Practice Questions

Question 1

An ad-tech startup is building a metrics ingestion API with Amazon API Gateway and AWS Lambda. Across 12 Lambda functions written in Python 3.11, the team must reuse five internal libraries and custom classes maintained by a central platform team (about 15 MB when compressed). The security team requires production deployments to pull artifacts only from an approved registry; Amazon ECR is approved, but build jobs are not allowed to upload artifacts to S3 in the production account. A solutions architect must simplify deployments for all functions and maximize code reuse with minimal packaging complexity. Which approach meets these requirements?

Question Analysis

Core Concept: This question tests AWS Lambda deployment packaging choices (ZIP vs container images), code reuse strategies (layers vs shared base images), and supply-chain controls (approved artifact registries such as Amazon ECR). It also implicitly tests Lambda limits and operational simplicity across multiple functions. Why the Answer is Correct: Option D best satisfies all constraints: the security team requires production deployments to pull artifacts only from an approved registry (ECR is approved), and build jobs cannot upload artifacts to S3 in the production account. Lambda container image support allows each function’s deployment package to be an OCI image stored in ECR, eliminating the need to place ZIPs or layer artifacts into S3 in the production account. Code reuse is achieved by standardizing on a common base image that contains the 15 MB compressed internal libraries and shared classes; each function image then adds only its handler code. This approach minimizes packaging complexity for 12 functions because the shared dependencies are managed once in the base image and inherited consistently. Key AWS Features: - AWS Lambda container image support (up to 10 GB image size) with images stored in Amazon ECR. - Docker multi-stage builds and a shared base image pattern to maximize reuse and reduce duplication. - ECR repository policies, image scanning, immutable tags, and lifecycle policies to meet governance and security requirements. - CI/CD can build and push images to ECR, and deployments update the Lambda function image URI/digest. Common Misconceptions: A and B may look attractive because Lambda layers are the classic reuse mechanism. However, Lambda layers are not created “from a Docker image in ECR” in the way described; layers are published as ZIP archives (typically uploaded to Lambda, often sourced from S3 during deployment tooling). Additionally, A violates the “approved registry” requirement by using S3 as the artifact store, and B incorrectly assumes ECR can directly back a layer. C is incorrect because Lambda cannot reference a running ECS/Fargate container as a layer; layers are static artifacts, not network-attached runtime dependency services. Exam Tips: When you see “approved registry = ECR” and restrictions on S3 artifact uploads, strongly consider Lambda container images. Use layers for ZIP-based functions, but for strict registry-based supply chain controls and simplified dependency reuse, a shared base image in ECR is often the cleanest pattern. Also remember: Lambda layers are ZIP-based, while Lambda container images are pulled from ECR.

Question 2

(Select 3)

A travel-tech company operates a partner webhook ingestion API on Amazon API Gateway with a Regional endpoint and an AWS Lambda backend that calls a third-party risk-scoring REST API using an API key stored in AWS Secrets Manager encrypted with a customer managed key in AWS Key Management Service (AWS KMS), persists and reads records from an Amazon DynamoDB global table, and is currently deployed only in us-east-1; the company must change the API components so the workload runs active-active across us-east-1, eu-west-1, and ap-southeast-2 with the least operational overhead—Which combination of changes will meet these requirements? (Choose three.)

Question Analysis

Core Concept: This question tests designing an active-active, multi-Region API on API Gateway + Lambda, and handling multi-Region dependencies (Secrets Manager and KMS) with minimal operational overhead. It also implicitly checks understanding of what is and is not “multi-Region” for API Gateway and KMS. Why the Answer is Correct: To run active-active in us-east-1, eu-west-1, and ap-southeast-2, you must deploy the Regional API Gateway and Lambda in each Region and provide a global entry point that routes clients to healthy endpoints. Option A accomplishes this using a custom domain in Route 53 mapped to each Regional API endpoint and a routing policy (multivalue) that can return multiple healthy endpoints. Because the Lambda function reads an API key from Secrets Manager encrypted with a customer managed KMS key, you must ensure the secret is available in each Region and can be decrypted locally. Secrets Manager supports secret replication across Regions, but each replica uses a KMS key in that Region. The lowest-overhead approach is to use a KMS multi-Region customer managed key (Option B) with replicas in each Region, then replicate the secret and select the appropriate KMS key per replica (Option C). This avoids manual secret copying and simplifies key management consistency. Key AWS Features: - API Gateway Regional endpoints are Region-scoped; multi-Region requires separate deployments. - Route 53 custom domain + health checks + multivalue (or other policies like latency/failover) provides global routing. - AWS KMS multi-Region keys allow consistent key material replicated to other Regions (still separate key ARNs per Region). - Secrets Manager cross-Region replication keeps secret value synchronized and supports per-Region KMS encryption. Common Misconceptions: - Assuming API Gateway has a “multi-Region option” to attach multiple Lambda backends (it does not; deployments are per Region). - Thinking you can “convert” an existing single-Region CMK into a multi-Region key (you must create a new multi-Region key). - Manually copying secrets seems simple but increases operational overhead and drift risk. Exam Tips: For active-active multi-Region, look for: (1) deploy compute/API per Region, (2) global DNS routing with health checks, (3) replicate state/secrets/keys appropriately. Remember: KMS multi-Region keys must be created as multi-Region from the start, and Secrets Manager replication is the managed, low-ops method versus manual duplication.

