📝 Practice Test 4 — All Domains Mixed

Time: 130 minutes | Questions: 65 | Domain: All Domains


Question 1

A company is designing a disaster recovery strategy with an RPO of 15 minutes and an RTO of 1 hour. Which strategy meets these requirements?

A) Backup and restore with daily snapshots
B) Pilot Light with data replication every 15 minutes
C) Warm Standby with synchronous replication
D) Multi-Site active-active

Question 2

A company needs to securely store TLS certificates for use with CloudFront. Which service should be used?

A) AWS KMS
B) AWS Certificate Manager (ACM)
C) IAM
D) Secrets Manager

Question 3

An application reads data from a DynamoDB table that experiences sudden traffic spikes. The table is using provisioned capacity. What should be done to handle the spikes without errors?

A) Switch to On-Demand capacity mode
B) Increase the provisioned RCUs and WCUs to the peak level
C) Add a Global Secondary Index
D) Enable DynamoDB Streams

Question 4

A company wants to implement a serverless architecture for processing uploads to S3. What is the correct order of services?

A) S3 → Lambda → SQS → DynamoDB
B) S3 → SNS → SQS → EC2
C) S3 → SQS → Lambda → DynamoDB
D) S3 → EventBridge → EC2 → RDS

Question 5

A company has EC2 instances in a private subnet that need to access Amazon S3. What is the MOST secure and cost-effective way to provide this access?

A) NAT Gateway in a public subnet with routes to S3
B) VPC Gateway Endpoint for S3
C) Internet Gateway with a route to S3
D) VPC Peering to another account with S3

Question 6

A web application behind an ALB experiences slower response times under load. The application reads from RDS. What combination of services would improve performance? (Select TWO)

A) Add more EC2 instances via Auto Scaling
B) Add ElastiCache for database query caching
C) Disable the ALB health checks
D) Move to a single AZ
E) Increase RDS IOPS

Question 7

An organization needs to apply a “deny all” policy to prevent deletion of CloudTrail logs across all accounts in an AWS Organization. Which mechanism should be used?

A) IAM policy on each account
B) SCP (Service Control Policy) at the organization root
C) S3 bucket policy on the CloudTrail bucket
D) CloudTrail trail configuration

Question 8

A company runs a critical application on EC2 behind an ALB. They want to be notified immediately if any EC2 instance fails its health check. How should this be configured?

A) CloudWatch alarm on the ALB’s HealthyHostCount metric
B) CloudTrail event for EC2 instance termination
C) AWS Config rule for EC2 instance status
D) VPC Flow Logs analysis

Question 9

Which storage option provides the highest IOPS for a single EC2 instance running a database?

A) S3
B) EBS io2 Block Express
C) EFS
D) Instance Store

Question 10

A company wants to migrate a legacy application from on-premises to AWS with minimal changes. Which migration strategy is BEST?

A) Rehost (Lift and Shift)
B) Replatform
C) Refactor
D) Replace

Question 11

Which AWS service can detect and alert on suspicious API activity, such as a user launching instances in an unusual region?

A) GuardDuty
B) Config
C) CloudTrail Insights
D) Inspector

Question 12

A company has a stateful web application that stores user sessions locally on each EC2 instance. They want to scale horizontally without losing session data. What should they do?

A) Enable sticky sessions on the ALB
B) Move session data to ElastiCache
C) Use an NLB instead of an ALB
D) Increase EC2 instance sizes

Question 13

A company needs to analyze terabytes of data in S3 using SQL queries without setting up any servers. Which service should be used?

A) Redshift
B) EMR
C) Athena
D) RDS

Question 14

An organization needs to allow a third-party auditor read-only access to their AWS account for a limited time. What is the BEST approach?

A) Create an IAM user with read-only access and share credentials
B) Use IAM Identity Center (SSO) to grant temporary access
C) Create a cross-account IAM role with read-only policy and share the role ARN
D) Make all resources public

Question 15

A company needs to connect 10 VPCs together in a hub-and-spoke topology. Which service should be used?

