 of 303A streaming media company operates a high-traffic content delivery platform on AWS. The application backend is deployed on Amazon EC2 instances within an Auto Scaling group across multiple Availability Zones in a VPC. The team has observed that workloads follow predictable usage patterns, such as higher viewership on weekends and in the evenings, along with occasional real-time spikes due to viral content. To reduce cost and improve responsiveness, the team wants an automated scaling approach that can forecast future demand using historical usage patterns, scale in advance based on those predictions, and react quickly to unplanned usage surges in real time. Which scaling strategy should a solutions architect recommend to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use predictive scaling for the Auto Scaling group to analyze daily and weekly patterns, and configure dynamic scaling with target tracking policies to respond to real-time traffic changes
Predictive scaling uses machine learning to analyze historical traffic and provision capacity proactively before demand spikes occur. Combining it with target tracking ensures the system reacts dynamically to real-time changes, whereas step or scheduled scaling reactively handles traffic.
Question 186 of 303A company uses Application Load Balancers in multiple AWS Regions. The Application Load Balancers receive inconsistent traffic that varies throughout the year. The engineering team at the company needs to allow the IP addresses of the Application Load Balancers in the on-premises firewall to enable connectivity. Which of the following represents the MOST scalable solution with minimal configuration changes?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Set up AWS Global Accelerator. Register the Application Load Balancers in different Regions to the AWS Global Accelerator. Configure the on-premises firewall's rule to allow static IP addresses associated with the AWS Global Accelerator
AWS Global Accelerator provides static anycast IP addresses that serve as fixed entry points for regional load balancers. Using Lambda scripts or migrating to Network Load Balancers creates administrative overhead because underlying IP addresses frequently change.
Question 187 of 303A social media company wants the capability to dynamically alter the size of a geographic area from which traffic is routed to a specific server resource. Which feature of Amazon Route 53 can help achieve this functionality?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Geoproximity routing
Geoproximity routing uses a bias value to dynamically expand or shrink the geographic boundary routing traffic to resources. Geolocation routing maps fixed boundaries to resources, lacking the dynamic bias sizing feature.
Question 188 of 303A retail company is using AWS Site-to-Site VPN connections for secure connectivity to its AWS cloud resources from its on-premises data center. Due to a surge in traffic across the VPN connections to the AWS cloud, users are experiencing slower VPN connectivity. Which of the following options will maximize the VPN throughput?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create an AWS Transit Gateway with equal cost multipath routing and add additional VPN tunnels
AWS Transit Gateway supports equal cost multi-path routing, allowing multiple VPN tunnels to aggregate throughput beyond single tunnel limits. Virtual private gateways lack ECMP support, making them incapable of increasing VPN bandwidth.
Question 189 of 303A company runs a popular dating website on the AWS Cloud. As a Solutions Architect, you've designed the architecture of the website to follow a serverless pattern on the AWS Cloud using Amazon API Gateway and AWS Lambda. The backend uses an Amazon RDS PostgreSQL database. Currently, the application uses a username and password combination to connect the AWS Lambda function to the Amazon RDS database. You would like to improve the security at the authentication level by leveraging short-lived credentials. What will you choose? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Attach an AWS Identity and Access Management (IAM) role to AWS Lambda · D. Use IAM authentication from AWS Lambda to Amazon RDS PostgreSQL
IAM database authentication allows AWS Lambda to use temporary tokens to access Amazon RDS for PostgreSQL. You must attach an execution role to the function to grant permissions to generate these tokens, while security groups only control network access.
Question 190 of 303A company has migrated its application from a monolith architecture to a microservices based architecture. The development team has updated the Amazon Route 53 simple record to point "myapp.mydomain.com" from the old Load Balancer to the new one. The users are still not redirected to the new Load Balancer. What has gone wrong in the configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The Time To Live (TTL) is still in effect
DNS resolvers cache records for the duration of the Time To Live, or TTL. If the TTL has not expired, clients will continue using the cached IP address of the old load balancer instead of querying Route 53 for the updated record.
Question 191 of 303A CRM company has a software as a service (SaaS) application that feeds updates to other in-house and third-party applications. The SaaS application and the in-house applications are being migrated to use AWS services for this inter-application communication. As a Solutions Architect, which of the following would you suggest to asynchronously decouple the architecture?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon EventBridge to decouple the system architecture
Amazon EventBridge is the ideal service to asynchronously decouple a SaaS application because it natively integrates with third-party providers. While SNS and SQS decouple systems, they lack built-in partner integrations for this specific SaaS requirement.
Question 192 of 303An e-commerce analytics company is preparing to archive several years of transaction records and customer analytics reports in Amazon S3 for long-term storage. To meet compliance requirements, the archived data must be encrypted at rest. Additionally, the solution must be cost-effective and ensure that key rotation occurs automatically every 12 months to comply with the company's internal data governance policy. Which solution will meet these requirements with the least operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use AWS Key Management Service (KMS) to create a customer managed key with automatic rotation enabled. Configure the S3 bucket's default encryption to use the customer managed key. Migrate the data to the S3 bucket
A customer managed KMS key with automatic rotation satisfies the strict compliance requirement for auditable annual key rotation. SSE-S3 handles encryption transparently but does not allow you to control or track the key rotation schedule.
Question 193 of 303An Elastic Load Balancer has marked all the Amazon EC2 instances in the target group as unhealthy. Surprisingly, when a developer enters the IP address of the Amazon EC2 instances in the web browser, he can access the website. What could be the reason the instances are being marked as unhealthy? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. The security group of the Amazon EC2 instance does not allow for traffic from the security group of the Application Load Balancer · C. The route for the health check is misconfigured
An Application Load Balancer marks targets as unhealthy if its health checks fail. This usually happens when the health check ping path is misconfigured or the target security group blocks traffic from the load balancer.
Question 194 of 303Amazon Route 53 is configured to route traffic to two Network Load Balancer nodes belonging to two Availability Zones (AZs): AZ-A and AZ-B. Cross-zone load balancing is disabled. AZ-A has four targets and AZ-B has six targets. Which of the below statements is true about traffic distribution to the target instances from Amazon Route 53?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Each of the four targets in AZ-A receives 12.5% of the traffic
Route 53 distributes traffic equally between the two Network Load Balancer nodes. With cross-zone load balancing disabled, each node routes its fifty percent of traffic strictly within its own zone, giving each target in the four-target zone exactly twelve point five percent.
Question 195 of 303An e-commerce company wants to migrate its on-premises application to AWS. The application consists of application servers and a Microsoft SQL Server database. The solution should result in the maximum possible availability for the database layer while minimizing operational and management overhead. As a solutions architect, which of the following would you recommend to meet the given requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Migrate the data to Amazon RDS for SQL Server database in a Multi-AZ deployment
Amazon RDS for SQL Server in a Multi-AZ deployment provides high availability through an automatic standby instance in another zone. This minimizes operational overhead compared to EC2, while avoiding the non-existent cross-region Multi-AZ configuration.
Question 196 of 303An enterprise has decided to move its secondary workloads such as backups and archives to the AWS cloud. The CTO wishes to move the data stored on physical tapes to the cloud, without changing their current tape backup workflows. The company holds petabytes of data on tapes and needs a cost-optimized solution to move this data to the cloud. What is an optimal solution that meets these requirements while keeping the costs to a minimum?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Tape Gateway, which can be used to move on-premises tape data onto AWS Cloud. Then, Amazon S3 archiving storage classes can be used to store data cost-effectively for years
Tape Gateway presents cloud-backed virtual tapes to on-premises backup applications without changing existing workflows. It archives this data directly into low-cost Amazon S3 Glacier or Glacier Deep Archive storage classes, minimizing long-term storage costs.
Question 197 of 303A financial services firm has traditionally operated with an on-premises data center and would like to create a disaster recovery strategy leveraging the AWS Cloud. As a Solutions Architect, you would like to ensure that a scaled-down version of a fully functional environment is always running in the AWS cloud, and in case of a disaster, the recovery time is kept to a minimum. Which disaster recovery strategy is that?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Warm Standby
A warm standby disaster recovery strategy keeps a scaled-down but fully functional version of your environment always running in the cloud. This differs from a pilot light, which only keeps core services active while scaling others during a failover event.
Question 198 of 303A development team has configured Elastic Load Balancing for host-based routing. The idea is to support multiple subdomains and different top-level domains. The rule *.example.com matches which of the following?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. test.example.com
In Elastic Load Balancing host-based routing, an asterisk wildcard matches zero or more characters before the specified domain. Therefore, the pattern asterisk dot example dot com matches test dot example dot com, but it does not match the exact apex domain example dot com.
Question 199 of 303A fintech startup hosts its real-time transaction metadata in Amazon DynamoDB tables. During a recent system maintenance event, a junior engineer accidentally deleted a production table, resulting in major service downtime and irreversible data loss. Leadership has mandated an immediate solution that prevents future data loss from human error, while requiring minimal ongoing maintenance or manual effort from the engineering team. Which approach best addresses these requirements with the least operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Enable deletion protection on DynamoDB tables
Enabling deletion protection on a DynamoDB table prevents accidental table deletion by blocking the destructive API call entirely. Point-in-time recovery is a reactive backup mechanism that helps restore deleted data but does not prevent the initial deletion or resulting downtime.
Question 200 of 303A global insurance company is modernizing its infrastructure by migrating multiple line-of-business applications from its on-premises data centers to AWS. These applications will be deployed across several AWS accounts, all governed under a centralized AWS Organizations structure. The company manages all user identities, groups, and access policies within its on-premises Microsoft Active Directory and wants to continue doing so. The goal is to enable seamless single sign-in across all AWS accounts without duplicating user identity stores or manually provisioning accounts. Which solution best meets these requirements in the most operationally efficient manner?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Deploy AWS IAM Identity Center and configure it to use AWS Directory Service for Microsoft Active Directory (Enterprise Edition). Establish a two-way trust relationship between the managed directory and the on-premises Active Directory to enable federated authentication across all AWS accounts
AWS IAM Identity Center centrally manages single sign-on access across multiple AWS accounts. By connecting it to an AWS Managed Microsoft AD with a two-way trust to your on-premises directory, users can federate seamlessly without duplicating identity stores.
Question 201 of 303A research organization is running a high-performance computing (HPC) workload using Amazon EC2 instances that are distributed across multiple Availability Zones (AZs) within a single AWS Region. The workload requires access to a shared file system with the lowest possible latency for frequent reads and writes. The team decides to use Amazon Elastic File System (Amazon EFS) for its scalability and simplicity. To ensure optimal performance and reduce network latency, the solution architect must design the architecture so that each EC2 instance can access the file system with the least possible delay. Which of the following is the most appropriate solution to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Create EFS mount targets in each AZ and mount the EFS file system to EC2 instances in the same AZ as the mount target
Provisioning an Amazon EFS mount target in each Availability Zone ensures instances access local resources, yielding the lowest possible latency. Deploying a single target forces cross-AZ traffic, increasing delay, while using Mountpoint for S3 confuses object storage with shared file systems.