Question 3

A media analytics startup needs to migrate its third-party thumbnail rendering engine to AWS; the vendor provides a supported Docker image from a public registry that can run in any number of containers, the company has 12 content categories (Kids, Sports, News, etc.) and wants each category to run its own isolated set of containers with a small custom configuration (category-specific environment variables and S3 prefix filters) so that each container processes only that category, peak load requires up to 50 simultaneous containers per category with jobs that last 3–5 minutes and do not need persistent storage, finance requires per-category cost allocation using tags on the running units, and the operations team needs the ability to scale resources cost-effectively purely based on the number of running containers with the least possible operational overhead; which solution meets these requirements?

Question 4

A healthcare analytics firm operates a HIPAA-compliant internal web application in AWS eu-central-1; the firm has a 1 Gbps AWS Direct Connect private VIF from its Frankfurt data center to a VPC where the application runs on Amazon EC2 instances across three Availability Zones behind an internal Application Load Balancer (ALB); staff access the app from the on-premises network over HTTPS, with TLS terminated at the ALB, and the ALB uses multiple target groups with path-based routing for /api, /images, and /admin. The network team is deploying an on-premises next-generation firewall that only permits outbound traffic to an allow list of destination IP addresses, and the firm must keep TLS termination and routing on the ALB without changing the application. Which solution enables continued access from on premises while meeting the allow list requirement with static IP addresses?

Question 5

A digital ticketing company is modernizing its checkout application that currently runs a monolithic, load-balanced Amazon EC2 fleet serving the static web frontend, checkout/database APIs, and payment orchestration logic; the company wants a fully decoupled, serverless-first architecture that can process an average of 10,000 checkouts per hour with bursts up to 30,000 within 10 minutes, retain any failed checkout events for at least 7 days for later replay, independently scale each component, and minimize operational costs by eliminating server management. Which solution will meet these requirements?

Want to practice all questions on the go?

Download Cloud Pass for free — includes practice tests, progress tracking & more.

Question 6

A video annotation company is re-platforming a Docker-based tagging service to AWS that requires a shared POSIX-compliant NFSv4 mount at /data concurrently accessible by up to 200 tasks across two Availability Zones, must scale on demand, encrypt data at rest, control access with IAM, and must not require provisioning or managing any servers or cluster infrastructure; which solution meets these requirements?

Question Analysis

Core Concept: This question tests choosing the correct serverless container compute plus shared POSIX file storage for many concurrent tasks across multiple Availability Zones. The key services are Amazon ECS on AWS Fargate (no server/cluster management) and Amazon EFS (managed NFSv4, multi-AZ, elastic). Why the Answer is Correct: The workload requires a shared POSIX-compliant NFSv4 mount at /data that can be concurrently accessed by up to 200 tasks across two AZs, scales on demand, encrypts at rest, and controls access with IAM—without provisioning or managing servers. Amazon EFS is a fully managed, elastic NFS file system that supports NFSv4.1, provides POSIX semantics, and is designed for concurrent access from many clients across multiple AZs. ECS Fargate removes the need to manage EC2 instances or an ECS cluster’s underlying capacity. EFS can be mounted directly from Fargate tasks via task definition volume configuration, meeting the “no servers” requirement. Key AWS Features: - EFS multi-AZ availability: EFS stores data redundantly across multiple AZs in a Region, enabling concurrent access from tasks in different AZs. - Elastic scaling: EFS automatically scales throughput/storage with demand (and can use throughput modes as needed). - Encryption: EFS supports encryption at rest (KMS) and in transit (TLS). - IAM access control: EFS supports IAM authorization for NFS clients (when using EFS mount helper/IAM integration) and EFS Access Points to enforce a specific POSIX identity and root directory, which is ideal for mounting at /data with consistent permissions. - Fargate integration: ECS task definitions can specify EFS volumes and mount points without managing instances. Common Misconceptions: FSx for Lustre is also a shared POSIX file system, but it is optimized for HPC and typically integrated with S3; it’s not the standard choice for NFSv4 shared storage for containers and does not align as cleanly with the IAM/EFS access point pattern commonly tested. EC2 launch type options may appear viable because EFS works well there, but they violate the requirement to avoid provisioning/managing servers. EBS Multi-Attach is block storage with strict constraints and is not an NFS shared file system. Exam Tips: When you see “shared POSIX, NFSv4, multi-AZ, many concurrent containers, serverless/no infrastructure management,” map it to “ECS Fargate + EFS (Access Points + encryption + IAM/TLS).” Reserve FSx for Lustre for HPC/high-performance scratch and EBS for single-instance (or limited multi-attach) block storage, not shared NFS mounts.