A) VPC Peering (full mesh)
B) AWS Transit Gateway
C) Direct Connect
D) VPN CloudHub

Question 16

A company needs to deploy a containerized microservices application. They want to handle service discovery, load balancing, and health checks automatically. Which service should be used?

A) ECS with Service Discovery and Cloud Map
B) EC2 with Route53
C) Lambda with API Gateway
D) Elastic Beanstalk

Question 17

A company runs a web application on EC2 instances. They want to protect against common web exploits like SQL injection and cross-site scripting. Which service should be used?

A) Network ACLs
B) Security Groups
C) AWS WAF
D) AWS Shield Advanced

Question 18

A company runs a production DynamoDB table with auto scaling enabled. The table experiences a sudden spike in write traffic that exceeds the maximum configured capacity. What happens to the excess write requests?

A) They are throttled with a ProvisionedThroughputExceededException
B) They are queued and processed when capacity becomes available
C) The table automatically extends beyond the maximum capacity
D) They are redirected to a standby table

Question 19

A company needs to run a MongoDB-compatible database on AWS with managed backup and monitoring. Which service should be used?

A) DynamoDB
B) DocumentDB
C) RDS for MongoDB
D) Neptune

Question 20

A company runs a high-traffic application that uses Lambda to process API requests. During peak hours, the function experiences increased cold starts. Which solution reduces cold starts?

A) Increase Lambda memory
B) Enable provisioned concurrency
C) Increase Lambda timeout
D) Use a dead-letter queue

Question 21

A company needs to migrate 500 TB of data from their on-premises data center to S3. The data is stored on a NAS appliance. The migration must be completed within 30 days. The internet connection is 1 Gbps. Which approach is MOST practical?

A) AWS DataSync over the internet
B) Multiple Snowball Edge devices
C) Direct Connect with multiple 10 Gbps connections
D) S3 Transfer Acceleration

Question 22

A company needs to implement session persistence for a web application behind an ALB. What should be configured?

A) Enable stickiness (session affinity) on the ALB target group
B) Use an NLB instead of an ALB
C) Configure Route53 latency-based routing
D) Enable cross-zone load balancing

Question 23

A company runs a database on an EC2 instance with an EBS gp2 volume. The database requires 5,000 IOPS consistently. The current volume provides 2,000 IOPS. Which option provides the REQUIRED IOPS at the LOWEST cost?

A) Add more storage to increase baseline IOPS
B) Switch to a gp3 volume with 5,000 provisioned IOPS
C) Switch to an io2 volume with 5,000 IOPS
D) Use instance store

Question 24

A company uses CloudFront to serve content from an S3 bucket. They want to serve private content to specific users only. Which combination of services should be used?

A) S3 bucket policy with IP restrictions
B) CloudFront signed URLs with an origin access identity (OAI)
C) S3 pre-signed URLs without CloudFront
D) WAF IP set to allow specific users

Question 25

An organization runs a fleet of EC2 instances across multiple AWS accounts. They need to centrally manage patch compliance across all instances. Which service provides this capability?

A) Systems Manager Patch Manager
B) AWS Config
C) Amazon Inspector
D) GuardDuty

Question 26

A company needs to send high-volume transactional emails (order confirmations, password resets) to their customers. Which service is designed for this use case?

A) SNS
B) SES
C) SQS
D) EventBridge

Question 27

A company runs a containerized application on ECS with Fargate. The application needs to store persistent data that must persist beyond the lifecycle of the container. Which storage option should be used?

A) EFS with ECS volume mounts
B) EBS volume attached to the task
C) Instance Store
D) S3 mounted via FUSE

Question 28

A company runs a production database on RDS for MySQL. They need to run heavy analytics queries that scan terabytes of data. The analytics should not impact production performance. What should be configured?

A) Enable Multi-AZ
B) Create an RDS read replica for analytics
C) Use ElastiCache for query caching
D) Enable RDS Performance Insights

Question 29

Which AWS service automatically discovers and provides recommendations for migrating on-premises workloads to AWS?