Question 202 of 303A company wants to adopt a hybrid cloud infrastructure where it uses some AWS services such as Amazon S3 alongside its on-premises data center. The company wants a dedicated private connection between its on-premises data center and AWS. In case of failures though, the company needs to guarantee uptime and is willing to use the public internet for an encrypted connection. What do you recommend? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Use AWS Direct Connect connection as a primary connection · C. Use AWS Site-to-Site VPN as a backup connection
AWS Direct Connect provides a dedicated private network path for a primary connection. To guarantee uptime over the public internet during a failure, an encrypted AWS Site-to-Site VPN serves as the standard backup layer. Egress-only gateways are for IPv6 VPC outbound traffic, not hybrid connectivity.
Question 203 of 303You started a new job as a solutions architect at a company that has both AWS experts and people learning AWS. Recently, a developer misconfigured a newly created Amazon RDS database which resulted in a production outage. How can you ensure that Amazon RDS specific best practices are incorporated into a reusable infrastructure template to be used by all your AWS users?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use AWS CloudFormation to manage Amazon RDS databases
AWS CloudFormation allows you to provision resources using infrastructure as code, ensuring reusable templates with standardized best practices. The other options are incorrect because they rely on reactive monitoring, generic alerts, or unrelated IAM policies instead of using a proactive template.
Question 204 of 303An e-commerce company has copied 1 petabyte of data from its on-premises data center to an Amazon S3 bucket in the us-west-1 Region using an AWS Direct Connect link. The company now wants to set up a one-time copy of the data to another Amazon S3 bucket in the us-east-1 Region. The on-premises data center does not allow the use of AWS Snowball. As a solutions architect, which of the following options can be used to accomplish this goal? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Set up Amazon S3 batch replication to copy objects across Amazon S3 buckets in another Region using S3 console and then delete the replication configuration · E. Copy data from the source bucket to the destination bucket using the aws S3 sync command
The AWS CLI sync command efficiently copies large datasets between S3 buckets without duplicating existing files. S3 batch replication is the second valid choice because it enables you to replicate existing objects on demand, which can be deleted afterward for a one-time migration.
Question 205 of 303You are working for a software as a service (SaaS) company as a solutions architect and help design solutions for the company's customers. One of the customers is a bank and has a requirement to whitelist a public IP when the bank is accessing external services across the internet. Which architectural choice do you recommend to maintain high availability, support scaling-up to 10 instances and comply with the bank's requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use a Network Load Balancer with an Auto Scaling Group
A Network Load Balancer provides a static, predictable IP address required for strict whitelisting. Application and Classic Load Balancers expose dynamic DNS names, making them unsuitable for fixed IP whitelisting requirements.
Question 206 of 303A company has developed a popular photo-sharing website using a serverless pattern on the AWS Cloud using Amazon API Gateway and AWS Lambda. The backend uses an Amazon RDS PostgreSQL database. The website is experiencing high read traffic and the AWS Lambda functions are putting an increased read load on the Amazon RDS database. The architecture team is planning to increase the read throughput of the database, without changing the application's core logic. As a Solutions Architect, what do you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Amazon RDS Read Replicas
Amazon RDS Read Replicas scale read capacity horizontally without modifying application database logic. ElastiCache requires code changes, and Multi-AZ strictly provides availability and disaster recovery failover.
Question 207 of 303The engineering team at a global e-commerce company is currently reviewing their disaster recovery strategy. The team has outlined that they need to be able to quickly recover their application stack with a Recovery Time Objective (RTO) of 5 minutes, in all of the AWS Regions that the application runs. The application stack currently takes over 45 minutes to install on a Linux system. As a Solutions architect, which of the following options would you recommend as the disaster recovery strategy?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Create an Amazon Machine Image (AMI) after installing the software and copy the AMI across all Regions. Use this Region-specific AMI to run the recovery process in the respective Regions
Pre-baked Amazon Machine Images launch instances in minutes to meet strict Recovery Time Objectives. AMIs are Regional resources, so they must be copied to target Regions to enable rapid multi-Region disaster recovery.
Question 208 of 303A Pharmaceuticals company is looking for a simple solution to connect its VPCs and on-premises networks through a central hub. As a Solutions Architect, which of the following would you suggest as the solution that requires the LEAST operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use AWS Transit Gateway to connect the Amazon VPCs to the on-premises networks
AWS Transit Gateway provides a fully managed, highly available hub-and-spoke model connecting VPCs and on-premises networks. VPC peering is eliminated because it lacks transitive routing required for on-premises connectivity.
Question 209 of 303The engineering team at a social media company has recently migrated to AWS Cloud from its on-premises data center. The team is evaluating Amazon CloudFront to be used as a CDN for its flagship application. The team has hired you as an AWS Certified Solutions Architect – Associate to advise on Amazon CloudFront capabilities on routing, security, and high availability. Which of the following would you identify as correct regarding Amazon CloudFront? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: A. Use field level encryption in Amazon CloudFront to protect sensitive data for specific content · C. Use an origin group with primary and secondary origins to configure Amazon CloudFront for high-availability and failover · F. Amazon CloudFront can route to multiple origins based on the content type
Amazon CloudFront uses cache behaviors to route requests to different origins based on path patterns or content type. Origin groups provide automatic failover for high availability, while field-level encryption protects specific sensitive data at the edge.
Question 210 of 303A company wants to grant access to an Amazon S3 bucket to users in its own AWS account as well as to users in another AWS account. Which of the following options can be used to meet this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use a bucket policy to grant permission to users in its account as well as to users in another account
S3 bucket policies are resource-based policies that can easily grant cross-account access to an S3 bucket. However, the question is ambiguous because IAM user policies in the target account can also be used to assume a role for cross-account access.
Question 211 of 303A company has recently created a new department to handle their services workload. An IT team has been asked to create a custom VPC to isolate the resources created in this new department. They have set up the public subnet and internet gateway (IGW). However, they are not able to ping the Amazon EC2 instances with elastic IP address (EIP) launched in the newly created VPC. As a Solutions Architect, the team has requested your help. How will you troubleshoot this scenario? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Check if the route table is configured with internet gateway · E. Check if the security groups allow ping from the source
If you cannot ping an Amazon EC2 instance, you must verify that the route table directs internet traffic to the internet gateway. You must also ensure the security group allows inbound ICMP traffic, which is required for ping requests.
Question 212 of 303A niche social media application allows users to connect with sports athletes. As a solutions architect, you've designed the architecture of the application to be fully serverless using Amazon API Gateway and AWS Lambda. The backend uses an Amazon DynamoDB table. Some of the star athletes using the application are highly popular, and therefore Amazon DynamoDB has increased the read capacity units (RCUs). Still, the application is experiencing a hot partition problem. What can you do to improve the performance of Amazon DynamoDB and eliminate the hot partition problem without a lot of application refactoring?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon DynamoDB DAX
Amazon DynamoDB Accelerator (DAX) provides a fully managed in-memory cache that directly integrates with DynamoDB to resolve hot partition read issues transparently. Using ElastiCache would require significant application code refactoring, which violates the scenario constraints.
Question 213 of 303Your company is deploying a website running on AWS Elastic Beanstalk. The website takes over 45 minutes for the installation and contains both static as well as dynamic files that must be generated during the installation process. As a Solutions Architect, you would like to bring the time to create a new instance in your AWS Elastic Beanstalk deployment to be less than 2 minutes. Which of the following options should be combined to build a solution for this requirement? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Use Amazon EC2 user data to customize the dynamic installation parts at boot time · D. Create a Golden Amazon Machine Image (AMI) with the static installation components already setup
Baking static installation components into a custom Golden AMI drastically reduces boot times, while EC2 user data handles the remaining dynamic configuration. Attempting to run the entire forty-five minute installation process via user data alone violates the two-minute requirement.
Question 214 of 303A Big Data processing company has created a distributed data processing framework that performs best if the network performance between the processing machines is high. The application has to be deployed on AWS, and the company is only looking at performance as the key measure. As a Solutions Architect, which deployment do you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use a Cluster placement group
A cluster placement group packs EC2 instances close together inside a single Availability Zone, delivering low-latency, high-throughput network performance for tightly coupled workloads. Spread placement groups intentionally isolate instances across hardware to reduce correlated failures, which hurts performance.
Question 215 of 303A retail company uses AWS Cloud to manage its technology infrastructure. The company has deployed its consumer-focused web application on Amazon EC2-based web servers and uses Amazon RDS PostgreSQL database as the data store. The PostgreSQL database is set up in a private subnet that allows inbound traffic from selected Amazon EC2 instances. The database also uses AWS Key Management Service (AWS KMS) for encrypting data at rest. Which of the following steps would you recommend to facilitate end-to-end security for the data-in-transit while accessing the database?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Configure Amazon RDS to use SSL for data in transit
Configuring Amazon RDS to use SSL or TLS encrypts the data in transit between the application and the database, fulfilling the end-to-end security requirement. Security groups, network ACLs, and IAM authentication manage access control rather than encrypting the network payload.
Question 216 of 303You have an Amazon S3 bucket that contains files in two different folders – s3://my-bucket/images and s3://my-bucket/thumbnails. When an image is first uploaded and new, it is viewed several times. But after 45 days, analytics prove that image files are on average rarely requested, but the thumbnails still are. After 180 days, you would like to archive the image files and the thumbnails. Overall you would like the solution to remain highly available to prevent disasters happening against a whole Availability Zone (AZ). How can you implement an efficient cost strategy for your Amazon S3 bucket? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Create a Lifecycle Policy to transition objects to Amazon S3 Standard IA using a prefix after 45 days · E. Create a Lifecycle Policy to transition all objects to Amazon S3 Glacier after 180 days
Amazon S3 Standard-IA provides high availability across multiple Availability Zones while lowering costs for infrequently accessed data. S3 One Zone-IA fails the availability requirement, and using a prefix for the 45-day transition isolates the image files from the actively viewed thumbnails.
Question 217 of 303A ride-sharing company wants to improve the ride-tracking system that stores GPS coordinates for all rides. The engineering team at the company is looking for a NoSQL database that has single-digit millisecond latency, can scale horizontally, and is serverless, so that they can perform high-frequency lookups reliably. As a Solutions Architect, which database do you recommend for their requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Amazon DynamoDB
Amazon DynamoDB is a serverless NoSQL database that delivers consistent single-digit millisecond latency and scales horizontally to handle high-frequency lookloads. ElastiCache is meant for caching rather than primary storage, while RDS and Neptune do not meet all the required constraints.
