Amazon Practice Questions, Discussions & Exam Topics by our Authors
A company needs to prevent Amazon S3 objects from being shared with IAM identities outside of the company's organization in AWS Organizations. A security engineer is creating and deploying an SCP to accomplish this goal. The company has enabled the S3...
To meet the requirement of preventing Amazon S3 objects from being shared with IAM identities outside of the company's organization in AWS Organizations, the security engineer is creating and deploying a Service Control Policy (SCP). Let's review each option:
Option A: Deny the S3: action with a Condition element that comprises an operator of StringNotEquals, a key of aws:ResourceOrgID, and a value of {aws:PrincipalOrgID}.
- Analysis: The condition `aws:ResourceOrgID` checks the organization ID associated with the resource (in this case, an S3 bucket), and `aws:PrincipalOrgID` checks the organization ID of the IAM principal (the user or role making the request). The condition ensures that the action can only be performed if the resource and the principal belong to the same AWS Organization. This is the correct approach because it directly restricts actions on S3 objects to only IAM identities that belong to the same organization.
- Reason for Selection: This is the most appropriate solution because it ensures that the S3 actions are only allowed when both the IAM principal and the S3 resource belong to the same organization, effectively preventing sharing with external entities.
Option B: Deny the S3:PutAccountPublicAccessBlock action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals.
- Analysis: The action `S3:PutAccountPublicAccessBlock` is used to manage the account-level public access block configuration, but this does not directly address the concern of preventing S3 objects from being shared with external IAM identities. The `aws:PrincipalArn` condition is intended to filter based on the ARN of the IAM principal, but this option is not sufficient to prevent external sharing of S3 objects.
- Reason for Rejection: This option is more related to managing public access settings rather than ensuring that only internal IAM principals can access or share S3 object...
Author: Ahmed97 · Last updated Jun 27, 2026
A security engineer is implementing authentication for a multi-account environment by using federated access with SAML 2.0. The security engineer has configured AWS IAM Identity Center as an identity provider (IdP). The security engineer also has created IAM roles to grant access to the AWS accounts.
A federated user reports an authentication failure when the u...
To troubleshoot the federated authentication issue in a multi-account environment using SAML 2.0 with AWS IAM Identity Center, let's break down the available options:
Option A: Review the SAML IdP logs to identify errors. Check AWS CloudTrail to verify the API calls that the user made.
- Analysis: Reviewing the SAML IdP logs is critical for identifying potential issues in the SAML assertion or any misconfigurations in the identity provider (IdP). This can help pinpoint if the SAML assertion is correctly formatted and if the correct roles and permissions are included. Checking AWS CloudTrail helps to trace the API calls made by the federated user and can provide insight into what exactly failed during the authentication or authorization process. These steps would give a comprehensive overview of both the IdP and AWS sides of the authentication process.
- Reason for Selection: This approach is operationally efficient because it combines reviewing both IdP logs (for issues with the authentication process) and AWS CloudTrail logs (to verify that the correct roles and permissions are being applied on the AWS side). It directly addresses the need to troubleshoot authentication failures by looking at both the source of the authentication and the subsequent AWS API calls.
Option B: Review the SAML IdP logs to identify errors. Use the IAM policy simulator to validate access to the IAM roles.
- Analysis: Reviewing the SAML IdP logs is essential, but using the IAM policy simulator is less efficient for troubleshooting federated access because the simulator is designed to test permissions for IAM users, not federated users. The simulator does not fully replicate the federated login process and may not catch issues related to the SAML assertion or role mappings that are specific to federated access.
- Reason for Rejection: The IAM policy simulator is not as effective in troubleshooting federated login issues since it does not simulate the full federated authentication and authorization process. It’s ...
Author: FrostFalcon88 · Last updated Jun 27, 2026
A company stores sensitive data in an Amazon S3 bucket. The company encrypts the data at rest by using server-side encryption with Amazon S3 managed keys (SSE-S3).
A security engineer must prevent any m...