A) AWS Migration Hub
B) AWS Application Discovery Service
C) AWS Database Migration Service
D) AWS Server Migration Service

Question 30

A company wants to implement a chat application that requires real-time, two-way communication between users. Which service should be used?

A) API Gateway REST API
B) API Gateway WebSocket API
C) ALB with WebSocket support
D) SQS with long polling

Question 31

A company runs an application on EC2 instances that generates log files. They need to export these logs to a centralized log analytics platform. Which agent should be installed on the EC2 instances?

A) CloudWatch Agent
B) Systems Manager Agent
C) Inspector Agent
D) X-Ray Agent

Question 32

A solutions architect is designing a cost-effective architecture for a data lake on S3. The data will be accessed with varying frequency over time. Which S3 storage class is MOST cost-effective for data with unknown or changing access patterns?

A) S3 Standard
B) S3 Intelligent-Tiering
C) S3 Standard-IA
D) S3 One Zone-IA

Question 33

A company needs to ensure that traffic between EC2 instances in the same subnet is inspected by a firewall appliance. Which AWS service should be used?

A) Network ACLs
B) Security Groups
C) Gateway Load Balancer
D) AWS WAF

Question 34

A company runs a critical application on EC2 instances behind an ALB. They want to use machine learning to detect and mitigate DDoS attacks automatically. Which service should be used?

A) AWS WAF
B) AWS Shield Advanced
C) GuardDuty
D) Network ACLs

Question 35

A company needs to process credit card payments and must comply with PCI DSS. Which AWS service helps automate PCI DSS compliance validation?

A) AWS Artifact
B) AWS Config
C) AWS Audit Manager
D) GuardDuty

Question 36

A company needs to store documents that must be immutable and cannot be modified or deleted by any user, including the root user. The retention period is 5 years. Which S3 feature should be used?

A) S3 Versioning
B) S3 Object Lock in compliance mode
C) S3 Object Lock in governance mode
D) S3 MFA Delete

Question 37

A company runs a web application that requires database storage. The application experiences unpredictable read/write patterns. The company wants to minimize operational overhead. Which database solution is MOST suitable?

A) RDS MySQL with provisioned IOPS
B) DynamoDB with on-demand capacity
C) Aurora Serverless v2
D) Redshift

Question 38

A company runs a stateless web application on EC2 instances behind an ALB. The traffic is predictable: high during business hours (8 AM to 6 PM) and low at night. Which scaling approach is MOST cost-effective?

A) Target tracking scaling policy based on CPU
B) Scheduled scaling to increase capacity before business hours and decrease after
C) Simple scaling policy
D) Manual scaling

Question 39

A company needs to securely connect 50 VPCs across multiple regions. The connections must be centrally managed and support transitive routing. Which service should be used?

A) VPC Peering (full mesh)
B) Transit Gateway with inter-region peering
C) Direct Connect Gateway
D) VPN CloudHub

Question 40

A company runs a web application that uses an ALB. The security team requires that all requests be logged, including source IP, request path, and latency. How should this be configured?

A) Enable ALB access logs and store them in S3
B) Enable VPC Flow Logs
C) Enable CloudTrail for ELB events
D) Use CloudWatch detailed monitoring

Question 41

A company runs a batch processing job on EC2 instances that takes 3 hours to complete. The job must complete within a 4-hour window. The job can be interrupted and resumed from checkpoints. Which purchasing option provides the LOWEST cost?

A) On-Demand Instances
B) Spot Instances with a persistent request
C) Standard Reserved Instances
D) Dedicated Hosts

Question 42

A company needs to run containerized microservices across a cluster of EC2 instances. They want to manage the container orchestration control plane themselves for maximum flexibility. Which service should be used?

A) ECS with EC2 launch type
B) ECS with Fargate
C) EKS with managed node groups
D) Self-managed Kubernetes on EC2

Question 43

A company uses DynamoDB with provisioned capacity for a table that experiences steady traffic but occasional spikes during promotions. They want to avoid throttling during spikes without over-provisioning. What should be configured?