Question 218 of 303A ride-sharing company wants to use an Amazon DynamoDB table for data storage. The table will not be used during the night hours whereas the read and write traffic will often be unpredictable during day hours. When traffic spikes occur they will happen very quickly. Which of the following will you recommend as the best-fit solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Set up Amazon DynamoDB table in the on-demand capacity mode
DynamoDB on-demand capacity instantly accommodates unpredictable traffic spikes without relying on CloudWatch alarms or scaling delays. Provisioned capacity with auto-scaling reacts too slowly for rapid bursts, while global tables and secondary indexes address replication and queries rather than capacity.
Question 219 of 303An IT company runs a high-performance computing (HPC) workload on AWS. The workload requires high network throughput and low-latency network performance along with tightly coupled node-to-node communications. The Amazon EC2 instances are properly sized for compute and storage capacity and are launched using default options. Which of the following solutions can be used to improve the performance of the workload?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Select a cluster placement group while launching Amazon EC2 instances
Cluster placement groups pack EC2 instances close together within a single Availability Zone to deliver the low-latency network performance required for tightly coupled HPC workloads. Dedicated tenancy, capacity reservations, and Elastic Inference address compliance, availability, and machine learning rather than network performance.
Question 220 of 303As an e-sport tournament hosting company, you have servers that need to scale and be highly available. Therefore you have deployed an Elastic Load Balancing (ELB) with an Auto Scaling group (ASG) across 3 Availability Zones (AZs). When e-sport tournaments are running, the servers need to scale quickly. And when tournaments are done, the servers can be idle. As a general rule, you would like to be highly available, have the capacity to scale and optimize your costs. What do you recommend? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Use Reserved Instances (RIs) for the minimum capacity · D. Set the minimum capacity to 2
Setting a minimum capacity of two instances across separate Availability Zones ensures high availability during a failure. Covering this constant baseline with Reserved Instances optimizes costs, whereas Dedicated Hosts or higher minimum capacities increase expenses without adding necessary value.
Question 221 of 303You have developed a new REST API leveraging the Amazon API Gateway, AWS Lambda and Amazon Aurora database services. Most of the workload on the website is read-heavy. The data rarely changes and it is acceptable to serve users outdated data for about 24 hours. Recently, the website has been experiencing high load and the costs incurred on the Aurora database have been very high. How can you easily reduce the costs while improving performance, with minimal changes?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Enable Amazon API Gateway Caching
Enabling API Gateway caching reduces the load on your backend database by serving repeated requests directly from the cache. Aurora Read Replicas would increase costs, and Lambda lacks native in-memory caching, making the caching feature the most effective solution.
Question 222 of 303As a solutions architect, you have created a solution that utilizes an Application Load Balancer with stickiness and an Auto Scaling Group (ASG). The Auto Scaling Group spans across 2 Availability Zones (AZs). AZ-A has 3 Amazon EC2 instances and AZ-B has 4 Amazon EC2 instances. The Auto Scaling Group is about to go into a scale-in event due to the triggering of a Amazon CloudWatch alarm. What will happen under the default Auto Scaling Group configuration?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The instance with the oldest launch template or launch configuration will be terminated in AZ-B
The default Auto Scaling termination policy balances instances across Availability Zones by terminating instances in the most populated zone first. Within that zone, it removes the instance using the oldest launch template or configuration to maintain updated configurations.
Question 223 of 303A media company operates a video rendering pipeline on Amazon EKS, where containerized jobs are scheduled using Kubernetes deployments. The application experiences bursty traffic patterns, particularly during peak streaming hours. The platform uses the Kubernetes Horizontal Pod Autoscaler (HPA) to scale pods based on CPU utilization. A solutions architect observes that the total number of EC2 worker nodes remains constant during traffic spikes, even when all nodes are at maximum resource utilization. The company needs a solution that enables automatic scaling of the underlying compute infrastructure when pod demand exceeds cluster capacity. Which solution should the architect implement to resolve this issue with the least operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Deploy the Kubernetes Cluster Autoscaler to the EKS cluster. Configure it to integrate with the existing EC2 Auto Scaling group to automatically launch or terminate nodes based on pending pod demands
The Kubernetes Cluster Autoscaler automatically adjusts the underlying EC2 Auto Scaling Group when pods become unschedulable due to resource constraints. Dynamic CloudWatch alarms lack scheduling visibility, while custom Lambda functions and Fargate migrations introduce unnecessary operational overhead.
Question 224 of 303A startup's cloud infrastructure consists of a few Amazon EC2 instances, Amazon RDS instances and Amazon S3 storage. A year into their business operations, the startup is incurring costs that seem too high for their business requirements. Which of the following options represents a valid cost-optimization solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use AWS Cost Optimization Hub to get a report of Amazon EC2 instances that are either idle or have low utilization and use AWS Compute Optimizer to look at instance type recommendations
Cost Optimization Hub identifies idle and underutilized EC2 instances, while Compute Optimizer recommends right-sized instance types to reduce expenses. Compute Optimizer does not handle purchasing options, S3 Analytics excludes Glacier, and Trusted Advisor cannot automatically renew instances.
Question 225 of 303For security purposes, a development team has decided to deploy the Amazon EC2 instances in a private subnet. The team plans to use VPC endpoints so that the instances can access some AWS services securely. The members of the team would like to know about the two AWS services that support Gateway Endpoints. As a solutions architect, which of the following services would you suggest for this requirement? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Amazon S3 · E. Amazon DynamoDB
Amazon S3 and Amazon DynamoDB are the only AWS services that support Gateway VPC Endpoints, which use route tables for private connectivity. SQS, Kinesis, and SNS rely on Interface Endpoints, which use Elastic Network Interfaces and PrivateLink instead of route tables.
Question 226 of 303A Big Data analytics company writes data and log files in Amazon S3 buckets. The company now wants to stream the existing data files as well as any ongoing file updates from Amazon S3 to Amazon Kinesis Data Streams. As a Solutions Architect, which of the following would you suggest as the fastest possible way of building a solution for this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Leverage AWS Database Migration Service (AWS DMS) as a bridge between Amazon S3 and Amazon Kinesis Data Streams
AWS Database Migration Service can stream existing data and ongoing changes from Amazon S3 to Amazon Kinesis Data Streams out of the box. The event-based alternatives require custom Lambda code to process files, making them slower to implement than a managed replication service.
Question 227 of 303An IT company has a large number of clients opting to build their application programming interface (API) using Docker containers. To facilitate the hosting of these containers, the company is looking at various orchestration services available with AWS. As a Solutions Architect, which of the following solutions will you suggest? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: C. Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate for serverless orchestration of the containerized services · E. Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate for serverless orchestration of the containerized services
Amazon ECS and Amazon EKS are the native AWS container orchestration services. Pairing either with AWS Fargate provides a serverless compute engine, eliminating the need to manage underlying EC2 instances.
Question 228 of 303A media company uses Amazon ElastiCache Redis to enhance the performance of its Amazon RDS database layer. The company wants a robust disaster recovery strategy for its caching layer that guarantees minimal downtime as well as minimal data loss while ensuring good application performance. Which of the following solutions will you recommend to address the given use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Opt for Multi-AZ configuration with automatic failover functionality to help mitigate failure
A Multi-AZ configuration with automatic failover guarantees high availability and low data loss during a cache failure. Scheduled backups or manual AOF retention incur significant recovery delays, and read replicas alone cannot provide automatic failover for writes.
Question 229 of 303A company has noticed that its Amazon EBS Elastic Volume (io1) accounts for 90% of the cost and the remaining 10% cost can be attributed to the Amazon EC2 instance. The Amazon CloudWatch metrics report that both the Amazon EC2 instance and the Amazon EBS volume are under-utilized. The Amazon CloudWatch metrics also show that the Amazon EBS volume has occasional I/O bursts. The entire infrastructure is managed by AWS CloudFormation. As a solutions architect, what do you propose to reduce the costs?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Convert the Amazon EC2 instance EBS volume to gp2
General purpose SSD gp2 volumes provide cost-effective storage with the ability to burst to higher IOPS levels, perfectly matching the requirements. Provisioned IOPS volumes remain expensive and unnecessary for under-utilized workloads, and CloudFormation itself incurs no additional service charges.
Question 230 of 303The engineering team at a leading e-commerce company is anticipating a surge in the traffic because of a flash sale planned for the weekend. You have estimated the web traffic to be 10x. The content of your website is highly dynamic and changes very often. As a Solutions Architect, which of the following options would you recommend to make sure your infrastructure scales for that day?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use an Auto Scaling Group
Auto Scaling Groups dynamically provision and terminate compute resources based on demand, providing the underlying scaling required. CloudFront is eliminated because the highly dynamic content is unsuitable for edge caching.
Question 231 of 303A digital media platform is preparing to launch a new interactive content service that is expected to receive sudden spikes in user engagement, especially during live events and media releases. The backend uses an Amazon Aurora PostgreSQL Serverless v2 cluster to handle dynamic workloads. The architecture must be capable of scaling both compute and storage performance to maintain low latency and avoid bottlenecks under load. The engineering team is evaluating storage configuration options and wants a solution that will scale automatically with traffic, optimize I/O performance, and remain cost-effective without manual provisioning or tuning. Which configuration will best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Configure the Aurora cluster to use Aurora I/O-Optimized storage. This configuration delivers high throughput and low-latency I/O performance with predictable pricing and no I/O-based charges
Aurora I/O-Optimized storage provides consistent high throughput with predictable pricing, automatically handling spikes. Provisioned IOPS and Magnetic options are eliminated as they are unsupported configurations for Aurora clusters.
Question 232 of 303The engineering team at an e-commerce company has been tasked with migrating to a serverless architecture. The team wants to focus on the key points of consideration when using AWS Lambda as a backbone for this architecture. As a Solutions Architect, which of the following options would you identify as correct for the given requirement? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: B. By default, AWS Lambda functions always operate from an AWS-owned VPC and hence have access to any public internet address or public AWS APIs. Once an AWS Lambda function is VPC-enabled, it will need a route through a Network Address Translation gateway (NAT gateway) in a public subnet to access public resources · C. Since AWS Lambda functions can scale extremely quickly, it's a good idea to deploy a Amazon CloudWatch Alarm that notifies your team when function metrics such as ConcurrentExecutions or Invocations exceeds the expected threshold · E. If you intend to reuse code in more than one AWS Lambda function, you should consider creating an AWS Lambda Layer for the reusable code
Lambda functions rely on Layers for shared code, require NAT gateways for public internet access inside a VPC, and need CloudWatch alarms to monitor concurrency. Timeout over-provisioning is discouraged because it incurs unexpected costs.
