📝 Practice Test 3 — All Domains Mixed
Time: 130 minutes | Questions: 65 | Domain: All Domains
Question 1
A company needs to store application logs for 7 years to meet compliance requirements. The logs are accessed rarely (2-3 times per year) and retrieval can take up to 12 hours. Which S3 storage class is MOST cost-effective?
A) S3 Standard B) S3 Standard-IA C) S3 Glacier Deep Archive D) S3 One Zone-IA
Question 2
An EC2 instance running a database needs a block storage device that provides up to 64,000 IOPS. Which EBS volume type should be used?
A) gp3 B) io2 Block Express C) st1 D) sc1
Question 3
A company wants to encrypt data in transit between its on-premises data center and AWS. Which service should be used?
A) AWS KMS B) Site-to-Site VPN C) AWS Certificate Manager D) S3 SSE-KMS
Question 4
A company runs a containerized application on ECS with Fargate. They want to store sensitive configuration data (database passwords, API keys) securely. Which service should be used?
A) Parameter Store B) Secrets Manager C) KMS D) IAM
Question 5
An application uses S3 to store user-uploaded images. When a new image is uploaded, it needs to be processed (thumbnail generation, metadata extraction). Which approach minimizes latency and operational overhead?
A) Scheduled Lambda function that polls S3 every minute B) S3 event notification that triggers a Lambda function C) EC2 instance running a service to watch for new files D) SQS queue that Lambda polls periodically
Question 6
A company needs to provide temporary, time-limited access to an S3 object for a customer. What is the MOST secure way?
A) Make the object public B) Share the S3 URL directly C) Generate a pre-signed URL D) Grant IAM access to the customer
Question 7
Which of the following are valid use cases for Amazon ElastiCache? (Select TWO)
A) Storing user session data B) Long-term data archival C) Database read caching D) Data warehousing E) Relational database primary storage
Question 8
A company’s application running on EC2 needs to access DynamoDB without traversing the internet. What is the MOST secure and cost-effective solution?
A) NAT Gateway in a public subnet B) VPC Gateway Endpoint for DynamoDB C) Internet Gateway D) VPC Peering to DynamoDB
Question 9
A company has a message processing workload that requires messages to be processed in order. There are also dependent messages that must be deleted if the parent message fails. Which service should be used?
A) SQS Standard Queue B) SQS FIFO Queue C) SNS Topic D) Kinesis Data Streams
Question 10
A company needs to monitor the CPU utilization of EC2 instances and trigger an Auto Scaling event when utilization exceeds 80% for 5 minutes. Which services are required? (Select TWO)
A) CloudWatch Alarm B) CloudTrail C) Auto Scaling policy D) Config E) VPC Flow Logs
Question 11
A company needs to transfer 100 TB of data from their on-premises data center to AWS. The internet connection is slow and unreliable. What is the FASTEST way to transfer this data?
A) AWS DataSync over the internet B) AWS Snowball Edge C) Site-to-Site VPN D) Direct Connect
Question 12
Which components are part of the AWS Global Infrastructure? (Select TWO)
A) Availability Zones B) Virtual Private Cloud (VPC) C) Edge Locations D) Security Groups E) Subnets
Question 13
A company has a production RDS database and wants to run analytics queries without impacting production performance. What should they do?
A) Enable Multi-AZ B) Create a read replica C) Increase the instance size D) Enable Performance Insights
Question 14
An application generates 10 TB of log files daily. The data is analyzed in real-time for anomalies. Which service should ingest the data?
A) Amazon S3 B) Amazon Kinesis Data Streams C) Amazon SQS D) Amazon RDS
Question 15
A company wants to enforce that all S3 buckets have encryption enabled. Which AWS service can automatically detect and report non-compliant buckets?
A) GuardDuty B) AWS Config C) CloudTrail D) Trusted Advisor
Question 16
A company runs a web application on EC2 behind an ALB. The application stores and retrieves small objects (1-10 KB) frequently. The current architecture uses an RDS database and is experiencing high read latency. Which service would provide the LOWEST latency for reading this data?
A) ElastiCache for Redis B) DynamoDB Accelerator (DAX) C) S3 with CloudFront D) RDS read replicas
Question 17
A company needs to establish a dedicated, private, high-bandwidth connection between their on-premises data center and AWS. Which service should be used?
A) Site-to-Site VPN B) AWS Direct Connect C) VPC Peering D) Transit Gateway
Question 18
An application runs on EC2 instances in an Auto Scaling group. The application needs to process a batch of work when each instance starts. What should be configured?