To meet the requirement of preventing any modifications to the data in the Amazon S3 bucket, let's evaluate the available options:
Option A: Configure S3 bucket policies to deny DELETE and PUT object permissions.
- Analysis: Configuring S3 bucket policies to explicitly deny the `DELETE` and `PUT` object actions would prevent users from modifying or deleting objects in the bucket. While this approach will prevent data modifications, it is not foolproof because users with higher-level permissions (e.g., admins) could still modify the policy or bypass this restriction.
- Reason for Rejection: While this approach can work to restrict PUT and DELETE actions, it is not as secure as other solutions that ensure data immutability, such as S3 Object Lock. Bucket policies can be modified by users with the appropriate permissions, making this approach less secure for preventing all modifications.
Option B: Configure S3 Object Lock in compliance mode with S3 bucket versioning enabled.
- Analysis: S3 Object Lock in compliance mode provides immutability for objects in an S3 bucket, meaning that once an object is locked, it cannot be deleted or modified until the retention period expires (if set). When S3 bucket versioning is enabled, previous versions of objects are preserved, ensuring that no modifications can be made to the objects, even by users with administrative permissions. This solution ensures data integrity and prevents any unauthorized changes.
- Reason for Selection: This solution is the most robust for ensuring that the data is protected from modification. S3 Object Lock in compliance mode guarantees that no modifications or deletions can occur, even by administrators, making it the ideal solution to prevent cha...
Author: Aria · Last updated Jun 27, 2026
A company is developing a new serverless application that uses AWS Lambda functions. The company uses AWS CloudFormation to deploy the Lambda functions.
The company's developers are trying to debug a Lambda function that is deployed. The developers cannot debug the Lambda function because the Lambda function is not logg...
In this scenario, the goal is to ensure that the Lambda function can log its output to Amazon CloudWatch Logs for debugging. The issue appears to be that the Lambda function is not logging output to CloudWatch Logs. Let's go through each option to determine which ones would help resolve this issue.
A) Check the role that is defined in the CloudFormation template and is passed to the Lambda function. Ensure that the role has a trust policy that allows the sts:AssumeRole action by the service principal lambda.amazonaws.com.
- Explanation: This option is related to the trust policy of the role. It ensures that AWS Lambda can assume the role to execute the function. However, this step focuses more on permissions related to the Lambda function's ability to execute, not directly related to CloudWatch Logs permissions.
- Rejection: The issue described is not related to the Lambda function assuming the role but rather to the function's permissions to log data to CloudWatch. Therefore, this is not the correct solution for logging issues.
B) Check the execution role that is configured in the CloudFormation template for the Lambda function. Ensure that the execution role has the necessary permissions to write to CloudWatch Logs.
- Explanation: This option is the most relevant. Lambda functions need an execution role with the appropriate permissions to interact with other AWS services, including CloudWatch Logs. The execution role must have a policy allowing actions like `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` in order to write logs to CloudWatch.
- Selected because: This directly addresses the issue of logging by ensuring the Lambda function has the correct permissions to interact with CloudWatch Logs. This is a critical step for debugging Lambda functions.
C) Check the Lambda function configuration in the CloudFormation template. Ensure that the Lambda function has an AWS X-Ray tracing configuration that is set to Active mode or PassThrough mode.
- Explanation: AWS X-Ray is ...
Author: Maya2022 · Last updated Jun 27, 2026
A company uses a collaboration application. A security engineer needs to configure automated alerts from AWS Security Hub in the us-west-2 Region for the application. The security engineer wants to receive an alert in a channel in the application every time Security Hub receives a new finding.
The security engineer creates an AWS Lambda function to convert the message to the format that the application requires. The Lambda function also sends the message to the application's API. The security engineer configures a corresponding Amazon EventBridge rule that specifies the Lambda function as the target.
After the EventBridge rule is implemented, the c...
To solve the problem with the least operational effort, let's analyze each option:
A) Update the Lambda function code to find pattern matches of events from Amazon Inspector and to suppress the findings.