Question 233 of 303A digital media company needs to manage uploads of around 1 terabyte each from an application being used by a partner company. As a Solutions Architect, how will you handle the upload of these files to Amazon S3?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use multi-part upload feature of Amazon S3
Amazon S3 multipart upload is the required method for uploading files larger than five gigabytes, allowing parallel transmission and recovery from network failures. AWS Snowball is intended for offline petabyte-scale migrations, and Direct Connect only provides bandwidth without addressing the file size limit.
Question 234 of 303A CRM web application was written as a monolith in PHP and is facing scaling issues because of performance bottlenecks. The CTO wants to re-engineer towards microservices architecture and expose their application from the same load balancer, linked to different target groups with different URLs: checkout.mycorp.com, www.mycorp.com, yourcorp.com/profile and yourcorp.com/search. The CTO would like to expose all these URLs as HTTPS endpoints for security purposes. As a solutions architect, which of the following would you recommend as a solution that requires MINIMAL configuration effort?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Secure Sockets Layer certificate (SSL certificate) with SNI
Application Load Balancers use Server Name Indication (SNI) to serve multiple secure HTTPS applications, each with its own TLS certificate, behind a single listener. A wildcard certificate cannot cover entirely different base domains like mycorp and yourcorp.
Question 235 of 303You are working as a Solutions Architect for a photo processing company that has a proprietary algorithm to compress an image without any loss in quality. Because of the efficiency of the algorithm, your clients are willing to wait for a response that carries their compressed images back. You also want to process these jobs asynchronously and scale quickly, to cater to the high demand. Additionally, you also want the job to be retried in case of failures. Which combination of choices do you recommend to minimize cost and comply with the requirements? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Amazon Simple Queue Service (Amazon SQS) · C. Amazon EC2 Spot Instances
Amazon SQS decouples the application to buffer image compression jobs asynchronously, enabling built-in retries for failed tasks. Combining this with EC2 Spot Instances minimizes compute costs for asynchronous, interruptible workloads without requiring long-term commitments.
Question 236 of 303A small rental company had 5 employees, all working under the same AWS cloud account. These employees deployed their applications built for various functions- including billing, operations, finance, etc. Each of these employees has been operating in their own VPC. Now, there is a need to connect these VPCs so that the applications can communicate with each other. Which of the following is the MOST cost-effective solution for this use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use a VPC peering connection
VPC peering provides the most cost-effective way to route traffic privately between instances in separate VPCs within the same AWS account. Direct Connect is an expensive dedicated circuit for on-premises connectivity, while internet gateways and NAT gateways do not route internal traffic.
Question 237 of 303A systems administrator is creating IAM policies and attaching them to IAM identities. After creating the necessary identity-based policies, the administrator is now creating resource-based policies. Which is the only resource-based policy that the IAM service supports?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Trust policy
The IAM service only supports one type of resource-based policy, which is the role trust policy attached to an IAM role. Access control lists are external service-level policies, while permissions boundaries and Service Control Policies govern maximum entity permissions.
Question 238 of 303A financial services company is implementing two separate data retention policies to comply with regulatory standards:Policy A: Critical transaction records must be immediately available for audit and must not be deleted or overwritten for 7 years. Policy B: Archived compliance data must be stored in a low-cost, long-term storage solution and locked from deletion or modification for at least 10 years.As a solutions architect, which combination of AWS features should you recommend to enforce these policies effectively?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: G. Use Amazon S3 Object Lock in Compliance mode for Policy A, and S3 Glacier Vault Lock for Policy B
S3 Object Lock in Compliance mode enforces strict write-once-read-many protections for immediately accessible transaction records. S3 Glacier Vault Lock provides a tamper-proof policy for long-term, low-cost archival data, perfectly meeting both regulatory retention requirements.
Question 239 of 303A Customer relationship management (CRM) application is facing user experience issues with users reporting frequent sign-in requests from the application. The application is currently hosted on multiple Amazon EC2 instances behind an Application Load Balancer. The engineering team has identified the root cause as unhealthy servers causing session data to be lost. The team would like to implement a distributed in-memory cache-based session management solution. As a solutions architect, which of the following solutions would you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Amazon Elasticache for distributed in-memory cache based session management
Amazon ElastiCache provides a distributed in-memory data store that allows an Application Load Balancer to distribute traffic across all instances. Sticky sessions fail when an instance becomes unhealthy, while RDS and DynamoDB do not provide in-memory caching.
Question 240 of 303A global e-commerce platform currently operates its order processing system in a single on-premises data center located in Europe. As the company grows its customer base across Asia and North America, it plans to deploy the application across multiple AWS Regions to improve availability and reduce latency. The company requires that updates to the central order database be completed in under one second with global consistency. The application layer will be deployed separately in each Region, but the order management data must remain centrally managed and globally synchronized. Which solution should a solutions architect recommend to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Migrate the order data to Amazon DynamoDB and create a global table. Deploy the application in each Region and connect to the local DynamoDB replica for low-latency access
Amazon DynamoDB global tables provide a fully managed multi-Region, multi-active database with typical replication latency under one second. Aurora and RDS cross-Region read replicas force all writes through a single primary Region, increasing global latency.
Question 241 of 303An enterprise runs a critical Oracle database workload in its on-premises environment. The company now plans to replicate both existing records and continuous transactional changes to a managed Oracle environment in AWS. The target database will run on Amazon RDS for Oracle. Data transfer volume is expected to fluctuate throughout the day, and the team wants the solution to provision compute resources automatically based on actual workload requirements. Which solution will meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Configure an AWS DMS Serverless replication task to synchronize historical and ongoing changes between the on-premises Oracle database and Amazon RDS for Oracle
AWS DMS Serverless automatically provisions and scales compute capacity to match fluctuating database migration workloads. AWS Glue handles batch ETL rather than continuous transactional replication, and building custom EC2 scaling logic adds operational overhead.
Question 242 of 303A company's cloud architect has set up a solution that uses Amazon Route 53 to configure the DNS records for the primary website with the domain pointing to the Application Load Balancer (ALB). The company wants a solution where users will be directed to a static error page, configured as a backup, in case of unavailability of the primary website. Which configuration will meet the company's requirements, while keeping the changes to a bare minimum?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Set up Amazon Route 53 active-passive type of failover routing policy. If Amazon Route 53 health check determines the Application Load Balancer endpoint as unhealthy, the traffic will be diverted to a static error page, hosted on Amazon S3 bucket
Route 53 active-passive failover routing uses health checks to automatically divert traffic to a static S3 backup site during a primary outage. Latency and weighted routing cannot provide automatic failover, and Route 53 does not have an active-active failover policy type.
Question 243 of 303A retail company wants to establish encrypted network connectivity between its on-premises data center and the AWS Cloud. The company wants to get the solution up and running in the fastest possible time and it should also support encryption in transit. As a solutions architect, which of the following solutions would you suggest to the company?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS Site-to-Site VPN to establish encrypted network connectivity between the on-premises data center and AWS Cloud
An AWS Site-to-Site VPN establishes encrypted IPsec connections over the public internet and can be provisioned almost immediately. AWS Direct Connect provides dedicated bandwidth but does not natively encrypt traffic, while DataSync and Secrets Manager do not establish network connectivity.
Question 244 of 303A streaming solutions company is building a video streaming product by using an Application Load Balancer (ALB) that routes the requests to the underlying Amazon EC2 instances. The engineering team has noticed a peculiar pattern. The Application Load Balancer removes an instance from its pool of healthy instances whenever it is detected as unhealthy but the Auto Scaling group fails to kick-in and provision the replacement instance. What could explain this anomaly?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The Auto Scaling group is using Amazon EC2 based health check and the Application Load Balancer is using ALB based health check
When an Auto Scaling group relies on EC2 health checks while an Application Load Balancer uses ALB health checks, a failed application can cause the ALB to drop the instance without triggering a replacement. Configuring the ASG to use ELB health checks ensures it detects application failures and provisions replacements.
Question 245 of 303An application with global users across AWS Regions had suffered an issue when the Elastic Load Balancing (ELB) in a Region malfunctioned thereby taking down the traffic with it. The manual intervention cost the company significant time and resulted in major revenue loss. What should a solutions architect recommend to reduce internet latency and add automatic failover across AWS Regions?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Set up AWS Global Accelerator and add endpoints to cater to users in different geographic locations
AWS Global Accelerator uses static anycast IP addresses and the AWS global network to route traffic to healthy regional endpoints with automatic failover. Route 53 geo-proximity routing relies on DNS caching, which slows down failover, and CloudFront only routes static content.
Question 246 of 303A digital content production company has transitioned all of its media assets to Amazon S3 in an effort to reduce storage costs. However, the rendering engine used in production continues to run in an on-premises data center and requires frequent and low-latency access to large media files. The company wants to implement a storage solution that maintains application performance while keeping costs low. Which approach should the company choose to meet these requirements in the most cost-effective way?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Set up an Amazon S3 File Gateway to provide storage for the on-premises application
Amazon S3 File Gateway provides on-premises applications with low-latency access to S3 by caching frequently accessed files locally via standard NFS or SMB mounts. FSx for Lustre is optimized for cloud compute workloads, while Mountpoint lacks local caching capabilities.
Question 247 of 303A SaaS analytics company is deploying a microservices-based application on Amazon ECS using the Fargate launch type. The application requires access to a shared, POSIX-compliant file system that is available across multiple Availability Zones for redundancy and availability. To meet compliance requirements, the system must support regional backups and cross-Region data recovery with a recovery point objective (RPO) of no more than 8 hours. A backup strategy will be implemented using AWS Backup to automate replication across Regions. As the lead cloud architect, you are evaluating file storage solutions that align with these requirements. Which option best meets the application's availability, durability, and RPO objectives?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use Amazon Elastic File System (Amazon EFS) with the Standard storage class and configure AWS Backup to create cross-Region backups on a scheduled basis
Amazon EFS provides a managed POSIX-compliant NFS file system with multi-AZ redundancy that integrates natively with AWS Backup for scheduled cross-Region replication. Mountpoint for S3 lacks POSIX compliance, and AWS Backup does not currently support automatic cross-Region replication for Amazon FSx for NetApp ONTAP.
Question 248 of 303A mobile-based e-learning platform is migrating its backend storage layer to Amazon DynamoDB to support a rapidly increasing number of student users and learning transactions. The platform must ensure seamless availability and minimal disruption for a global user base. The DynamoDB design must provide low-latency performance, high availability, and automatic fault tolerance across geographies with the lowest possible operational overhead and cost. Which solution will fulfill these needs in the most cost-efficient manner?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use DynamoDB global tables for automatic multi-Region replication. Enable provisioned capacity mode with auto scaling to optimize cost and ensure consistent availability
DynamoDB global tables provide native multi-Region replication, ensuring high availability and low latency. Provisioned capacity with auto scaling optimizes costs; custom Lambda replication or Data Pipeline adds operational overhead and risk.