A) User data scripts B) Lifecycle hooks with a custom action C) CloudWatch Events D) SQS queue for pending work
Question 19
Which AWS service provides a fully managed container orchestration service compatible with Kubernetes?
A) ECS B) EKS C) Fargate D) ECR
Question 20
A company wants to give their data scientists a way to run Jupyter notebooks on managed infrastructure. Which service should be used?
A) EMR B) SageMaker C) Athena D) Redshift
Question 21
A company needs to store backups of on-premises data in AWS. The backup software supports the S3 protocol. Which service provides a hybrid storage gateway for this purpose?
A) AWS Storage Gateway — File Gateway B) AWS Storage Gateway — Volume Gateway C) AWS Storage Gateway — Tape Gateway D) AWS DataSync
Question 22
A company runs an application on EC2 instances that need to access an S3 bucket. The application also needs to access a corporate data center via VPN. The EC2 instances are in private subnets. What is the MINIMUM number of route tables needed?
A) 1 B) 2 C) 3 D) 4
Question 23
A company uses CloudFront to distribute content globally. They want to implement a content restriction policy that blocks users from specific countries. Which feature should be used?
A) Geo-restriction B) Signed URLs C) WAF geo-match conditions D) Origin Access Control
Question 24
An organization needs to share resources between two VPCs in different AWS accounts. The VPCs must communicate using private IP addresses. Which solution should be used?
A) VPC Peering B) Internet Gateway C) NAT Gateway D) Direct Connect
Question 25
Which statement best describes the AWS shared responsibility model?
A) AWS is responsible for everything in the cloud B) The customer is responsible for everything in the cloud C) AWS is responsible for security OF the cloud; the customer is responsible for security IN the cloud D) Security is equally shared for all aspects
Question 26
A company needs to archive data from S3 Standard to Glacier Deep Archive after 90 days and delete after 7 years. What should be configured?
A) S3 Object Lock B) S3 Lifecycle policy C) S3 Batch Operations D) S3 Replication
Question 27
A company runs a production database on RDS for SQL Server. They need to test an application change against a copy of the production database without impacting production. What is the MOST efficient way to create a test copy?
A) Take a manual snapshot of the production DB and restore as a new instance B) Create a read replica and promote it C) Enable Multi-AZ and use the standby instance D) Export the database to S3 and import into a new instance
Question 28
A company needs to send alerts to an operations team when specific CloudWatch metrics cross a threshold. Which service should receive the CloudWatch alarm action?
A) SQS B) SNS C) SES D) EventBridge
Question 29
Which AWS service can be used to create a visual dashboard of AWS resource health and performance?
A) CloudWatch Dashboards B) QuickSight C) AWS Config D) Trusted Advisor
Question 30
A company runs a web application that needs to read and write to a shared file system from multiple EC2 instances concurrently. The file system must be accessible across AZs. Which service should be used?
A) EBS Multi-Attach B) Amazon EFS C) Instance Store D) S3
Question 31
A company runs a Lambda function that processes messages from an SQS queue. The SQS queue receives 10,000 messages per second, but the Lambda function can only process 1,000 per second. How should this be handled?
A) Increase the Lambda function memory B) Use SQS extended client library C) Configure SQS event source mapping with batch size and reserved concurrency D) Reduce the SQS queue retention period
Question 32
A company needs to ensure that an EC2 instance can reach the internet for software updates but cannot be reached from the internet. Which architecture should be used?
A) EC2 in a public subnet with a security group allowing outbound traffic B) EC2 in a private subnet with a NAT Gateway in a public subnet C) EC2 in a private subnet with an Internet Gateway D) EC2 in a public subnet with a network ACL blocking inbound traffic
Question 33
Which AWS service allows you to centrally manage access to multiple AWS accounts and provide single sign-on (SSO)?
A) IAM B) Organizations C) IAM Identity Center D) Cognito
Question 34
A company runs a fleet of EC2 instances that process financial transactions. All instances must run on physically isolated hardware. Which placement group strategy should be used?
A) Cluster Placement Group B) Spread Placement Group C) Partition Placement Group D) No placement group needed
Question 35
A company needs to manage public TLS/SSL certificates for their website hosted on AWS. Which service automatically renews certificates?