- Explanation: This option suggests modifying the Lambda function itself to filter out Amazon Inspector alerts by matching patterns in the events. While this would work, it requires custom code development and maintenance, which introduces operational overhead. This approach also risks missing updates to Amazon Inspector alerts or additional findings that require suppression logic.
- Rejection: This approach involves additional custom code and requires ongoing maintenance as patterns may change. Therefore, it's not the most efficient solution in terms of operational effort.
B) Create a Security Hub custom action that automatically sends findings from all services except Amazon Inspector to the EventBridge event bus.
- Explanation: Security Hub custom actions allow you to define how findings are processed, but they do not offer an easy way to filter out Amazon Inspector findings specifically from being sent to EventBridge. Custom actions are meant for user-driven tasks and are not the best fit for excluding specific findings automatically from being processed by EventBridge.
- Rejection: This solution is not well-suited for automated filtering at the event level, making it more complex than necessary and requiring additional manual steps for filtering.
C) Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to `!= arn:aws:securityhub:us-west-2::product/aws/inspector`.
- Explanation: This solution inv...
Author: VioletCheetah55 · Last updated Jun 27, 2026
A company's security policy requires all Amazon EC2 instances to use the Amazon Time Sync Service. AWS CloudTrail trails are enabled in all of the company's AWS accounts. VPC flow logs are enabled for all VPCs.
A security engineer must identify any EC2 instances that...
To meet the security policy requirements, we need to identify Amazon EC2 instances attempting to use Network Time Protocol (NTP) servers on the internet. Let's break down each option:
A) Monitor CloudTrail logs for API calls to non-standard time servers.
- Explanation: CloudTrail logs capture API calls made within an AWS account, but it does not specifically log NTP-related actions. EC2 instances using NTP servers typically do not generate specific API calls that would be logged by CloudTrail.
- Rejection: CloudTrail will not capture NTP traffic as API calls to non-standard time servers. This option is not suitable because it focuses on API calls, not network traffic.
B) Monitor CloudTrail logs for API calls to the Amazon Time Sync Service.
- Explanation: CloudTrail logs can track API calls to AWS services, including the Amazon Time Sync Service. However, the requirement is to identify EC2 instances using external NTP servers, not AWS-managed time services. EC2 instances using the Amazon Time Sync Service wouldn't violate the security policy.
- Rejection: This option would not help in identifying instances using non-Amazon NTP servers, which is the core issue here.
C) Monitor VPC flow logs for traffic to non-standard time servers.
- Explanation: VPC Flow...
Author: Vivaan · Last updated Jun 27, 2026
A company has a multi-account strategy that uses an organization in AWS Organizations with all features enabled. The company has enabled trusted access for AWS Account Management. New accounts are provisioned through AWS Control Tower Account Factory.
The company must ensure that all new accounts in the or...
To determine the best solution with the least development effort, let’s evaluate the provided options based on the requirement of ensuring that all new accounts automatically become AWS Security Hub member accounts.
Option A: Enable Security Hub in the organization’s management account. Create an AWS Step Functions workflow. Create an Amazon EventBridge rule to invoke the workflow when a CreateAccount event occurs.
Analysis:
- This option is highly customizable and offers full control over the process. However, it involves creating a Step Functions workflow, which can add complexity and require more development and maintenance. Additionally, you would need to ensure that the EventBridge rule triggers correctly for the `CreateAccount` event and that the workflow handles enabling Security Hub for each new account.
- Rejected due to high development effort and complexity. It’s over-engineered for this use case.
Option B: Enable Security Hub in the organization’s management account. Wait for all new accounts to complete automatic onboarding.
Analysis:
- Security Hub provides an automatic onboarding process for new accounts when Security Hub is enabled in the organization’s management account. This would require minimal manual intervention and does not require any custom development. As soon as the new accounts are created, they are automatically onboarded into Security Hub.
- Selected as the simplest and least development-intensive solution. It directly satisfies the requirement without extra configuration or development work.
Option C: Enable Security Hub in the organization’s management account. Create an AWS Lambda function to enable Security Hub for new accounts. Invoke the Lambda function by using an AWS Cont...