Question 249 of 303Computer vision researchers at a university are trying to optimize the I/O bound processes for a proprietary algorithm running on Amazon EC2 instances. The ideal storage would facilitate high-performance IOPS when doing file processing in a temporary storage space before uploading the results back into Amazon S3. As a solutions architect, which of the following AWS storage options would you recommend as the MOST performant as well as cost-optimal?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon EC2 instances with Instance Store as the storage option
Instance store volumes provide temporary block-level storage physically attached to the host machine, delivering the highest performance and lowest latency for scratch data. EBS volumes cost extra and introduce additional latency compared to local instance storage.
Question 250 of 303A financial auditing firm uses Amazon S3 to store sensitive client records that are subject to write-once-read-many (WORM) regulations to prevent alteration or deletion of records for a specific retention period. The firm wants to enforce immutable storage, such that even administrators cannot overwrite or delete the records during the lock duration. They also need audit-friendly enforcement to prevent accidental or malicious deletion. Which configuration of S3 Object Lock will ensure that the retention policy is strictly enforced, and no user (including root or administrators) can override or delete protected objects during the lock period?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use S3 Object Lock in Compliance Mode, which enforces retention policies strictly and prevents all users from modifying or deleting data during the retention period
S3 Object Lock in Compliance Mode enforces a strict retention period that prevents any user, including the root account, from deleting or overwriting the object. Governance Mode allows privileged users to bypass locks.
Question 251 of 303A fintech company currently operates a real-time search and analytics platform on-premises. This platform ingests streaming data from multiple data-producing systems and provides immediate search capabilities and interactive visualizations for end users. As part of its cloud migration strategy, the company wants to rearchitect the solution using AWS-native services. Which of the following represents the most efficient solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Ingest and process the streaming data using Amazon Kinesis Data Streams, then index the data with Amazon OpenSearch Service for real-time search capabilities. Use Amazon QuickSight to build interactive dashboards and visualizations based on the indexed data
Amazon Kinesis Data Streams captures real-time streaming data, which OpenSearch indexes for low-latency full-text search and analytics. Amazon QuickSight connects to OpenSearch to provide interactive dashboards for end users.
Question 252 of 303A medical devices company uses Amazon S3 buckets to store critical data. Hundreds of buckets are used to keep the data segregated and well organized. Recently, the development team noticed that the lifecycle policies on the Amazon S3 buckets have not been applied optimally, resulting in higher costs. As a Solutions Architect, can you recommend a solution to reduce storage costs on Amazon S3 while keeping the IT team's involvement to a minimum?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Amazon S3 Intelligent-Tiering storage class to optimize the Amazon S3 storage costs
Amazon S3 Intelligent-Tiering automatically moves data between access tiers based on usage patterns, optimizing storage costs without operational overhead. Manual tiering via lifecycle policies requires administration, while One-IA risks durability.
Question 253 of 303A media company operates a web application that enables users to upload photos. These uploads are stored in an Amazon S3 bucket located in the eu-west-2 Region. To enhance performance and provide secure access under a custom domain name, the company wants to integrate Amazon CloudFront for uploads to the S3 bucket. The architecture must support secure HTTPS connections using a custom domain, and the upload process must ensure optimal speed and security. Which combination of actions will fulfill these requirements? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Request a public certificate from AWS Certificate Manager (ACM) in the us-east-1 Region and associate it with the CloudFront distribution · C. Set up Amazon S3 to accept uploads from CloudFront by enabling origin access control (OAC)
CloudFront requires AWS Certificate Manager public certificates to be provisioned in the us-east-1 Region for custom HTTPS domains. Origin Access Control securely restricts S3 bucket access so only CloudFront can upload files.
Question 254 of 303A pharmaceutical company is considering moving to AWS Cloud to accelerate the research and development process. Most of the daily workflows would be centered around running batch jobs on Amazon EC2 instances with storage on Amazon Elastic Block Store (Amazon EBS) volumes. The CTO is concerned about meeting HIPAA compliance norms for sensitive data stored on Amazon EBS. Which of the following options outline the correct capabilities of an encrypted Amazon EBS volume? (Select three)
Select 3 answers.
Show answer & explanation
Correct answer: A. Data at rest inside the volume is encrypted · B. Data moving between the volume and the instance is encrypted · F. Any snapshot created from the volume is encrypted
Encrypting an Amazon EBS volume secures data at rest and data moving between the volume and the EC2 instance. This encryption automatically applies to any snapshots created from that volume and volumes restored from those snapshots.
Question 255 of 303An application hosted on Amazon EC2 contains sensitive personal information about all its customers and needs to be protected from all types of cyber-attacks. The company is considering using the AWS Web Application Firewall (AWS WAF) to handle this requirement. Can you identify the correct solution leveraging the capabilities of AWS WAF?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Create Amazon CloudFront distribution for the application on Amazon EC2 instances. Deploy AWS WAF on Amazon CloudFront to provide the necessary safety measures
AWS WAF integrates directly with CloudFront, Application Load Balancers, and API Gateway to inspect web requests. Option A is likely the intended answer, but because WAF also attaches directly to an ALB, a reasonable test-taker could argue option B is partially valid despite its stated inaccuracy.
Question 256 of 303A medium-sized business has a taxi dispatch application deployed on an Amazon EC2 instance. Because of an unknown bug, the application causes the instance to freeze regularly. Then, the instance has to be manually restarted via the AWS management console. Which of the following is the MOST cost-optimal and resource-efficient way to implement an automated solution until a permanent fix is delivered by the development team?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Setup an Amazon CloudWatch alarm to monitor the health status of the instance. In case of an Instance Health Check failure, an EC2 Reboot CloudWatch Alarm Action can be used to reboot the instance
CloudWatch alarms can directly trigger reboot, stop, or recover actions for failing EC2 instances without custom code. Using Lambda or EventBridge to poll status checks introduces unnecessary operational overhead compared to the native built-in alarm action.
Question 257 of 303An enterprise SaaS provider is currently operating a legacy web application hosted on a single Amazon EC2 instance within a public subnet. The same instance also hosts a MySQL database. DNS records for the application are configured through Amazon Route 53. As part of a modernization initiative, the company wants to rearchitect this application for high availability and scalability. In addition, the company wants to improve read performance on the database layer to handle increasing user traffic. Which combination of solutions will meet these requirements? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: D. Migrate the existing MySQL database to an Amazon Aurora MySQL cluster. Deploy the primary DB instance and one or more read replicas in different Availability Zones · E. Use an Auto Scaling group to deploy EC2 instances across multiple Availability Zones within a single Region. Register the instances in a target group behind an Application Load Balancer to distribute web traffic evenly
Deploying EC2 instances across multiple Availability Zones within a single Region using an Auto Scaling group and ALB ensures high availability. Migrating the database to Aurora MySQL with read replicas enhances fault tolerance and improves read scaling performance.
Question 258 of 303The infrastructure team at a company maintains 5 different VPCs (let's call these VPCs A, B, C, D, E) for resource isolation. Due to the changed organizational structure, the team wants to interconnect all VPCs together. To facilitate this, the team has set up VPC peering connection between VPC A and all other VPCs in a hub and spoke model with VPC A at the center. However, the team has still failed to establish connectivity between all VPCs. As a solutions architect, which of the following would you recommend as the MOST resource-efficient and scalable solution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use AWS transit gateway to interconnect the VPCs
AWS Transit Gateway acts as a central hub, solving the transitive routing limitations of VPC peering. Full mesh peering is operationally complex, while internet gateways and VPC endpoints do not route private traffic between separate VPCs.
Question 259 of 303A company hosts a Microsoft SQL Server database on Amazon EC2 instances with attached Amazon EBS volumes. The operations team takes daily snapshots of these EBS volumes as backups. However, a recent incident occurred in which an automated script designed to clean up expired snapshots accidentally deleted all available snapshots, leading to potential data loss. The company wants to improve the backup strategy to avoid permanent data loss while still ensuring that old snapshots are eventually removed to optimize cost. A solutions architect needs to implement a mechanism that prevents immediate and irreversible deletion of snapshots. Which solution will best meet these requirements with the least development effort?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Set up a 7-day EBS snapshot retention rule in Recycle Bin and apply the rule for all snapshots
Amazon EBS Snapshot Recycle Bin retains accidentally deleted snapshots for a specified period before permanent removal. It requires minimal setup, unlike Vault Lock which only protects resources explicitly managed by AWS Backup.
Question 260 of 303An e-commerce company uses Amazon Simple Queue Service (Amazon SQS) queues to decouple their application architecture. The engineering team has observed message processing failures for some customer orders. As a solutions architect, which of the following solutions would you recommend for handling such message failures?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use a dead-letter queue to handle message processing failures
A dead-letter queue isolates messages that cannot be processed successfully after a configured number of retries. Polling methods only control how messages are retrieved, and temporary queues handle short-lived request-response patterns rather than capturing failed messages.
Question 261 of 303A leading media company wants to do an accelerated online migration of hundreds of terabytes of files from their on-premises data center to Amazon S3 and then establish a mechanism to access the migrated data for ongoing updates from the on-premises applications. As a solutions architect, which of the following would you select as the MOST performant solution for the given use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS DataSync to migrate existing data to Amazon S3 and then use File Gateway to retain access to the migrated data for ongoing updates from the on-premises applications
AWS DataSync accelerates and automates large-scale online data migrations to Amazon S3. File Gateway then provides low-latency, on-premises access to that migrated data for ongoing updates. Transfer Acceleration optimizes long-distance internet transfers but does not provide local cache access.
Question 262 of 303A digital media startup allows users to submit images through its web portal. These images are uploaded directly into an Amazon S3 bucket. On average, around 200 images are uploaded daily. The company wants to automatically generate a smaller preview version (thumbnail) of each new image and store the resulting thumbnails in a separate Amazon S3 bucket. The team prefers a design that is low-cost, requires minimal infrastructure management, and automatically reacts to new uploads. Which solution will meet these requirements MOST cost-effectively?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Configure the S3 bucket to send an event notification to an AWS Lambda function each time a new image is uploaded. Use the Lambda function to process the image, create a thumbnail, and store the thumbnail in the second S3 bucket
Amazon S3 event notifications can trigger an AWS Lambda function to process new objects automatically. This event-driven architecture is serverless, minimizes operational overhead, and is highly cost-effective for intermittent workloads compared to continuously polling with compute resources.
