Answer: B

Explanation: Storing session state in local instance memory is not scalable or resilient. The best solution is to use an external state store like Amazon ElastiCache (Redis or Memcached), which allows any instance to retrieve the session data. Sticky sessions (A) can help but sessions are lost if an instance fails. A Network Load Balancer (C) doesn't address session storage. Adding more instances (D) worsens the problem.

Answer: C

Explanation: SSE-C allows customers to provide and manage their own encryption keys. AWS handles the encryption/decryption process but does not store the keys. SSE-S3 (A) uses AWS-managed keys. SSE-KMS with AWS managed keys (B) still has AWS controlling the key material. SSE-C is the most direct answer where the company fully controls the keys.

Answer: C

Explanation: Amazon SQS FIFO Queue provides exactly-once processing and preserves message order. Messages are not lost because SQS is durable. SQS Standard (B) provides at-least-once delivery. SNS (A) is a pub/sub service without queuing for retry. Kinesis (D) is designed for streaming data, not simple queue processing.

Answer: B

Explanation: A NAT Gateway must be placed in a public subnet and allows instances in private subnets to initiate outbound internet connections. The private subnet route table must have a route pointing to the NAT Gateway. Placing the NAT Gateway in a private subnet (C) would not work because it needs internet access itself. An Internet Gateway on a private subnet (A) would make it public. VPC Peering (D) is for connecting VPCs, not internet access.

Answer: A

Explanation: S3 Glacier Instant Retrieval is designed for data that is rarely accessed but requires millisecond retrieval. It offers lower storage costs than Standard-IA for data accessed less than once per quarter. The lifecycle policy moves data after 30 days and deletes after 120 days. Standard-IA (B) is more expensive than Glacier Instant Retrieval for rarely accessed data. Glacier Deep Archive (C) has retrieval times of hours. Intelligent-Tiering (D) has monitoring fees.

Answer: A

Explanation: An Auto Scaling Group with CloudWatch Alarms is the standard solution for EC2 auto-scaling. CloudWatch monitors CPU utilization and triggers the ASG to scale in or out. ELB (B) distributes traffic but doesn't make scaling decisions. AWS Config (C) is a configuration compliance service. CloudFormation (D) is infrastructure as code and doesn't auto-scale dynamically.

Answer: B

Explanation: Amazon Aurora automatically scales storage from 10 GB to 128 TB in 10 GB increments as needed. It supports Multi-AZ by default with up to 15 read replicas across multiple AZs. Amazon RDS (A) requires manual storage scaling. DynamoDB (C) is a NoSQL database. Redshift (D) is a data warehouse.

Answer: C

Explanation: IAM roles with cross-account trust relationships allow users from one AWS account to assume a role in another account, following least privilege without sharing long-term credentials. Creating IAM users (A) is harder to manage. Sharing access keys (B) is a security risk. Making the bucket public (D) is insecure.

Answer: B

Explanation: IAM roles attached to EC2 instances provide temporary security credentials through the instance metadata service. The application can call AWS APIs without hard-coded credentials. This is the AWS best practice. Storing keys in environment variables (A) or hard-coding (D) risks credential exposure. Secrets Manager (C) is better than hard-coding but still requires initial credentials to access.

Answer: A

Explanation: AWS DMS supports ongoing replication using Change Data Capture (CDC) that continuously replicates data changes from the source to the target database. This minimizes downtime. AWS Backup (B) is for backup/restore. DataSync (C) is for file storage migration. Snowball (D) is for offline bulk data transfer.

Answer: B

Explanation: Amazon CloudFront is a CDN that caches both static and dynamic content at edge locations globally, reducing latency for users worldwide. Global Accelerator (A) improves availability using the AWS global network but is better for non-HTTP applications. Route 53 latency routing (C) routes users to the nearest region but doesn't cache content. ELB (D) operates within a region.

Answer: B

Explanation: Amazon EFS provides a shared NFS file system that can be mounted by multiple EC2 instances simultaneously across multiple AZs. EBS (A) can only be attached to one instance at a time. S3 (C) is object storage, not a traditional file system. FSx for Windows (D) is for Windows workloads using SMB protocol.

Answer: C

Explanation: Spot Instances use spare EC2 capacity at discounts of up to 90% compared to On-Demand pricing. They can be interrupted with a 2-minute notice, which is acceptable for fault-tolerant batch jobs that can be checkpointed and restarted. On-Demand (A) is more expensive. Reserved (B) requires commitment. Dedicated Hosts (D) are for compliance/licensing requirements.