Author: Amelia · Last updated Jun 27, 2026
A company uses Amazon Elastic Kubernetes Service (Amazon EKS) clusters to run its Kubernetes-based applications. The company uses Amazon GuardDuty to protect the applications.
EKS Protection is enabled in GuardDuty. However, the corresponding GuardDuty feature is not monitorin...
To ensure that GuardDuty is monitoring Kubernetes-based applications running on Amazon Elastic Kubernetes Service (EKS), we need to identify the appropriate solution based on the options provided. Let's evaluate each option:
Option A: Enable VPC flow logs for the VPC that hosts the EKS clusters.
Analysis:
- VPC flow logs capture information about the IP traffic going to and from network interfaces in the VPC. While VPC flow logs can be useful for monitoring network traffic, they do not directly help GuardDuty monitor Kubernetes-based applications themselves.
- Rejected because enabling VPC flow logs alone doesn't specifically integrate with GuardDuty for Kubernetes application monitoring. VPC flow logs are not focused on monitoring application-specific activities.
Option B: Assign the CloudWatchEventsFullAccess AWS managed policy to the EKS clusters.
Analysis:
- The CloudWatchEventsFullAccess policy grants permissions for publishing events to CloudWatch Events, but it does not directly impact GuardDuty’s monitoring capabilities. GuardDuty relies on specific data sources like VPC flow logs, DNS logs, or CloudTrail to detect threats and anomalies.
- Rejected because this policy doesn't align with the need to enable GuardDuty monitoring of Kubernetes-based applications in EKS.
Option C: Ensure that the AmazonGuardDutyFullAccess AWS managed policy is attached to the GuardDuty service role.
Analysis:
- The `AmazonGuardDutyFullAccess` policy is related to managing GuardDuty'...
Author: Ava · Last updated Jun 27, 2026
A company needs to log object-level activity in its Amazon S3 buckets. The company also needs to validate the integrity of the log file by using a di...
To determine the best solution that satisfies the company's requirements for logging object-level activity in Amazon S3 buckets and validating the integrity of the log files with a digital signature, let’s evaluate each option:
Option A: Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
Analysis:
- AWS CloudTrail can log object-level activity for S3 buckets by enabling data events for S3. This captures object-level operations like `GetObject`, `PutObject`, and others.
- CloudTrail also supports log file validation, which ensures that the integrity of the log files is maintained by applying a digital signature to the log files.
- Selected because it fully meets the requirements: it logs object-level activity through CloudTrail data events and validates the integrity of the log files via digital signatures.
Option B: Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.
Analysis:
- This solution logs access to objects within S3 but only captures server access logs, not object-level activity such as `PutObject` or `GetObject` events.
- Server access logs are more general and do not include details like object-level operations or the ability to validate the integrity of the log files with a digital signature.
- Rejected because it only logs server access events (like request and response data) but does not meet the requirement for logging object-level activity or validating log integrity.
Option C: Create an ...
Author: CrystalWolfX · Last updated Jun 27, 2026
A company has a new web-based account management system for an online game. Players create a unique username and password to log in to the system.
The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system.
The company's security team finds that the system was the target of a credential stuffing attack. Credentials that were exposed in other breaches were used to try to log in to the system.
The security team must impleme...
To reduce the chance of a successful credential stuffing attack and minimize the impact on legitimate users, we need to implement solutions that help detect and block malicious login attempts while keeping the user experience for legitimate users intact. Let's evaluate each option to determine which actions will meet these requirements:
Option A: Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address.
Analysis:
- This option suggests tracking successful login attempts per IP address using CloudWatch metrics. While this can help identify patterns of potential attacks (e.g., many successful logins from a single IP), it doesn’t proactively mitigate credential stuffing attacks.
- Rejected because it focuses on monitoring rather than actively defending against credential stuffing. While monitoring is important, it's reactive and doesn't directly reduce the likelihood of an attack.
Option B: Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the `awswaf:managed:aws:atp:signal:credential_compromised` label.