Question 263 of 303An organization operates a legacy reporting tool hosted on an Amazon EC2 instance located within a public subnet of a VPC. This tool aggregates scanned PDF reports from field devices and temporarily stores them on an attached Amazon EBS volume. At the end of each day, the tool transfers the accumulated files to an Amazon S3 bucket for archival. A solutions architect identifies that the files are being uploaded over the internet using S3's public endpoint. To improve security and avoid exposing data traffic to the public internet, the architect needs to reconfigure the setup so that uploads to Amazon S3 occur privately without using the public S3 endpoint. Which solution will fulfill these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create a gateway VPC endpoint for Amazon S3 in the VPC. Ensure that the EC2 instance's subnet route table is updated to route S3 traffic through the endpoint. Confirm that appropriate IAM policies are in place to permit access via the VPC endpoint
A gateway VPC endpoint routes Amazon S3 traffic over the private AWS network, keeping it completely off the public internet. Updating route tables directs traffic correctly. NAT gateways still route over the public internet, and S3 access points only manage permissions, not network paths.
Question 264 of 303You are a cloud architect at an IT company. The company has multiple enterprise customers that manage their own mobile applications that capture and send data to Amazon Kinesis Data Streams. They have been getting a ProvisionedThroughputExceededException exception. You have been contacted to help and upon analysis, you notice that messages are being sent one by one at a high rate. Which of the following options will help with the exception while keeping costs at a minimum?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use batch messages
Using the API to batch multiple records into a single request dramatically increases throughput and prevents throttling exceptions. Increasing shards also works but raises costs, making it an inferior choice. Exponential backoff manages temporary errors but does not optimize overall shard efficiency.
Question 265 of 303An e-commerce company uses a two-tier architecture with application servers in the public subnet and an Amazon RDS MySQL DB in a private subnet. The development team can use a bastion host in the public subnet to access the MySQL database and run queries from the bastion host. However, end-users are reporting application errors. Upon inspecting application logs, the team notices several "could not connect to server: connection timed out" error messages. Which of the following options represent the root cause for this issue?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The security group configuration for the database instance does not have the correct rules to allow inbound connections from the application servers
A connection timeout indicates that network traffic is blocked before reaching the database. The database security group must allow inbound traffic from the application servers' security group. Incorrect credentials or privileges result in access denied errors, which immediately confirms the network connection succeeded.
Question 266 of 303A financial analytics firm runs performance-intensive modeling software on Amazon EC2 instances backed by Amazon EBS volumes. The production data resides on EBS volumes attached to EC2 instances in the same AWS Region where the testing environment is hosted. To maintain data integrity, any changes made during testing must not affect production data. The development team needs to frequently create clones of this production data for simulations. The modeling software requires high and consistent I/O performance, and the firm wants to minimize the time required to provision test data. Which solution should a solutions architect recommend to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Take snapshots of the production EBS volumes. Enable EBS fast snapshot restore on the snapshots. Create new EBS volumes from the snapshots and attach them to EC2 instances in the test environment
EBS fast snapshot restore eliminates the initialization latency of new volumes, providing immediate high I/O performance for intensive workloads. Creating new volumes from snapshots safely clones the data. Using Multi-Attach breaks isolation requirements, while standard backups lack the required speed.
Question 267 of 303You have built an application that is deployed with Elastic Load Balancing and an Auto Scaling Group. As a Solutions Architect, you have configured aggressive Amazon CloudWatch alarms, making your Auto Scaling Group (ASG) scale in and out very quickly, renewing your fleet of Amazon EC2 instances on a daily basis. A production bug appeared two days ago, but the team is unable to SSH into the instance to debug the issue, because the instance has already been terminated by the Auto Scaling Group. The log files are saved on the Amazon EC2 instance. How will you resolve the issue and make sure it doesn't happen again?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Install an Amazon CloudWatch Logs agents on the Amazon EC2 instances to send logs to Amazon CloudWatch
Installing the CloudWatch agent automatically streams logs from ephemeral instances to a centralized service before termination. This ensures logs survive instance deletion and removes the need for manual intervention. Taking snapshots or disabling termination introduces unnecessary operational overhead and reduces elasticity.
Question 268 of 303A big data analytics company is using Amazon Kinesis Data Streams (KDS) to process IoT data from the field devices of an agricultural sciences company. Multiple consumer applications are using the incoming data streams and the engineers have noticed a performance lag for the data delivery speed between producers and consumers of the data streams. As a solutions architect, which of the following would you recommend for improving the performance for the given use-case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Enhanced Fanout feature of Amazon Kinesis Data Streams
Enhanced Fanout for Amazon Kinesis Data Streams provides each consumer with a dedicated two megabits per second throughput per shard. This eliminates the read bottleneck that occurs when multiple consumers share the default stream capacity.
Question 269 of 303A multinational logistics company operates its shipment tracking platform from Amazon EC2 instances deployed in the AWS us-west-2 Region. The platform exposes a set of APIs over HTTPS, which are used by logistics partners and customers around the world to retrieve real-time tracking data. The company has observed that users from Europe and Asia experience latency issues and inconsistent API response times when accessing the service. As a cloud architect, you have been tasked to propose the most cost-effective solution to improve performance for these international users without migrating the application. Which solution should you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Configure AWS Global Accelerator in front of the existing HTTPS API, create one endpoint group in us-west-2 for the current application endpoint, and use the accelerator's global edge network to improve performance for users connecting from Europe and Asia
AWS Global Accelerator routes traffic over the AWS global network to reduce latency for international users. Because this API serves real-time tracking data that cannot be cached, Global Accelerator is preferred over CloudFront.
Question 270 of 303A logistics company runs a two-step job handling process on AWS. The first step quickly receives job submissions from clients, while the second step requires longer processing time to complete each job. Currently, both steps run on separate Amazon EC2 Auto Scaling groups. However, during high-demand hours, the job processing stage falls behind, and there is concern that jobs may be lost due to instance termination during scaling events. A solutions architect needs to design a more scalable and reliable architecture that preserves job data and accommodates fluctuating demand in both stages. Which solution will meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Set up two Amazon SQS queues to decouple the job intake and job processing stages respectively. Assign one SQS queue to collect incoming jobs, and another to queue them for processing. Configure the EC2 instances to poll the relevant queue. Scale the Auto Scaling groups based on number of messages in each queue
Using Amazon SQS queues to decouple the intake and processing stages preserves job data during scaling events. You should scale your EC2 Auto Scaling groups based on the number of visible messages in each queue to handle demand.
Question 271 of 303A digital publishing platform stores large volumes of media assets (such as images and documents) in an Amazon S3 bucket. These assets are accessed frequently during business hours by internal editors and content delivery tools. The company has strict encryption policies and currently uses AWS KMS to handle server-side encryption. The cloud operations team notices that AWS KMS request costs are increasing significantly due to the high frequency of object uploads and accesses. The team is now looking for a way to maintain the same encryption method but reduce the cost of KMS usage, especially for frequent access patterns. Which solution meets the company's encryption and cost optimization goals?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Enable S3 Bucket Keys for server-side encryption with AWS KMS (SSE-KMS) so that new objects use a bucket-level key rather than requesting individual KMS data keys for every object
Amazon S3 Bucket Keys decrease AWS KMS request costs by generating a bucket-level data key for temporary use. This reduces the volume of API requests sent from S3 to KMS while maintaining standard encryption controls.
Question 272 of 303A DevOps team is tasked with enabling secure and temporary SSH access to Amazon EC2 instances for developers during deployments. The team wants to avoid distributing long-term SSH key pairs and instead prefers ephemeral access that can be audited and revoked immediately after the session ends. The team wants direct access via the AWS Management Console. What do you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use EC2 Instance Connect to inject a temporary public key and establish SSH access using the instance's public IP address
Amazon EC2 Instance Connect pushes a temporary SSH public key to the instance metadata for short-lived access. Without Session Manager, it requires instances to have a public IP address to establish the connection.
Question 273 of 303A financial services company runs its flagship web application on AWS. The application serves thousands of users during peak hours. The company needs a scalable near-real-time solution to share hundreds of thousands of financial transactions with multiple internal applications. The solution should also remove sensitive details from the transactions before storing the cleansed transactions in a document database for low-latency retrieval. As an AWS Certified Solutions Architect Associate, which of the following would you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Feed the streaming transactions into Amazon Kinesis Data Streams. Leverage AWS Lambda integration to remove sensitive data from every transaction and then store the cleansed transactions in Amazon DynamoDB. The internal applications can consume the raw transactions off the Amazon Kinesis Data Stream
Amazon Kinesis Data Streams captures real-time transactions and allows multiple consumers, including AWS Lambda, to process the data simultaneously. Lambda can then remove sensitive details before storing records in Amazon DynamoDB.
Question 274 of 303A fintech company recently conducted a security audit and discovered that some IAM roles and Amazon S3 buckets might be unintentionally shared with external accounts or publicly accessible. The security team wants to identify these overly permissive resources and ensure that only intended principals (within their AWS Organization or specific AWS accounts) have access. They need a solution that can analyze IAM policies and resource policies to detect unintended access paths to AWS resources such as S3 buckets, IAM roles, KMS keys, and SNS topics. Which solution should the team use to meet this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS Identity and Access Management (IAM) Access Analyzer to evaluate resource-based and identity-based policies and identify resources shared outside the account or organization
AWS IAM Access Analyzer evaluates resource-based policies to identify resources shared with external entities. It uses automated reasoning to detect unintended access paths, whereas tools like Amazon Inspector focus on vulnerability scanning, not policy analysis.
Question 275 of 303A streaming service provider collects user experience feedback through embedded feedback forms in their mobile and web apps. Feedback submissions frequently spike to thousands per hour during content launches or service outages. Currently, the feedback is sent via email to the operations team for manual review. The company now wants to automate feedback collection and sentiment analysis so that insights can be generated quickly and stored for a full year for trend analysis. Which solution provides the most scalable and automated approach to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Design a RESTful API with Amazon API Gateway that forwards incoming feedback data to an Amazon SQS queue. Set up an AWS Lambda function to process the queue messages, analyze sentiment using Amazon Comprehend, and store results in a DynamoDB table with a 365-day TTL configured on each item
Using Amazon API Gateway with an SQS queue decouples the ingestion of sudden traffic spikes from backend processing. AWS Lambda and Amazon Comprehend then provide automated sentiment analysis, while DynamoDB TTL handles the automatic one year data expiration.