Question 7

(Select 3)

A research lab runs an MPI-based, tightly coupled seismic inversion workload on an AWS HPC cluster that writes millions of shared files to an Amazon EFS file system; the job met performance objectives with 120 EC2 compute nodes, but when the cluster scaled to 1,200 nodes the overall throughput and time-to-solution degraded significantly due to I/O and inter-node communication bottlenecks. Which combination of design choices should a solutions architect implement to maximize the HPC cluster’s performance? (Choose three.)

Question Analysis

Core Concept: This question tests AWS HPC design for tightly coupled MPI workloads at scale, focusing on low-latency networking and high-concurrency shared file system performance. The key services/concepts are placement/latency (single AZ), Elastic Fabric Adapter (EFA) for MPI, and using a parallel file system (Amazon FSx for Lustre) instead of Amazon EFS for extreme metadata and small-file I/O. Why the Answer is Correct: At 1,200 nodes, both inter-node communication and shared storage become dominant bottlenecks. (A) keeps all nodes in one Availability Zone, avoiding cross-AZ latency, jitter, and bandwidth constraints that are especially harmful to tightly coupled MPI collectives. (C) enables EFA on supported instance types, providing OS-bypass (via libfabric) and very low latency/high message rate networking that scales MPI performance far better than standard ENA networking. (F) replaces EFS with FSx for Lustre (scratch), a high-performance parallel file system designed for HPC with high aggregate throughput and metadata performance, well-suited to “millions of shared files” and high concurrent access. Key AWS Features: Single-AZ cluster placement reduces network variability and enables best use of cluster placement groups (commonly paired with HPC). EFA integrates with MPI stacks to improve latency and throughput for tightly coupled jobs. FSx for Lustre provides scalable throughput/IOPS and supports integration with Amazon S3 for durable data repositories (import/export), while using the Lustre file system as a fast scratch/work space. Common Misconceptions: Spreading across AZs (D) improves resiliency but typically degrades tightly coupled HPC performance due to added latency and reduced determinism. Adding ENIs (B) does not meaningfully improve MPI latency and is not a standard method to scale HPC interconnect performance; EFA is the purpose-built solution. Using a single instance with RAID0 EBS as “shared storage” (E) creates a severe single-node bottleneck and single point of failure and cannot serve 1,200 nodes with high metadata concurrency. Exam Tips: For tightly coupled MPI: prioritize low latency, low jitter, and high message rate (single AZ + EFA). For massive shared-file concurrency: choose a parallel file system (FSx for Lustre) over general-purpose NFS (EFS). Multi-AZ is usually a red flag for tightly coupled HPC performance questions unless the workload is loosely coupled or explicitly requires HA over performance.

Question 8

A pharmaceutical research firm must spin up short‑lived validation sandboxes for each tagged build; each sandbox is a single Amazon EC2 instance managed by an Auto Scaling group and must reach an on‑premises license server over TCP 8443 to report results. The firm needs to create and delete up to 30 sandboxes per business day, each lasting fewer than 3 hours, with no manual intervention and consistent connectivity to the on‑prem network (172.16.0.0/16). The company already operates an AWS Transit Gateway (tgw-0abc123def4567890) with a Site‑to‑Site VPN to its data center and wants the solution with the least operational overhead. Which approach best meets these requirements?

Question 9

A digital ticketing company runs microservices on Amazon EKS with Fargate profiles in eu-west-1, persists about 600 write transactions per second to an Amazon Aurora PostgreSQL cluster, and must fail over to a different AWS Region with an RPO ≤ 1 second and an RTO ≤ 15 minutes while minimizing ongoing operational overhead; which approach best meets these requirements?

Question 10

A telematics startup operates 2,500 delivery drones across two metro regions. Each drone publishes JSON telemetry (GPS, temperature, vibration) every 100 ms with an average record size of 1.5 KB. The company needs an AWS solution to ingest this continuous stream and deliver events in near-real time (end-to-end under 3 seconds) to a database that does not require fixed schemas so attributes can evolve without migrations. Which solution will meet these requirements?

Practice Test #2

Triple AI-Verified Answers & Explanations

Practice Questions

Success Stories(9)

Other Practice Tests

Practice Test #1

Practice Test #3

Practice Test #4

Practice Test #5

Start Practicing Now