Analysis:
- The Account Takeover Prevention (ATP) rule group is specifically designed to detect and mitigate credential stuffing attacks. The ATP rule group inspects login attempts and blocks requests that match certain patterns associated with compromised credentials (such as those exposed in past breaches).
- Selected because it directly addresses the problem of credential stuffing by using AWS WAF’s managed rule group for account takeover prevention. It helps block malicious login attempts from users using exposed credentials without impacting legitimate users.
Option C: Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in.
Analysis:
- While a CAPTCHA can be effective in preventing automated attacks, it could negatively impact the user experience by requiring all users (even legitimate ones) to solve the CAPTCHA each t...
Author: Amelia · Last updated Jun 27, 2026
A company runs workloads on Amazon EC2 instances. The company needs to continually monitor the EC2 instances for software vulnerabilities and must display the findings in AWS Security Hub. The company must...
To meet the company's requirements of continually monitoring EC2 instances for software vulnerabilities and displaying the findings in AWS Security Hub without installing agents on the instances, we need a solution that can scan EC2 instances for vulnerabilities without relying on agent installation. Let's evaluate each option:
Option A: Enable Amazon Inspector. Set the scan mode to hybrid scanning. Enable the integration for Amazon Inspector in Security Hub.
Analysis:
- Amazon Inspector provides vulnerability scanning for EC2 instances and can be integrated with Security Hub to send findings. Hybrid scanning mode allows for both agent-based and agentless scanning, which means it can scan EC2 instances without installing an agent if hybrid scanning is enabled.
- This solution meets the requirement of monitoring EC2 instances for software vulnerabilities without needing agents and integrates the findings into Security Hub.
- Selected because it directly addresses the requirement by using Amazon Inspector's agentless scanning mode and integrates with Security Hub for continuous monitoring.
Option B: Use Security Hub to enable the AWS Foundational Security Best Practices standard. Wait for Security Hub to generate the findings.
Analysis:
- The AWS Foundational Security Best Practices standard in Security Hub provides security checks related to best practices but does not specifically address vulnerability scanning of EC2 instances for software vulnerabilities. It includes checks for configurations, not direct vulnerability assessments.
- Rejected because it doesn’t specifically monitor for software vulnerabilities or provide continuous scanning of EC2 instances.
Option C: Enable Amazon GuardDuty....
Author: Abigail · Last updated Jun 27, 2026
A company runs a custom online gaming application. The company uses Amazon Cognito for user authentication and authorization.
A security engineer wants to use AWS to implement fine-grained authorization on resources in the custom application. The security engineer must implement a solution that uses the user attributes that ...
The company needs a solution for implementing fine-grained authorization in its custom application, leveraging the user attributes that exist in Amazon Cognito. Let's evaluate each option based on the requirements:
Option A: Create a set of IAM roles and IAM policies. Configure the Cognito identity pool to assign users to the IAM roles.
Analysis:
- IAM roles and policies are a standard solution for authorization, and Cognito supports assigning users to IAM roles based on their identity. This allows the system to control access to AWS resources based on the user's identity attributes. The roles can have fine-grained access control policies attached to them, and you can use Cognito identity pool attributes to define which roles users are assigned to.
- Selected because this approach leverages Cognito’s identity pool for role-based access control and fine-grained authorization using user attributes. It is the most direct solution for implementing fine-grained authorization in AWS while using Cognito.
Option B: Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source. Map Cognito access tokens to the Verified Permissions schema.
Analysis:
- Amazon Verified Permissions is a service for managing fine-grained authorization policies in applications. It allows you to create, store, and manage policies, and can be used with external identity providers like Cognito. However, integrating it with Cognito requires configuring a mapping between Cognito’s access tokens and the Verified Permissions schema. While this is a valid solution, it introduces an additional layer of complexity and cost, which might be unnecessary if a simpler solution (like Option A) can meet the requirements.
- Rejected because although it’s a valid approach, it is more complex and involves extra setup, which may not be necessary for the current use case. Option A is simpler and more directly integrated with Cognito.
Option C: Create customer managed permissions by usin...