A) AWS Certificate Manager (ACM) B) AWS KMS C) IAM D) Secrets Manager
Question 36
A company needs to store configuration data that is shared across multiple EC2 instances. The data must be encrypted and versioned. The data is updated several times per day. Which service provides these capabilities at the LOWEST cost?
A) DynamoDB B) Secrets Manager C) Systems Manager Parameter Store D) S3
Question 37
A company runs an application on EC2 instances behind an ALB. The application must support HTTP/2 and gRPC protocols. Which load balancer type supports these features?
A) Network Load Balancer B) Application Load Balancer C) Gateway Load Balancer D) Classic Load Balancer
Question 38
A company wants to enforce that all new IAM users created in their account must have multi-factor authentication (MFA) enabled. How should this be enforced?
A) IAM password policy B) IAM policy that denies access if MFA is not configured C) AWS Config rule D) Service Control Policy
Question 39
A company runs a web application that uses S3 to store user-generated content. The application must serve content privately to authenticated users only. Which architecture is MOST secure and scalable?
A) S3 bucket with public read access and CloudFront B) Signed URLs generated by the application using AWS SDK C) IAM users for each application user D) S3 bucket policy granting access to all authenticated users
Question 40
A solutions architect needs to design a system for processing real-time stock market data. The system must handle 100,000 messages per second with low latency. Which service should ingest the data?
A) SQS Standard Queue B) SQS FIFO Queue C) Kinesis Data Streams D) SNS Topic
Question 41
A company has deployed a web application on EC2 instances in multiple AZs behind an ALB. The security team requires that all traffic between the ALB and EC2 instances be encrypted. How should this be configured?
A) Use an NLB instead of ALB B) Configure HTTPS listeners on the ALB and install certificates on EC2 instances C) Use a VPN connection between ALB and EC2 D) Use a VPC peering connection
Question 42
A company runs a critical application on EC2 instances. The application must maintain the same performance regardless of underlying hardware changes. Which instance type should be used?
A) t3 (Burstable) B) m5 (General Purpose) C) c5n (dedicated tenancy) D) z1d (High frequency)
Question 43
A company needs to provide a way for developers to deploy updates to their applications with minimal risk. They want to deploy a new version to a portion of the target group and gradually shift traffic. Which deployment type supports this?
A) Blue/Green deployment B) Canary deployment C) Rolling deployment D) All-at-once deployment
Question 44
A company runs an RDS database with automated backups enabled. They accidentally delete a table. How can the data be recovered?
A) Restore from the latest automated backup to a new DB instance B) Use the RDS console to undelete the table C) Enable Multi-AZ to failover to the standby D) Use a read replica to recover the data
Question 45
A company needs to ensure that a specific EBS snapshot can be recovered quickly to minimize RTO. Which EBS feature should be enabled?
A) Fast Snapshot Restore (FSR) B) EBS Multi-attach C) EBS Encryption D) EBS Elastic Volumes
Question 46
A company runs a global SaaS application with customers in North America, Europe, and Asia. The application needs to route users to the nearest healthy endpoint. Which Route 53 routing policy should be used?
A) Geolocation B) Latency C) Weighted D) Failover
Question 47
A company wants to compare the costs of different AWS services and get recommendations to reduce spending. Which tool provides these capabilities?
A) AWS Budgets B) AWS Cost Explorer C) Trusted Advisor D) AWS Compute Optimizer
Question 48
An application requires a relational database with automated failover, read replicas, and up to 128 TB of storage. Which service meets these requirements?
A) RDS MySQL B) Aurora MySQL C) DynamoDB D) Redshift
Question 49
A company needs to analyze network traffic patterns in their VPC to troubleshoot connectivity issues. Which service provides this information?
A) CloudTrail B) VPC Flow Logs C) AWS Config D) CloudWatch Metrics
Question 50
An application running on EC2 needs to access an S3 bucket frequently. The EC2 instance is in a private subnet with a NAT Gateway. What is the MOST cost-effective way to optimize this access?
A) Use S3 Transfer Acceleration B) Create a VPC Gateway Endpoint for S3 C) Use an S3 proxy on the NAT Gateway D) Move the EC2 instance to a public subnet
Question 51
A company runs a critical application on EC2 instances in an Auto Scaling group. The application needs to drain connections before instances are terminated. What should be configured?
A) Lifecycle hooks with a custom action to drain connections B) ALB connection draining C) Increase the health check grace period D) Use an NLB instead of an ALB
Question 52
Which AWS service can be used to orchestrate multi-step workflows, such as processing orders or managing approval workflows?
