←
Back to Dashboard
AWS Unified (SAA-C03 + DVA-C02)
The "Mega-Set"
🧠 AWS Unified Topic Mindmap (SAA + DVA)
AWS UNIFIED (ARCHITECT & DEVELOPER)
├── CORE INFRA (SAA Focus)
│ ├── Compute: EC2 (Instances/Spot), Auto Scaling, ELB
│ ├── Storage: S3 (Classes/Security), EBS, EFS, FSx
│ ├── Network: VPC, Route 53, CloudFront, Global Accelerator
│ └── Database: RDS (Multi-AZ/Read Replica), Aurora
├── SERVERLESS & APIS (DVA Focus)
│ ├── Lambda: Versions/Aliases, Layers, Powertools, Event Source Mapping
│ ├── API Gateway: Stages, Usage Plans, Mapping Templates, CORS, Websockets
│ ├── EventBridge: Rules, Pipes, Scheduler, Schema Registry
│ └── Step Functions: Standard vs Express, Saga Pattern, Wait States
├── DATA & ANALYTICS
│ ├── DynamoDB: Partition/Sort Keys, LSI/GSI, DAX, Streams, TTL
│ ├── Kinesis: Data Streams (Shards/Consumers), Firehose
│ ├── SQS/SNS: Fan-out, FIFO vs Standard, DLQ, Visibility Timeout
│ └── ElastiCache: Redis (Pub/Sub, Sorted Sets) vs Memcached
├── DEVELOPER TOOLS (CI/CD)
│ ├── CodeCommit: Git triggers, PRs, PR Approval Rules
│ ├── CodeBuild: buildspec.yml, Env Vars, Caching, Local Build
│ ├── CodeDeploy: appspec.yml, Hooks (BeforeInstall, AfterAllowTraffic), Blue/Green
│ ├── CodePipeline: Artifacts, Manual Approval, Multi-Region, Custom Actions
│ └── X-Ray: Tracing, Segments, Subsegments, Annotations vs Metadata, Daemon
└── SECURITY & OBSERVABILITY
├── IAM: Roles vs Resource Policies, Cognito (User/Identity Pools)
├── Secrets: Secrets Manager (Rotation) vs Parameter Store (Hierarchy/SecureString)
├── Encryption: KMS (Envelope Enc), CloudHSM, ACM
└── Monitoring: CloudWatch (Alarms, Logs, Insights, Synthetics)
1. The 6 Pillars of Well-Architected Framework
Operational Excellence: IAC, annotate documentation, frequent small changes, anticipate
failure.
Security: IAM roles (not users), protecting data in transit/rest, principle of least
privilege.
Reliability: Auto-scaling, Multi-AZ, horizontal scaling, automatic recovery.
Performance Efficiency: Serverless, right instance types, global reach (CloudFront),
experimentation.
Cost Optimization: Spot instances, savings plans, auto-scaling, managed services.
Sustainability: Maximizing utilization, efficient hardware/code practices.
2. Key Architecture Patterns
High Availability (HA): Use Multi-AZ (RDS, ASG covers multiple AZs).
Fault Tolerance: Application keeps running even if components fail (S3, SQS decoupled
architecture).
Decoupling: SQS (Queue), SNS (Pub/Sub) to break bad dependencies.
Disaster Recovery (DR): Backup & Restore (Slowest), Pilot Light (DB running), Warm
Standby (Scaled down), Multi-Site Active/Active (Fastest).
3. Storage Cheatsheet
S3: Object storage. Infinite scale. Standard, IA, Glacier (Archive). Static websites.
EBS: Block storage for one EC2. Persistence. GP3 (General), IO2 (High Performance).
Snapshots.
EFS: Linux Network File System (NFS). Shared across multiple EC2s. POSIX.
FSx for Windows: SMB share for Windows instances.
Storage Gateway: Hybrid cloud. File (S3 view), Volume (iSCSI), Tape.
Q1. A company needs to host a static website with the lowest possible cost. (A) EC2 with
ALB (B) S3 Bucket (C) ECS Fargate (D) RDS
Answer: B - S3 Static Website Hosting is the most cost-effective and scalable solution
for static content.
Q2. Which DB service is best for a high-traffic e-commerce shopping cart needing
single-digit ms latency? (A) RDS MySQL (B) DynamoDB (C) Redshift (D) Neptune
Answer: B - DynamoDB is high-performance NoSQL, perfect for key-value data like shopping
carts with millisecond latency.
Q3. You need to store archived data for 7 years to meet compliance, access time can be
12 hours. (A) S3 Standard (B) S3 Glacier Instant Retrieval (C) S3 Deep Archive (D) S3
Intelligent-Tiering
Answer: C - Deep Archive is lowest cost for long-term retention where retrieval time of
12+ hours is acceptable.
Q4. Application EC2 instances are in a private subnet. They need to download updates
from internet. (A) Internet Gateway (B) NAT Gateway (C) Egress-Only Internet Gateway (D) VPS Peering
Answer: B - NAT Gateway allow private instances to initiate outbound IPv4 traffic to
internet but blocks inbound.
Q5. You want to decouple an image processing system. Uploads should trigger processing
asynchronously. (A) Direct EC2 call (B) SQS + Lambda (C) RDS trigger (D) ALB sticky sessions
Answer: B - S3 event -> SQS queue -> Lambda consumer is a classic decoupled, serverless
pattern.
Q6. Files need to be accessible by multiple Linux EC2 instances simultaneously across
AZs. (A) EBS (B) EFS (C) Instance Store (D) S3 Glacier
Answer: B - EFS (Elastic File System) provides a shared NFS file system for Linux
instances across AZs.
Q7. A global application needs users to be routed to the nearest AWS region with low
latency. (A) Route 53 Geolocation (B) CloudFront (C) AWS Global Accelerator (D) VPN
Answer: C - Global Accelerator uses AWS global network and static IPs to route to
optimal endpoint. (Route 53 Geolocation also works but GA is often preferred for TCP/UDP performance).
Q8. You need a data warehouse to analyze petabytes of data using SQL. (A) RDS (B)
DynamoDB (C) Redshift (D) ElastiCache
Answer: C - Redshift is AWS's petabyte-scale data warehouse solution (OLAP).
Q9. Manage encryption keys for AWS services and control rotation. (A) AWS Artifact (B)
KMS (C) Secrets Manager (D) Shield
Answer: B - KMS (Key Management Service) is used to create and manage cryptographic
keys.
Q10. Temporary access to S3 objects for mobile users without embedding credentials. (A)
IAM User (B) S3 Bucket Policy (C) Cognito Identity Pool / Presigned URLs (D) NACL
Answer: C - Cognito Identity Pools or Presigned URLs allow temporary, secure access for
unauthenticated or federated users.
Q11. Securely store database credentials and rotate them automatically. (A) KMS (B)
Parameter Store (C) Secrets Manager (D) S3 Encrypted
Answer: C - Secrets Manager supports automatic rotation of secrets (DB credentials),
Parameter Store does not rotate natively without Lambda.
