Cloud Pass
AWS Certified Solutions Architect - Professional (SAP-C02)

529+ Practice Questions with AI-Verified Answers

- Real Exam Questions: free questions & answers
- Detailed Explanations: AI-powered explanations
- Closest to the Real Exam: real exam-style questions

Triple AI-Verified Answers & Explanations

Every AWS Certified Solutions Architect - Professional (SAP-C02) answer is cross-verified by 3 leading AI models to ensure maximum accuracy. Get detailed per-option explanations and in-depth question analysis.

GPT Pro
Claude Opus
Gemini Pro
Per-option explanations
In-depth question analysis
3-model consensus accuracy

Exam Domains

- Design Solutions for Organizational Complexity (Weight: 26%)
- Design for New Solutions (Weight: 29%)
- Continuous Improvement for Existing Solutions (Weight: 25%)
- Accelerate Workload Migration and Modernization (Weight: 20%)

Practice Questions

Question 1

A multinational gym franchise issues app-based QR visit passes that are scanned at turnstiles worldwide. The turnstile scanner calls a backend API to validate the QR data against a single database table and, after a successful scan, atomically marks the pass as redeemed. The company must deploy on AWS under the DNS name api.fitpass.example.org and host the database in three AWS Regions: us-east-1, eu-west-1, and ap-southeast-1. Peak traffic is 75,000 validations per minute globally with payloads under 20 KB, and the business requires the lowest possible end-to-end validation latency with p95 under 120 ms from users’ nearest AWS edge location. Which solution will meet these requirements with the lowest latency?

Correct. AWS Global Accelerator is purpose-built to route users to the nearest healthy regional application endpoint over the AWS global network. That reduces internet path variability and typically provides lower latency for dynamic API calls than a CDN-style origin model. Running the backend on ECS in the same Regions as the database also keeps application-to-database traffic local within each Region. Route 53 can map the required DNS name to the accelerator endpoint, satisfying the naming requirement cleanly.

Incorrect. This option places CloudFront in front of EKS clusters, but CloudFront is not the best fit for selecting the nearest regional backend for a write-heavy dynamic API. Requests would still traverse from the edge to an origin Region, and CloudFront does not provide the purpose-built global anycast routing to regional application endpoints that Global Accelerator does. It also adds unnecessary operational complexity by using EKS when the question is focused on latency rather than container orchestration features. Even with Aurora Global Database, the design remains less compelling than the Global Accelerator pattern in option A.

Incorrect. CloudFront Functions cannot make network calls to external services such as DynamoDB, so they cannot validate a pass against a database or perform an atomic redemption update. They are limited to lightweight request and response manipulation at the edge with very constrained execution capabilities. Because the core requirement is a database-backed validation plus an atomic state change, this option is technically incapable of implementing the workflow, regardless of DynamoDB global tables being a strong database choice.

Incorrect. Although DynamoDB global tables are a strong fit for multi-Region active-active data and atomic conditional updates, Lambda@Edge is not the right service for this transactional backend pattern. Lambda@Edge is designed for request and response customization around CloudFront, not as a primary globally distributed runtime for database-driven API writes. The architecture is also less aligned with AWS best practices for low-latency dynamic API routing than Global Accelerator with regional application endpoints, so this option is less appropriate than option A for the stated requirement.

Question Analysis

Core concept: This question is about choosing the lowest-latency global architecture for a dynamic API that performs a database lookup and an atomic redemption update. For globally distributed API traffic, the AWS service specifically designed to route users to the nearest healthy regional application endpoint with optimal network performance is AWS Global Accelerator. The database must exist in three Regions, but the application still needs a practical request-routing layer for dynamic, non-cacheable API calls.

Why correct: Option A is the best answer because it uses AWS Global Accelerator to direct clients to the nearest regional ECS-based API endpoint over the AWS global backbone, minimizing network latency for dynamic requests. ECS services in us-east-1, eu-west-1, and ap-southeast-1 provide regional processing close to users, and Route 53 can map the required DNS name to the accelerator. Among the provided options, this is the most appropriate architecture for a globally distributed low-latency API.

Key features:
- AWS Global Accelerator provides anycast static IPs and routes traffic to the nearest healthy regional endpoint with fast failover.
- ECS is a valid regional compute platform for API services that need to perform database reads and writes.
- Aurora Global Database supports cross-Region replication and multi-Region database presence, satisfying the requirement to host the database in three Regions.
- Route 53 can alias the custom DNS name api.fitpass.example.org to the Global Accelerator endpoint.

Common misconceptions: CloudFront is often mistaken as the best choice for all global APIs, but it is primarily a CDN and edge proxy, not the default best option for dynamic, write-heavy API routing across multiple regional application stacks. CloudFront Functions cannot call databases at all, and Lambda@Edge is not the intended mechanism for implementing a write-heavy transactional backend against DynamoDB. DynamoDB global tables are excellent for active-active data, but the surrounding compute and routing pattern in options C and D is flawed.

Exam tips: For globally distributed dynamic APIs that must reach the nearest regional backend with the lowest latency, look first at AWS Global Accelerator rather than CloudFront. Use CloudFront when caching, static content delivery, or edge request manipulation is central to the design. Be cautious when an option suggests CloudFront Functions or Lambda@Edge performing full backend business logic with direct database transactions, because those services have important capability and architectural limitations.
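The "atomically marks the pass as redeemed" step hinges on a conditional update. A minimal sketch of that pattern, using an in-memory SQLite table as a stand-in for the regional database (table and column names are hypothetical):

```python
import sqlite3

# In-memory SQLite as a stand-in for the regional database; the "passes"
# table and its columns are hypothetical illustration, not the exam's schema.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE passes (pass_id TEXT PRIMARY KEY, redeemed INTEGER NOT NULL DEFAULT 0)"
)
conn.execute("INSERT INTO passes (pass_id) VALUES ('qr-123')")

def redeem(conn, pass_id):
    """Mark the pass redeemed only if it has not been redeemed yet.

    The WHERE clause makes the check-and-set a single atomic statement,
    so two concurrent turnstile scans cannot both succeed.
    """
    cur = conn.execute(
        "UPDATE passes SET redeemed = 1 WHERE pass_id = ? AND redeemed = 0",
        (pass_id,),
    )
    conn.commit()
    return cur.rowcount == 1  # True only for the scan that won the update

first = redeem(conn, "qr-123")   # first scan succeeds
second = redeem(conn, "qr-123")  # replayed scan is rejected
```

The same conditional-update semantics apply whether the backing store is Aurora (a conditional `UPDATE`) or DynamoDB (a `ConditionExpression` on `UpdateItem`).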

Question 2

A media company must migrate its payment processing database from an on-premises Microsoft SQL Server instance running on Windows Server 2019 to AWS, and a security policy mandates that the database credentials must be rotated every 90 days. Which solution will meet these requirements with the least operational overhead?

Incorrect. Converting SQL Server to DynamoDB using AWS SCT is a major modernization effort, not a straightforward migration, and it adds significant application refactoring risk for a payment processing relational workload. Also, using Parameter Store plus CloudWatch/Lambda for rotation is custom operational work compared to Secrets Manager’s managed rotation. This does not meet the “least operational overhead” requirement.

Correct. Amazon RDS for SQL Server provides a managed SQL Server environment with reduced operational burden (patching, backups, HA options, monitoring). AWS Secrets Manager is purpose-built for storing database credentials and supports automatic rotation on a defined schedule, including 90 days. This combination directly satisfies both migration and credential-rotation requirements with minimal custom code and maintenance.

Incorrect. Running SQL Server on EC2 increases operational overhead because the company must manage the Windows OS, SQL Server patching, backups, HA design, and monitoring. Using Parameter Store with a Lambda-based rotation schedule is also more custom work than Secrets Manager rotation and requires careful coordination to update the SQL login and dependent applications safely.

Incorrect. Amazon Neptune is a graph database and is not an appropriate target for migrating a Microsoft SQL Server payment processing database without significant redesign. AWS SCT does not make this a low-effort migration; it would require substantial schema and application changes. Additionally, using CloudWatch/Lambda for rotation is unnecessary compared to Secrets Manager’s managed rotation capabilities.

Question Analysis

Core Concept: This question tests selecting the lowest-operations managed database migration target and implementing mandatory credential rotation using native AWS managed capabilities. The key services are Amazon RDS for SQL Server (managed relational database) and AWS Secrets Manager (managed secret storage with built-in rotation).

Why the Answer is Correct: Migrating an on-premises Microsoft SQL Server database to Amazon RDS for SQL Server minimizes operational overhead because AWS manages database provisioning, patching (engine and OS for RDS), backups, point-in-time recovery, monitoring integrations, and high availability options (Multi-AZ). The security requirement for rotating database credentials every 90 days is best met by storing credentials in AWS Secrets Manager and enabling automatic rotation on a 90-day schedule. Secrets Manager provides native rotation workflows (via Lambda) and integrates cleanly with RDS, reducing custom code and ongoing maintenance.

Key AWS Features:
- Amazon RDS for SQL Server: managed SQL Server with automated backups, maintenance windows, Multi-AZ, CloudWatch metrics, and simplified scaling and operations.
- AWS Secrets Manager: encrypted secret storage (KMS), automatic rotation scheduling (e.g., every 90 days), rotation Lambda templates for supported engines, versioning (AWSCURRENT/AWSPREVIOUS), and auditability via CloudTrail.
- Best practice: applications retrieve credentials at runtime from Secrets Manager (or via caching libraries) rather than hardcoding them.

Common Misconceptions: Options that propose Systems Manager Parameter Store plus custom Lambda rotation can look cheaper or simpler, but they increase operational overhead: you must build rotation logic, handle SQL login changes safely, coordinate application updates, manage failures and rollbacks, and maintain the Lambda and its schedule. Options proposing DynamoDB or Neptune via AWS SCT are inappropriate because they require major re-architecture and are not direct targets for a payment processing relational SQL Server workload.

Exam Tips: When you see “least operational overhead” with a commercial database engine, prefer managed services (RDS) over self-managed EC2. For “rotate credentials every X days,” prefer AWS Secrets Manager automatic rotation over custom rotation mechanisms. Also, avoid unnecessary modernization (e.g., DynamoDB or Neptune) unless the question explicitly requires it.
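The two moving parts of the correct answer can be sketched as follows. The secret name, rotation Lambda ARN, and payload fields are hypothetical; the `rotate_kwargs` mirror the parameters accepted by boto3's Secrets Manager `rotate_secret` call, and the retrieval step is shown with a sample payload instead of a live API call:

```python
import json

# Hypothetical kwargs for secretsmanager.rotate_secret(**rotate_kwargs):
# a 90-day automatic rotation schedule driven by a rotation Lambda.
rotate_kwargs = {
    "SecretId": "prod/payments/sqlserver",  # hypothetical secret name
    "RotationLambdaARN": (
        "arn:aws:lambda:us-east-1:123456789012:function:rotate-sqlserver"
    ),  # hypothetical rotation function
    "RotationRules": {"AutomaticallyAfterDays": 90},  # the 90-day policy
}

# At runtime the application calls get_secret_value and parses SecretString;
# a sample payload stands in for the live response here.
sample_secret_string = json.dumps(
    {
        "username": "app_user",
        "password": "example-only",
        "host": "db.example.internal",
        "port": 1433,
    }
)
creds = json.loads(sample_secret_string)
```

Fetching the secret at request time (or via a caching client) means the application picks up each rotation without a redeploy.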

Question 3
(Select 3)

A global digital media agency runs short-lived analytics workers on Amazon EC2 across 9 AWS accounts under a single AWS Organizations management account. Finance mandates that all EC2 spend be attributed via a required CostCenter tag, but an internal audit found that 43 of 240 running instances (18%) in two developer accounts are missing the CostCenter tag. Leadership requires immediate organization-wide visibility and a preventive control that blocks launching any new EC2 instance without that tag while still allowing properly tagged launches. Which actions should a solutions architect take to remediate the current gap and prevent recurrence with centralized reporting across the organization? (Choose three.)

Correct. AWS Config managed rule required-tags provides a detective control to evaluate resources (including EC2 instances) for required tag keys like CostCenter. It marks resources compliant/noncompliant and supports continuous evaluation. Deployed per account/Region (or via organization conformance packs), it directly addresses the audit finding by identifying the 43 untagged instances and any future drift.

Correct. An organization-level SCP is the strongest centralized preventive guardrail. By denying ec2:RunInstances when aws:RequestTag/CostCenter is missing (and typically also constraining aws:TagKeys), the SCP blocks launching new instances without the CostCenter tag while allowing properly tagged launches. This meets the requirement to prevent recurrence across all accounts under AWS Organizations.

Incorrect. Amazon Inspector focuses on vulnerability management and exposure findings (e.g., CVEs, network reachability), not governance for cost allocation tags. It is not designed to discover or enforce missing CostCenter tags on EC2 instances, and it would not provide the required preventive control to block untagged launches.

Incorrect. An IAM policy can deny ec2:RunInstances when a request tag is missing, but it must be attached and maintained in each account (and potentially for many roles/users). It is easier to misconfigure, may not cover all principals, and is not as robust as an SCP for organization-wide preventive governance. The question explicitly wants organization-wide control and centralized reporting.

Correct. An AWS Config aggregator (with organization aggregation) provides centralized visibility by collecting AWS Config compliance data from all accounts and Regions into a single aggregator account. This enables immediate organization-wide reporting and querying of EC2 instances missing CostCenter, aligning with leadership’s requirement for centralized reporting across the organization.

Incorrect. AWS Security Hub aggregates security findings from services and partners; it is not a primary mechanism for tag compliance reporting across all EC2 instances. While custom findings could be created indirectly, it does not natively provide the required-tag compliance evaluation and does not enforce preventive controls to block untagged EC2 launches.

Question Analysis

Core Concept: This question tests organization-wide governance for tagging: (1) detective controls to find existing noncompliant resources, (2) preventive controls to stop future noncompliant launches, and (3) centralized visibility across multiple AWS accounts in AWS Organizations. The primary services are AWS Config (rules plus aggregation) and AWS Organizations SCPs (guardrails).

Why the Answer is Correct: To remediate the current gap (43 instances missing CostCenter) and provide immediate visibility, you need a detective mechanism that evaluates EC2 resources for required tags and reports compliance centrally. AWS Config's managed rule required-tags can evaluate EC2 instances and flag those missing CostCenter (A). To centralize reporting across 9 accounts and multiple Regions, an AWS Config aggregator at the organization level collects compliance results into a single account for querying and dashboards (E). To prevent recurrence, you need a preventive control that blocks new EC2 launches without the tag while still allowing properly tagged launches. An organization-level SCP can deny ec2:RunInstances when aws:RequestTag/CostCenter is absent (and optionally enforce TagSpecifications on create) so untagged launches are blocked across all member accounts, including developer accounts (B).

Key AWS Features:
- AWS Config managed rule required-tags: continuously evaluates supported resource types for the presence of specified tag keys; integrates with remediation workflows.
- AWS Config aggregator (organization aggregation): central view of compliance across accounts and Regions; query via advanced queries.
- SCP condition keys: aws:RequestTag/CostCenter and aws:TagKeys can enforce tag-on-create for API calls like RunInstances when TagSpecifications are provided.

Common Misconceptions: Security Hub and Inspector are security posture and vulnerability tools, not authoritative tag-compliance enforcement mechanisms. IAM policies can deny RunInstances, but distributing and maintaining them per account is weaker than an SCP guardrail and can be bypassed by principals not covered by the policy.

Exam Tips: For "required tags" at scale, use AWS Config for detection plus a Config aggregator for centralized reporting. For "block creation without tag" across an organization, use SCPs with aws:RequestTag and aws:TagKeys. Remember: SCPs set maximum permissions; they don't grant access, but they are ideal for preventive governance across accounts.
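The preventive guardrail described above can be sketched as an SCP document. The Sid is a hypothetical label; the `Null` condition on `aws:RequestTag/CostCenter` is the documented way to deny a launch whose request carries no CostCenter tag:

```python
import json

# Sketch of an SCP that denies ec2:RunInstances on instance resources
# unless the launch request tags the instance with CostCenter.
# "Null": "true" means "the request did NOT supply this tag key".
scp = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRunInstancesWithoutCostCenter",  # hypothetical Sid
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
        }
    ],
}

print(json.dumps(scp, indent=2))
```

Properly tagged launches pass through because the condition evaluates false when the tag is present; a companion statement on `aws:TagKeys` can additionally restrict which tag keys are allowed.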

Question 4

A global media subscription service plans to launch a stateless customer dashboard on Amazon EC2 in ap-southeast-2 across three Availability Zones, requiring 99.9% availability with Auto Scaling from 6 to 120 instances when average CPU > 60% for 5 minutes, and to implement an active-passive disaster recovery environment in ap-northeast-1 with an RTO of 10 minutes and Route 53 health checks (30-second interval, fail after 2 consecutive failures) while serving traffic only from ap-southeast-2 during normal operations. Which solution will meet these requirements?

Incorrect. An Application Load Balancer is Regional and cannot span multiple Regions or be attached to subnets in two different VPCs/Regions. Likewise, an Auto Scaling group cannot launch instances across multiple Regions; it is scoped to one Region and one VPC. VPC peering does not change these service boundaries, so this design cannot implement the required cross-Region active-passive DR.

Incorrect/insufficient. While it correctly builds separate stacks in each Region, it does not explicitly configure Route 53 for active-passive behavior. “Enable health checks on both records” without a failover routing policy could lead to active-active behavior (depending on routing policy) or ambiguous traffic routing. The requirement states traffic must be served only from ap-southeast-2 during normal operations.

Correct. It deploys the primary stack in ap-southeast-2 across three AZs with an ALB and an Auto Scaling group (min 6/max 120) and the same stack in ap-northeast-1 as standby. Route 53 failover routing with primary/secondary records and health checks (30s, 2 failures) ensures traffic stays on the primary during normal operations and fails over to the secondary within the RTO window; 60s TTL helps reduce DNS caching delays.

Incorrect. Like option A, it relies on an ALB and Auto Scaling group spanning multiple VPCs/Regions, which is not supported. A single Route 53 record pointing to one ALB also does not provide the required active-passive cross-Region failover. VPC peering is unnecessary for this pattern and does not enable cross-Region load balancing.

Question Analysis

Core Concept: This question tests multi-Region high availability and disaster recovery (DR) design for a stateless EC2 web tier using Application Load Balancers, Auto Scaling, and Amazon Route 53 DNS failover with health checks. It also implicitly tests service scoping: ALBs and Auto Scaling groups are Regional and cannot span Regions or VPCs the way some options suggest.

Why the Answer is Correct: Option C implements an active-passive DR pattern: ap-southeast-2 serves all traffic during normal operations (primary), while ap-northeast-1 is provisioned and ready (secondary) but receives traffic only upon failure. Route 53 failover routing with health checks ensures DNS answers switch to the secondary when the primary endpoint becomes unhealthy. The specified health check settings (30-second interval, fail after 2 consecutive failures) align with the requirement, and a 60-second TTL helps meet the 10-minute RTO by reducing DNS caching delay. The primary Region uses an ALB across three AZs and an Auto Scaling group with min 6/max 120 and scaling on average CPU > 60% for 5 minutes, meeting the scaling and 99.9% availability goals.

Key AWS Features:
- ALB is Regional and can span multiple AZs within a Region, improving resilience.
- EC2 Auto Scaling across multiple AZs provides elasticity and AZ fault tolerance.
- Route 53 failover routing policy supports primary/secondary records with health checks.
- Health check interval and failure threshold determine detection time; TTL influences client-side DNS caching and therefore effective failover time.

Common Misconceptions: A and D assume an ALB can "extend" across VPCs and Regions and that a single Auto Scaling group can launch instances across both Regions. In reality, ALBs and ASGs are scoped to a single Region (and an ALB is associated with subnets in that Region). VPC peering also does not enable a single ALB to target instances in another Region. B sounds close but does not enforce active-passive behavior; "health checks on both records" is ambiguous and could result in active-active (e.g., weighted or multivalue) or unintended traffic distribution.

Exam Tips:
- Remember Regional boundaries: ALB, ASG, and subnets are Regional; Route 53 is global.
- For active-passive DR with Route 53, look for "failover routing policy" with explicit primary/secondary records and health checks.
- RTO depends on detection time + DNS TTL + provisioning readiness; keeping the secondary stack warm and TTL low improves RTO.
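The failover configuration option C describes can be sketched as the dict payloads Route 53's CreateHealthCheck and ChangeResourceRecordSets APIs accept. The domain, ALB DNS names, and health check ID below are hypothetical placeholders:

```python
# Health check matching the stated detection settings.
health_check_config = {
    "Type": "HTTPS",
    "FullyQualifiedDomainName": "primary-alb-123.ap-southeast-2.elb.amazonaws.com",
    "ResourcePath": "/health",   # hypothetical app health endpoint
    "RequestInterval": 30,       # 30-second interval, per the requirement
    "FailureThreshold": 2,       # fail after 2 consecutive failures
}

# PRIMARY record: answers all queries while its health check passes.
primary_record = {
    "Name": "dashboard.example.com",
    "Type": "CNAME",
    "SetIdentifier": "primary-ap-southeast-2",
    "Failover": "PRIMARY",
    "TTL": 60,  # low TTL shortens client-side DNS caching delay
    "ResourceRecords": [
        {"Value": "primary-alb-123.ap-southeast-2.elb.amazonaws.com"}
    ],
    "HealthCheckId": "hc-primary-placeholder",  # hypothetical ID
}

# SECONDARY record: returned only when the primary is unhealthy.
secondary_record = {
    "Name": "dashboard.example.com",
    "Type": "CNAME",
    "SetIdentifier": "secondary-ap-northeast-1",
    "Failover": "SECONDARY",
    "TTL": 60,
    "ResourceRecords": [
        {"Value": "standby-alb-456.ap-northeast-1.elb.amazonaws.com"}
    ],
}
```

With these settings, worst-case DNS-level failover is roughly detection time (2 x 30 s plus propagation) plus up to 60 s of cached answers, comfortably inside the 10-minute RTO when the standby stack is already warm.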

Question 5

A logistics company is deploying a fleet of 2,500 autonomous warehouse robots that each push 8 KB of telemetry every second to AWS over Wi-Fi. The company needs a data platform that provides near-real-time (<=3 seconds) analytics on the inbound stream, ensures durable, ordered, highly parallel ingestion with the ability to reprocess data, and delivers processed results to a data warehouse for BI. Which strategy should a solutions architect use to meet these requirements?

Kinesis Data Firehose is primarily a delivery service (to S3, Redshift, OpenSearch, etc.) with buffering and optional lightweight transforms. It is not designed for custom near-real-time analytics with strict per-partition ordering and consumer-controlled replay. Firehose also doesn’t “analyze with Kinesis clients” (KCL is for KDS). Storing results in Amazon RDS is not a typical BI warehouse pattern compared to Redshift.

Kinesis Data Streams best matches the requirements: durable multi-AZ ingestion, ordered records per shard, high parallelism via shards, and retention that enables replay/reprocessing. KCL-based consumers (or a processing layer such as EMR/Spark) can meet sub-3-second analytics with proper shard sizing and consumer scaling. Processed outputs can be loaded into Amazon Redshift for BI, aligning with a warehouse-centric analytics platform.

Amazon S3 is an object store, not a near-real-time ingestion bus; writing every second from 2,500 devices would create many small objects and higher end-to-end latency. The flow “analyze the data from Amazon SQS with Kinesis” is also incoherent: Kinesis does not consume from SQS as a native source. SQS provides at-least-once delivery but does not guarantee strict ordering at scale (standard queues) and is not ideal for replayable stream analytics.

API Gateway + SQS + Lambda can ingest events, but it is not a strong fit for ordered streaming with replay and high-throughput analytics. SQS standard queues do not guarantee ordering; FIFO queues provide ordering but have throughput constraints and operational complexity at this scale. Lambda-based analytics can struggle with stateful windowing and sub-3-second continuous processing compared to stream processors. EMR after SQS adds unnecessary complexity and latency.

Question Analysis

Core Concept: This question tests selecting the right streaming ingestion and near-real-time analytics architecture. The key requirements (durable, ordered ingestion; high parallelism; ability to replay/reprocess; delivery to a data warehouse) map directly to Amazon Kinesis Data Streams (KDS) plus a stream processing layer and a Redshift sink.

Why the Answer is Correct: Amazon Kinesis Data Streams is purpose-built for high-throughput, low-latency streaming ingestion with ordered records per shard and multi-consumer fan-out. With 2,500 robots sending 8 KB/s each, inbound volume is ~20 MB/s (~160 Mb/s). KDS can scale horizontally by adding shards to meet write throughput and parallel processing needs. Because KDS retains data for 24 hours by default (up to 365 days), consumers can re-read from a checkpoint to reprocess historical data, which is explicitly required. Near-real-time analytics (<=3 seconds) is achievable using Kinesis Client Library (KCL) consumers or managed processing (often Kinesis Data Analytics / Apache Flink), then loading curated results into Amazon Redshift for BI. The option's mention of EMR reflects a common exam pattern: use a scalable compute layer to transform and then load into Redshift.

Key AWS Features: KDS provides ordered processing within a shard, durable replication across multiple AZs, and horizontal scaling via shards. Enhanced fan-out supports multiple parallel consumers with dedicated throughput. Checkpointing (via KCL/DynamoDB) enables exactly-once/at-least-once processing patterns and replay. For Redshift, typical delivery is via micro-batch COPY from S3 or streaming ingestion patterns; EMR/Spark can aggregate or window telemetry and write to S3/Redshift efficiently.

Common Misconceptions: Firehose (Option A) is great for simple delivery to S3/Redshift but does not provide the same replay/reprocess control and per-shard ordering semantics as KDS, and its buffering can add latency. SQS-based designs (Options C/D) do not preserve strict ordering at scale and are not ideal for high-throughput streaming analytics with replay.

Exam Tips: When you see "ordered, durable stream," "parallel ingestion," and "reprocess/replay," think Kinesis Data Streams (or Kafka/MSK). When you see "deliver to data warehouse for BI," think Redshift as the sink, often via an intermediate curated store (commonly S3) and a processing engine (Flink/Spark/EMR).
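The ~20 MB/s figure translates directly into a shard estimate. A back-of-envelope sketch using the per-shard ingest limits for Kinesis Data Streams (1 MB/s and 1,000 records per second per shard):

```python
import math

# Stated load: 2,500 robots, each pushing one 8 KB record per second.
robots = 2_500
record_kb = 8

# Per-shard ingest limits for Kinesis Data Streams.
SHARD_MB_PER_S = 1        # 1 MB/s write throughput per shard
SHARD_RECORDS_PER_S = 1_000  # 1,000 records/s per shard

throughput_mb_s = robots * record_kb / 1024          # ~19.5 MB/s inbound
shards_by_bytes = math.ceil(throughput_mb_s / SHARD_MB_PER_S)
shards_by_records = math.ceil(robots / SHARD_RECORDS_PER_S)

# The binding constraint determines the minimum shard count.
shards_needed = max(shards_by_bytes, shards_by_records)
print(shards_needed)  # 20 (bytes are the binding constraint here)
```

In practice you would provision headroom above this floor (or use on-demand capacity mode) so bursts and uneven partition-key distribution do not throttle writes.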


Question 6

A multimedia analytics startup stores JSON summaries and thumbnails in a single Amazon S3 bucket (average object size 200 KB; ~80,000 new objects per hour; both reads and writes by the application). The company must deploy identical application stacks in two AWS Regions (us-east-1 and ap-southeast-2) to reduce latency, support writes from both Regions, provide a single data access endpoint for the application, accept eventual consistency with replication lag under 15 minutes, require only minimal application code changes, and achieve the least operational overhead. Which solution should the company implement?

CloudFront can cache and reduce read latency, but it is not a multi-Region write solution and does not replicate objects between Regions. Global Accelerator improves routing to regional endpoints, but S3 is not fronted by GA in a way that provides active-active writes and a single S3 data endpoint. This option also keeps a single bucket, so ap-southeast-2 writes still traverse to us-east-1, increasing latency.

This is the intended AWS-native pattern: two regional buckets, replication between them, and an S3 Multi-Region Access Point to provide one global endpoint with latency-based routing and failover. With bidirectional replication (two CRR rules), both Regions can write locally while data is asynchronously replicated. This meets the single endpoint, eventual consistency, <15-minute lag expectation, and low operational overhead requirements.

One-way CRR only replicates from the original bucket to the new bucket. If the application in ap-southeast-2 writes to its local bucket, those objects will not replicate back to us-east-1, violating the requirement to support writes from both Regions while keeping datasets aligned. It also lacks a single global access endpoint; the application would need region-specific bucket logic.

S3 gateway endpoints provide private connectivity from a VPC to S3 within a Region; they do not create a global endpoint, do not enable multi-Region writes, and do not replicate data. S3 Intelligent-Tiering is a storage class optimization for cost and access patterns, unrelated to cross-Region latency reduction or active-active multi-Region data access.

Question Analysis

Core Concept: This question tests active-active, multi-Region Amazon S3 access with writes from multiple Regions, minimal application change, and low operational overhead. The key services are S3 Cross-Region Replication (CRR) and S3 Multi-Region Access Points (MRAP), which provide a single global endpoint that routes requests to the closest healthy S3 bucket.

Why the Answer is Correct: Option B is the only choice that satisfies all requirements simultaneously: two identical stacks in us-east-1 and ap-southeast-2, writes originating from both Regions, a single data access endpoint, and minimal code changes. With two buckets (one per Region) and an MRAP, the application can use one S3 endpoint name globally while MRAP routes reads and writes to the nearest bucket based on latency and availability. Bidirectional replication keeps data convergent across Regions, and eventual consistency with replication lag under 15 minutes aligns with typical CRR behavior (with Replication Time Control available if stricter SLAs are needed).

Key AWS Features:
- S3 Multi-Region Access Points: one global endpoint, intelligent routing, automatic failover, and simplified multi-Region architecture.
- Bidirectional replication: implemented using two one-way CRR rules (each bucket replicates to the other); requires versioning enabled on both buckets and appropriate IAM roles and policies.
- Replication considerations: replication covers new objects; optionally configure delete marker replication and replica modification sync depending on requirements.

Common Misconceptions: CloudFront and Global Accelerator (Option A) can improve read latency, but they do not provide multi-Region, active-active S3 writes with a single consistent data layer. One-way CRR (Option C) fails the "writes from both Regions" requirement. VPC gateway endpoints and Intelligent-Tiering (Option D) are networking and cost features and do not solve multi-Region replication or a single global endpoint.

Exam Tips: When you see "single endpoint" + "multi-Region S3" + "writes from both Regions" + "minimal app changes," think S3 MRAP plus two buckets and replication. Also remember that S3 replication is configured per bucket pair and is inherently asynchronous; if the question mentions a replication SLA, consider Replication Time Control, but MRAP remains the global-access building block.
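The "two one-way CRR rules" pattern can be sketched as the replication configuration applied to each bucket. Bucket names and the IAM role ARN below are hypothetical; both buckets must already have versioning enabled:

```python
# Builds the ReplicationConfiguration shape accepted by S3's
# PutBucketReplication, pointing a source bucket at a destination bucket.
def replication_config(role_arn, destination_bucket):
    return {
        "Role": role_arn,
        "Rules": [
            {
                "ID": "replicate-all",       # hypothetical rule ID
                "Priority": 1,
                "Status": "Enabled",
                "Filter": {},                # empty filter = every object
                "DeleteMarkerReplication": {"Status": "Enabled"},
                "Destination": {
                    "Bucket": f"arn:aws:s3:::{destination_bucket}"
                },
            }
        ],
    }

role = "arn:aws:iam::123456789012:role/s3-crr-role"  # hypothetical role

# Rule 1: applied to the us-east-1 bucket, replicating to ap-southeast-2.
use1_to_apse2 = replication_config(role, "media-apse2")
# Rule 2: applied to the ap-southeast-2 bucket, replicating back.
apse2_to_use1 = replication_config(role, "media-use1")
```

An MRAP created over both buckets then gives the application the single global endpoint; the two configurations above are what keep writes from either Region converging.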

Question 7

A multinational retail enterprise uses AWS Organizations with a single payer account and 12 member accounts. Three years ago the company purchased 3-year All Upfront Amazon EC2 Standard Reserved Instances, which expired last month. Current EC2 usage averages 2,000 normalized units across us-east-1, eu-west-1, and ap-southeast-2, and the company has launched a new event-driven data processing pipeline on AWS Lambda and AWS Fargate with steady daily usage. The company expects stable EC2 and serverless consumption for the next 36 months and wants to maximize cost savings across all accounts. Which purchasing strategy will provide the most savings?

Incorrect. Standard Reserved Instances apply only to EC2 and are much more rigid than Savings Plans because they are tied to specific instance attributes and do not help with Lambda or Fargate usage. While the added Compute Savings Plan would cover serverless services, this answer mixes older RI purchasing with a newer mixed-compute environment instead of using a more scalable organization-wide Savings Plans strategy. It is therefore not the best overall purchasing model for maximizing savings across a modern multi-account, multi-service compute portfolio.

Incorrect. A 1-year term and No Upfront payment provide lower discounts than a 3-year commitment, which is not aligned with the stated 36-month stable usage pattern. Purchasing separately in each member account also fragments commitments and can reduce the effectiveness of discount sharing across the organization. In addition, this option uses only Compute Savings Plans and misses the opportunity to use a more discounted EC2-specific plan for the large steady EC2 footprint.

Correct. This option purchases commitments in the management account, which allows Savings Plans benefits to be shared across member accounts under AWS Organizations and improves utilization across the enterprise. It also uses the right combination of plan types: an EC2 Instance Savings Plan for EC2 usage and a Compute Savings Plan for Lambda and Fargate, which Standard RIs cannot cover. Although All Upfront would provide a larger discount than No Upfront, this is still the only option that correctly addresses all compute services and centralizes commitments for maximum organization-wide savings among the choices provided.

Incorrect. Purchasing in each member account is less efficient than buying centrally in the management account because it can strand commitments if usage shifts between accounts. EC2 Instance Savings Plans also do not cover Lambda or Fargate, so this option fails to address the new serverless pipeline at all. Even though it uses a 3-year All Upfront term, it is incomplete for the company’s full compute usage and therefore cannot provide the most savings overall.

Question Analysis

Core Concept: This question tests long-term AWS cost optimization across AWS Organizations using commitment-based discounts: EC2 Reserved Instances (RIs) versus Savings Plans (Compute and EC2 Instance), and how these apply across multiple accounts and services (EC2, Lambda, Fargate) under consolidated billing.

Why the Answer is Correct: The company has stable, predictable usage for 36 months and wants maximum savings. For the large, steady EC2 footprint (2,000 normalized units across three Regions), a 3-year EC2 Instance Savings Plan provides discounts comparable to 3-year Standard RIs while automatically applying across instance sizes, operating systems, and tenancy within the committed instance family and Region. For the new serverless pipeline, neither RIs nor EC2 Instance Savings Plans apply to Lambda or Fargate; a 3-year Compute Savings Plan covers Lambda, Fargate, and any residual EC2 usage not matched by the EC2-specific plan. Purchased in the management (payer) account, Savings Plans benefits apply across member accounts when discount sharing is enabled in AWS Organizations, maximizing utilization and minimizing stranded commitments.

Key AWS Features:
- Consolidated billing and discount sharing: RI and Savings Plans discounts can be shared across accounts in an organization (subject to sharing settings).
- EC2 Instance Savings Plans: discounts comparable to Standard RIs for a committed instance family and Region, with flexibility across size, OS, and tenancy.
- Compute Savings Plans: apply to EC2, Fargate, and Lambda; ideal for mixed compute portfolios and modernization.
- Longer terms and upfront payment: a 3-year All Upfront commitment generally yields the highest effective discount versus Partial or No Upfront.

Common Misconceptions:
- Assuming Savings Plans always beat RIs: Standard RIs can still match the best discount for highly predictable EC2 footprints, but they cannot cover Lambda or Fargate.
- Buying per member account: this reduces flexibility and increases the chance of underutilization compared to centrally purchased commitments shared across the organization.
- Choosing No Upfront for “flexibility”: the question states stable usage for 36 months and asks to maximize savings, which favors longer terms and upfront payment.

Exam Tips:
- If the workload mix includes Lambda or Fargate, include Compute Savings Plans for those services.
- For very stable EC2, use an EC2 Instance Savings Plan (or 3-year Standard RIs) plus a Compute Savings Plan to cover non-EC2 compute and residual EC2.
- Prefer organization-level purchases (management account) when discount sharing is enabled to maximize utilization across accounts.
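The cost reasoning above can be made concrete with a back-of-the-envelope comparison. The spend figures and discount rates below are made-up placeholders, not actual AWS pricing (real rates vary by instance family, Region, term, and payment option); the sketch only illustrates why combining an EC2-specific plan with a Compute Savings Plan can beat a single Compute Savings Plan when the EC2 footprint is large and stable.

```python
# Illustrative monthly on-demand spend (hypothetical numbers).
monthly_on_demand = {
    "ec2": 40_000.0,            # steady EC2 spend across accounts
    "lambda_fargate": 8_000.0,  # steady serverless spend
}

# Hypothetical effective discounts for a 3-year All Upfront term.
EC2_INSTANCE_SP_DISCOUNT = 0.60  # EC2 Instance Savings Plan (EC2 only)
COMPUTE_SP_DISCOUNT = 0.50       # Compute Savings Plan (any compute)

# Strategy 1: EC2 Instance SP for EC2 + Compute SP for Lambda/Fargate.
mixed = (monthly_on_demand["ec2"] * (1 - EC2_INSTANCE_SP_DISCOUNT)
         + monthly_on_demand["lambda_fargate"] * (1 - COMPUTE_SP_DISCOUNT))

# Strategy 2: a single Compute SP covering everything.
compute_only = sum(monthly_on_demand.values()) * (1 - COMPUTE_SP_DISCOUNT)

print(f"mixed plans:     ${mixed:,.0f}/month")    # → $20,000/month
print(f"compute SP only: ${compute_only:,.0f}/month")  # → $24,000/month
```

Under these assumed rates, the mixed strategy saves an additional $4,000/month, which is the intuition behind the correct option's plan combination.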

8
Question 8

A fitness education platform runs its web tier on Amazon EC2 behind an Application Load Balancer with an Auto Scaling group and stores all static assets on Amazon EFS (General Purpose). After launching a 1080p training video library (average file size 200 MB), traffic spiked 12x to about 20,000 concurrent users at peak, and users now see 5–10 second buffering and occasional HTTP 504 errors. Which is the most cost-efficient and scalable deployment change to resolve these issues without replatforming the compute layer?

Max I/O performance mode can improve scalability for highly parallel access by distributing load, but it often increases latency and does not automatically provide the massive sustained throughput needed for 20,000 concurrent 1080p streams. You would still need to address EFS throughput limits (bursting credits or provisioned throughput), and costs can rise significantly. It’s a partial mitigation, not the most cost-efficient scalable fix.

Using instance store for videos is operationally complex and fragile: instance store is ephemeral, requires large local capacity, and syncing 200 MB assets back to S3 at shutdown is unreliable with scaling events and terminations. It also duplicates content across the fleet, wastes storage, and doesn’t provide global low-latency delivery. This is not a standard, cost-efficient pattern for video libraries.

S3 + CloudFront is the canonical AWS pattern for large static media at scale. S3 handles massive concurrency and throughput, while CloudFront reduces origin load and latency by caching at the edge and supporting range requests for streaming/seek. This directly addresses buffering and 504s by removing EFS from the hot path for video delivery, and it requires no replatforming of the EC2/ALB compute tier.

CloudFront in front of the ALB can accelerate dynamic content and cache some static responses, but keeping videos on EFS leaves the origin bottleneck in place. Video delivery often relies on range requests and can produce cache fragmentation or misses; when CloudFront must fetch from origin, EFS throughput/latency constraints still cause slow responses and timeouts. This is less effective and potentially more expensive than using S3 as the origin.

Question Analysis

Core Concept: This question tests designing scalable, cost-efficient content delivery for large static media using Amazon S3 and Amazon CloudFront, and recognizing when Amazon EFS is the wrong backend for high-fanout, large-object distribution.

Why the Answer is Correct: Serving 1080p videos (200 MB average) to ~20,000 concurrent users creates extremely high aggregate throughput and many simultaneous reads. With EFS, aggregate throughput is governed by the file system's throughput mode (Bursting, Elastic, or Provisioned) and can become a bottleneck, increasing latency and causing upstream timeouts that surface as HTTP 504 errors at the ALB. Migrating the video library to Amazon S3 and fronting it with CloudFront offloads the origin, scales essentially without limit for concurrent viewers, and dramatically reduces latency via edge caching. This resolves the buffering and 504s without changing the EC2/ALB compute layer.

Key AWS Features: S3 provides highly durable object storage with very high request rates and throughput. CloudFront caches content at edge locations and supports large-file delivery, HTTP range requests (critical for video seeking and adaptive players), origin shielding, and signed URLs/cookies if access control is needed. Using S3 as the origin also simplifies lifecycle management (e.g., transitioning older videos to S3 Intelligent-Tiering) and costs less than scaling EFS throughput for peak.

Common Misconceptions: Switching EFS to Max I/O performance mode can help highly parallel workloads, but it does not solve the throughput economics of massive streaming; it can also increase latency and still requires sufficient provisioned throughput. Putting CloudFront in front of the ALB while keeping EFS as the origin doesn't fix the core issue if the videos are effectively uncacheable (frequent cache misses, range requests) or if the origin remains constrained.

Exam Tips: For large static assets (images, downloads, video), default to S3 + CloudFront. Use EFS for shared POSIX file systems for applications, not as a CDN origin for high-scale media distribution. When you see buffering plus 504s under load, think origin saturation and move heavy static delivery off the compute/file tier to edge/object storage.
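The S3 + CloudFront pattern above can be sketched as a minimal distribution configuration. This is a sketch, not a complete deployment: the bucket domain is hypothetical, the payload is the `DistributionConfig` shape accepted by boto3's `cloudfront.create_distribution` (built locally, without calling AWS), and a production setup would also attach Origin Access Control so the bucket can stay private.

```python
import time

BUCKET_DOMAIN = "training-videos.s3.us-east-1.amazonaws.com"  # hypothetical

distribution_config = {
    "CallerReference": str(time.time()),  # idempotency token
    "Comment": "1080p training video library",
    "Enabled": True,
    "Origins": {
        "Quantity": 1,
        "Items": [{
            "Id": "s3-video-origin",
            "DomainName": BUCKET_DOMAIN,
            # Empty legacy OAI field; in practice attach an Origin Access
            # Control (OAC) so only CloudFront can read the bucket.
            "S3OriginConfig": {"OriginAccessIdentity": ""},
        }],
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3-video-origin",
        "ViewerProtocolPolicy": "redirect-to-https",
        # ID of the AWS managed "CachingOptimized" cache policy.
        "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
    },
}

print(distribution_config["DefaultCacheBehavior"]["TargetOriginId"])
```

The key design point is that the cache behavior targets the S3 origin directly, so video bytes never transit the EC2/ALB tier.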

9
Question 9

A fintech startup operates a currency-quotation API on AWS for a compliance program that will last the next 3 years. The API runs on 20 Amazon EC2 On-Demand Instances registered in a target group behind a Network Load Balancer (NLB) across two Availability Zones. The service is stateless and runs 24x7. Users report slow responses; metrics show average CPU at 10% during normal traffic, but CPU spikes to 100% during market open hours for a few hours each day. The company needs a new architecture that resolves latency during spikes while minimizing cost over the 3-year period. Which solution is the MOST cost-effective?

This improves performance by adding capacity (desired 28) and uses Reserved Instances for 20, but it is not the most cost-effective. The workload’s average CPU is only 10%, indicating 20 instances are significantly overprovisioned for baseline. Reserving 20 instances for 3 years locks in unnecessary spend. Also, setting desired capacity to 28 is not true elasticity; it keeps extra instances running even outside spike hours unless scaling policies reduce it.

Spot Fleet with DefaultTargetCapacityType set to On-Demand effectively provisions mostly On-Demand capacity, so it doesn’t materially reduce cost versus using Auto Scaling with On-Demand. Additionally, Spot Fleet is a legacy approach compared to EC2 Auto Scaling with mixed instances policies. It also doesn’t address right-sizing the baseline; it keeps TotalTargetCapacity at 20 continuously, which remains overprovisioned given 10% average CPU.

This relies primarily on Spot capacity (DefaultTargetCapacityType=Spot) with a maintain request, which can reduce cost but introduces interruption and capacity-availability risk during critical market-open spikes. The question emphasizes resolving latency during spikes for a compliance program; without explicit interruption tolerance and fallback to On-Demand, Spot is risky. Replacing NLB with ALB is unnecessary for a stateless API already behind NLB and adds change without clear benefit.

This is the most cost-effective: it right-sizes the always-on baseline (min 4) and scales out to meet spike demand (max 28), resolving latency during market open hours. Buying Reserved Instances for only the baseline minimizes 3-year committed spend, while burst capacity runs only for a few hours daily on On-Demand. It aligns with AWS Cost Optimization best practices: commit to steady usage and use elasticity for variable demand.

Question Analysis

Core Concept: This question tests cost-optimized elasticity for a steady 24x7 baseline with predictable daily spikes. The key services/concepts are EC2 Auto Scaling (dynamic scaling for stateless workloads behind a load balancer) and EC2 pricing models (Reserved Instances/Savings Plans for the baseline, On-Demand for burst).

Why the Answer is Correct: The workload is stateless, behind an NLB, and shows a low average CPU (10%) with short daily periods of saturation (100%). The most cost-effective 3-year design right-sizes the always-on baseline and scales out only during spike windows. Option D sets a small minimum capacity (4) to cover the baseline and lets Auto Scaling grow the group to 28 during market open hours, eliminating latency by adding capacity when CPU spikes. Purchasing Reserved Instances for only the baseline (4 instances) minimizes long-term committed spend, while the additional instances run On-Demand for just a few hours daily, which is cheaper than reserving capacity that is not needed 24x7.

Key AWS Features:
- EC2 Auto Scaling with target tracking (e.g., average CPU or NLB metrics) to add/remove instances automatically.
- NLB target group integration with Auto Scaling for health checks and registration/deregistration.
- Reserved Instances (or Compute Savings Plans) for the always-on baseline; On-Demand for burst capacity.
- Well-Architected Cost Optimization: match supply to demand and commit only to steady-state usage.

Common Misconceptions: A common trap is reserving too many instances (Option A) because the current fleet is 20, but the metrics show chronic overprovisioning (10% CPU), so reserving 20 wastes money for 3 years. Another misconception is that Spot is always cheapest (Options B/C): for a compliance program with latency-sensitive market-open spikes, Spot interruption and capacity-availability risk can harm performance and reliability unless carefully engineered with diversification and On-Demand fallback.

Exam Tips: When you see “24x7 for 3 years” plus “spiky,” think “reserve the baseline, autoscale the burst.” Use metrics to infer baseline overprovisioning. Prefer Auto Scaling behind the existing load balancer for stateless services. On exams, Spot is usually correct only when interruption tolerance is explicit and the architecture handles interruptions gracefully with fallback.
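The "reserve the baseline, autoscale the burst" pattern can be sketched as a target-tracking policy plus group limits. The group name and the 50% target are illustrative assumptions; the dict is the payload shape for boto3's `autoscaling.put_scaling_policy`, built locally without calling AWS.

```python
scaling_policy = {
    "AutoScalingGroupName": "quotes-api-asg",  # hypothetical group name
    "PolicyName": "cpu-target-tracking",
    "PolicyType": "TargetTrackingScaling",
    "TargetTrackingConfiguration": {
        "PredefinedMetricSpecification": {
            "PredefinedMetricType": "ASGAverageCPUUtilization",
        },
        # Keep average CPU near 50%: the group scales out from min=4
        # toward max=28 as market-open traffic drives CPU up, then
        # scales back in afterward.
        "TargetValue": 50.0,
    },
}

# Group sizing that pairs with 4 Reserved Instances covering the baseline.
group_limits = {"MinSize": 4, "MaxSize": 28, "DesiredCapacity": 4}

print(scaling_policy["TargetTrackingConfiguration"]["TargetValue"])
```

With this shape, only the 4 minimum instances run 24x7 (and are worth reserving); everything above that is transient On-Demand capacity.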

10
Question 10

A gaming analytics company is deploying a matchmaking REST API behind Amazon API Gateway that invokes several AWS Lambda functions written in Java 17. The functions perform heavy static initialization outside the handler (loading third-party libraries, building a Spring context, and creating unique IDs/cryptographic seeds), and cold starts currently take 800–1200 ms during load tests. The service-level objective requires that 95% of cold initializations complete in under 200 ms, traffic bursts from 0 to 60 concurrent requests within seconds, and the team wants the most cost-effective way to minimize startup latency without paying for always-on capacity. Which solution should the team choose?

Incorrect. Moving all initialization into the handler usually increases per-invocation latency and defeats the benefit of doing heavy work once per execution environment. Also, SnapStart cannot be configured on $LATEST; it requires a published version. This option both misuses SnapStart and worsens performance characteristics.

Incorrect for the stated cost goal. Provisioned Concurrency on an alias will reduce cold starts and handle bursts, but it incurs ongoing charges for the provisioned capacity even when traffic is zero. The question explicitly asks to minimize startup latency without paying for always-on capacity, making this less cost-effective for spiky workloads.

Incorrect/less appropriate. While SnapStart must be enabled on published versions and can be combined with Provisioned Concurrency, adding Provisioned Concurrency reintroduces always-on cost. Also, it does not address the correctness risk of snapshotting unique IDs/cryptographic seeds; without moving that logic out of the snapshot, you can still get duplicated or unsafe state.

Correct. A pre-snapshot hook plus moving unique ID/cryptographic seed generation into the handler (or otherwise ensuring it is not captured in the snapshot) addresses the correctness issue of snapshotting uniqueness-sensitive state. Publishing a version and enabling SnapStart on that version is the supported configuration and provides major cold-start reduction for Java without paying for always-on provisioned capacity.

Question Analysis

Core Concept: This question tests AWS Lambda cold-start mitigation for Java runtimes using Lambda SnapStart versus Provisioned Concurrency, and how to handle initialization state that must remain unique per execution environment (e.g., cryptographic seeds and unique IDs). It also implicitly tests versioning/alias requirements and cost trade-offs for bursty traffic behind API Gateway.

Why the Answer is Correct: Lambda SnapStart (for Java) reduces cold starts by taking a snapshot of the initialized execution environment after the init phase and restoring it on demand. This is ideal for heavy static initialization such as loading libraries and building a Spring context. However, anything that must be unique at runtime (random seeds, unique IDs, certain cryptographic material) must not be “frozen” into the snapshot, or restored environments can produce duplicated values. The correct approach is to use a pre-snapshot hook to prepare the runtime for snapshotting and move uniqueness-sensitive initialization into the handler (or post-restore logic) so it is generated per environment or per invocation as appropriate. SnapStart requires publishing a version and enabling SnapStart on that version (not $LATEST). This meets the <200 ms cold-init SLO without paying for always-on capacity.

Key AWS Features:
- Lambda SnapStart: snapshots initialized Java execution environments to dramatically reduce cold starts.
- Published versions: SnapStart is enabled on versions; API Gateway should invoke an alias/version for stability.
- Runtime hooks (pre-snapshot/post-restore): ensure correctness when snapshotting (e.g., re-seeding RNGs, refreshing ephemeral state).
- Best practice: keep heavy deterministic init outside the handler; keep per-invocation or per-environment uniqueness inside the handler or in post-restore logic.

Common Misconceptions: Provisioned Concurrency also reduces cold starts, but it charges for pre-warmed capacity and is less cost-effective when traffic is frequently at zero with sudden bursts. Other traps are enabling SnapStart on $LATEST (not supported) and snapshotting unique IDs or seeds, which can cause duplicate identifiers or weakened randomness.

Exam Tips:
- For Java cold starts with heavy frameworks, think SnapStart first when you want on-demand cost behavior.
- Remember: SnapStart works on published versions, not $LATEST.
- If the question mentions unique IDs/crypto seeds or “must be unique,” expect a hook/handler change to avoid snapshotting that state.
- Choose Provisioned Concurrency when you need guaranteed warm capacity and can justify the ongoing cost; choose SnapStart when you want lower cold starts without always-on spend.
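The version/alias workflow above can be sketched as three configuration payloads. The function name, alias name, and version number are hypothetical; these are the payload shapes for boto3's Lambda client calls (`update_function_configuration`, `publish_version`, `create_alias`), built locally without calling AWS.

```python
FUNCTION = "matchmaking-api"  # hypothetical function name

# Step 1: opt the function into SnapStart for published versions.
snapstart_update = {
    "FunctionName": FUNCTION,
    "SnapStart": {"ApplyOn": "PublishedVersions"},
}

# Step 2: publish a version; Lambda takes the snapshot as part of
# publishing (SnapStart never applies to $LATEST).
publish_request = {
    "FunctionName": FUNCTION,
    "Description": "SnapStart-enabled release",
}

# Step 3: point an alias at the published version, and have API Gateway
# invoke the alias so deployments stay stable.
alias_request = {
    "FunctionName": FUNCTION,
    "Name": "live",
    "FunctionVersion": "1",  # in practice, the version returned by publish_version
}

print(snapstart_update["SnapStart"]["ApplyOn"])
```

The uniqueness fix itself (pre-snapshot hook plus moving ID/seed generation into the handler) lives in the Java code via CRaC-style runtime hooks, not in this configuration layer.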


11
Question 11

A digital education platform runs its enrollment service on AWS. The service exposes a REST endpoint through Amazon API Gateway that invokes an AWS Lambda function, which performs transactional reads and writes against an Amazon RDS for PostgreSQL DB instance. During a 2-hour “Early Access” promotion, Amazon CloudWatch showed concurrent Lambda executions spiking from a baseline of 80 to 3,200, active database connections climbing to 470 out of a 500-connection limit, and DB CPU utilization sustained above 85%, resulting in intermittent 502 errors and p95 API latencies over 2.5 seconds. What should a solutions architect recommend to optimize the application’s performance under these burst conditions?

Increasing Lambda memory can reduce function runtime, but it does not directly solve the database connection limit or connection storm. Explicitly closing the DB connection after each query is usually counterproductive for Lambda-to-RDS because it increases connection churn (auth/TLS setup) and can raise DB CPU. This option might slightly reduce concurrent duration, but it won’t reliably prevent exhausting 500 connections during bursts.

ElastiCache for Redis is useful when repeated read queries dominate and results can be cached (e.g., course catalog browsing). However, the workload is described as transactional reads and writes for enrollment, and the symptoms include near-max DB connections and high CPU. Caching does not reduce the number of concurrent DB connections created by Lambda, and it does not help write-heavy or strongly consistent transactional paths.

RDS Proxy is purpose-built for Lambda and bursty workloads. It pools and reuses database connections, allowing thousands of Lambda invocations to share a smaller number of backend PostgreSQL connections. This directly addresses the observed 470/500 connections, reduces CPU spent on connection management, improves latency consistency, and mitigates intermittent 502 errors caused by DB saturation. Modifying Lambda to use the proxy endpoint is the standard best practice.

Initializing the DB client outside the handler and reusing connections is a good Lambda optimization, but it only helps within a single warm execution environment. With concurrency spiking to 3,200, Lambda will create many parallel environments, each potentially holding one or more connections, still overwhelming a 500-connection RDS limit. This is a partial mitigation, not a robust solution for burst conditions compared to RDS Proxy.

Question Analysis

Core Concept: This question tests the burst-scaling behavior of AWS Lambda calling Amazon RDS and the resulting “connection storm” problem. The key service is Amazon RDS Proxy, which provides connection pooling and manages database connections for serverless and highly concurrent clients.

Why the Answer is Correct: During the promotion, Lambda concurrency jumped to 3,200 while the database hit 470 of 500 connections and sustained >85% CPU, causing 502s and high p95 latency. This pattern strongly indicates that the database is overwhelmed by too many concurrent client connections and connection churn (frequent opens/closes, TLS/auth overhead), not just slow queries. RDS Proxy sits between Lambda and RDS, maintains a warm pool of established connections to PostgreSQL, and multiplexes many Lambda invocations over fewer backend connections. This reduces connection spikes, lowers CPU spent on connection management, improves resilience during bursts, and stabilizes latency.

Key AWS Features: RDS Proxy supports PostgreSQL, integrates with IAM and AWS Secrets Manager for credential management, provides connection pooling, and can improve failover handling by reducing application-side reconnection logic. For Lambda, the best practice is to point the function at the proxy endpoint and keep application connections open (the proxy manages backend pooling). This aligns with the AWS Well-Architected Reliability and Performance Efficiency pillars by smoothing burst load and protecting the database.

Common Misconceptions: Caching (ElastiCache) can help read-heavy workloads, but the question states transactional reads/writes and shows connection saturation; caching won't fix write pressure or connection storms. Reusing connections in Lambda (initializing outside the handler) helps, but it is insufficient under extreme concurrency because each concurrent execution environment can still hold its own connection(s), quickly exhausting DB limits. Increasing Lambda memory may speed compute, but it does not address DB connection limits and can even increase parallelism against the DB.

Exam Tips: When you see Lambda/API Gateway + RDS with sudden concurrency spikes, database connections near the limit, and elevated CPU with intermittent 502s or timeouts, think “RDS Proxy / connection pooling.” Choose RDS Proxy over “close connections after each query” guidance; in serverless, closing per request often worsens churn. Use caching only when the bottleneck is repeated reads and eventual consistency is acceptable.
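Creating the proxy described above can be sketched as a single request payload. All names, ARNs, and subnet IDs are hypothetical; this is the payload shape for boto3's `rds.create_db_proxy`, built locally without calling AWS.

```python
create_proxy_request = {
    "DBProxyName": "enrollment-proxy",
    "EngineFamily": "POSTGRESQL",
    "Auth": [{
        "AuthScheme": "SECRETS",  # DB credentials come from Secrets Manager
        "SecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:enroll-db",  # hypothetical
        "IAMAuth": "DISABLED",
    }],
    # Role the proxy assumes to read the secret.
    "RoleArn": "arn:aws:iam::111122223333:role/rds-proxy-role",  # hypothetical
    "VpcSubnetIds": ["subnet-0a1b2c3d", "subnet-4e5f6a7b"],  # hypothetical
    "RequireTLS": True,
}

# After the proxy exists, the Lambda function connects to the proxy
# endpoint instead of the DB instance endpoint; the proxy multiplexes
# thousands of client connections over a small backend pool.
print(create_proxy_request["EngineFamily"])
```

The only application change is swapping the database hostname for the proxy endpoint, which is why this is the low-effort fix for connection storms.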

12
Question 12

An online ticketing platform runs containerized microservices on multiple Amazon EC2 instances with public IP addresses, a self-managed Apache Kafka cluster runs on those same EC2 instances, and the transactional database has been migrated to Amazon RDS for PostgreSQL. Marketing forecasts a 5x traffic spike during a 72-hour nationwide presale next week, and engineering leadership wants to minimize operational toil while elastically handling the surge. What changes to the current architecture will best reduce operational overhead and support the presale event?

ASG + ALB can add EC2 capacity, but it does not reduce operational toil for container orchestration (you still manage hosts, deployments, and bin packing), and swapping the self-managed Kafka cluster for Kinesis requires application changes and redesign rather than being a low-toil move. Read replicas help, and S3 offloads static assets, but overall this is not the best “minimize toil” answer given that Kafka and container management remain heavy.

Multi-AZ and storage autoscaling improve database availability and storage management, but they do not materially increase read throughput for a presale surge. Like option A, it proposes moving from Kafka to Kinesis, which is not a low-toil, low-change swap for an existing Kafka-based architecture. It also keeps compute on EC2 ASGs, which still requires significant operational work for containers and scaling behavior.

Creating your own Kubernetes cluster on EC2 increases operational overhead (control plane/worker management, upgrades, scaling, security hardening) compared to managed EKS/Fargate. MSK and CloudFront are strong choices, but the compute layer conflicts with the requirement to minimize toil quickly before next week’s event. This option modernizes streaming and CDN, but makes container operations more complex than the current setup.

EKS with Fargate best reduces ops by removing EC2 node management while enabling elastic pod scaling behind an ALB. MSK replaces self-managed Kafka with a managed Kafka-compatible service, cutting broker ops and improving resilience. RDS read replicas directly address read scaling during traffic spikes. S3 + CloudFront offloads static content and absorbs bursty nationwide demand. This combination aligns with both elasticity and reduced operational overhead.

Question Analysis

Core Concept: This question tests modernization choices that reduce operational toil while providing elastic scaling for containers, streaming, database read scaling, and static content delivery. Key managed services: Amazon EKS with AWS Fargate, Amazon MSK, Amazon RDS read replicas, and Amazon CloudFront + Amazon S3.

Why the Answer is Correct: The current state carries a high operational burden: self-managed containers on EC2 with public IPs and a self-managed Kafka cluster on EC2. For a known 5x spike over 72 hours, the best approach is to move undifferentiated heavy lifting to managed services that scale quickly and predictably. Option D replaces EC2 instance management for the microservices with EKS on Fargate (no node provisioning, patching, or capacity planning) and supports autoscaling (HPA/KEDA with an ALB ingress) to handle burst traffic. It replaces self-managed Kafka with Amazon MSK, eliminating broker provisioning, patching, and recovery toil while retaining the Kafka APIs. For the database, adding RDS for PostgreSQL read replicas is the most directly relevant scaling lever for the read-heavy surges typical of ticket browsing and searching; Multi-AZ primarily improves availability, not read throughput. Finally, serving static assets from S3 behind CloudFront offloads origin traffic, reduces latency nationwide, and absorbs spikes.

Key AWS Features:
- EKS on Fargate: serverless compute for pods, integrates with the AWS Load Balancer Controller for ALB ingress, and schedules pods via Fargate profiles with pod-level autoscaling.
- Amazon MSK: managed Kafka control plane, automated patching, monitoring integration, and easier scaling than self-managed EC2 brokers.
- RDS read replicas: horizontal read scaling; a replica can also be promoted if needed.
- S3 + CloudFront: caching, origin shielding, and high request-rate handling.

Common Misconceptions:
- “Multi-AZ equals scaling”: Multi-AZ improves failover/availability, not read capacity (reader endpoints are an Aurora feature; this is RDS for PostgreSQL).
- “Kinesis is a drop-in for Kafka”: Kinesis is excellent but requires application changes and operational rework; MSK is the closest lift-and-shift from self-managed Kafka.
- “ASG behind ALB is enough”: it still leaves container orchestration and Kafka operations on EC2, which conflicts with the goal of minimizing toil.

Exam Tips: When the prompt emphasizes minimizing operational overhead during a spike, prefer managed/serverless options (Fargate, MSK, CloudFront) and choose scaling mechanisms aligned to the bottleneck (read replicas for read surges; caching for static content). Watch for “self-managed Kafka” cues: MSK is the canonical AWS-managed replacement when Kafka compatibility matters.
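The read-scaling piece of this architecture can be sketched as a replica-creation payload. The instance identifiers and instance class are hypothetical; this is the payload shape for boto3's `rds.create_db_instance_read_replica`, built locally without calling AWS.

```python
replica_request = {
    "DBInstanceIdentifier": "tickets-db-replica-1",  # new replica (hypothetical)
    "SourceDBInstanceIdentifier": "tickets-db",      # existing primary (hypothetical)
    "DBInstanceClass": "db.r6g.xlarge",              # hypothetical sizing
    "PubliclyAccessible": False,
}

# The application then routes read-only queries (catalog browsing,
# seat-map searches) to the replica endpoint, while writes continue to
# go to the primary. Note replicas are asynchronous, so reads may be
# slightly stale.
read_endpoints = ["tickets-db-replica-1"]  # app-side read-routing list

print(replica_request["SourceDBInstanceIdentifier"])
```

Because replication is asynchronous, strongly consistent reads (e.g., final seat confirmation) should still hit the primary.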

13
Question 13

A fintech firm runs a risk analytics tool on Windows VMs in a co-location facility, and the tool reads and writes to a 65 TB shared file repository over SMB with an average daily change rate of about 100 GB. The firm wants to move the shared storage to Amazon S3 for durability and cost, but the application will not be refactored to use native S3 APIs for another 4 months. During this period, the on-premises application must continue to access the same dataset via SMB with minimal client changes, and the cutover must not require running file servers in AWS. A solutions architect must migrate the data to its new S3 location while ensuring uninterrupted SMB access from on premises during and after migration. Which solution will meet these requirements?

Amazon FSx for Windows File Server provides a managed SMB file system that applications can access over SMB, and AWS DataSync can migrate data into it. However, the requirement is specifically to move the shared storage to Amazon S3 for durability and cost efficiency during the interim period. FSx for Windows stores data in the FSx file system rather than using S3 as the primary storage backend, so it does not satisfy the core storage-location requirement. It also introduces an AWS-hosted file system service when the design goal is to keep SMB access on premises while S3 serves as the durable backend.

Copying data directly from the on-premises SMB repository to an S3 bucket can satisfy the durability/cost goal, but it does not satisfy the access requirement. The application cannot use native S3 APIs for 4 months and must continue to access the dataset via SMB with minimal changes. S3 is an object store and does not provide an SMB endpoint for Windows clients without an intermediary service.

AWS Server Migration Service (historical) is for migrating server workloads, not for providing an SMB interface backed by S3. Even if a file server were lifted and shifted to EC2, that would still mean operating a file server in AWS, which the requirements prohibit. It also adds operational burden (patching, scaling, HA) and does not inherently achieve the goal of storing the dataset in S3 as the primary repository.

AWS Storage Gateway File Gateway is designed to present SMB (or NFS) file shares to on-premises applications while storing the data as objects in Amazon S3. Deploying the gateway on an on-premises VM meets the constraint of not running file servers in AWS, and it allows minimal client change (repointing to a new SMB share). Local caching improves performance, and S3 becomes the durable, cost-effective backend during and after migration.

Question Analysis

Core Concept: This question tests how to provide SMB/NFS file access to data that is ultimately stored durably and cost-effectively in Amazon S3, without refactoring applications and without running file servers in AWS. The key service is AWS Storage Gateway (File Gateway), which presents an SMB file share to on-premises clients while storing objects in S3.

Why the Answer is Correct: The firm wants the dataset to live in S3 now, but the Windows VMs must keep using SMB for ~4 months with minimal client changes. AWS Storage Gateway file gateway can be deployed as a VM on premises and expose an SMB share backed by an S3 bucket. The application continues to access the same data over SMB (typically by repointing the UNC path to the gateway share), while the gateway transparently stores files as S3 objects. This meets the “no file servers in AWS” constraint because the SMB server endpoint is the on-premises gateway VM, not an EC2-based file server.

Key AWS Features: File Gateway supports SMB shares, integrates with Active Directory for authentication/authorization, and uses a local cache for low-latency access to hot data while asynchronously uploading to S3. It supports large datasets and incremental changes (100 GB/day) efficiently. You can perform the initial data copy by copying from the existing SMB repository to the gateway SMB share (or using tools like Robocopy), after which ongoing access continues through the gateway with S3 as the system of record.

Common Misconceptions: FSx for Windows File Server (option A) provides SMB but stores data on FSx (EBS-backed) rather than S3, and it is a managed file server in AWS—explicitly disallowed. Directly copying to S3 (option B) breaks SMB access unless the app is refactored. Lifting and shifting a file server to EC2 (option C) violates the “must not require running file servers in AWS” requirement and adds admin overhead.

Exam Tips: When you see “keep SMB/NFS clients unchanged” + “store in S3” + “no refactor,” think Storage Gateway File Gateway. When you see “SMB in AWS” with Windows semantics, think FSx for Windows, but verify constraints about S3 backing and whether running a file system in AWS is allowed.
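The share setup described above can be sketched as the request parameters a deployment script might pass to boto3's create_smb_file_share call. This is a minimal illustration, not a complete deployment: every ARN, bucket name, and token below is a hypothetical placeholder.

```python
# Sketch of boto3 CreateSMBFileShare parameters for an S3-backed SMB share.
# All ARNs, names, and tokens are hypothetical placeholders.
smb_share_params = {
    "ClientToken": "demo-token-123",  # idempotency token for the API call
    "GatewayARN": "arn:aws:storagegateway:us-east-1:111122223333:gateway/sgw-EXAMPLE",
    "LocationARN": "arn:aws:s3:::example-migration-bucket",  # S3 bucket backing the share
    "Role": "arn:aws:iam::111122223333:role/StorageGatewayS3Access",
    "Authentication": "ActiveDirectory",  # AD-integrated SMB authentication
    "DefaultStorageClass": "S3_STANDARD",
}

def validate_share(params: dict) -> bool:
    """Basic sanity checks before calling storagegateway.create_smb_file_share()."""
    required = {"ClientToken", "GatewayARN", "LocationARN", "Role"}
    return required.issubset(params) and params["LocationARN"].startswith("arn:aws:s3:::")

print(validate_share(smb_share_params))  # → True
```

In a real pipeline these parameters would be passed to a boto3 `storagegateway` client after the gateway VM is activated; clients then access the data via the gateway's SMB share while S3 remains the system of record.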

Question 14

An independent cybersecurity auditing firm that operates under an AWS Organizations organization named blueOrg (orgA) must programmatically access a customer’s AWS account that belongs to a separate organization named greenOrg (orgB) to run an automated compliance scanner from the firm’s management account every 4 hours that reads only EC2 Describe*, IAM Get*, and S3 List* metadata using temporary credentials and least privilege. What is the MOST secure way to enable orgA to access resources in orgB via API/CLI?

Incorrect. Sharing account access keys (especially root or broadly privileged keys) is one of the least secure approaches. It uses long-term credentials, is hard to audit and rotate safely, and violates AWS best practices. It also breaks least privilege because account-level keys typically imply broad access and create significant blast radius if compromised.

Incorrect. Creating an IAM user and sharing long-term access keys is explicitly discouraged for third-party access. Even if permissions are scoped, long-term credentials increase exposure (leakage, reuse, storage risk) and require ongoing rotation and secure distribution. This does not meet the requirement to use temporary credentials and is not the most secure pattern.

Partially correct but not the MOST secure. Using an IAM role and STS AssumeRole provides temporary credentials and supports least privilege, which is good. However, for independent third-party access, omitting an ExternalId leaves the customer more exposed to confused deputy scenarios. Adding ExternalId (and optionally other conditions) is the stronger, recommended control.

Correct. A customer-managed least-privilege IAM role with a trust policy that allows the auditor’s account to assume it only with a unique ExternalId is the recommended, most secure third-party access pattern. The auditor uses sts:AssumeRole to obtain temporary credentials every 4 hours, meeting the temporary credential requirement while enabling strong auditing, tight trust controls, and confused deputy protection.

Question Analysis

Core Concept: This question tests secure cross-account access across separate AWS Organizations using AWS STS AssumeRole, least-privilege IAM roles, and the confused deputy protection mechanism (ExternalId). It also implicitly tests best practices: avoid long-term credentials, use temporary credentials, and tightly scope trust and permissions.

Why the Answer is Correct: Option D is the most secure pattern for a third-party auditor accessing a customer account programmatically. The customer creates an IAM role in orgB (customer account) with only the required read-only permissions (EC2 Describe*, IAM Get*, S3 List*). The role’s trust policy allows assumption by the auditor’s AWS account in orgA, but only when the auditor supplies a unique ExternalId. The auditor then calls sts:AssumeRole from its management account every 4 hours to obtain short-lived credentials. This satisfies temporary credentials, least privilege, and strong protection against unauthorized role assumption.

Key AWS Features:
1) IAM Role + Trust Policy: The trust policy specifies the principal (auditor account) and conditions (sts:ExternalId). Optionally, the customer can further restrict with aws:PrincipalArn to a specific role in the auditor account.
2) AWS STS Temporary Credentials: AssumeRole returns time-bound credentials, reducing blast radius and eliminating key rotation burdens.
3) Confused Deputy Mitigation: ExternalId is the AWS-recommended control when a third party accesses customer accounts, preventing the auditor from being tricked into using its permissions to access other customers’ roles.
4) Least Privilege Permissions Policy: Limit actions to ec2:Describe*, iam:Get*, s3:List* and scope resources where possible (not all actions support resource-level constraints).

Common Misconceptions: Option C (role without ExternalId) is better than users/keys, but it omits a key third-party security control and is not the “MOST secure” for an independent firm scenario. Options A and B rely on long-term credentials, which violates best practices and increases risk of leakage and misuse.

Exam Tips: When you see “third-party access,” “temporary credentials,” and “least privilege,” think: customer creates IAM role, auditor assumes via STS. If it’s a vendor/independent auditor, add ExternalId in the trust policy. Avoid sharing access keys. This aligns with AWS IAM guidance and Well-Architected Security Pillar principles (identity foundation, least privilege, and credential management).
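The trust and permissions policies described above can be sketched as plain JSON documents. The account ID and ExternalId value below are hypothetical placeholders; the structure is the standard cross-account trust policy with the sts:ExternalId condition.

```python
import json

# Hypothetical values: the auditor's (orgA) management account and a unique,
# per-customer ExternalId agreed out of band.
AUDITOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "blueorg-scan-7f3a"

# Trust policy on the customer's (orgB) role: only the auditor account may
# assume it, and only when it supplies the agreed ExternalId.
trust_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AUDITOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Least-privilege permissions policy: read-only metadata actions only.
permissions_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "iam:Get*", "s3:List*"],
        "Resource": "*",
    }],
}

print(json.dumps(trust_policy, indent=2))
```

The auditor's scanner would then call `sts:AssumeRole` (passing the role ARN and the same ExternalId) every 4 hours to obtain temporary credentials.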

Question 15

A genomics research consortium provides a regulated data-annotation service to regional laboratories across North America and Europe. The service runs entirely on AWS across more than 30 member accounts that are centrally managed in a single AWS Organizations organization; workloads are deployed in all enabled Regions, and new accounts are added monthly. For audit and regulatory requirements, every API call to AWS resources across all current and future accounts and Regions must be recorded, tracked for changes, and stored durably and securely for 7 years with encryption at rest; logs must be immutable (recoverable from accidental deletions), and the solution must minimize ongoing operational effort without introducing third-party tooling. Which solution meets these requirements with the least operational overhead?

A trail in the management account that writes to an S3 bucket is not necessarily an organization trail. Without enabling an organization-level trail, CloudTrail will not automatically capture events from all member accounts. Even with multi-Region enabled and S3 encryption/MFA Delete, it fails the requirement to record every API call across all current and future accounts with minimal ongoing effort.

Creating a trail and bucket in each member account can capture API activity per account and can be configured for all Regions with encryption and MFA Delete. However, it has high operational overhead (30+ accounts, new accounts monthly, many Regions) and increases the chance of configuration drift. This contradicts the requirement to minimize ongoing operational effort.

An organization-level CloudTrail trail in the management account is the most scalable and lowest-operations way to capture API activity across all existing and future accounts in an AWS Organizations environment. Configuring the trail for all Regions ensures coverage across enabled Regions without requiring per-account trail administration. Sending logs to a centralized S3 bucket with encryption at rest satisfies the durability and security requirements for long-term retention. Enabling S3 Versioning and MFA Delete helps protect the logs from accidental deletion by preserving prior versions and requiring MFA for permanent version deletion.

Adding SNS notifications to an external management system introduces extra integration and operational burden and is not required to meet the core logging and retention requirements. Also, a trail in the management account alone does not guarantee coverage of all member accounts unless it is configured as an organization trail. This option is both incomplete and higher-ops than necessary.

Question Analysis

Core Concept: This question is about implementing centralized, organization-wide AWS API activity logging with AWS CloudTrail across all existing and newly added AWS accounts, storing logs securely for long-term retention with encryption and protection against accidental deletion, while minimizing operational overhead.

Why correct: An AWS CloudTrail organization trail created in the management account is specifically designed to apply automatically across all member accounts in an AWS Organizations organization. Configuring the trail as multi-Region provides logging across all enabled Regions, and central delivery to an Amazon S3 bucket gives durable, low-operations storage. Enabling S3 encryption at rest satisfies the encryption requirement, while S3 Versioning plus MFA Delete helps protect against accidental deletions by allowing recovery of prior object versions. This is the most operationally efficient native AWS solution among the options.

Key features:
- CloudTrail organization trail automatically includes current and future member accounts.
- Multi-Region trail records events from all enabled Regions.
- Centralized S3 storage supports long-term retention and simplified audit access.
- S3 Versioning and MFA Delete provide strong protection against accidental deletion and overwrite.
- S3 server-side encryption supports compliance requirements for encryption at rest.

Common misconceptions: A standard trail in the management account does not automatically capture events from all member accounts; it must be an organization trail. Creating separate trails in every account can work technically, but it creates unnecessary operational burden and configuration drift risk. Also, Versioning plus MFA Delete improves recoverability, but if a question explicitly required strict WORM immutability, S3 Object Lock would be the stronger feature; it is simply not offered in the answer choices here.

Exam tips: When a question mentions AWS Organizations with current and future accounts, prefer organization-level services such as CloudTrail organization trails. For centralized audit logging, look for a dedicated S3 bucket with encryption and retention controls. Be careful not to assume that a generic trail in one account automatically covers the organization, and distinguish between recoverability controls like Versioning/MFA Delete and true immutable retention controls like Object Lock.
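The two key API calls behind this design can be sketched as boto3 request parameters: one for the organization, multi-Region trail (cloudtrail.create_trail) and one for the log bucket's Versioning + MFA Delete (s3.put_bucket_versioning). The trail name, bucket, KMS alias, and MFA device string below are hypothetical placeholders.

```python
# Organization trail: multi-Region, covering all current and future member
# accounts, encrypted with a KMS key. Names/ARNs are placeholders.
create_trail_params = {
    "Name": "org-audit-trail",
    "S3BucketName": "org-audit-logs-example",
    "IsMultiRegionTrail": True,       # record events from all enabled Regions
    "IsOrganizationTrail": True,      # include every member account automatically
    "EnableLogFileValidation": True,  # detect tampering of delivered log files
    "KmsKeyId": "alias/org-trail-key",
}

# Log bucket protection: Versioning keeps prior object versions recoverable,
# and MFA Delete requires an MFA code to permanently delete a version.
put_versioning_params = {
    "Bucket": "org-audit-logs-example",
    "VersioningConfiguration": {"Status": "Enabled", "MFADelete": "Enabled"},
    "MFA": "arn:aws:iam::111122223333:mfa/root-mfa 123456",  # device ARN + code (placeholder)
}

print(create_trail_params["IsOrganizationTrail"])
```

Note that enabling MFA Delete must be done by the bucket owner's root user with an MFA device; a 7-year retention window would additionally be handled with an S3 Lifecycle/retention configuration.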


Question 16

A fitness analytics startup exposes a serverless REST API that powers its mobile app with workout leaderboards; the stack uses an Amazon API Gateway API with a Regional endpoint, AWS Lambda functions, and an Amazon Aurora PostgreSQL Serverless v2 DB cluster. After onboarding several wearable-device partners, request volume surged and the DB began reporting intermittent out-of-memory and scaling pressure events. Traffic analysis shows clients issuing many identical HTTP GET requests for the same leaderboard queries within 30–90 seconds; 70% of traffic occurs between 09:00–18:00 local time, with 3x spikes during New Year promotions and marathon events. The company must support the additional usage while minimizing incremental cost and operational complexity. Which strategy meets these requirements?

API Gateway REST API stage caching is the lowest-complexity way to absorb repeated identical GET requests. With a short TTL (e.g., 60 seconds) and correct cache keys (query strings/headers/path params), most duplicate leaderboard reads are served from cache, reducing Lambda invocations and Aurora Serverless v2 queries. This directly addresses intermittent OOM/scaling pressure while minimizing cost and avoiding application code changes.

ElastiCache for Redis can reduce database load, but it increases operational complexity (VPC design, node sizing, scaling, patching, monitoring) and requires Lambda code changes plus a cache invalidation/TTL strategy. For a pattern of identical GET requests within 30–90 seconds, API Gateway caching provides similar benefits with far less effort and fewer moving parts, making Redis unnecessary here.

Raising Aurora Serverless v2 maximum capacity can help handle spikes by allowing more compute and memory, but it increases cost during peak scaling and does not eliminate redundant reads. The traffic pattern indicates avoidable repeated queries; caching is a more cost-effective first step. Scaling the database is typically used after optimizing request patterns and adding caching layers.

API Gateway throttling (rate/burst limits) protects downstream systems from overload but does so by rejecting or delaying requests (429 responses), which harms the mobile app experience and does not meet the requirement to support additional usage. Throttling is appropriate as a safety mechanism, not as the primary strategy for handling legitimate increased demand and repeated read traffic.

Question Analysis

Core Concept: This question tests choosing the simplest, most cost-effective way to reduce repeated read load on a serverless backend by caching at the API layer. The key service feature is Amazon API Gateway stage-level caching for REST APIs (Regional endpoint), which can cache responses for GET requests and dramatically reduce Lambda invocations and downstream database queries.

Why the Answer is Correct: The workload shows many identical GET requests for the same leaderboard queries within 30–90 seconds. Enabling API Gateway caching with a short TTL (for example, 60 seconds) directly targets this pattern: repeated requests within the TTL are served from the cache, avoiding Lambda execution and Aurora Serverless v2 reads. This reduces database memory pressure and scaling events while minimizing incremental cost and operational complexity. It also aligns with the diurnal traffic pattern and event spikes: caching absorbs bursty read traffic without requiring application code changes.

Key AWS Features: API Gateway REST API caching is configured per stage, with configurable cache size, TTL, and cache key parameters (e.g., query string parameters, headers, path parameters) to ensure correct cache segmentation per leaderboard (such as leaderboardId, time window, region). You can also selectively enable caching for methods and require authorization settings to be considered in cache keys when needed. This is a classic “cache in front of compute and database” pattern and supports Well-Architected cost optimization by reducing unnecessary work.

Common Misconceptions: ElastiCache (option B) is powerful but adds operational overhead (cluster sizing, scaling, patching, VPC networking) and requires code changes and a cache invalidation strategy—more complexity than necessary for short-lived identical GETs. Increasing Aurora capacity (option C) treats the symptom by paying for more compute/memory during spikes rather than reducing redundant reads. Throttling (option D) protects the backend but degrades user experience and does not “support additional usage.”

Exam Tips: When you see “many identical GETs,” “short time window,” and “minimize cost/complexity,” prefer managed caching closest to the request path (API Gateway caching or CloudFront where applicable). Scaling up database capacity is usually a secondary choice after eliminating avoidable load. Throttling is for protection, not for meeting higher demand.
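The caching effect described above can be illustrated with a tiny TTL-cache simulation. This is a stand-in for API Gateway stage caching, not real API Gateway behavior: 100 identical GETs inside a 60-second TTL window cost only one backend (Lambda + Aurora) invocation, and one more after the TTL expires.

```python
import time

class TtlCache:
    """Minimal stand-in for API Gateway stage caching: identical GETs within
    the TTL are served from cache instead of invoking the backend."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.store = {}          # cache key -> (expiry time, cached response)
        self.backend_calls = 0   # how many times Lambda/Aurora would have run

    def get(self, cache_key: str) -> str:
        now = self.clock()
        hit = self.store.get(cache_key)
        if hit and hit[0] > now:
            return hit[1]                       # served from cache
        self.backend_calls += 1                 # Lambda + Aurora query happens here
        response = f"leaderboard:{cache_key}"
        self.store[cache_key] = (now + self.ttl, response)
        return response

# Fake clock so the demo is deterministic.
t = [0.0]
cache = TtlCache(ttl_seconds=60, clock=lambda: t[0])
for _ in range(100):                  # 100 identical GETs within the TTL window
    cache.get("global?window=daily")  # cache key includes the query string
t[0] = 61.0                           # TTL expired -> exactly one more backend call
cache.get("global?window=daily")
print(cache.backend_calls)            # → 2
```

The cache key here includes the query string, mirroring the need to configure query string parameters as cache keys so different leaderboards are cached separately.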

Question 17

An ad-tech startup is building a metrics ingestion API with Amazon API Gateway and AWS Lambda. Across 12 Lambda functions written in Python 3.11, the team must reuse five internal libraries and custom classes maintained by a central platform team (about 15 MB when compressed). The security team requires production deployments to pull artifacts only from an approved registry; Amazon ECR is approved, but build jobs are not allowed to upload artifacts to S3 in the production account. A solutions architect must simplify deployments for all functions and maximize code reuse with minimal packaging complexity. Which approach meets these requirements?

Incorrect. It violates the security requirement because artifacts would be stored in S3, which is not the approved registry. Also, Lambda layers are ZIP archives, not created from a Docker image stored in S3. While attaching a layer to multiple ZIP-based functions is a common reuse pattern, it conflicts with the stated production constraint and misstates how layers are built and published.

Incorrect. Although ECR is the approved registry, Lambda layers are not created directly from an ECR container image. Layers are published as ZIP archives (uploaded to Lambda), and typical deployment workflows often involve S3 as a staging location. The option’s premise (layer-from-ECR-image) is not a supported Lambda feature, making it an invalid approach despite sounding governance-friendly.

Incorrect. ECS/Fargate runs long-lived containers, but Lambda cannot “reference a running container” as a Lambda layer. Layers are static dependency bundles mounted into the Lambda execution environment at init time. Using ECS would also add unnecessary operational overhead (service management, scaling, networking) and does not solve the packaging/reuse requirement for Lambda runtimes.

Correct. Build one container image per Lambda function, inheriting from a standardized base image that contains the shared internal libraries. Push images to ECR so production deployments pull only from the approved registry, avoiding S3 artifact uploads in the production account. This maximizes reuse (shared base image), reduces packaging complexity across 12 functions, and leverages Lambda’s native container image deployment model.

Question Analysis

Core Concept: This question tests AWS Lambda deployment packaging choices (ZIP vs container images), code reuse strategies (layers vs shared base images), and supply-chain controls (approved artifact registries such as Amazon ECR). It also implicitly tests Lambda limits and operational simplicity across multiple functions.

Why the Answer is Correct: Option D best satisfies all constraints: the security team requires production deployments to pull artifacts only from an approved registry (ECR is approved), and build jobs cannot upload artifacts to S3 in the production account. Lambda container image support allows each function’s deployment package to be an OCI image stored in ECR, eliminating the need to place ZIPs or layer artifacts into S3 in the production account. Code reuse is achieved by standardizing on a common base image that contains the 15 MB compressed internal libraries and shared classes; each function image then adds only its handler code. This approach minimizes packaging complexity for 12 functions because the shared dependencies are managed once in the base image and inherited consistently.

Key AWS Features:
- AWS Lambda container image support (up to 10 GB image size) with images stored in Amazon ECR.
- Docker multi-stage builds and a shared base image pattern to maximize reuse and reduce duplication.
- ECR repository policies, image scanning, immutable tags, and lifecycle policies to meet governance and security requirements.
- CI/CD can build and push images to ECR, and deployments update the Lambda function image URI/digest.

Common Misconceptions: A and B may look attractive because Lambda layers are the classic reuse mechanism. However, Lambda layers are not created “from a Docker image in ECR” in the way described; layers are published as ZIP archives (typically uploaded to Lambda, often sourced from S3 by deployment tooling). Additionally, A violates the “approved registry” requirement by using S3 as the artifact store, and B incorrectly assumes ECR can directly back a layer. C is incorrect because Lambda cannot reference a running ECS/Fargate container as a layer; layers are static artifacts, not network-attached runtime dependency services.

Exam Tips: When you see “approved registry = ECR” and restrictions on S3 artifact uploads, strongly consider Lambda container images. Use layers for ZIP-based functions, but for strict registry-based supply-chain controls and simplified dependency reuse, a shared base image in ECR is often the cleanest pattern. Also remember: Lambda layers are ZIP-based, while Lambda container images are pulled from ECR.
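The per-function deployment model can be sketched as the parameters each of the 12 functions would pass to lambda.create_function: PackageType="Image" with an ImageUri pointing at ECR. The registry URI, repository path, role ARN, and function names below are hypothetical placeholders.

```python
# Sketch of deploying one of the 12 functions from a container image in ECR.
# Every image is built FROM a shared base image that carries the internal
# libraries; the registry/role/function names are placeholders.
ECR_REGISTRY = "111122223333.dkr.ecr.us-east-1.amazonaws.com"

def image_function_params(name: str, tag: str) -> dict:
    """Parameters for lambda.create_function using a container image package."""
    return {
        "FunctionName": name,
        "PackageType": "Image",  # container image deployment, not a ZIP archive
        "Code": {"ImageUri": f"{ECR_REGISTRY}/metrics/{name}:{tag}"},
        "Role": "arn:aws:iam::111122223333:role/metrics-lambda-exec",
    }

params = image_function_params("ingest-clicks", "v1.4.2")
print(params["Code"]["ImageUri"])
```

Because production deployments reference only the ECR image URI (or, better, its immutable digest), no artifact ever needs to be uploaded to S3 in the production account.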

Question 18

A design studio is enabling 1,200 employees to work remotely and needs a scalable, cost-effective AWS Client VPN solution so that up to 300 concurrent users can securely access internal workloads deployed in six VPCs across four AWS accounts, where a shared networking (hub) account hosts a hub VPC already peered to five spoke VPCs with non-overlapping CIDR blocks, the corporate network currently reaches the hub VPC via a single AWS Site-to-Site VPN, and the solution must minimize monthly spend while allowing remote users to reach applications in all VPCs.

Creating a Client VPN endpoint in each AWS account could provide access, but it is not the best architecture here because it creates multiple endpoints, duplicated configuration, and higher operational overhead. It also does not inherently solve centralized access across all six VPCs from a single user connection unless users connect to different endpoints as needed. The question asks for a scalable solution that allows remote users to reach applications in all VPCs, and this option fragments access rather than centralizing it. It is also less elegant and potentially more expensive than a single endpoint with proper transit routing.

This option is incorrect because VPC peering does not support transitive routing. A Client VPN endpoint associated with the hub VPC can provide access to resources in that VPC, but traffic from VPN clients cannot simply traverse the hub and then continue over peering connections to the spoke VPCs as a transit path. Even with route tables and authorization rules configured, AWS does not allow a peered VPC to serve as a transit hub for this purpose. Therefore, a single Client VPN endpoint in the hub account cannot reach all peered VPCs using peering alone.

This is the correct answer because a single AWS Client VPN endpoint can provide centralized remote access only when the underlying network supports transitive routing between the client-connected VPC and the other VPCs. AWS Transit Gateway is designed for exactly this multi-account, multi-VPC connectivity pattern and allows the hub VPC and all spoke VPCs to exchange routes in a controlled, scalable way. By attaching each VPC to the Transit Gateway and associating the Client VPN endpoint with the hub VPC, remote users can reach applications in all six VPCs through one endpoint. While Transit Gateway adds cost, it is the only option listed that actually satisfies the technical routing requirement.

This option is incorrect because AWS Client VPN is not designed to connect to an existing Site-to-Site VPN as a mechanism for reaching AWS workloads across multiple VPCs. The Site-to-Site VPN connects the corporate network to AWS, but remote users connecting through Client VPN would still face the same underlying routing limitations to the spoke VPCs. It also introduces unnecessary hairpinning and complexity without solving the lack of transitive connectivity between the hub VPC and the peered spokes. As a result, this design does not meet the requirement for scalable access to applications in all VPCs.

Question Analysis

Core Concept: This question tests whether AWS Client VPN can be centralized for multi-account, multi-VPC remote access and what network construct is required for scalable routing. The key point is that VPC peering is non-transitive, so traffic from a Client VPN endpoint associated with a hub VPC cannot simply traverse peering connections to reach spoke VPCs. To provide remote users access to workloads across multiple VPCs and accounts from a single Client VPN endpoint, you need a transit routing service such as AWS Transit Gateway.

Why the Answer is Correct: A single Client VPN endpoint in the shared networking account combined with AWS Transit Gateway is the correct design because Transit Gateway supports centralized, transitive routing across multiple VPCs and accounts. The Client VPN endpoint associates with subnets in the hub VPC, that VPC attaches to the Transit Gateway, and each spoke VPC in the other accounts also attaches to the Transit Gateway. With proper route propagation and authorization rules, remote users can access applications in all six VPCs from one VPN endpoint. Although Transit Gateway adds cost, it is the only option presented that satisfies the connectivity requirement with a single scalable endpoint.

Key AWS Features / Configurations:
- AWS Client VPN endpoint associated with subnets in the shared networking account.
- AWS Transit Gateway attachments for the hub VPC and each spoke VPC across accounts.
- Transit Gateway route tables configured so the Client VPN client CIDR and all VPC CIDRs are mutually reachable.
- Client VPN authorization rules for the required destination CIDRs.
- Security groups and network ACLs updated to allow traffic from the Client VPN client CIDR.

Common Misconceptions:
- Assuming VPC peering allows a centralized Client VPN endpoint to reach peered VPCs. It does not, because peering does not support transitive routing.
- Thinking the existing Site-to-Site VPN can be reused as a path for remote users to reach all AWS VPCs. That would not solve the core routing limitation and is not how Client VPN is designed for this use case.
- Assuming the cheapest-looking option is automatically correct. If it cannot meet the routing requirement, it is not a valid solution.

Exam Tips: When you see centralized remote access to many VPCs across accounts, immediately check whether the existing network is based on peering or Transit Gateway. For hub-and-spoke remote access with one VPN endpoint, Transit Gateway is usually the required service because it supports transitive routing. On the exam, eliminate answers that rely on VPC peering for transit between VPN clients and other VPCs.
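The authorization-rule piece of this design can be illustrated with a small sketch using Python's ipaddress module. All CIDRs below are hypothetical (a client CIDR plus six non-overlapping VPC CIDRs); real enforcement is done by Client VPN authorization rules, with the Transit Gateway route tables then carrying the traffic to the right VPC.

```python
import ipaddress

# Hypothetical, non-overlapping CIDRs: the Client VPN client CIDR plus the
# hub VPC and five spoke VPCs that authorization rules must cover.
CLIENT_CIDR = "10.100.0.0/16"
VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16",
             "10.3.0.0/16", "10.4.0.0/16", "10.5.0.0/16"]

def is_authorized(dest_ip: str, authorized_cidrs: list) -> bool:
    """Mirror of a Client VPN authorization check: the destination must fall
    inside at least one authorized CIDR. Routing beyond the hub VPC is then
    handled by Transit Gateway route tables, not by this check."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in authorized_cidrs)

print(is_authorized("10.3.12.7", VPC_CIDRS))   # address in a spoke VPC → True
print(is_authorized("172.16.0.5", VPC_CIDRS))  # outside all six VPCs → False
```

The same six CIDRs would appear again as destinations in the Client VPN endpoint route table (pointing at the hub subnet association) and be propagated through the Transit Gateway attachments.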

Question 19

A digital publishing company runs a content API on Amazon ECS Fargate tasks in three private subnets behind an Application Load Balancer (ALB) deployed across three public subnets; a single Amazon CloudFront distribution uses the ALB as its only origin, and the company must prevent any direct-to-origin traffic while allowing only CloudFront-originated requests, with automated shared-secret rotation at least every 30 days and no reliance on static IP allow lists—what should a solutions architect do to enhance origin security?

Correct. Uses a rotating shared secret (Secrets Manager + rotation Lambda) and enforces it at the origin with AWS WAF on the ALB via a header string match rule. CloudFront injects the secret as a custom origin header, so only CloudFront-originated requests are allowed. Meets the requirements: blocks direct-to-origin traffic, no static IP allow lists, and automated rotation at least every 30 days.

Incorrect. Relies on IP allow listing CloudFront service IP ranges, which the question explicitly forbids and is operationally brittle due to frequent changes. Also, “move the ALB into private subnets” conflicts with the described architecture (ALB in public subnets) and would require redesign (internal ALB) while still needing a supported path for CloudFront to reach the origin.

Incorrect. Systems Manager Parameter Store does not provide automatic rotation for arbitrary random strings in the same way Secrets Manager does for secrets rotation. Additionally, ALB listener rules are primarily for routing/forwarding decisions; they are not a robust security enforcement mechanism to block unauthorized requests based on a secret header compared to AWS WAF’s explicit allow/block controls.

Incorrect. Shield Advanced provides DDoS protections and visibility but does not solve origin authentication. The option still depends on allowing CloudFront IP ranges at the network layer (security group policy), which violates the “no static IP allow lists” requirement and is difficult to maintain. Origin access control here needs an application-layer verification mechanism (e.g., WAF header match).

Question Analysis

Core Concept: This question tests CloudFront origin protection patterns for an ALB origin, specifically preventing direct-to-origin access while allowing only requests that truly came through CloudFront, without using IP allow lists, and with automated secret rotation. The key services are CloudFront (custom origin headers), AWS WAF (header-based allow/deny at L7), and AWS Secrets Manager (managed secret rotation).

Why the Answer is Correct: Option A implements a shared-secret “origin verification” mechanism: CloudFront injects a custom HTTP header on every origin request, and AWS WAF on the ALB allows only requests that contain the expected header value. Direct clients hitting the ALB won’t know the secret header value, so they are blocked. Using Secrets Manager with a rotation Lambda meets the requirement for automated rotation at least every 30 days. This approach avoids static IP allow lists entirely and works even as CloudFront edge IPs change.

Key AWS Features:
- CloudFront custom origin headers: CloudFront can add a header (e.g., X-Origin-Verify) to requests sent to the ALB origin.
- AWS WAF web ACL on ALB: A rule can require the header and match its value (string match). The default action can be block, with an allow rule for matching requests.
- AWS Secrets Manager rotation: Native rotation scheduling with a Lambda rotation function enables periodic secret updates. Operationally, you update the CloudFront origin custom header value when the secret rotates (often via automation/CI/CD or an EventBridge-triggered workflow).

Common Misconceptions:
- “Just allow CloudFront IPs” (B/D) is explicitly disallowed and brittle because CloudFront IP ranges change and are numerous.
- “Put the ALB in private subnets” (B) is not a valid configuration for an internet-facing ALB; internal ALBs can be private, but CloudFront must still reach the origin, typically via public internet-facing endpoints or other supported connectivity patterns.
- “Use ALB listener rules to inspect headers” (C) is not a robust security control; ALB listener rules can route based on headers, but they are not a substitute for WAF-based blocking, and Parameter Store does not provide automatic rotation for arbitrary strings like Secrets Manager does.

Exam Tips: For CloudFront-to-ALB origin lockdown, look for “custom header + WAF header match” as the canonical pattern. When rotation is required, prefer Secrets Manager rotation over ad hoc mechanisms. If a question forbids IP allow lists, eliminate any option relying on CloudFront IP ranges or security group IP policies.
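The verification logic that the WAF string-match rule enforces is equivalent to the minimal filter below. The header name and secret value are hypothetical; in the real architecture CloudFront injects the header and WAF performs the match, so no application code runs this check.

```python
import hmac

# Hypothetical header name and secret. CloudFront adds this header on every
# origin request; the current value would be fetched from Secrets Manager and
# updated on the distribution each time the rotation Lambda runs.
HEADER_NAME = "x-origin-verify"
CURRENT_SECRET = "s3cr3t-rotated-every-30d"

def allow_request(headers: dict) -> bool:
    """Allow only requests carrying the expected shared-secret header,
    mirroring a WAF web ACL with default action Block and one allow rule."""
    supplied = headers.get(HEADER_NAME, "")
    # Constant-time comparison avoids leaking the secret via timing differences.
    return hmac.compare_digest(supplied, CURRENT_SECRET)

print(allow_request({HEADER_NAME: CURRENT_SECRET}))  # CloudFront-originated → True
print(allow_request({}))                             # direct-to-origin → False
```

During rotation there is typically a short window where both the old and new secret are accepted (two allow rules), so in-flight CloudFront configuration updates do not cause blocked traffic.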

Question 20

A healthcare analytics firm is architecting a patient telemetry platform on AWS that must store approximately 9 TB of relational data and meet an RPO of under 4 minutes and an RTO of under 12 minutes while complying with a requirement to fail over to a secondary AWS Region at the lowest possible cost, which solution should the team choose?

Taking snapshots every 4 minutes and copying them to another Region is not a practical way to achieve a sub-4-minute RPO for a 9 TB relational database. Snapshot creation, cross-Region copy, and restore operations introduce substantial delay, and restoring a new Aurora cluster from backup would almost certainly exceed the 12-minute RTO. This option is a backup-and-restore strategy, not a warm standby disaster recovery design. It is suitable for longer recovery windows, not near-real-time cross-Region failover.

An RDS for PostgreSQL cross-Region read replica is a valid disaster recovery pattern, but it is not the strongest choice for a strict RPO under 4 minutes on a 9 TB database. Cross-Region replication for standard RDS PostgreSQL is asynchronous and can experience lag that is harder to bound tightly under heavy write workloads or large-scale operational conditions. The option may work in some environments, but the question asks for a solution that should be chosen to meet the stated objectives with confidence. Aurora-based cross-Region replication patterns are generally better aligned with stringent minute-level DR requirements.

Deploying Aurora PostgreSQL in both Regions and using AWS DMS for ongoing replication creates a warm standby environment in the secondary Region. Because the target database is already running, failover does not require restoring many terabytes from backup, which is critical for meeting a 12-minute RTO. Continuous replication also makes it feasible to keep data loss within the 4-minute RPO target. Although this is not the absolute cheapest architecture in general, it is the lowest-cost option among those listed that can realistically satisfy both the strict recovery objectives and the cross-Region requirement.

A read replica in the same Region does not satisfy the explicit requirement to fail over to a secondary AWS Region. It can help with instance or Availability Zone failures, but it offers no protection against a full Regional outage. Because the compliance requirement specifically calls for secondary-Region failover, this option must be eliminated regardless of its cost or promotion speed. Therefore it cannot be the correct answer.

Question Analysis

Core concept: This question is about choosing a cross-Region disaster recovery architecture for a large relational PostgreSQL workload that must meet a strict RPO of under 4 minutes and an RTO of under 12 minutes while minimizing cost. The key is to balance recovery objectives against operational complexity and the cost of keeping a secondary Region ready. Aurora PostgreSQL offers faster replication and failover characteristics than snapshot-based recovery, and continuous replication is necessary for a minute-level RPO.

Why correct: Running an Aurora PostgreSQL cluster in the primary Region and another in the secondary Region with AWS DMS replication provides a warm standby pattern that can satisfy the required RPO and RTO. The secondary database is already provisioned, so failover avoids the long restore times associated with snapshots. Compared with backup-and-restore approaches, this design is much more likely to meet both the sub-4-minute RPO and sub-12-minute RTO requirements.

Key features: Aurora provides managed PostgreSQL-compatible relational storage with high performance and fast recovery behavior. AWS DMS supports ongoing replication to keep a target database in another Region synchronized with the source. Because the target database is already running in the secondary Region, the team only needs to cut over applications and validate the final replication state during a disaster event.

Common misconceptions: Snapshot copying is often mistaken for a DR solution that can meet tight RPO/RTO targets, but snapshots are fundamentally backup artifacts and restoring 9 TB is too slow. Same-Region replicas do not satisfy cross-Region compliance requirements. Cross-Region read replicas on standard RDS for PostgreSQL can be useful, but for a very large database with strict minute-level objectives, Aurora-based architectures are generally more suitable.
Exam tips: When you see very low RPO and RTO together with a cross-Region requirement, eliminate snapshot/restore options first. Then compare warm standby or continuously replicated architectures. Also pay attention to whether the question asks for the lowest possible cost among solutions that still meet the objectives, not simply the cheapest option overall.
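The elimination process in the tips above can be encoded as a small filter: drop options that are not cross-Region, drop options whose achievable RPO/RTO exceed the targets, then take the cheapest survivor. All option names, recovery figures, and relative costs below are illustrative assumptions for the sketch, not AWS data:

```python
# Exam-style elimination: cross-Region first, then RPO/RTO, then cost.
# Figures are illustrative assumptions ranking the four answer choices.

options = [
    {"name": "snapshot-copy",       "cross_region": True,  "rpo_min": 34, "rto_min": 65, "cost": 1},
    {"name": "rds-xregion-replica", "cross_region": True,  "rpo_min": 10, "rto_min": 10, "cost": 2},
    {"name": "aurora-dms-standby",  "cross_region": True,  "rpo_min": 2,  "rto_min": 8,  "cost": 3},
    {"name": "same-region-replica", "cross_region": False, "rpo_min": 1,  "rto_min": 5,  "cost": 2},
]

def choose(options, rpo_target=4, rto_target=12):
    # Keep only options that satisfy every hard requirement...
    viable = [o for o in options
              if o["cross_region"]
              and o["rpo_min"] <= rpo_target
              and o["rto_min"] <= rto_target]
    # ...then minimize cost among the survivors, never overall.
    return min(viable, key=lambda o: o["cost"])["name"] if viable else None

print(choose(options))  # aurora-dms-standby
```

Note that the cheapest option overall (snapshot copying) is eliminated before cost is ever considered, which mirrors the wording "lowest possible cost among solutions that still meet the objectives."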

Success Stories (9)

S
s******Nov 24, 2025

Study period: 3 months

I used these practice questions and successfully passed my exam. Thanks for providing such well-organized question sets and clear explanations. Many of the questions felt very close to the real exam.

T
t**********Nov 13, 2025

Study period: 3 months

Just got certified last week! It was a tough exam, but I'm really thankful to Cloud Pass. The app questions helped me a lot in preparing for it.

효
효**Nov 12, 2025

Study period: 1 month

I made good use of the app ^^

P
p*******Nov 7, 2025

Study period: 2 months

These practice exams helped me pass the certification. A lot of the exam questions were similar to the ones here.

D
d***********Nov 7, 2025

Study period: 1 month

Thanks. I think I passed because of the high-quality content here. I'm thinking of taking my next AWS exam here too.

Practice Tests

Practice Test #1

75 Questions·180 min·Pass 750/1000

Practice Test #2

75 Questions·180 min·Pass 750/1000

Practice Test #3

75 Questions·180 min·Pass 750/1000

Practice Test #4

75 Questions·180 min·Pass 750/1000

Practice Test #5

75 Questions·180 min·Pass 750/1000

Other AWS Certifications

AWS Certified Solutions Architect - Associate (SAA-C03) · Associate

AWS Certified AI Practitioner (AIF-C01) · Practitioner

AWS Certified Advanced Networking - Specialty (ANS-C01) · Specialty

AWS Certified Cloud Practitioner (CLF-C02) · Practitioner

AWS Certified Data Engineer - Associate (DEA-C01) · Associate

AWS Certified Developer - Associate (DVA-C02) · Associate

AWS Certified DevOps Engineer - Professional (DOP-C02) · Professional

AWS Certified Machine Learning Engineer - Associate (MLA-C01) · Associate

AWS Certified Security - Specialty (SCS-C02) · Specialty

Start Practicing Now

Download Cloud Pass and start practicing all AWS Certified Solutions Architect - Professional (SAP-C02) exam questions.

Get it on Google Play · Download on the App Store

© Copyright 2026 Cloud Pass, All rights reserved.