A) Switch to on-demand capacity mode
B) DynamoDB auto scaling with higher max capacity
C) Create a Global Secondary Index
D) Enable DynamoDB Streams

Question 44

A company runs a global application that serves users from multiple regions. They want to distribute traffic to the nearest regional endpoint with automatic failover. Which Route53 routing policy should be used?

A) Latency-based with health checks
B) Geolocation
C) Weighted
D) Simple

Question 45

A company needs to orchestrate multiple Lambda functions as part of a business workflow. The workflow involves conditional branching, parallel execution, and error handling. Which service should be used?

A) SQS
B) SNS
C) Step Functions
D) EventBridge

Question 46

A company runs a database on an RDS instance. They need to reduce storage costs for the database. The current storage utilization is 60%. Which approach reduces costs?

A) Switch from gp2 to gp3 volume type (lower per-GB cost)
B) Delete old data from the database
C) Migrate to a larger instance type
D) Enable Multi-AZ

Question 47

A company runs an e-commerce platform that stores product images in S3. The images must be resized to multiple dimensions when uploaded. Which architecture is MOST efficient?

A) S3 event notification → Lambda → S3 (resized images)
B) EC2 instance that polls S3 and resizes images
C) SQS queue for image processing tasks
D) EMR cluster for batch image processing

Question 48

A company needs to allow customers to upload files directly to an S3 bucket from a web browser without exposing AWS credentials. Which approach should be used?

A) S3 pre-signed URLs generated by the application server
B) S3 bucket policy allowing public uploads
C) IAM user credentials embedded in the web application
D) CloudFront signed URLs

Question 49

A solutions architect needs to design a system that can process 1,000 transactions per second. Each transaction requires a write to a database and a notification to another service. Which architecture meets these requirements?

A) EC2 writes to RDS, then sends SNS notification
B) API Gateway → Lambda → DynamoDB (write) + SNS (notification)
C) SQS queue → Lambda → RDS
D) Kinesis → Lambda → Redshift

Question 50

A company runs a critical application on EC2 instances. They want to test the application’s behavior during an AZ failure. Which service can simulate this failure?

A) AWS Fault Injection Simulator (FIS)
B) CloudWatch Synthetics
C) Route53 health checks
D) AWS Config

Question 51

A company needs to create isolated subnets within a VPC for different application tiers (web, app, database). Each tier should have different security rules. What is the BEST practice for securing traffic between tiers?

A) Use separate VPCs for each tier
B) Use security groups to control traffic between subnets
C) Use internet gateways between subnets
D) Use a single security group for all tiers

Question 52

A company runs a web application on EC2 instances. The application serves static assets (HTML, CSS, JS) and dynamic API responses. They want to reduce latency for global users. Which solution is MOST effective?

A) CloudFront with the ALB and S3 as origins
B) Global Accelerator with the ALB as endpoint
C) Route53 latency-based routing to multiple regions
D) S3 Transfer Acceleration

Question 53

A company uses CloudFormation to deploy infrastructure. They need to manage the same template across multiple environments (dev, test, prod) with different parameter values. What should be used?

A) CloudFormation templates with parameters and parameter files
B) Multiple CloudFormation templates for each environment
C) CloudFormation StackSets
D) CloudFormation nested stacks

Question 54

A company needs to run SQL queries on streaming data with sub-second latency. Which service should be used?

A) Kinesis Data Analytics
B) Kinesis Data Firehose
C) Redshift Spectrum
D) Athena

Question 55

A company runs a database on EC2 with an EBS volume. The database requires consistent, low-latency performance with up to 10,000 IOPS. Which EBS volume type should be used?

A) gp3 with provisioned IOPS
B) st1 (Throughput Optimized)
C) sc1 (Cold HDD)
D) io1 with 10,000 IOPS

Question 56

A company wants to implement a serverless event-driven architecture where changes in one service trigger actions in another service. Which service acts as the event bus?

A) SQS
B) EventBridge
C) SNS
D) Step Functions

Question 57

A company runs a production ECS Fargate service. They want to ensure zero-downtime deployments when updating the task definition. What should be configured?