Question 276 of 303A healthcare startup runs a lightweight reporting application on a single Amazon EC2 On-Demand instance. The application is designed to be stateless, fault-tolerant, and optimized for fast rendering of analytics dashboards. During major health events or news cycles, the team observes latency issues and occasional 5xx errors due to traffic spikes. To meet growing demand without over-provisioning resources during off-peak hours, the company wants to implement a cost-effective, scalable solution that ensures consistent performance even under unpredictable load. Which approach best meets the requirements while minimizing costs?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Build an Amazon Machine Image (AMI) from the existing EC2 instance and configure a launch template. Create an Auto Scaling group using the launch template with Spot Instance pricing enabled. Attach an Application Load Balancer to distribute traffic across dynamically launched instances
An EC2 Auto Scaling group with an Application Load Balancer dynamically adjusts capacity to match unpredictable traffic spikes for stateless workloads. Utilizing Spot Instances significantly reduces compute costs compared to On-Demand, while the load balancer ensures fault tolerance.
Question 277 of 303The engineering team at an e-commerce company uses an AWS Lambda function to write the order data into a single DB instance Amazon Aurora cluster. The team has noticed that many order-writes to its Aurora cluster are getting missed during peak load times. The diagnostics data has revealed that the database is experiencing high CPU and memory consumption during traffic spikes. The team also wants to enhance the availability of the Aurora DB. Which of the following steps would you combine to address the given scenario? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Create a replica Aurora instance in another Availability Zone to improve the availability as the replica can serve as a failover target · B. Handle all read operations for your application by connecting to the reader endpoint of the Amazon Aurora cluster so that Aurora can spread the load for read-only connections across the Aurora replica
Adding Aurora Replicas improves high availability by providing automatic failover targets, and using the reader endpoint offloads read traffic to reduce CPU and memory spikes. Aurora does not use standby instances for failover, and increasing Lambda concurrency would worsen the database bottleneck.
Question 278 of 303While troubleshooting, a cloud architect realized that the Amazon EC2 instance is unable to connect to the internet using the Internet Gateway. Which conditions should be met for internet connectivity to be established? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: D. The route table in the instance's subnet should have a route to an Internet Gateway · E. The network access control list (network ACL) associated with the subnet must have rules to allow inbound and outbound traffic
For an EC2 instance to reach the internet, its subnet's route table must include a route to the Internet Gateway. Additionally, the associated network ACL must permit the necessary inbound and outbound traffic.
Question 279 of 303A health-care company manages its web application on Amazon EC2 instances running behind Auto Scaling group (ASG). The company provides ambulances for critical patients and needs the application to be reliable. The workload of the company can be managed on 2 Amazon EC2 instances and can peak up to 6 instances when traffic increases. As a Solutions Architect, which of the following configurations would you select as the best fit for these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The Auto Scaling group should be configured with the minimum capacity set to 4, with 2 instances each in two different Availability Zones. The maximum capacity of the Auto Scaling group should be set to 6
To guarantee high availability across an Availability Zone failure, an Auto Scaling group needs a minimum capacity of four instances spread evenly across two zones. This ensures two instances survive if one zone fails.
Question 280 of 303A media company is evaluating the possibility of moving its IT infrastructure to the AWS Cloud. The company needs at least 10 terabytes of storage with the maximum possible I/O performance for processing certain files which are mostly large videos. The company also needs close to 450 terabytes of very durable storage for storing media content and almost double of it, i.e. 900 terabytes for archival of legacy data. As a Solutions Architect, which set of services will you recommend to meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Amazon EC2 instance store for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage
Amazon EC2 instance store delivers maximum IOPS for processing large video files. Amazon S3 provides highly durable storage for active media, and Amazon S3 Glacier offers low-cost archival storage for legacy data.
Question 281 of 303A retail enterprise is expanding its hybrid IT infrastructure and plans to securely connect its on-premises corporate network to its AWS environment. The company wants to ensure that all data exchanged between on-premises systems and AWS is encrypted at both the network and session layers. Additionally, the solution must incorporate granular security controls that restrict unnecessary or unauthorized access between the cloud and on-premises environments. A solutions architect must recommend a scalable and secure approach that supports these goals. Which solution best meets these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Set up AWS Site-to-Site VPN to connect the on-premises network to the AWS VPC. Use route tables to manage traffic flow and configure security groups and network ACLs to allow only authorized communication between systems
AWS Site-to-Site VPN encrypts traffic between on-premises networks and AWS VPCs using IPsec tunnels. Layering TLS satisfies the session encryption requirement, while route tables, security groups, and network ACLs provide the necessary granular access controls.
Question 282 of 303The content division at a digital media agency has an application that generates a large number of files on Amazon S3, each approximately 10 megabytes in size. The agency mandates that the files be stored for 5 years before they can be deleted. The files are frequently accessed in the first 30 days of the object creation but are rarely accessed after the first 30 days. The files contain critical business data that is not easy to reproduce, therefore, immediate accessibility is always required. Which solution is the MOST cost-effective for the given use case?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Set up an Amazon S3 bucket lifecycle policy to move files from Amazon S3 Standard to Amazon S3 Standard-IA 30 days after object creation. Delete the files 5 years after object creation
Amazon S3 Standard-IA provides immediate millisecond access for critical data while lowering costs for infrequently accessed objects. One Zone-IA is eliminated because it lacks multi-AZ durability for non-reproducible data, and Glacier lacks immediate access.
Question 283 of 303A global media company uses a fleet of Amazon EC2 instances (behind an Application Load Balancer) to power its video streaming application. To improve the performance of the application, the engineering team has also created an Amazon CloudFront distribution with the Application Load Balancer as the custom origin. The security team at the company has noticed a spike in the number and types of SQL injection and cross-site scripting attack vectors on the application. As a solutions architect, which of the following solutions would you recommend as the MOST effective in countering these malicious attacks?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use AWS Web Application Firewall (AWS WAF) with Amazon CloudFront distribution
AWS WAF inspects web requests at the edge to block common application-layer exploits like SQL injection and cross-site scripting. Security Hub, Firewall Manager, and Route 53 provide security posture management or DNS routing, not request-level attack prevention.
Question 284 of 303A silicon valley based healthcare startup uses AWS Cloud for its IT infrastructure. The startup stores patient health records on Amazon Simple Storage Service (Amazon S3). The engineering team needs to implement an archival solution based on Amazon S3 Glacier to enforce regulatory and compliance controls on data access. As a solutions architect, which of the following solutions would you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon S3 Glacier vault to store the sensitive archived data and then use a vault lock policy to enforce compliance controls
Amazon S3 Glacier Vault Lock enforces compliance controls via a write-once-read-many policy to prevent future alterations. Lifecycle policies and Access Control Lists manage object transitions and basic permissions, but they cannot enforce strict regulatory retention rules.
Question 285 of 303A digital media company runs its content rendering service on Amazon EC2 instances that are registered with an Application Load Balancer (ALB) using IP-based target groups. The company relies on AWS Systems Manager to manage and patch these instances regularly. According to new compliance requirements, EC2 instances must be safely removed from production traffic during patching to prevent user disruption and maintain application integrity. However, during the most recent patch cycle, the operations team noticed application failures and API timeouts, even though patching succeeded on the instances. You are asked to suggest a reliable and scalable way to ensure safe patching while preserving service availability. Which solution will best meet the new compliance and operational requirements? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Use AWS Systems Manager Automation with the AWSEC2-PatchLoadBalancerInstance document to manage patching · D. Configure Systems Manager Maintenance Windows to coordinate patching and instance removal from the ALB during the defined window
AWS Systems Manager Maintenance Windows schedule patching operations, and the dedicated automation document safely deregisters targets before patching. This coordination prevents traffic disruptions during patching. Manually altering configurations or disabling network interfaces introduces unnecessary risk and does not scale.
Question 286 of 303A financial data processing company runs a workload on Amazon EC2 instances that fetch and process real-time transaction batches from an Amazon SQS queue. The application needs to scale based on unpredictable message volume, which fluctuates significantly throughout the day. The system must process messages with minimal delay and no downtime, even during peak spikes. The company is seeking a solution that balances cost-efficiency with availability and elasticity. Which EC2 purchasing strategy best meets these requirements in the most cost-effective manner?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Reserved Instances for the baseline level of traffic and configure EC2 Auto Scaling with Spot Instances to handle spikes in message volume
A blended purchasing strategy uses Reserved Instances for steady baseline capacity and Spot Instances for unpredictable traffic spikes, optimizing costs. However, because the scenario demands no downtime despite Spot Instance interruptions, relying solely on Spot for spikes is arguably ambiguous without explicit fallback policies.
Question 287 of 303An online gaming company wants to block access to its application from specific countries; however, the company wants to allow its remote development team (from one of the blocked countries) to have access to the application. The application is deployed on Amazon EC2 instances running behind an Application Load Balancer with AWS Web Application Firewall (AWS WAF). As a solutions architect, which of the following solutions can be combined to address the given use-case? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Use AWS WAF geo match statement listing the countries that you want to block · C. Use AWS WAF IP set statement that specifies the IP addresses that you want to allow through
AWS WAF uses geo match statements to block or allow traffic from specific countries. You can combine this with an IP set statement to explicitly allow specific IP addresses, such as those of your remote development team.
Question 288 of 303A company needs a massive PostgreSQL database and the engineering team would like to retain control over managing the patches, version upgrades for the database, and consistent performance with high IOPS. The team wants to install the database on an Amazon EC2 instance with the optimal storage type on the attached Amazon EBS volume. As a solutions architect, which of the following configurations would you suggest to the engineering team?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Amazon EC2 with Amazon EBS volume of Provisioned IOPS SSD (io1) type
Provisioned IOPS SSD volumes are designed to deliver predictable, high-performance database workloads. Because the engineering team wants strict control over the database and high IOPS, running it on an EC2 instance with this storage type is the right fit.
Question 289 of 303The engineering team at a weather tracking company wants to enhance the performance of its relational database and is looking for a caching solution that supports geospatial data. As a solutions architect, which of the following solutions will you suggest?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Use Amazon ElastiCache for Redis
Amazon ElastiCache for Redis enhances database performance by caching data and supports advanced data structures like geospatial indexing. Memcached does not support geospatial data, making Redis the required choice.
Question 290 of 303A company hires experienced specialists to analyze the customer service calls attended by its call center representatives. Now, the company wants to move to AWS Cloud and is looking at an automated solution to analyze customer service calls for sentiment analysis via ad-hoc SQL queries. As a Solutions Architect, which of the following solutions would you recommend?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use Amazon Transcribe to convert audio files to text and Amazon Athena to perform SQL based analysis to understand the underlying customer sentiments
Amazon Transcribe converts audio files to text, and Amazon Athena runs ad-hoc SQL queries directly against data stored in Amazon S3. This pairing provides a serverless pipeline for analyzing the transcribed text.