Answer: B

Explanation: AWS Budgets allows you to set cost and usage thresholds and receive alerts (via SNS or email) when those thresholds are breached or forecasted to be breached. CloudTrail (A) is for API call logging. AWS Config (C) monitors resource configurations. GuardDuty (D) is for threat detection.

Answer: B

Explanation: Amazon Cognito User Pools provides user authentication and supports federation with social identity providers like Google, Facebook, and Amazon. IAM Identity Center (A) is for workforce SSO. Directory Service (C) is for Microsoft AD integration. Cognito Identity Pools (D) provides temporary AWS credentials to authenticated users but relies on User Pools for authentication.

Answer: B

Explanation: RDS Read Replicas allow creation of read-only copies that serve read traffic, offloading the primary instance. They use asynchronous replication. Multi-AZ standbys (A) are for failover only and cannot serve read traffic in RDS MySQL. ElastiCache (C) caches query results but requires application changes. Increasing instance size (D) doesn't distribute load.

Answer: C

Explanation: Instance Store (ephemeral storage) is physically attached to the host computer and provides very high I/O performance. Data is lost when the instance stops or terminates. For temporary computation data, this is acceptable. EBS gp3 (A) is persistent with lower peak performance than instance store. EFS (B) is a network file system with higher latency. S3 (D) is object storage.

Answer: C

Explanation: AWS Network Firewall provides stateful firewall rules including domain-based filtering (domain allow/block lists). Security Groups (A) and Network ACLs (B) work with IP addresses and ports, not domain names. AWS WAF (D) is for HTTP/HTTPS web application protection placed in front of ALB or CloudFront.

Answer: C

Explanation: AWS Fargate is a serverless compute engine for containers that works with ECS and EKS. You don't need to provision or manage servers. ECS with EC2 (A) requires managing EC2 instances. EKS with managed node groups (B) still requires managing EC2 nodes. ECR (D) is a container registry, not a compute service.

Answer: C

Explanation: Amazon Redshift is a petabyte-scale data warehouse designed for complex analytical queries (OLAP). It uses columnar storage and massively parallel processing (MPP). RDS (A) and Aurora (D) are OLTP relational databases not optimized for petabyte-scale analytics. DynamoDB (B) is a NoSQL database not suitable for complex SQL analytics.

Answer: B

Explanation: Canary deployment routes a small percentage of traffic (e.g., 5-10%) to the new version while the majority uses the old version. Traffic gradually shifts if no issues are detected. Blue/Green (A) switches all traffic at once between two environments. Rolling (C) gradually replaces old instances with new ones. In-place (D) updates existing instances directly.

Answer: B

Explanation: A Site-to-Site VPN requires a Virtual Private Gateway (VGW) on the AWS side and a Customer Gateway (CGW) representing the on-premises VPN device. The VGW is attached to the VPC. Direct Connect (C) is a dedicated network connection, not VPN. NAT Gateway (D) is for internet access.

Answer: B

Explanation: Amazon SNS (Simple Notification Service) is a pub/sub messaging service that can fan out messages to multiple subscribers simultaneously including email, SMS, mobile push, Lambda, SQS, and HTTP endpoints. SQS (A) is a point-to-point queue. EventBridge (C) is for event routing between services. Step Functions (D) orchestrates workflows.

Answer: B

Explanation: S3 Cross-Region Replication (CRR) automatically replicates objects to a destination bucket in a different AWS Region. It requires versioning on both source and destination buckets. Transfer Acceleration (A) speeds up uploads. Versioning alone (C) is required for CRR but doesn't replicate across regions by itself. Multi-Part Upload (D) is for large file uploads.

Answer: B

Explanation: Amazon EFS integrates with Fargate and allows tasks to mount a shared, persistent file system. EFS data persists beyond the task lifecycle. Fargate doesn't expose host access (A). Local Fargate filesystem (C) is ephemeral and lost when the task stops. EBS volumes (D) cannot be directly attached to Fargate tasks.

Answer: B

Explanation: AWS CloudFormation is the native IaC service that defines AWS infrastructure as JSON or YAML templates. It supports drift detection, change sets, and rollback on failure. Systems Manager (A) manages operational tasks. CodeDeploy (C) is for application deployment. OpsWorks (D) is a configuration management service using Chef/Puppet.