A) Rolling update deployment type with minimum healthy percent of 100 and maximum of 200
B) Blue/green deployment with CodeDeploy
C) Canary deployment with gradual traffic shifting
D) External deployment with health checks

Question 58

A company needs to monitor memory utilization of their EC2 instances. Memory is not reported in the standard CloudWatch metrics. How should this be configured?

A) Install the CloudWatch agent on the EC2 instances to collect memory metrics
B) Enable EC2 detailed monitoring
C) Use VPC Flow Logs to infer memory usage
D) Use AWS Config to report memory status

Question 59

A company needs to migrate 10 TB of SQL Server databases from on-premises to Amazon RDS for SQL Server with minimal downtime. Which combination of services should be used?

A) AWS DataSync + S3
B) AWS DMS with ongoing replication
C) AWS Server Migration Service
D) Snowball Edge

Question 60

A company runs a web application that requires the client’s IP address to be preserved and passed to the backend instances for logging. Which load balancer preserves the source IP address by default?

A) ALB
B) NLB
C) Both ALB and NLB
D) Neither ALB nor NLB

Question 61

A company needs to implement a global file system that can be accessed from both on-premises servers and EC2 instances. The file system should use the NFS protocol. Which service should be used?

A) EFS with AWS Direct Connect or VPN
B) FSx for Windows File Server
C) S3 with Storage Gateway File Gateway
D) EBS with Multi-Attach

Question 62

An application runs on EC2 instances and needs to access an S3 bucket in another AWS account. What should be configured?

A) S3 bucket policy granting cross-account access to the EC2 instance’s IAM role
B) IAM policy on the EC2 instance role allowing cross-account access
C) VPC Peering between accounts
D) NAT Gateway in the S3 account

Question 63

A company runs a critical database on RDS for PostgreSQL. They need to ensure that database changes are replicated to a secondary region for disaster recovery. What should be configured?

A) Cross-region read replicas
B) Multi-AZ in the primary region
C) Database Migration Service with ongoing replication
D) Export database to S3 and copy to secondary region

Question 64

A company runs a web application on EC2 instances. They want to implement health checks that verify the application is working correctly, not just that the EC2 instance is running. What should be configured?

A) ALB health checks with a custom path (e.g., /health)
B) EC2 status checks
C) CloudWatch alarm on CPU utilization
D) Route53 health checks

Question 65

A company needs to implement a caching layer for their DynamoDB table to reduce read costs and latency. The table has a mix of frequently accessed and rarely accessed items. Which caching solution is MOST appropriate?

A) ElastiCache for Redis with Lazy Loading
B) DynamoDB Accelerator (DAX)
C) CloudFront
D) S3 as a cache layer