A) Lambda B) Step Functions C) EventBridge D) SQS
Question 53
A company needs to provide temporary security credentials for users of their mobile application. Which service should be used?
A) IAM Users B) Cognito Identity Pools C) IAM Roles D) STS
Question 54
A company runs a Lambda function that performs CPU-intensive image processing. The function currently has 1,280 MB of memory and completes in 10 seconds. The company wants to reduce execution time and potentially cost. What should be adjusted?
A) Increase the memory allocation (which also increases CPU allocation) B) Decrease the memory allocation to reduce cost C) Increase the timeout D) Use provisioned concurrency
Question 55
A company uses AWS Organizations with multiple accounts. They need to define common tags (CostCenter, Environment) for all resources created in member accounts. Which service should enforce this?
A) AWS Config B) Service Catalog C) IAM D) Tag Policies
Question 56
A company runs a Docker-based application on EC2 instances. They want to migrate to a managed container service with the least operational overhead. Which service should be used?
A) ECS with EC2 launch type B) ECS with Fargate C) EKS with managed node groups D) Elastic Beanstalk with Docker
Question 57
A company needs to monitor failed API calls in their AWS account to detect security issues. Which service logs this information?
A) CloudWatch Logs B) AWS CloudTrail C) AWS Config D) VPC Flow Logs
Question 58
An application uses S3 to store files. The application must ensure that once a file is written, it cannot be modified or deleted by any user, including the root user. Which S3 feature provides this protection?
A) S3 Versioning B) S3 Object Lock in compliance mode C) S3 Object Lock in governance mode D) S3 MFA Delete
Question 59
A company runs a batch processing job on EC2 instances that takes 2 hours to complete. The job runs once per week and can tolerate interruptions. What is the MOST cost-effective compute option?
A) On-Demand EC2 instances B) Spot Instances C) Reserved Instances D) Dedicated Hosts
Question 60
A company uses CloudFront to distribute content from an S3 bucket. They need to restrict access so that users can only access content through CloudFront and not directly from S3. Which solution should be used?
A) S3 bucket policy that denies direct access B) Origin Access Control (OAC) and an S3 bucket policy that only allows CloudFront C) CloudFront signed URLs D) S3 Block Public Access
Question 61
A company runs a web application on EC2 instances. They want to offload SSL/TLS termination to reduce the load on their instances. Which service should be used?
A) CloudFront B) ALB C) NLB D) Global Accelerator
Question 62
A company needs to create a new RDS instance that is a point-in-time copy of their production database. The copy must be available within 2 hours. Which approach is FASTEST?
A) Create a read replica from the production DB and promote it B) Restore from the latest automated backup to a new instance C) Export the production DB to S3 using DataSync and import to a new instance D) Take a manual snapshot and restore to a new instance
Question 63
A company needs to isolate a development environment from a production environment within a single AWS account. Both environments use different subnets. Which mechanism provides the STRONGEST isolation?
A) Different security groups for dev and prod B) Different network ACLs for dev and prod subnets C) Separate VPCs for dev and prod D) Different route tables for dev and prod subnets
Question 64
A company runs an application on EC2 instances that need to access DynamoDB. The EC2 instances are in a private subnet with a NAT Gateway. The company wants to reduce NAT Gateway data processing costs. What should be done?
A) Create a VPC Gateway Endpoint for DynamoDB B) Move the EC2 instances to public subnets C) Use SQS instead of DynamoDB D) Increase the NAT Gateway capacity
Question 65
A company needs to store sensitive configuration data such as database passwords and API keys. The data must be automatically rotated every 30 days. Which service should be used?