Q12. Ensure an EBS volume can be recovered in another region for DR. (A) Take Snapshot
-> Copy to Region (B) Unmount and Move (C) Use TGW (D) VPC Peering
Answer: A - You make a snapshot, and then copy that snapshot to the target region to
restore a volume there.
Q13. Restrict access to an S3 bucket to only traffic coming from a specific VPC
Endpoint. (A) Security Group (B) Bucket Policy with aws:sourceVpce condition (C) NACL (D) IAM Role
Answer: B - Bucket Policies can deny requests that don't come from a specific VPC
Endpoint ID.
Q14. Run a containerized application with no server management. (A) EC2 (B) Fargate (C)
ECS on EC2 (D) EKS on EC2
Answer: B - AWS Fargate is the serverless compute engine for containers (ECS/EKS).
Q15. Migrate an on-premise Oracle DB to Aurora PostgreSQL with minimal downtime. (A)
Dump and Restore (B) AWS DMS (Database Migration Service) with SCT (C) DataSync (D) Snowball
Answer: B - DMS handles data replication for minimal downtime; SCT (Schema Conversion
Tool) converts the schema.
Q16. Protect a web application from SQL injection and XSS attacks. (A) Security Groups
(B) WAF (Web Application Firewall) (C) Shield Standard (D) GuardDuty
Answer: B - WAF allows you to inspect traffic at Layer 7 and block SQLi, XSS, etc.
Q17. High performance file system for Lustre (HPC) workloads. (A) EFS (B) FSx for Lustre
(C) S3 (D) EBS io2
Answer: B - FSx for Lustre is optimized for compute-intensive workloads (HPC, ML).
Q18. Route traffic based on user location to a specific version of the website (e.g.
French). (A) Latency Routing (B) Geolocation Routing (C) Weighted Routing (D) Failover Routing
Answer: B - Geolocation routing lets you route traffic based on the geographic location
of the request.
Q19. Monitor EC2 memory usage. (A) CloudWatch Default Metrics (B) CloudTrail (C)
CloudWatch Custom Metric (Unified Agent) (D) Config
Answer: C - Memory is NOT a default EC2 metric (Hypervisor doesn't see inside OS). You
need the CloudWatch Agent.
Q20. Send email notifications to admins when CPU > 80%. (A) CloudWatch Alarm -> SNS (B)
CloudTrail -> S3 (C) EventBridge -> Lambda (D) VPC Flow Logs
Answer: A - CloudWatch Alarm monitors the metric and publishes to an SNS topic which
emails subscribers.
Q21. Connect an on-premise data center to VPC using private dedicated connection. (A)
VPN (B) Direct Connect (C) Internet Gateway (D) VPC Peering
Answer: B - Direct Connect (DX) is a dedicated physical fiber link, avoiding the public
internet.
Q22. Automate creation of AWS infrastructure using code. (A) CloudFormation (B)
CodeBuild (C) Config (D) Systems Manager
Answer: A - CloudFormation (or Terraform/CDK) enables Infrastructure as Code (IaC).
Q23. Which service helps you check service limits (quotas) and trusted advisor checks?
(A) AWS Trusted Advisor (B) Service Quotas (C) Inspector (D) Artifact
Answer: A - Trusted Advisor checks for cost, performance, security, and service limits.
Q24. A single fixed IP address is needed for whitelisting by a 3rd party API, but you
have ASG in private subnets. (A) Private IP (B) NAT Gateway IP (C) EIP on Instances (D) ALB IP
Answer: B - Traffic from private instances goes through the NAT Gateway, which has a
static Elastic IP (EIP) you can whitelist.
Q25. Requirement for "Read after Write" consistency for new objects. (A) DynamoDB (B)
EFS (C) S3 (D) ElastiCache
Answer: C - S3 now provides strong read-after-write consistency for all object
operations (PUTs and DELETEs).
Q26. Process real-time streaming data (clickstream). (A) SQS (B) Kinesis Data Streams
(C) Glacier (D) Batch
Answer: B - Kinesis is designed for real-time big data streaming ingestion.
Q27. Run a SQL query directly on JSON data sitting in S3 without loading it. (A)
Redshift (B) Athena (C) Aurora (D) Glue
Answer: B - Amazon Athena is a serverless query service to analyze data in S3 using
standard SQL.
Q28. Fastest way to transfer 500 TB of data to AWS where internet is slow. (A) VPN (B)
Snowball Edge (C) Multipart Upload (D) Direct Connect
Answer: B - Snowball / Snowmobile is faster for massive data transfer when bandwidth is
limited (Sneakernet).
Q29. Ensure RDS database is encrypted. (A) Enable encryption at creation (B) Encrypt via
OS (C) Use SSL (D) S3 Replication
Answer: A - RDS encryption (using KMS) must be defined at instance/volume creation time
(or by copying snapshot as encrypted).
Q30. Control traffic at the subnet level (Stateless firewall). (A) Security Group (B)
NACL (Network ACL) (C) WAF (D) Route Table
Answer: B - NACLs are stateless and operate at the subnet boundary. Security Groups are
stateful and operate at the ENI/Instance level.
Q31. Provide desktop-as-a-service (DaaS) to employees. (A) Workspace (B) AppStream 2.0
(C) EC2 (D) Connect
Answer: A - Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution.
Q32. Analyze logs for potential threats (e.g. crypto mining, unusual API calls). (A)
Inspector (B) Macie (C) GuardDuty (D) Shield
Answer: C - GuardDuty is an intelligent threat detection service that analyzes
CloudTrail, VPC Flow Logs, and DNS logs.
Q33. Store credit card data (PCI-DSS) with dedicated hardware requirement. (A) Dedicated
Instances (B) Dedicated Hosts (C) Spot Instances (D) Reserved Instances
Answer: B - Dedicated Hosts provide physical server visibility and affinity, often
required for strict compliance/licensing.
Q34. Distribute incoming application traffic across multiple targets in multiple AZs.
(A) Auto Scaling (B) ELB (Elastic Load Balancer) (C) Route 53 (D) CloudFormation
Answer: B - ELK/ALB/NLB distributes traffic to healthy targets.
Q35. Cache dynamic API responses to reduce load on DB. (A) CloudFront (B) ElastiCache
(C) S3 (D) DAX
Answer: B - ElastiCache (Redis/Memcached) is used to cache DB queries/sessions. DAX is
specifically for DynamoDB.
Q36. Serverless orchestration of workflows (state machine). (A) Lambda (B) Step
Functions (C) Batch (D) SQS
Answer: B - Step Functions lets you coordinate multiple AWS services into serverless
workflows (State Machine).
Q37. Identify PII (Personally Identifiable Information) in S3 buckets. (A) GuardDuty (B)
Macie (C) Inspector (D) Shield
Answer: B - Amazon Macie uses ML to discover and protect sensitive data (PII) in S3.