📝 Answer Key
  1. B — Pilot Light with 15-min data replication meets RPO=15min and RTO=1hr.
  2. B — ACM (AWS Certificate Manager) manages TLS certificates for CloudFront, ALB.
  3. A — On-Demand capacity handles unpredictable traffic spikes without throttling.
  4. A — S3 event → Lambda processing → SQS for decoupling → DynamoDB storage.
  5. B — VPC Gateway Endpoint for S3 is free, secure, and doesn’t require internet.
  6. A, B — Auto Scaling handles load; ElastiCache reduces DB query load.
  7. B — SCP at the organization root applies to all accounts, even root users.
  8. A — CloudWatch alarm on ALB HealthyHostCount metric triggers on health check failures.
  9. D — Instance Store provides the highest IOPS but is ephemeral.
  10. A — Rehost (Lift and Shift) migrates with minimal changes.
  11. C — CloudTrail Insights uses ML to detect unusual API activity patterns.
  12. B — ElastiCache provides a shared session store, making the app stateless.
  13. C — Athena queries S3 data using SQL with no infrastructure to manage.
  14. C — Cross-account IAM role with read-only policy is secure and auditable.
  15. B — Transit Gateway provides hub-and-spoke connectivity for many VPCs.
  16. A — ECS with Service Discovery (Cloud Map) auto-registers and discovers services.
  17. C — AWS WAF protects against SQL injection and XSS.
  18. A — Requests exceeding max capacity are throttled with ProvisionedThroughputExceededException.
  19. B — DocumentDB is MongoDB-compatible (not RDS for MongoDB, which doesn’t exist).
  20. B — Provisioned concurrency keeps functions warm and eliminates cold starts.
  21. B — Snowball Edge (multiple devices) physically transfers 500 TB faster than 1 Gbps (≈46 days).
  22. A — ALB stickiness (session affinity) routes users to the same target.
  23. B — gp3 provides 3,000 baseline IOPS; provisioning 5,000 total IOPS is cheaper than io2.
  24. B — CloudFront signed URLs + OAI restricts access to CloudFront only.
  25. A — Systems Manager Patch Manager centrally manages patching across instances.
  26. B — SES (Simple Email Service) is designed for sending transactional and marketing emails.
  27. A — EFS can be mounted to ECS Fargate tasks for persistent storage.
  28. B — Read replica offloads analytics queries without impacting the primary.
  29. B — Application Discovery Service discovers on-premises workloads for migration planning.
  30. B — API Gateway WebSocket API supports real-time, two-way communication.
  31. A — CloudWatch Agent collects logs and custom metrics from EC2 instances.
  32. B — S3 Intelligent-Tiering automatically optimizes costs for unknown/changing access patterns.
  33. C — Gateway Load Balancer enables deploying and scaling third-party appliances inline.
  34. B — Shield Advanced provides enhanced DDoS protection with ML-based mitigation.
  35. C — AWS Audit Manager automates evidence collection for PCI DSS compliance.
  36. B — S3 Object Lock in compliance mode prevents deletion/modification by any user.
  37. C — Aurora Serverless v2 automatically scales based on demand with minimal operational overhead.
  38. B — Scheduled scaling matches capacity to predictable traffic patterns at lowest cost.
  39. B — Transit Gateway with inter-region peering centrally connects VPCs across regions.
  40. A — ALB access logs (to S3) capture detailed request information.
  41. B — Spot Instances with persistent requests provide the lowest cost for checkpointable jobs.
  42. D — Self-managed Kubernetes gives maximum control over the control plane.
  43. B — Auto scaling with higher max capacity handles spikes without over-provisioning.
  44. A — Latency-based routing with health checks directs traffic to nearest healthy region.
  45. C — Step Functions orchestrates workflows with branching, parallel execution, and error handling.
  46. A — gp3 has lower per-GB cost than gp2 and provides baseline IOPS independent of size.
  47. A — S3 event → Lambda performs immediate image resizing serverlessly.
  48. A — Pre-signed URLs allow direct browser uploads without exposing AWS credentials.
  49. B — API Gateway → Lambda → DynamoDB + SNS provides serverless transaction processing.
  50. A — AWS Fault Injection Simulator (FIS) tests workload resilience by injecting failures.
  51. B — Security groups between tiers control traffic at the instance level.
  52. A — CloudFront with multiple origins (ALB for dynamic, S3 for static) optimizes global performance.
  53. A — CloudFormation parameters with parameter files enable multi-environment reuse.
  54. A — Kinesis Data Analytics runs SQL on streaming data with sub-second latency.
  55. A — gp3 with provisioned IOPS provides consistent performance at lower cost than io1.
  56. B — EventBridge acts as a central event bus for event-driven architectures.
  57. A — Rolling update with min healthy 100%, max 200% ensures zero downtime.
  58. A — CloudWatch agent collects custom metrics including memory utilization.
  59. B — AWS DMS supports ongoing replication for minimal downtime database migration.
  60. B — NLB preserves source IP addresses by default; ALB does not.
  61. A — EFS can be accessed from on-prem via Direct Connect or VPN.
  62. A — S3 bucket policy with cross-account access grants access to the IAM role.
  63. A — Cross-region read replicas replicate data to a secondary region for DR.
  64. A — ALB custom health check path verifies application-level health.
  65. B — DAX is purpose-built for DynamoDB caching, reducing read costs and latency.

Score: ________ / 65