Author: Amira99 · Last updated Jun 27, 2026
A company wants to automate the creation of a security report. The company has an AWS Lambda function that gathers data from Amazon Inspector findings stored in AWS Security Hub in the us-west-2 Region. The Lambda function then needs to create a daily report by using an Amazon EventBridge schedule.
A security engineer discovers that the Lambda function is failing to create the rep...
To address the issue of the Lambda function failing to create the security report, the Lambda function needs the appropriate permissions to access Amazon Inspector findings stored in AWS Security Hub. The security engineer must implement a solution with least privilege access.
Analysis of Options:
A) Create a resource-based policy that allows Security Hub access to the ARN of the Lambda function.
- Reason for Rejection: This option would allow Security Hub to invoke the Lambda function, but the Lambda function itself needs permissions to access Security Hub and Amazon Inspector. A resource-based policy on Security Hub doesn't solve the problem of allowing the Lambda function to retrieve findings from Security Hub and Amazon Inspector. Thus, this is not the appropriate solution.
B) Attach the AWSSecurityHubReadOnlyAccess AWS managed policy to the Lambda function’s execution role.
- Reason for Rejection: The `AWSSecurityHubReadOnlyAccess` policy grants read-only access to AWS Security Hub, but it may not provide the required permissions for accessing Amazon Inspector findings, such as `inspector:Describe` or `inspector:List`. The solution needs to focus on both Security Hub and Amazon Inspector, ensuring the Lambda function can retrieve and report findings. This policy is too broad because it focuses only on Security Hub and doesn't cover the necessary permissions for Amazon Inspector.
C) Grant the Lambda funct...
Author: Ishaan · Last updated Jun 27, 2026
A company must retain backup copies of Amazon RDS DB instances and Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the backup copies in data centers that are several hundred miles a...
To meet the requirement of retaining backup copies of Amazon RDS DB instances and Amazon EBS volumes in data centers several hundred miles apart, the solution must ensure reliable backup management with minimal operational overhead. Let's analyze the options based on this criterion.
Analysis of Options:
A) Configure AWS Backup to create the backups according to the needed schedule. In the backup plan, specify multiple Availability Zones as backup destinations.
- Reason for Rejection: While this option provides backup scheduling using AWS Backup, specifying multiple Availability Zones within the same region doesn't meet the requirement of storing backups in data centers several hundred miles apart. Multiple Availability Zones are still within the same region and do not ensure geographical redundancy across distant locations. Hence, this option doesn't fulfill the geographic separation requirement.
B) Configure Amazon Data Lifecycle Manager to create the backups. Configure the Amazon Data Lifecycle Manager policy to copy the backups to an Amazon S3 bucket. Enable replication on the S3 bucket.
- Reason for Rejection: Amazon Data Lifecycle Manager is specifically for managing Amazon EBS snapshot lifecycles. Although this option handles EBS snapshots well and copying them to S3 with replication across regions is a good strategy for geographic redundancy, it doesn't cover Amazon RDS instances. The solution doesn't address RDS backup retention, which is a critical part of the requirement. Therefore, it’s incomplete for the overall need.
C) Configure AWS Backup to create the backu...
Author: William · Last updated Jun 27, 2026
A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs.
How can the security enginee...
To address the situation of unusually high traffic from a specific IP address without blocking the IP address entirely, we need a solution that can control and rate-limit traffic based on the request rate, without completely denying access. Let’s analyze the options based on these criteria:
Analysis of Options:
A) Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.
- Reason for Rejection: Routing traffic to a static webpage does not address the problem of rate limiting the traffic. This method would simply divert traffic from the IP address to a static page but would not reduce the volume of requests. The issue is not with the content served but with the traffic volume itself. Therefore, this option doesn't effectively manage or limit the request rate from the IP.
B) Implement a rate-based rule with AWS WAF.