Q38. Block a specific IP address from accessing your subnet. (A) Security Group (B) NACL
(C) IAM Policy (D) Route 53
Answer: B - Only NACLs support "DENY" rules. Security Groups are "ALLOW" only.
Q39. Long-term storage for backup tapes replacement. (A) S3 Standard (B) Storage Gateway
Tape Gateway (C) EBS Snapshots (D) Snowball
Answer: B - Tape Gateway (VTL) allows you to keep using existing backup software but
store "tapes" in S3/Glacier.
Q40. Access AWS services from a VPC without traffic traversing the public internet. (A)
VPC Endpoint (PrivateLink) (B) NAT Gateway (C) IGW (D) VPN
Answer: A - VPC Endpoints allow private connections to supported AWS services (S3,
DynamoDB, API Gateway, etc.).
Q41. Mount a filesystem to an EC2 instance that is high performance and temporary
(cache). (A) EBS (B) Instance Store (Ephemeral) (C) EFS (D) S3
Answer: B - Instance Store is physically attached to the host (fastest) but data is lost
on stop/terminate. Great for cache/buffers.
Q42. Which ALB feature allows routing based on the URL path (e.g. /images vs /api)? (A)
Host-based routing (B) Path-based routing (C) Query string routing (D) Geo routing
Answer: B - Path-based routing allows directing traffic to different target groups based
on URL path.
Q43. Optimize costs for steady-state usage EC2 running 24/7 for 3 years. (A) Spot
Instances (B) On-Demand (C) Reserved Instances / Savings Plans (D) Dedicated Hosts
Answer: C - RIs or Savings Plans offer significant (up to 72%) discounts for committed
usage.
Q44. Deploy code changes automatically when pushed to a repo, run tests, and deploy. (A)
CodeCommit (B) CodePipeline (C) CloudTrail (D) X-Ray
Answer: B - CodePipeline orchestrates the CI/CD stages (Source -> Build -> Deploy).
Q45. Centralize and view logs from all EC2 instances and Lambda functions. (A)
CloudWatch Logs (B) S3 (C) CloudTrail (D) VPC Flow Logs
Answer: A - CloudWatch Logs centralizes log streams from various sources.
Q46. Trace user requests as they travel through microservices architecture. (A)
CloudWatch (B) X-Ray (C) Inspector (D) Ping
Answer: B - AWS X-Ray helps developers analyze and debug production, distributed
applications (tracing).
Q47. Automatically rotate secrets for RDS. (A) Secrets Manager (B) Systems Manager
Parameter Store (C) KMS (D) IAM
Answer: A - Secrets Manager has native built-in rotation integration for RDS.
Q48. Improve read performance of a database receiving many SELECT queries. (A) Multi-AZ
(B) Read Replicas (C) Sharding (D) Larger Instance
Answer: B - Read Replicas allow you to offload read traffic from the primary instance.
Multi-AZ is for HA/DR, not performance.
Q49. A legacy application requires multicast networking support. (A) VPC with Multicast
Hub (B) Transit Gateway (C) Direct Connect (D) VPN
Answer: B - AWS Transit Gateway is the only service that natively supports IP multicast.
Q50. You need to store objects. Data must be resilient if an entire AZ is destroyed, but
cost is critical. (A) S3 One Zone-IA (B) S3 Standard-IA (C) S3 Standard (D) EBS
Answer: B - S3 Standard-IA stores data across 3+ AZs (resilient to AZ loss) but is
cheaper than Standard. One Zone-IA dies with the AZ.
Q51. EC2 instance needs to access S3 bucket in another account. (A) IAM Role on Instance
+ Bucket Policy in other account (B) Access Keys (C) VPC Peering (D) Copy data
Answer: A - Cross-account access requires an IAM Role in the source and a Bucket Policy
in the destination granting access to that Role.
Q52. Secure a highly sensitive DB. Ensure admins cannot delete the DB instances
accidentally or maliciously. (A) MFA Delete (B) IAM Condition (C) Service Control Policy (SCP) (D)
Deletion Protection
Answer: D - Enabling "Deletion Protection" on the RDS instance prevents it from being
deleted until the flag is unchecked.
Q53. A user has a Policy allowing "S3:*" but is part of a Group with a Policy "Deny
S3:DeleteObject". Effect? (A) Allowed (B) Denied (C) Prompted (D) Error
Answer: B - Explicit DENY always trumps ALLOW.
Q54. Company requires all EBS volumes to be encrypted. How to enforce this for new
volumes? (A) CloudWatch Event (B) IAM Policy (C) EBS Encryption by Default (Account Setting) (D) Lambda
Answer: C - Enabling "EBS Encryption by Default" in the EC2 dashboard ensures every new
volume created in that region is encrypted.
Q55. Website uses CloudFront. You need to geo-restrict content to US only. (A) Route 53
(B) WAF (C) CloudFront Geo Restriction (D) S3 Bucket Policy
Answer: C - CloudFront has a native "Geo Restriction" (whitelist/blacklist) feature.
Q56. DB layer needs auto-scaling for *read* traffic. (A) Multi-AZ (B) Read Replicas +
Aurora Auto Scaling (C) Larger Instance (D) Sharding
Answer: B - Amazon Aurora can automatically add/remove Read Replicas based on
CPU/Connections logic.
Q57. Which service provides a shared file system for Windows servers? (A) EFS (B) FSx
for Windows File Server (C) S3 (D) Storage Gateway
Answer: B - FSx for Windows File Server provides fully managed native Microsoft Windows
file systems (SMB).
Q58. Connect 100 VPCs together. VPC Peering is becoming a mesh nightmare. (A) Transit
Gateway (B) Direct Connect (C) VPN Hub (D) VPC Endpoints
Answer: A - Transit Gateway (TGW) acts as a central hub (router) to connect thousands of
VPCs and on-prem networks.
Q59. Disaster Recovery: RPO/RTO can be minutes. Low cost is not primary driver. (A)
Backup & Restore (B) Pilot Light (C) Warm Standby (D) Multi-Region Active-Passive
Answer: C - Warm Standby implies a scaled-down version is always running, allowing
faster failover than Pilot Light (minutes).
Q60. You need to run a script once a day for 10 minutes. (A) EC2 Reserved (B) EC2 Spot
(C) Lambda (if < 15min) (D) EventBridge Scheduler + Lambda
Answer: D - EventBridge Scheduler triggers the Lambda function daily. Lambda is
perfect for short, scheduled tasks.
Q61. Protect S3 data from accidental deletion/overwrites. (A) Replication (B)
Versioning (C) Encryption (D) MFA
Answer: B - S3 Versioning keeps multiple variants of an object. If you delete, it
inserts a delete marker, which can be undone.