Answer: B

Explanation: Amazon RDS Proxy manages database connection pooling, allowing the application to scale without overwhelming the database with too many direct connections. Aurora Auto Scaling (A) helps with read replicas but doesn't directly address connection exhaustion. ElastiCache (C) reduces database load but doesn't manage connections. Increasing max_connections (D) has limits based on instance memory.

Answer: B

Explanation: AWS CloudTrail records all API calls made to AWS services, including the caller's identity, time, source IP, request parameters, and response. CloudWatch (A) monitors metrics and logs but doesn't record API calls. AWS Config (C) records resource configuration changes. GuardDuty (D) uses CloudTrail data for threat detection.

Answer: B

Explanation: Lambda functions can be configured to run inside a VPC by specifying the VPC, subnets, and security groups. This allows Lambda to access resources in private subnets like RDS. VPC endpoints (A) are for accessing AWS services privately, not RDS. Making RDS public (C) is a security risk. API Gateway proxy to RDS (D) adds unnecessary complexity.

Answer: A

Explanation: Amazon SQS is ideal for asynchronous inter-service communication in microservices architectures, providing decoupling and resilience. AppSync (B) is a GraphQL service. API Gateway (C) is for synchronous HTTP APIs. Direct Connect (D) is for dedicated network connectivity to AWS.

Answer: B

Explanation: AWS Secrets Manager is designed for storing and automatically rotating secrets like database credentials. It integrates natively with RDS, Redshift, and DocumentDB for automatic rotation. Parameter Store (A) can store secrets but lacks built-in automatic rotation. KMS (C) manages encryption keys. IAM roles (D) provide AWS service access, not database credentials.

Answer: B

Explanation: AWS WAF (Web Application Firewall) protects web applications from common exploits including SQL injection and XSS by inspecting HTTP/HTTPS requests and blocking malicious traffic. AWS Shield (A) protects against DDoS attacks. GuardDuty (C) is a threat detection service. Network Firewall (D) provides network-level protection.

Answer: B

Explanation: Amazon CloudWatch Metric Alarms monitor specific metrics like CPUUtilization over a specified period and trigger actions when thresholds are breached. CloudTrail with EventBridge (A) is for API events, not metric monitoring. AWS Config (C) monitors configuration compliance. Inspector (D) is for vulnerability assessment.

Answer: D

Explanation: CloudFront serves static and dynamic content from global edge locations. AWS Shield Advanced provides enhanced DDoS protection with 24/7 DRT support, real-time attack diagnostics, and cost protection during DDoS events. Shield Standard (A) is free but provides basic protection only. Global Accelerator (B) is for routing. Route 53 + ELB (C) doesn't provide CDN.

Answer: C

Explanation: Warm Standby maintains a scaled-down but fully functional version of the production environment in the DR region. With near-real-time replication, RPO of 5 minutes is achievable and scaling up to meet traffic can be done within 15 minutes. Backup and Restore (A) typically has RTO/RPO of hours. Pilot Light (B) has slower RTO as core services need to be started. Multi-Site Active/Active (D) offers near-zero RTO/RPO but is more expensive.

Answer: C

Explanation: Amazon DynamoDB is a fully managed NoSQL database that provides single-digit millisecond performance at any scale. It's optimized for simple key-value and document lookups. RDS PostgreSQL (A) and Aurora (D) are relational databases. Redshift (B) is a data warehouse for analytics.

Answer: B

Explanation: An S3 bucket policy with a condition denying requests where aws:SecureTransport is false enforces HTTPS for all S3 API calls. This works through corporate proxies as long as they allow HTTPS. Transfer Acceleration (A) speeds up uploads but doesn't enforce HTTPS. VPN (C) or Direct Connect (D) are for network connectivity.

Answer: B

Explanation: Using SQS between S3 events and Lambda enables retry logic. If Lambda fails, the message returns to the queue and is retried. After configured failures, messages go to a DLQ for investigation. Direct S3 to Lambda (A) has limited retry. SNS (C) doesn't persist messages for retry. CloudWatch Events (D) is for scheduled or service events.

Answer: B

Explanation: AWS Glue Data Catalog is a centralized metadata repository storing table definitions and schemas for data in S3. It integrates with Athena, Redshift Spectrum, and EMR. Athena (A) is a query service that uses the Glue catalog. Redshift Spectrum (C) queries S3 data but needs a catalog. QuickSight (D) is a BI visualization tool.