A) Systems Manager Parameter Store B) AWS Secrets Manager C) AWS KMS D) IAM
📝 Answer Key
1. C — Glacier Deep Archive is cheapest for rarely accessed data with 12-hr retrieval.
2. B — io2 Block Express supports up to 256K IOPS, more than any other EBS type.
3. B — Site-to-Site VPN encrypts data in transit between on-prem and AWS.
4. B — Secrets Manager is designed for sensitive data with auto-rotation support.
5. B — S3 event notifications trigger Lambda immediately on object creation.
6. C — Pre-signed URLs provide time-limited, secure access without making objects public.
7. A, C — ElastiCache is used for session storage and database read caching.
8. B — VPC Gateway Endpoint for DynamoDB is free and keeps traffic within AWS network.
9. B — FIFO queues guarantee order and support message groups.
10. A, C — CloudWatch Alarm triggers Auto Scaling policy when CPU exceeds threshold.
11. B — Snowball Edge physically ships the data, fastest for 100 TB over slow internet.
12. A, C — Availability Zones (data centers) and Edge Locations (CDN) are global infrastructure.
13. B — Read replicas allow analytics workloads without impacting the primary database.
14. B — Kinesis Data Streams ingests real-time streaming data for immediate analysis.
15. B — AWS Config rules can detect non-compliant resources (e.g., unencrypted S3 buckets).
16. A — ElastiCache for Redis provides sub-millisecond latency for frequently accessed data.
17. B — Direct Connect provides a dedicated, private, high-bandwidth connection.
18. B — Lifecycle hooks perform custom actions before instances enter service.
19. B — Amazon EKS is managed Kubernetes (Elastic Kubernetes Service).
20. B — SageMaker provides managed Jupyter notebook instances for data science.
21. C — Tape Gateway provides a virtual tape library that backup software can use with S3 protocol.
22. B — Min 2 route tables: one for public subnets (IGW route), one for private subnets (NAT route).
23. A — Geo-restriction in CloudFront blocks users from specific countries.
24. A — VPC Peering connects VPCs across accounts using private IP addresses.
25. C — AWS is responsible for security OF the cloud; customers for security IN the cloud.
26. B — S3 Lifecycle policies automate transitions between storage classes and expiration.
27. A — Snapshot and restore creates an independent copy without impacting production.
28. B — SNS delivers CloudWatch alarm notifications via email, SMS, or other protocols.
29. A — CloudWatch Dashboards create visual views of metrics and alarms.
30. B — EFS provides shared NFS file system accessible from multiple EC2 instances across AZs.
31. C — SQS event source mapping with appropriate batch size and reserved concurrency controls throughput.
32. B — Private subnet + NAT Gateway provides outbound-only internet access.
33. C — IAM Identity Center provides SSO across multiple AWS accounts.
34. B — Spread placement group ensures instances run on physically separate hardware.
35. A — ACM automatically renews TLS/SSL certificates.
36. C — SSM Parameter Store provides encrypted, versioned configuration storage at no cost (standard params).
37. B — ALB supports HTTP/2 and gRPC protocols natively.
38. B — IAM policy with a condition for aws:MultiFactorAuthPresent denies access without MFA.
39. B — Signed URLs generated by the application provide per-user, time-limited access.
40. C — Kinesis Data Streams handles high-throughput, low-latency data ingestion.
41. B — HTTPS listeners with certificates on EC2 encrypt traffic between ALB and instances.
42. C — c5n instances offer consistent performance with dedicated tenancy option.
43. B — Canary deployment shifts traffic gradually to the new version.
44. A — Restore from automated backup to a new DB instance (PITR within retention period).
45. A — Fast Snapshot Restore (FSR) enables instant boot from EBS snapshots.
46. B — Latency-based routing directs users to the region with the lowest latency.
47. B — Cost Explorer provides cost visualization and savings recommendations.
48. B — Aurora MySQL provides Multi-AZ, up to 15 read replicas, and 128 TB auto-scaling storage.
49. B — VPC Flow Logs capture IP traffic information for network analysis.
50. B — VPC Gateway Endpoint for S3 is free and keeps traffic within AWS network.
51. A — Lifecycle hooks allow custom actions like draining connections before termination.
52. B — Step Functions orchestrates multi-step workflows with state machines.
53. B — Cognito Identity Pools provide temporary AWS credentials for mobile users.
54. A — Increasing memory also increases CPU allocation proportionally in Lambda.
55. D — Tag Policies enforce consistent tags across accounts in AWS Organizations.
56. B — ECS Fargate provides serverless containers with the least operational overhead.
57. B — CloudTrail records all API calls, including failed ones, for auditing.
58. B — S3 Object Lock in compliance mode prevents any user (including root) from modifying/deleting.
59. B — Spot Instances provide the lowest cost for interruption-tolerant batch workloads.
60. B — OAC restricts S3 access to CloudFront only via bucket policy.
61. B — ALB supports SSL/TLS termination, offloading encryption from EC2 instances.
62. D — Manual snapshot restore is faster than PITR for creating a new instance.
63. C — Separate VPCs provide the strongest network isolation between environments.
64. A — VPC Gateway Endpoint for DynamoDB eliminates NAT Gateway data processing costs.
65. B — Secrets Manager provides automatic secret rotation at configurable intervals.
Score: ________ / 65