Q62. Application needs extreme performance storage (100,000 IOPS) on EC2. (A) gp3
(B) io2 Block Express (C) st1 (D) sc1
Answer: B - io2 Block Express is the highest performance EBS volume type, designed
for mission-critical sub-millisecond latency.
Q63. Share a specific S3 object with a user for 10 minutes only. (A) IAM Role (B)
Presigned URL (C) Bucket Policy (D) ACL
Answer: B - Presigned URLs grant temporary access to a specific private object.
Q64. What is the difference between Security Group (SG) and NACL? (A) SG is
Stateless, NACL is Stateful (B) SG is Stateful, NACL is Stateless (C) No difference (D) SG works at
VPC level
Answer: B - Security Groups are Stateful (return traffic allowed auto). NACLs are
Stateless (must allow return explicitly).
Q65. Decrypt data inside an EC2 instance (enclave) securely. (A) KMS (B) Nitro
Enclaves (C) CloudHSM (D) Macie
Answer: B - AWS Nitro Enclaves create isolated compute environments to protect
highly sensitive data during processing.
Q66. Host a static website using custom domain and HTTPS. (A) S3 + Route 53 (B) S3 +
CloudFront + ACM (C) EC2 + Apache (D) Lightsail
Answer: B - S3 by itself supports HTTP. For HTTPS with a custom domain, you MUST
front it with CloudFront and use an ACM certificate.
Q67. Monitor for PII data leaking into a bucket. (A) Macie (B) GuardDuty (C)
Inspector (D) WAF
Answer: A - Macie is the data security service that discovers sensitive data (PII,
PHI) in S3.
Q68. EC2 in private subnet needs to access S3. Compliance says "Traffic must NOT
leave Amazon network". (A) NAT Gateway (B) VPC Endpoint (Gateway) (C) Internet Gateway (D) VPN
Answer: B - Gateway Endpoint for S3 routes traffic privately within AWS network. NAT
Gateway would work but traffic leaves subnet to NAT (though still in AWS, Endpoint is strictly
private routing).
Q69. High Velocity data ingestion (IoT sensors). (A) SQS (B) Kinesis Data Streams
(C) SNS (D) S3
Answer: B - Kinesis Data Streams is built for massive ingestion of real-time data
streams.
Q70. "Fan-out" architecture: One message needs to trigger a Lambda, an Email, and an
SQS queue. (A) SQS (B) SNS (C) Kinesis (D) Step Functions
Answer: B - SNS (Simple Notification Service) is Pub/Sub. You publish once, and it
"fans out" to all subscribers (Lambda, Email, SQS).
Q71. Cost effective DB for purely key-value lookups, millions/sec. (A) RDS (B)
DynamoDB (C) Redshift (D) Neptune
Answer: B - DynamoDB is the choice for high-scale, key-value workloads.
Q72. Prevent users from disabling CloudTrail logs in a specific account in an
Organization. (A) IAM Policy (B) Service Control Policy (SCP) (C) CloudWatch Alarm (D) Config Rule
Answer: B - SCPs (Organization level) act as guardrails. A Deny on
"cloudtrail:StopLogging" in SCP prevents ANY user (even root) in the account from doing it.
Q73. Global application. Writes go to US-East, Reads happen locally in Europe/Asia.
(A) RDS Multi-AZ (B) Aurora Global Database (C) DynamoDB Global Tables (D) S3 Replication
Answer: B - Aurora Global DB allows a primary writer in one region and low-latency
read replicas in others.
Q74. Limit the max number of requests from a single IP to your API. (A) Shield (B)
WAF Rate-based Rule (C) NACL (D) Security Group
Answer: B - AWS WAF supports "Rate-based rules" to block IPs that exceed a threshold
(e.g. 2000 req/5min).
Q75. You need to ensure an EC2 instance is placed on a distinct physical rack. (A)
Cluster Placement Group (B) Spread Placement Group (C) Partition Placement Group (D) Dedicated Host
Answer: B - Spread Placement Groups strictly place each instance on a separate rack.
(Partition distributes across groups of racks).
Q76. A company wants to prevent ANY public access to S3 buckets at the account
level. (A) Bucket Policy (B) S3 Block Public Access (C) IAM (D) NACL
Answer: B - S3 Block Public Access can be configured at the Account level to
override any bucket/object permissions.
Q77. Store JSON documents, flexible schema, query by any attribute. (A) S3 (B)
DynamoDB (C) DocumentDB (D) RDS
Answer: C - Amazon DocumentDB is MongoDB-compatible and designed specifically for
JSON document storage/querying.
Q78. Transfer 50 TB data from on-prem to S3 over internet is too slow. VPN is flaky.
(A) Direct Connect public VIF (B) AWS Snowball Edge Storage Optimized (C) Site-to-Site VPN (D)
Database Migration Service
Answer: B - For 50TB with poor connectivity, physical transfer via Snowball is the
standard recommendation.
Q79. Which Load Balancer is best for millions of requests/sec with ultra-low latency
(TCP/UDP)? (A) ALB (B) NLB (C) CLB (D) GWLB
Answer: B - Network Load Balancer (NLB) operates at Layer 4 and handles millions of
requests/sec with extremely low latency.
Q80. Grant an EC2 instance permissions to upload to S3. (A) Store keys in code (B)
IAM User (C) IAM Role attached to Instance Profile (D) Bucket Policy
Answer: C - Never store keys on EC2. Attach an IAM Role.
Q81. Authenticate users for your ALB-fronted app using Google/Facebook. (A) Cognito
User Pools (B) IAM (C) Directory Service (D) Shield
Answer: A - ALB integrates natively with Amazon Cognito to handle OIDC/SAML
authentication.
Q82. Run a short task (30s) every time an object is uploaded to S3. (A) EC2 (B)
Lambda (C) ECS (D) AppRunner
Answer: B - S3 Event Notifications triggering Lambda is the most efficient,
cost-effective serverless pattern.
Q83. "Serverless" SQL database that scales down to zero when not used. (A) RDS MySQL
(B) Aurora Serverless (C) DynamoDB (D) Redshift Serverless
Answer: B - Aurora Serverless v2 scales capacity up/down instantly; v1 can pause
(scale to zero).
Q84. Coordinate microservices where some steps might take hours (human approval).
(A) Lambda (B) Step Functions (C) SQS (D) SNS
Answer: B - Step Functions "Standard Workflows" can run for up to 1 year, perfect
for human approval steps (callbacks).
Q85. Audit configuration changes to AWS resources over time. (A) CloudTrail (B)
Config (C) CloudWatch (D) Inspector
Answer: B - AWS Config records the *configuration state* of resources (timeline of
changes), whereas CloudTrail records API *calls*.
Q86. Centralized DNS management for multiple VPCs. (A) Route 53 Resolver (B) Host
files (C) AD Connector (D) Direct Connect
Answer: A - Route 53 Resolver (Outbound/Inbound endpoints) manages DNS between VPCs
and on-premise networks.