Answer: C

Explanation: Route 53 Failover routing with health checks monitors the primary endpoint and automatically routes traffic to the secondary endpoint if the primary becomes unhealthy. Weighted routing (A) distributes traffic by weight. Latency-based (B) routes to the lowest latency endpoint. Geolocation (D) routes based on user location.

Answer: B

Explanation: Custom IAM policies with specific Allow statements for required actions and explicit Deny for delete actions implement least privilege. Explicit Deny overrides any Allow statements. PowerUserAccess (A) gives too broad access. SCPs (C) are for AWS Organization accounts. Permission boundaries (D) set maximum permissions but don't automatically restrict to specific resources.

Answer: C

Explanation: DynamoDB supports eventually consistent (default) and strongly consistent reads. Setting ConsistentRead = true in GetItem, Query, or Scan ensures the most recent data. Strong reads consume twice the read capacity of eventually consistent reads. TransactGetItems (B) is for ACID transactions. DynamoDB Streams (D) is for change data capture.

Answer: C

Explanation: AWS Security Hub aggregates, organizes, and prioritizes security findings from AWS security services and third-party tools across multiple accounts. CloudTrail (A) is for API logging. CloudWatch (B) is for monitoring metrics. Amazon Detective (D) helps investigate security incidents but doesn't aggregate findings.

Answer: B

Explanation: Connection Draining (Deregistration Delay in ALB) allows the load balancer to stop sending new requests to a deregistering instance while allowing existing in-flight connections to complete. The default delay is 300 seconds. Health Check Grace Period (A) is for new instances. Lifecycle hooks (C) pause termination but don't specifically handle in-flight requests. Cross-Zone Load Balancing (D) distributes traffic across zones.

Answer: C

Explanation: AWS CloudHSM provides dedicated HSMs. Using CloudHSM as a custom key store for AWS KMS means keys are generated and never leave the HSM. SSE-S3 (A) and SSE-KMS with AWS managed keys (B) use AWS-controlled HSMs. SSE-C (D) requires the customer to manage keys externally and pass them with each request.

Answer: B

Explanation: In a three-tier architecture, the web tier is in a public subnet (accessible from internet via ALB) while application and database tiers are in private subnets (not directly accessible from internet). All tiers in public subnets (A) exposes the database. All tiers private (C) means the web tier can't receive direct internet traffic. Option D is backwards.

Answer: C

Explanation: Amazon SQS FIFO queues preserve message order and ensure each message is processed exactly once. Lambda can poll FIFO queues and process messages in order per message group. SQS Standard (B) doesn't guarantee order. S3 Events (A) and SNS (D) don't guarantee delivery order.

Answer: B

Explanation: AWS Lambda charges only for actual execution time and is ideal for variable traffic with idle periods. No cost during idle. It scales automatically. A 24/7 EC2 instance (A) wastes money during idle periods. Reserved Instances (C) require paying even when idle. Spot Instances (D) can be interrupted and are better for batch workloads.

Answer: C

Explanation: At 100 Mbps, transferring 50 TB would take approximately 46 days. AWS Snowball Edge is a physical device loaded with data and shipped to AWS, completing the transfer much faster. DataSync (A) and Transfer Acceleration (B) still use the internet connection. Direct Connect (D) setup takes weeks.

Answer: C

Explanation: SCPs can restrict maximum available permissions for accounts in an organization. An SCP can deny cloudtrail:StopLogging and cloudtrail:DeleteTrail actions for all accounts, preventing anyone from disabling CloudTrail. IAM policies (A) can be overridden by account admins. Config rules (B) detect but don't prevent. CloudFormation StackSets (D) deploy resources but don't prevent manual changes.

Answer: B

Explanation: DynamoDB Accelerator (DAX) is a fully managed in-memory caching service for DynamoDB that delivers up to 10x performance improvement. Increasing read capacity units (A) improves throughput but not latency. Aurora (C) is a relational database. Global Tables (D) are for multi-region replication.

Answer: C

Explanation: An S3 Gateway VPC Endpoint allows EC2 instances in private subnets to access S3 directly through the AWS private network without internet access. Gateway endpoints for S3 and DynamoDB are free. NAT Gateway (A) routes through the internet. Internet Gateway (B) requires a public IP. Direct Connect (D) is for on-premises connectivity.