Question 291 of 303A tech company runs a web application that includes multiple internal services deployed across Amazon EC2 instances within a VPC. These services require communication with a third-party SaaS provider's API for analytics and billing, which is also hosted on the AWS infrastructure. The company is concerned about minimizing public internet exposure while maintaining secure and reliable connectivity. The solution must ensure private access without allowing unsolicited incoming traffic from the SaaS provider. Which solution will best meet these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Use AWS PrivateLink to create a private endpoint within the application's VPC that connects securely to the SaaS provider's VPC
AWS PrivateLink provides private connectivity between VPCs and supported SaaS applications without exposing traffic to the public internet. VPC peering lacks granular access controls and could allow unsolicited inbound traffic, making PrivateLink the superior and more secure choice.
Question 292 of 303A data analytics team at a global media firm is building a new analytics platform to process large volumes of both historical and real-time data. This data is stored in Amazon S3. The team wants to implement a serverless solution that allows them to query the data directly using SQL. Additionally, the solution must ensure that all data is encrypted at rest and automatically replicated to another AWS Region to support business continuity. Which solution will meet these requirements with the LEAST operational overhead?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create an Amazon S3 bucket configured with server-side encryption using AWS KMS multi-Region keys (SSE-KMS). Enable cross-Region replication (CRR) on the source bucket. Use Amazon Athena to run SQL queries on the data
Amazon Athena is a serverless query service that analyzes S3 data using standard SQL without managing infrastructure. Using S3 with AWS KMS multi-Region keys allows seamless cross-Region replication while maintaining least operational overhead.
Question 293 of 303A media streaming company expects a major increase in user activity during the launch of a highly anticipated live event. The streaming platform is deployed on AWS and uses Amazon EC2 instances for the application layer and Amazon RDS for persistent storage. The operations team needs to proactively monitor system performance to ensure a smooth user experience during the event. Their monitoring setup must provide data visibility with intervals of no more than 2 minutes, and the team prefers a solution that is quick to implement and low-maintenance. Which solution should the team implement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Enable detailed monitoring on all EC2 instances and use Amazon CloudWatch metrics to track performance
Enabling detailed monitoring on EC2 instances changes CloudWatch metric intervals from five minutes to one minute, meeting the requirement for frequent visibility. This native integration provides the fastest implementation and lowest maintenance compared to custom log pipelines.
Question 294 of 303A retail company maintains an AWS Direct Connect connection to AWS and has recently migrated its data warehouse to AWS. The data analysts at the company query the data warehouse using a visualization tool. The average size of a query returned by the data warehouse is 60 megabytes and the query responses returned by the data warehouse are not cached in the visualization tool. Each webpage returned by the visualization tool is approximately 600 kilobytes. Which of the following options offers the LOWEST data transfer egress cost for the company?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Deploy the visualization tool in the same AWS region as the data warehouse. Access the visualization tool over a Direct Connect connection at a location in the same region
Deploying the visualization tool in the same AWS Region as the data warehouse avoids transferring large query results over the network. Accessing the small web pages over Direct Connect minimizes data transfer egress costs compared to querying on-premises.
Question 295 of 303A company wants to ensure high availability for its Amazon RDS database. The development team wants to opt for Multi-AZ deployment and they would like to understand what happens when the primary instance of the Multi-AZ configuration goes down. As a Solutions Architect, which of the following will you identify as the outcome of the scenario?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The CNAME record will be updated to point to the standby database
During a failover in an Amazon RDS Multi-AZ deployment, Amazon RDS automatically updates the DNS CNAME record to point to the standby replica. This ensures the connection endpoint URL remains the same without requiring manual intervention.
Question 296 of 303A biomedical research firm operates a file exchange system for external research partners to upload and download experimental data. Currently, the system runs on two Amazon EC2 Linux instances, each configured with Elastic IP addresses to allow access from trusted IPs. File transfers use the SFTP protocol, and Linux user accounts are manually provisioned to enforce file-level access control. Data is stored on a shared file system mounted to both EC2 instances. The firm wants to modernize the solution to a fully managed, serverless model with high IOPS, fine-grained user permission control, and strict IP-based access restrictions. They also want to reduce operational overhead without sacrificing performance or security. Which solution best meets these requirements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Amazon EFS with encryption enabled. Create an AWS Transfer Family SFTP endpoint in a VPC with Elastic IP addresses. Restrict access using a security group that allows traffic only from known IPs. Manage user access using POSIX identity mappings and IAM policies
Amazon EFS provides scalable, low-latency file storage natively supported by AWS Transfer Family for high-IOPS SFTP workloads. Deploying the SFTP endpoint within a VPC allows security groups to restrict access to trusted IP addresses, while POSIX mappings handle permissions.
Question 297 of 303The data engineering team at an e-commerce company has set up a workflow to ingest the clickstream data into the raw zone of the Amazon S3 data lake. The team wants to run some SQL-based data sanity checks on the raw zone of the data lake. What AWS services would you recommend for this use case such that the solution is cost-effective and easy to maintain?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Use Amazon Athena to run SQL based analytics against Amazon S3 data
Amazon Athena is a serverless interactive query service that analyzes data directly in Amazon S3 using standard SQL. It requires no infrastructure management, making it the most cost-effective and easiest to maintain solution compared to provisioning Redshift, EMR, or RDS clusters.
Question 298 of 303A media company wants to get out of the business of owning and maintaining its own IT infrastructure. As part of this digital transformation, the media company wants to archive about 5 petabytes of data in its on-premises data center to durable long term storage. As a solutions architect, what is your recommendation to migrate this data in the MOST cost-optimal way?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Transfer the on-premises data into multiple AWS Snowball Edge Storage Optimized devices. Copy the AWS Snowball Edge data into Amazon S3 and create a lifecycle policy to transition the data into Amazon S3 Glacier
AWS Snowball Edge Storage Optimized is optimal for securely transferring petabytes of data to AWS. The data must first be imported into Amazon S3 before a lifecycle policy can transition it to S3 Glacier, as Snowball does not write directly to Glacier.
Question 299 of 303A digital design company has migrated its project archiving platform to AWS. The application runs on Amazon EC2 Linux instances in an Auto Scaling group that spans multiple Availability Zones. Designers upload and retrieve high-resolution image files from a shared file system, which is currently configured to use Amazon EFS Standard-IA. Metadata for these files is stored and indexed in an Amazon RDS for PostgreSQL database. The company's cloud engineering team has been asked to optimize storage costs for the image archive without compromising reliability. They are open to refactoring the application to use managed AWS services when necessary. Which solution offers the most cost-effective architecture?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Create an Amazon S3 bucket with Intelligent-Tiering enabled. Update the application to store and retrieve project files using the Amazon S3 API
Amazon S3 Intelligent-Tiering automatically moves objects between access tiers based on changing usage patterns, optimizing costs for unpredictable workloads. Refactoring to use the S3 API provides the most cost-effective and durable storage compared to maintaining EFS or FSx file systems.
Question 300 of 303An enterprise is developing an internal compliance framework for its cloud infrastructure hosted on AWS. The enterprise uses AWS Organizations to group accounts under various organizational units (OUs) based on departmental function. As part of its governance controls, the security team mandates that all Amazon EC2 instances must be tagged to indicate the level of data classification — either 'confidential' or 'public'. Additionally, the organization must ensure that IAM users cannot launch EC2 instances without assigning a classification tag, nor should they be able to remove the tag from running instances. A solutions architect must design a solution to meet these compliance controls while minimizing operational overhead. Which combination of steps will meet these requirements? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Create a service control policy (SCP) that denies the ec2:RunInstances API action unless the required tag key is present in the request. Create a second SCP that denies the ec2:DeleteTags action for EC2 resources. Attach both SCPs to the relevant OU in AWS Organizations · C. Define a tag policy in AWS Organizations that enforces the dataClassification key and restricts values to 'confidential' and 'public'. Attach this tag policy to the applicable organizational unit (OU) to enforce uniform tagging behavior across accounts
Service Control Policies can explicitly deny the RunInstances and DeleteTags API actions unless specific tagging conditions are met. Additionally, AWS Organizations tag policies enforce standardized tag keys and values, effectively eliminating the operational overhead of custom lambda remediation.
Question 301 of 303Reporters at a news agency upload and download video files (about 500 megabytes each) to and from an Amazon S3 bucket as part of their daily work. As the agency has opened offices in remote locations, it has resulted in poor latency for uploading and accessing data from the given Amazon S3 bucket. The agency wants to continue using a serverless storage solution such as Amazon S3 but wants to improve the performance. As a solutions architect, which of the following solutions do you propose to address this issue? (Select two)
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Enable Amazon S3 Transfer Acceleration (Amazon S3TA) for the Amazon S3 bucket. This would speed up uploads as well as downloads for the video files
Amazon S3 Transfer Acceleration and Amazon CloudFront both leverage edge locations to optimize global file transfers. However, CloudFront is primarily designed for downloads, making Transfer Acceleration the technically superior AWS service for accelerating large file uploads.
Question 302 of 303The engineering team at a retail company manages 3 Amazon EC2 instances that make read-heavy database requests to the Amazon RDS for the PostgreSQL database instance. As an AWS Certified Solutions Architect – Associate, you have been tasked to make the database instance resilient from a disaster recovery perspective. Which of the following features will help you in disaster recovery of the database? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: A. Enable the automated backup feature of Amazon RDS in a multi-AZ deployment that creates backups across multiple Regions · D. Use cross-Region Read Replicas
Cross-Region Read Replicas and Cross-Region Automated Backups provide regional disaster recovery capabilities. Option A is slightly imprecise because automated backups do not inherently span Regions unless explicitly copied, creating slight ambiguity.
Question 303 of 303A global enterprise is modernizing its hybrid IT infrastructure to improve both availability and network performance. The company operates a TCP-based application hosted on Amazon EC2 instances that are deployed across multiple AWS Regions, while a secondary UDP-based component of the application is hosted in its on-premises data centers. These application components must be accessed by customers around the world with minimal latency and consistent uptime. Which combination of options should a solutions architect implement for the given use case? (Select two)
Select 2 answers.
Show answer & explanation
Correct answer: B. Create a Network Load Balancer (NLB) in each Region to handle the EC2-based TCP traffic. For the UDP-based on-premises workload, configure NLBs in each Region to route to the on-premises endpoints via IP-based target groups · D. Configure an AWS Global Accelerator standard accelerator, and register the TCP-based EC2 workloads behind the load balancers
AWS Global Accelerator leverages the AWS global network to route TCP traffic to the closest healthy regional endpoints. Network Load Balancers are required here because they support both TCP and UDP protocols, whereas Application Load Balancers only support Layer 7.
More free practice tests at certpunch.com and new video rounds on @CertPunch.