Q87. Encrypt an existing unencrypted DB snapshot. (A) You can't (B) Copy the
snapshot and check "Encrypt" (C) Modify the snapshot settings (D) Use S3
Answer: B - You cannot encrypt an existing snapshot in place. You must copy it and
enable encryption on the copy.
Q88. Which Route 53 policy for Active-Passive failover? (A) Weighted (B) Failover
(C) Latency (D) Geolocation
Answer: B - Failover routing policy is for Active-Passive (Primary -> Secondary if
Primary unhealthy).
Q89. Improve performance for users downloading large files from S3 across the globe.
(A) S3 Transfer Acceleration (B) Direct Connect (C) VPN (D) Multipart Upload
Answer: A - S3 Transfer Acceleration uses CloudFront edge locations to route data to
S3 faster over the AWS backbone.
Q90. Securely access Linux instances without opening Port 22 (SSH). (A) Systems
Manager Session Manager (B) EC2 Instance Connect (C) Putty (D) Bastion Host
Answer: A - Session Manager allows browser-based shell access via IAM, logging
commands to CloudWatch/S3, with NO inbound ports needed.
Q91. What is the SLA for S3 Standard Durability? (A) 99.9% (B) 99.99% (C) 11 9s
(99.999999999%) (D) 100%
Answer: C - 11 9s of Durability (not to be confused with Availability, which is
99.99%).
Q92. Application needs a Graph Database. (A) DynamoDB (B) Neptune (C) RDS (D)
Timestream
Answer: B - Amazon Neptune is the managed Graph Database service (Gremlin/SPARQL).
Q93. Store Time-Series data (IoT telemetry). (A) DynamoDB (B) Timestream (C) RDS (D)
QLDB
Answer: B - Amazon Timestream is a serverless time-series database.
Q94. You need an immutable ledger for banking transactions. (A) Blockchain (B) QLDB
(Quantum Ledger DB) (C) RDS (D) DynamoDB
Answer: B - QLDB provides a transparent, immutable, cryptographically verifiable
transaction log.
Q95. Accelerate UDP traffic for online gaming globally. (A) CloudFront (B) Global
Accelerator (C) Route 53 (D) Direct Connect
Answer: B - Global Accelerator supports TCP/UDP and works well for non-HTTP gaming
use cases. CloudFront is HTTP/S.
Q96. Identify underutilized EC2 instances to save money. (A) Cost Explorer (B)
Trusted Advisor / Compute Optimizer (C) Budgets (D) CloudTrail
Answer: B - Trusted Advisor and Compute Optimizer specifically recommend rightsizing
for underutilized resources.
Q97. Mount S3 bucket as a local drive? (A) Not native (B) File Gateway (C) Volume
Gateway (D) Tape Gateway
Answer: B - File Gateway exposes S3 as an NFS/SMB share. (Mountpoint for S3 is a
newer agent, but File Gateway is the classic infrastructure answer).
Q98. Difference between SQS Standard and FIFO? (A) FIFO is cheaper (B) Standard
guarantees order (C) FIFO guarantees order and exactly-once processing (D) Standard is slower
Answer: C - FIFO = First In First Out (Strict Order) + Exactly-Once. Standard = Best
Effort order + At-Least-Once (duplicates possible).
Q99. You need to pre-warm an ALB for a massive spike (Flash Sale). (A) It happens
auto (B) Contact AWS Support (C) Use NLB (D) Adding instances
Answer: B - While ALBs scale, for *instant* massive spikes, you should contact AWS
Support to pre-warm the load balancer heat.
Q100. Best practice for Root User? (A) Use it daily (B) Create Access Keys for it
(C) Lock it away (MFA), delete keys, use only for account tasks (D) Share it
Answer: C - Lock away the root user. It has unlimited power and cannot be restricted
by IAM policies.
🚀 DEVELOPER ASSOCIATE TRACK (DVA-C02)
Additional Concepts & Questions for Developers
⚡ Developer Cheat Sheet
Lambda: 15 min max timeout. /tmp size 512MB-10GB.
Layers for dependencies. Aliases for traffic shifting.
API Gateway: 10,000 RPS (soft limit). 29s max timeout. Stage
Variables for env config. CORS enablement needed for cross-origin.
DynamoDB: RCU (4KB chunks), WCU (1KB chunks).
LSI (created ONLY at table creation, share capacity). GSI (created
anytime, own capacity). DAX = Cache.
CI/CD Files: buildspec.yml (CodeBuild),
appspec.yml (CodeDeploy).
X-Ray: Annotations (Indexed/Searchable: "GameID").
Metadata (Not indexed). Daemon listens on UDP 2000.
KMS: Envelope Encryption -> GenerateDataKey returns
Plaintext + Encrypted key.
S3 Encryption: SSE-S3 (Managed Keys), SSE-KMS
(Customer Managed), SSE-C (Client Key provided in correct header).
Q101. You need to deploy a Lambda function that connects to an RDS database in a
Private Subnet. (A) Assign a Public IP to Lambda (B) Configure Lambda with VPC Subnets and Security
Group (C) Use NAT Gateway (D) Use API Gateway
Answer: B - To access resources in a VPC (RDS, ElastiCache), the Lambda function
must be configured with the VPC's Subnets and Security Groups.
Q102. Which DynamoDB feature allows you to query data by a non-key attribute? (A)
Partition Key (B) Sort Key (C) Global Secondary Index (GSI) (D) Scan
Answer: C - GSIs allow you to create an alternate index with a different
Partition/Sort Key to support efficient queries on non-primary attributes.
Q103. Update an AWS CloudFormation stack but preview changes before applying them.
(A) Change Set (B) Stack Set (C) Drift Detection (D) Nested Stack
Answer: A - "Change Sets" allow you to preview how proposed changes to a stack might
impact your running resources before you execute them.
Q104. You need to debug performance issues in a distributed microservices
application. You want to see the "Waterfalls" of service calls. (A) CloudTrail (B) X-Ray (C)
CloudWatch Logs (D) VPC Flow Logs
Answer: B - AWS X-Ray provides end-to-end tracing capabilities, visualizing the
service map and latency "waterfalls" for each request.
Q105. Securely store and retrieve database passwords in code without hardcoding. You
also need *automatic rotation*. (A) Systems Manager Parameter Store (B) Secrets Manager (C)
Environment Variables (D) S3 Encryption
Answer: B - Secrets Manager is specifically designed for secrets (DB creds) and
supports *native automatic rotation* (unlike Parameter Store).
Q106. Your API Gateway is receiving too many requests, overwhelming your backend.
(A) Enable Caching (B) Configure Throttling (Rate Limiting) (C) Use Usage Plans (D) All of the above
Answer: D - All are valid, but Throttling (account-level or stage-level) is the
primary mechanism to protect the backend from spikes.