Answer: B

Explanation: AWS Application Migration Service (MGN) is designed to simplify migration of physical servers, virtual machines, and cloud instances to AWS. It continuously replicates source servers and allows non-disruptive testing before cutover. DMS (A) is for database migration. DataSync (C) is for file transfer. Snowball (D) is for bulk data transfer.

Answer: A

Explanation: S3 Block Public Access at the account level overrides any bucket-level ACL settings that would grant public access. When enabled across all accounts (via SCP enforcement or per account), it prevents any bucket from becoming public. AWS Config (B) detects but doesn't prevent. Bucket policies (C) must be set per bucket. IAM policies (D) can be bypassed by the root account.

Answer: B

Explanation: AWS Systems Manager Parameter Store is designed for storing configuration data. It supports hierarchical storage, versioning, and IAM access control. It's cost-effective for configuration parameters (free for standard parameters). Secrets Manager (A) is better for frequently rotated secrets. S3 (C) is for object storage. CodePipeline (D) is for CI/CD.

Answer: B

Explanation: AWS Transit Gateway acts as a regional hub connecting multiple VPCs and on-premises networks, simplifying architecture by eliminating complex VPC peering meshes. VPC Peering (A) is point-to-point and doesn't scale well. Virtual Private Gateway (C) is for individual VPC-to-VPN connections. PrivateLink (D) is for private service connectivity.

Answer: B

Explanation: Externalizing session state to ElastiCache (Redis) allows any instance to serve any user's session, enabling seamless auto-scaling without session loss. Sticky sessions (A) create session affinity but sessions are lost if the instance terminates. Instance store (C) is lost on termination. Option D prevents scaling and costs more.

Answer: B

Explanation: Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to S3, Redshift, and Elasticsearch. It automatically scales for high-volume data streams. SQS (A) is a message queue not designed for high-volume streaming to S3. EventBridge (C) is for event routing. AWS Batch (D) is for batch jobs.

Answer: B

Explanation: Creating an IAM role with SecurityAudit managed policy and a trust relationship with the auditor's AWS account allows auditors to assume the role using their own credentials. No long-term credential sharing, access can be revoked by modifying the trust policy. Creating IAM users (A, C) requires sharing credentials. Sharing root credentials (D) is never acceptable.

Answer: B

Explanation: The SNS fan-out pattern publishes a message to SNS and multiple SQS queues subscribe. Each service reads from its own dedicated SQS queue, providing decoupling, independent scaling, and per-service failure handling. Sequential API Gateway calls (A) creates tight coupling. Direct Lambda invocations (C) are synchronous. Shared SQS queue (D) means only one service gets each message.

Answer: B

Explanation: Amazon Athena is a serverless interactive query service that runs SQL queries directly on data stored in S3 using standard SQL. You pay only for queries run. No data loading is required. RDS (A) and Redshift (C) require loading data. Glue ETL (D) is for data transformation, not querying.

Answer: B

Explanation: Spanning 3 AZs with a minimum of 3 instances (one per AZ) ensures that if one AZ fails, the application continues running in the other 2 AZs. With only 2 AZs (A), if one fails you have a single instance remaining. Cross-region ALB (C) is complex. Enhanced Networking (D) improves networking performance, not availability.

Answer: B

Explanation: S3 Replication allows configuring Replica Ownership to specify who owns the replicated objects. By default, the destination bucket owner owns replicas. Configuring the ownership settings ensures replica objects have appropriate access controls. Versioning (A) is required for replication but doesn't control ownership. Object Lock (C) is for immutability. Lifecycle policies (D) manage object transitions.

Answer: B

Explanation: Centralizing logs in an S3 bucket and using Amazon Athena for serverless queries is cost-effective and doesn't require provisioning servers. You pay only for queries and S3 storage. CloudWatch Logs (A) can be expensive for large volumes. ELK on EC2 (C) requires server management. Redshift (D) requires loading data and cluster management.

Answer: C

Explanation: For workloads with consistent 2+ years of usage, Reserved Instances with a 3-year term All Upfront or Compute Savings Plans provide the highest discount (up to 72% compared to On-Demand). On-Demand (A) has no discount. Spot Instances (B) can be interrupted. 1-year No Upfront Savings Plans (D) offer less discount than 3-year All Upfront. For steady-state workloads, committing to 3 years with upfront payment maximizes savings.