- Selected Option: AWS WAF (Web Application Firewall) provides the ability to create rate-based rules to limit the number of requests from a particular IP address. By configuring a rate limit (e.g., allowing a specific number of requests per minute), AWS WAF can block excessive requests without completely blocking the IP. It will only trigger the limit if the rate is exceeded, effectively controlling traffic spikes while allowing legitimate traffic to continue. This solution is tailored for the scenario where we want to limit the ...
Author: Arjun · Last updated Jun 27, 2026
A company runs workloads that are spread across hundreds of Amazon EC2 instances. During a recent security incident, an EC2 instance was compromised and ran malware code until the company manually terminated the instance.
The company is now using Amazon GuardDuty to detect malware on EC2 instances. A security engineer needs to implement a solution that automates a response when GuardDuty determines that an instance is in...
To automate the response when Amazon GuardDuty detects that an EC2 instance is infected, the solution must efficiently isolate the instance, mitigate the risk, and comply with the AWS Well-Architected Framework's guidance on incident response. Let's examine the options and determine the most effective approach.
Analysis of Options:
A) Configure AWS Systems Manager Run Command to run when a GuardDuty scan determines that an instance is infected. Use Run Command to remove all network adapters from the operating system of the infected instance. Use Run Command to also add a tag of “Infected” to the instance.
- Reason for Rejection: While using AWS Systems Manager Run Command can execute tasks on the EC2 instance, removing network adapters from the operating system could cause operational issues and doesn’t fully isolate the instance from the network. The "Infected" tag can help with identification, but removing network adapters might not be the most effective way to stop malicious activity. This approach could also be difficult to manage and may lead to unforeseen consequences in the instance's behavior.
B) Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to delete all elastic network interfaces that are associated with the instance. Program the Lambda function to also add a tag of “Infected” to the instance.
- Reason for Rejection: Deleting elastic network interfaces (ENIs) associated with the EC2 instance would effectively disconnect the instance from the network, which can be an effective isolation strategy. However, deleting ENIs could create operational challenges, such as disrupting communication with other services, requiring re-attachment or re-creation of ENIs later. Although tagging the instance as "Infected" is useful for tracking, this approach might not be the most scalable or efficient in all environments, especially for handling large numbers of instances.
C) Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lamb...
Author: Samuel · Last updated Jun 27, 2026
A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security.
The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also...
To improve the security of a subnet with the given requirements, we need to consider how network ACLs work. Network ACLs (Access Control Lists) in AWS are stateless, meaning they need to explicitly allow both inbound and outbound traffic if it's needed. In this case, the goal is to allow outbound traffic for TLS (port 443) and deny inbound traffic for MySQL (port 3306).
Key Requirements:
- Allow outbound traffic on port 443 (for TLS).
- Deny inbound traffic on port 3306 (for MySQL).
Analysis of Options:
A) Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
- Reason for Rejection: This option allows traffic on port 443 inbound, which is incorrect since the requirement only specifies allowing outbound traffic to the internet (on port 443). It also denies port 3306 inbound, which is correct, but allowing port 443 inbound is unnecessary and does not meet the specified security requirements. The mistake lies in the inbound rule 100.
B) Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
- Reason for Rejection: This option denies port 3306 inbound, which is correct. However, the inbound rule 200 allows traffic on a wide port range (1024-65535), which could inadvertently allow unwanted traffic into the subnet. This is a broader rule than necessary and does not meet the requirement of securing the subnet properly. The outbound rule 100 is correct, but th...
Author: Daniel · Last updated Jun 27, 2026
A company hosts its microservices application on Amazon Elastic Kubernetes Service (Amazon EKS). The company has set up continuous deployments to update the application on demand.
A security engineer must implement a solution to provide automatic detection of anomalies in application logs in near real time....
To address the need for automatic detection of anomalies in application logs with real-time notifications to the security team, the solution should efficiently collect and analyze logs, detect anomalies quickly, and trigger alerts in near real-time.
Analysis of Options:
A) Configure Amazon CloudWatch Container Insights to collect and aggregate EKS application logs. Create a CloudWatch alarm to monitor for anomalies. Configure the alarm to launch an AWS Lambda function to alert the security team when anomalies are detected.