Q107. Which CodeDeploy Hook runs *before* traffic is shifted to the new replacement
task set? (A) BeforeInstall (B) AfterInstall (C) BeforeAllowTraffic (D) ApplicationStop
Answer: C - `BeforeAllowTraffic` is used (often with Lambda) to run validation tests
on the new deployment *before* the Load Balancer routes actual traffic.
Q108. Lambda function is failing because the deployment package is 100MB (too
large). (A) Request limit increase (B) Use S3 to upload ZIP (C) Use Lambda Layers (D) Use EC2
Answer: C - Lambda Layers allow you to separate dependencies (numpy, pandas, SDKs)
from your function code, keeping the deployment package small.
Q109. Ensure writes to DynamoDB are durable across multiple regions (Active-Active).
(A) DynamoDB Streams (B) Global Tables (C) DAX (D) Read Replicas
Answer: B - DynamoDB Global Tables provide a fully managed, multi-region, and
multi-active database (writes in any region replicate to all others).
Q110. You need to enable Cross-Origin Resource Sharing (CORS) for your Serverless
API. (A) Enable CORS on S3 (B) Enable CORS on API Gateway methods (C) Enable CORS on Lambda (D) Use
CloudFront
Answer: B - If using API Gateway, you must Enable CORS on the resources/methods to
allow browsers to call the API from a different domain.
Q111. Which buildspec.yml phase is used to install dependencies? (A) pre_build (B)
build (C) install (D) post_build
Answer: C - The `install` phase is dedicated to installing package dependencies
(e.g. `npm install`, `pip install`).
Q112. Handle "Hot Partitions" in DynamoDB caused by a bad Partition Key design. (A)
Increase WCU (B) Use DAX (C) Improve Key Design (add random suffix/sharding) (D) Use S3
Answer: C - The root cause of hot partitions is uneven data distribution. The fix is
to choose a better Partition Key or use "Write Sharding".
Q113. Authenticate users to your API Gateway using a 3rd party (e.g. Auth0) token.
(A) IAM Authorizer (B) Cognito User Pool Authorizer (C) Lambda Authorizer (Custom) (D) Resource
Policy
Answer: C - Lambda Authorizers (formerly Custom Authorizers) allow you to validate
bearer tokens from any 3rd party provider using custom logic.
Q114. Trace an item change in DynamoDB and trigger a Lambda function. (A) Kinesis
Data Streams (B) DynamoDB Streams (C) CloudWatch Events (D) SNS
Answer: B - DynamoDB Streams captures a time-ordered sequence of item modifications
(INSERT, MODIFY, DELETE) which can trigger Lambda.
Q115. Your Lambda function needs to process items from a Kinesis Data Stream in
order. (A) Use FIFO Queue (B) Kinesis guarantees order per Shard (C) Use Step Functions (D) Use SQS
Answer: B - Kinesis guarantees order *within a shard*. Lambda processes records from
each shard sequentially.
Q116. Which deployment strategy shifts traffic 10% every 10 minutes? (A) Canary (B)
Linear (C) All-at-Once (D) Blue/Green
Answer: B - Linear deployment shifts traffic in equal increments over a set time
(e.g. "Linear10PercentEvery10Minutes"). Canary is usually a small step then jump.
Q117. X-Ray: You want to add custom data to a trace that you can *search* and filter
by (e.g. "GameID"). (A) Metadata (B) Annotations (C) Segments (D) Subsegments
Answer: B - "Annotations" are key-value pairs indexed for use with filter
expressions. "Metadata" is not indexed.
Q118. Optimize DynamoDB cost for a table with infrequent, unpredictable access. (A)
Provisioned Capacity (B) On-Demand Capacity (C) Reserved Capacity (D) Auto Scaling
Answer: B - On-Demand capacity is best for unpredictable ("spiky") or infrequent
workloads as you pay only for what you use (per request).
Q119. Secure your S3 bucket so ONLY CloudFront can access it (prevent direct
access). (A) Signed URLs (B) Origin Access Control (OAC) / Identity (OAI) (C) Bucket Policy (D) WAF
Answer: B - Configuring CloudFront OAC (recommended) or OAI and updating the S3
Bucket Policy restricts access to only the CloudFront distribution.
Q120. Which CLI command allows you to assume an IAM Role? (A) aws iam create-role
(B) aws sts assume-role (C) aws get-session-token (D) aws configure
Answer: B - `aws sts assume-role` returns the temporary security credentials
(AccessKey, SecretKey, SessionToken) for the role.
Q121. Serverless "Choreography" pattern: Services communicate via events without a
central coordinator. (A) Step Functions (B) EventBridge (C) Batch (D) SWF
Answer: B - EventBridge (Event Bus) enables the "Choreography" pattern where
services publish/subscribe to events loosely decoupled. (Step Functions is "Orchestration").
Q122. Encrypt environment variables in a Lambda function helper. (A) Use KMS (B) Use
S3 (C) Use RDS (D) Use Base64
Answer: A - Lambda environment variables are encrypted at rest by default, but you
can use "Helpers" to encrypt sensitive vars using a specific KMS key.
Q123. Which Elastic Beanstalk deployment policy requires NO downtime and maintains
full capacity? (A) All at once (B) Rolling (C) Rolling with additional batch (D) Immutable
Answer: C - "Rolling with additional batch" launches a new batch of instances first,
ensuring capacity never drops below 100% during deployment.
Q124. Store the state of a user's shopping cart session (Speed is priority). (A) S3
(B) ElastiCache (Redis) (C) Glacier (D) EFS
Answer: B - Redis is the standard for in-memory session stores (shopping carts)
requiring sub-millisecond access.
Q125. A developer accidentally committed a 500MB file to CodeCommit. How to fix? (A)
git rm (B) git filter-branch (or BFG Repo-Cleaner) (C) Delete repo (D) Ignore
Answer: B - To completely remove a large file from git history (to reduce repo
size), you must use `git filter-branch` or the BFG tool.
Q126. You need to route API Gateway traffic to different versions of Lambda (v1, v2)
based on a "canary" weight. (A) Use Lambda Aliases (B) Use Route 53 (C) Use ALB (D) Use CloudFront
Answer: A - Lambda Aliases support "Traffic Shifting" (routing weights) between two
function versions.
Q127. Which S3 Bucket Policy Principle grants access to "Anyone"? (A) "Principal":
"Everyone" (B) "Principal": "*" (C) "Principal": "Public" (D) "Principal": "Anonymous"
Answer: B - A wildcard `*` in the Principal field means any anonymous user (Public
Access).
Q128. Handle duplicate messages in an SQS Standard Queue. (A) They don't happen (B)
Use Idempotency in the consumer (C) Use FIFO (D) Delete queue
Answer: B - Standard Queues guarantee "At-Least-Once" delivery (duplicates
possible). The application must handle idempotency (converting duplicates to no-op).
Q129. Instrument your application code to send custom metrics to CloudWatch. (A)
Embedded Metric Format (EMF) (B) CloudTrail (C) X-Ray (D) VPC Flow Logs
Answer: A - CloudWatch Embedded Metric Format (EMF) allows generating custom metrics
from logs asynchronously, avoiding API blocking.
Q130. You need to run a Docker container for 15 minutes to process a file. (A)
Lambda (B) Fargate (ECS) Task (C) EC2 Reserved (D) AppRunner
Answer: B - Lambda has a 15-minute timeout. If the job runs exactly or slightly
over, Fargate Tasks are safer and still serverless.
Q131. Which API Gateway type is lowest cost and optimized for Lambda? (A) REST API
(B) HTTP API (C) WebSocket API (D) Private API
Answer: B - HTTP APIs are designed to be lighter, faster, and cheaper (up to 71%)
than REST APIs for serverless workloads.
Q132. What file defines the SAM (Serverless Application Model) infrastructure? (A)
buildspec.yml (B) template.yaml (C) appspec.yml (D) serverless.json
Answer: B - SAM uses a `template.yaml` (extension of CloudFormation) to define
functions, APIs, and tables.
Q133. Limit a specific tenant to 50 requests/sec on your API. (A) Usage Plans & API
Keys (B) WAF (C) Shield (D) IAM
Answer: A - API Gateway Usage Plans (linked to API Keys) allow granular throttling
and quotas per client/tenant.
Q134. Ensure CodePipeline stops if a test fails. (A) It does automatically (B)
Manual intervention (C) SNS (D) CloudWatch
Answer: A - If any action (like CodeBuild running tests) fails, the Pipeline stops
execution at that stage.
Q135. Your app needs to support "Sticky Sessions" (Session Affinity). (A) ALB (B)
NLB (C) Route 53 (D) Global Accelerator
Answer: A - Application Load Balancers (ALB) verify session cookies to route the
user to the same target instance.
Q136. Monitor the deep internals of your Java app (JVM heap, garbage collection,
threads). (A) CloudWatch Default (B) CloudWatch Application Insights / Profiler (C) CloudTrail (D)
Config
Answer: B - Application Insights / FindBugs / Profiler provide deep runtime
visibility into code performance (Java, Python, etc.).
Q137. Which IAM Policy element creates an "Exception" to a statement? (A) NotAction
/ NotResource / NotPrincipal (B) Exception (C) Deny (D) Allow
Answer: A - `NotResource` allows the policy to apply to "everything EXCEPT this".
(e.g. Allow * on NotResource: ProductionBucket).
Q138. Efficiently query S3 data using "S3 Select". (A) It retrieves the whole object
(B) It filters data *on the S3 server side* sending back only the result (C) It uses Athena (D) It
uses Redshift
Answer: B - S3 Select improves performance by filtering CSV/JSON content within S3,
transferring less data over the network.
Q139. Automate the creation of a "Dev" environment every morning. (A) CloudFormation
(B) Console click (C) EBS Snapshots (D) Route 53
Answer: A - Infrastructure as Code (CloudFormation/CDK) is the standard for
ephemeral environment creation.
Q140. Which database supports Graph data (relationships)? (A) RDS (B) Neptune (C)
DynamoDB (D) DocumentDB
Answer: B - Amazon Neptune is a fully managed Graph database (social networks,
recommendation engines).
Q141. Your Lambda reads from a Kinesis Stream. You get
"ProvisionedThroughputExceededException". (A) Increase Lambda memory (B) Increase Kinesis Shards (C)
Reduce Lambda timeout (D) Configure Retry
Answer: B - Throughput is bound by shards (1MB/sec write, 2MB/sec read). To scale
up, you must "Reshard" (split shards) to increase capacity.
Q142. A developer needs to upload a 5GB file to S3 effectively. (A) PUT Object (B)
Multipart Upload (C) Zip it (D) Email it
Answer: B - Multipart Upload is recommended for >100MB and *required* for singular
objects >5GB (though S3 limit is 5TB, simple PUT tops out at 5GB).
Q143. Decouple a monolithic app. Order Service must accept orders even if Inventory
Service is down. (A) REST API (B) SQS Queue (C) Direct Call (D) Shared DB
Answer: B - A queue buffers the requests. The Inventory service can process them
when it recovers.
Q144. Which tool allows you to debug Lambda locally? (A) AWS SAM CLI (B) AWS Console
(C) CloudShell (D) CodeStar
Answer: A - `sam local invoke` and `sam local start-api` allow testing Lambda/API
Gateway locally using Docker.
Q145. Store user session state for an app scaling across multiple regions. (A)
DynamoDB Global Tables (B) S3 (C) EBS (D) Instance Store
Answer: A - Global Tables provide multi-master replication, ideal for session state
that needs to follow the user globally.
Q146. Secure your API key in a mobile app. (A) Hardcode it (B) Store in S3 (C) You
can't secure it fully on client; use Cognito/Authentication flow instead (D) Use WAF
Answer: C - Anything on a mobile device can be extracted. The best practice is to
exchange user credentials (Cognito) for temporary AWS keys.
Q147. Perform "Blue/Green" deployment on ECS. (A) CodeDeploy (B) CodeBuild (C)
CodeCommit (D) CloudTrail
Answer: A - CodeDeploy can completely manage traffic shifting (Blue/Green) for ECS
services and Lambda functions.
Q148. Optimistic Locking in DynamoDB prevents overwrites. It uses: (A) Version
Number attribute (B) Timestamp (C) Read Locks (D) Global Lock
Answer: A - You pass a condition `attribute_exists` checking a Version Number. If
the version on server > version you have, the write fails.
Q149. "Cold Start" in Lambda is mitigated by: (A) Provisioned Concurrency (B) More
Memory (C) Keep-warm scripts (D) Ignoring it
Answer: A - Provisioned Concurrency keeps a specified number of environments
initialized and ready to respond in double-digit ms.
Q150. Which CLI pagination option handles large output? (A) --no-paginate (B)
--starting-token / --max-items (C) --filter (D) --zip
Answer: B - To handle large lists, you use `--max-items` to limit page size and
`--starting-token` (NextToken) to fetch the next page.
Q151. Connect your on-premise data center to VPC using both Direct Connect (Primary)
and VPN (Backup). (A) Use Transit Gateway or VGW (B) Use only VPN (C) Use two Direct Connects (D)
Use Internet
Answer: A - This is a classic Hybrid HA pattern. If DX fails, BGP routing fails over
to the Site-to-Site VPN.
Q152. Improve CloudFront performance for dynamic content (PUT/POST) that cannot be
cached. (A) S3 Transfer Acceleration (B) CloudFront Dynamic Caching (C) Lambda@Edge (D) Use
CloudFront as a fast proxy using AWS backbone
Answer: D - Even without caching, CloudFront accelerates dynamic content by routing
traffic over the optimized AWS global network (shielding from public internet jitter).
Q153. Multi-Region Disaster Recovery with RTO < 15 mins. (A) Backup & Restore (B)
Pilot Light (C) Warm Standby (D) Active-Active
Answer: C - Warm Standby keeps a scaled-down version of the app running.
Scaling it up takes minutes, fitting the <15 min RTO. (Pilot Light usually takes
longer).
Q154. You need to migrate 200 TB of data to S3 but can't use a physical
device (Security policy). You have a 10Gbps Direct Connect. (A) Snowball (B) DataSync
(C) S3 Console (D) FTP
Answer: B - AWS DataSync is an online transfer service optimized to
maximize saturation of the 10Gbps DX link for large transfers.
Q155. Resolve DNS queries from your On-premise network for AWS private
hosted zones. (A) Route 53 Inbound Resolver Endpoint (B) Route 53 Outbound Resolver
Endpoint (C) Conditional Forwarder (D) Public Zone
Answer: A - The Inbound Endpoint allows on-premise DNS servers to
forward queries to Route 53 for AWS private domains.
Q156. Microservices architecture. Service A needs to call Service B.
Discovery should be dynamic. (A) Hardcode IP (B) AWS Cloud Map / Route 53 (C) Text file
(D) Excel
Answer: B - AWS Cloud Map allows services to register themselves and
others to discover them via API or DNS (Service Discovery).
Q157. Securely access AWS services from an EC2 instance in a private
subnet, keeping traffic private. (A) NAT Gateway (B) VPC Endpoint (Interface or Gateway)
(C) Egress-Only IGW (D) VPN
Answer: B - VPC Endpoints are the most secure way for private access.
(Gateway for S3/Dynamo, Interface for others).
Q158. Which routing policy routes traffic to the endpoint with the
lowest network latency? (A) Geolocation (B) Geoproximity (C) Latency (D) Weighted
Answer: C - Latency routing measures the round-trip time from the user
to the AWS region and routes to the fastest one.
Q159. Create a specialized firewall rule to block traffic from a
specific country (e.g. Embargoed nation) for the *entire* VPC. (A) Security Group (B)
WAF (C) Network Firewall (D) NACL
Answer: C - AWS Network Firewall provides stateful, managed network
protection for your VPC, including domain/IP filtering (Suricata compatible). NACL is
too simple (no geo), WAF is Layer 7 only.
Q160. Share a Directory Service (Microsoft AD) across multiple accounts.
(A) AD Connector (B) Simple AD (C) Directory Sharing (D) Trust Relationship
Answer: C - AWS Managed Microsoft AD allows you to share the directory
with other AWS accounts (Seamless Domain Join).
Q161. Migrate a VMware vSphere setup to AWS "As-is" (Lift & Shift)
quickly. (A) EC2 Import (B) VMware Cloud on AWS (C) DMS (D) Re-platform
Answer: B - VMC on AWS allows you to run your VMware stack directly on
bare-metal AWS infrastructure without changing code or tooling.
Q162. Cost Optimization: You have a stable workload but need flexibility
to change instance families later. (A) Standard RI (B) Convertible RI (C) Spot (D)
Savings Plan (Compute)
Answer: D - Compute Savings Plans offer similar discounts to Convertible
RIs but with much greater flexibility (move between Fargate, Lambda, EC2 families).
Q163. S3 Object Lock requires which feature to be enabled? (A)
Encryption (B) Versioning (C) Logging (D) MFA
Answer: B - Object Lock (WORM - Write Once Read Many) works on specific
version IDs, so Versioning is a prerequisite.
Q164. Control access to a specific API Gateway stage using IP
whitelisting. (A) Security Group (B) Resource Policy on API Gateway (C) NACL (D) IAM
Answer: B - API Gateway Resource Policies allow you to define Allow/Deny
rules based on source IP ranges (CIDR blocks).
Q165. Decouple a monolithic legacy app where the consumer is SLOWER than
the producer. (A) SNS (B) SQS (C) Kinesis (D) EventBridge
Answer: B - A Queue (SQS) is the classic buffer. It absorbs the burst
from the fast producer and lets the slow consumer process at its own pace.
Q166. A company needs to run thousands of batch computing jobs. (A) AWS
Batch (B) Lambda (C) Step Functions (D) Systems Manager
Answer: A - AWS Batch dynamically provisions the optimal quantity and
type of compute resources (e.g., CPU or memory optimized instances) based on volume.
Q167. Which service provides centralized backup management for EBS, RDS,
DynamoDB, EFS? (A) AWS Backup (B) S3 (C) Glacier (D) Snapshot Manager
Answer: A - AWS Backup is a policy-based service to centralize and
automate data protection across AWS services.
Q168. Grant a 3rd party auditor Read-Only access to your account. (A)
Creating IAM User + Keys (B) Cross-Account Role with External ID (C) Share Password (D)
Open SG
Answer: B - The secure pattern is: Create a Role in your account, trust
the Auditor's Account ID, and require an "External ID" (secret) to prevent Confused
Deputy problem.
Q169. Improve performance of global users uploading large videos to S3.
(A) S3 Transfer Acceleration (B) Multipart Upload (C) CloudFront (D) VPN
Answer: A - S3 Transfer Acceleration uses CloudFront Edge Locations to
route uploads to S3 over the AWS backbone network (faster than public internet).
Q170. Which disaster recovery strategy has the HIGHEST cost? (A) Backup
& Restore (B) Pilot Light (C) Warm Standby (D) Multi-Site Active/Active
Answer: D - Active/Active requires running full capacity in two regions
simultaneously (Double the cost).
Q171. A legacy app uses hardcoded IP addresses. You need to migrate to
cloud but keep IPs. (A) Bring Your Own IP (BYOIP) (B) EIP (C) NAT (D) VPN
Answer: A - BYOIP allows you to bring your own publicly routable IP
address range to AWS to avoid breaking hardcoded dependencies.
Q172. Securely connect multiple VPCs and On-premise locations with a
single hub. (A) Transit Gateway (B) VPC Peering (C) Direct Connect Gateway (D) VPN
CloudHub
Answer: A - Transit Gateway solves the "peering mesh" complexity problem
by acting as a central regional router.
Q173. Ensure your EKS cluster control plane logs are audited. (A) Enable
Control Plane Logging to CloudWatch (B) Check node logs (C) Check Pod logs (D) WireShark
Answer: A - You must explicitly enable "Control Plane Logging" (API
server, Audit, Authenticator) in EKS to send them to CloudWatch Logs.
Q174. Which service allows you to query logs in S3, CloudWatch, and JSON
files using SQL? (A) Athena (B) Redshift (C) RDS (D) Aurora
Answer: A - Athena is the serverless interactive query service for S3.
Q175. Prevent sensitive data from leaving the network (Data
Exfiltration) via DNS. (A) Route 53 Resolver DNS Firewall (B) WAF (C) Shield (D)
Security Group
Answer: A - Route 53 Resolver DNS Firewall lets you filter and block
outbound DNS queries to known malicious domains.