- Reason for Rejection: While Amazon CloudWatch Container Insights provides detailed monitoring and logging for EKS workloads, anomaly detection is not a native feature of CloudWatch alarms. CloudWatch alarms are used to track specific metrics or thresholds, but they do not inherently detect anomalies in logs. While using a Lambda function for notification is a valid approach, the anomaly detection capability is lacking, so this option is not ideal.
B) Configure Amazon EKS to send application logs to Amazon CloudWatch. Create a CloudWatch alarm based on a log group metric filter. Specify anomaly detection as the threshold type. Configure the alarm to use Amazon Simple Notification Service (Amazon SNS) to alert the security team.
- Selected Option: This option is the best fit for the scenario:
- CloudWatch Logs can collect application logs from Amazon EKS.
- Metric filters in CloudWatch can be set to detect specific patterns in the logs, such as unusual error rates or specific log entries indicative of an anomaly.
- Anomaly detection within CloudWatch is an advanced feature that allows the service to automatically identify anomalous behavior in the log data.
- When an anomaly is detected, Amazon SNS can trigger alerts to notify the security team, providing near real-time notifications.
- This solution is tightly integrated with CloudWatch and is well-suited for real-time log analysis and anomaly detection with minimal operational overhead.
...
Author: David · Last updated Jun 27, 2026
A company is migrating container workloads from a data center to Amazon Elastic Container Service (Amazon ECS) clusters. The company must implement a solution to detect potential threats in the workloads and to improve ...
When migrating container workloads to Amazon ECS, the company needs a solution that specifically detects potential threats within the workloads and improves the security posture of the container clusters. Let's evaluate each option in terms of meeting these requirements.
Analysis of Options:
A) Configure Amazon Inspector on the VPC that is running the ECS clusters.
- Reason for Rejection: While Amazon Inspector can be used to assess the security of EC2 instances and their configurations, it does not specifically cater to the detection of threats within containers or ECS workloads. It is more geared toward assessing EC2 and other resources. This does not fully address the need for continuous threat detection specifically within ECS clusters and containerized applications. It is useful for vulnerability scanning but does not focus on runtime threat detection in containers.
B) Enable Amazon GuardDuty Runtime Monitoring on the ECS clusters.
- Selected Option: Amazon GuardDuty is a continuous security monitoring service that can detect unusual or potentially unauthorized activity within AWS accounts and workloads. When GuardDuty Runtime Monitoring is enabled for ECS, it actively monitors the runtime behavior of containers, detecting anomalies and threats such as privilege escalation, unauthorized access, or network anomalies within the containerized workloads.
- Why it's selected: GuardDuty Runtime Monitoring is specifically designed for continuous monitoring of container workloads in Amazon ECS. It will directly address the company's need to detect potential threats in container workloads, improving the security postu...
Author: Sofia · Last updated Jun 27, 2026
A security engineer needs to implement a solution to determine whether a company's Amazon EC2 instances are being used to mine cryptocurrency. The solution must provide notifications of cryptocurrency-related activity to an Amaz...
To address the requirement of detecting cryptocurrency-related activity on Amazon EC2 instances and sending notifications, the solution should focus on continuous monitoring, threat detection, and integration with notification services like Amazon SNS.
Analysis of Options:
A) Create AWS Config custom rules by using Guard custom policy. Configure the AWS Config rules to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure AWS Config to initiate alerts to the SNS topic.
- Reason for Rejection: While AWS Config can track configuration changes and compliance, it is not inherently designed for real-time detection of threats such as cryptocurrency mining activities. It may not effectively monitor network-level activity (such as DNS queries) or runtime behavior in a way that is specific to detecting cryptocurrency mining. Additionally, using AWS Config to trigger alerts for such activities would be complex and may not provide immediate threat detection, making it less suitable for this scenario.
B) Enable Amazon GuardDuty. Create an Amazon EventBridge rule to send alerts to the SNS topic when GuardDuty creates a finding that is associated with cryptocurrency-related activity.
- Selected Option: Amazon GuardDuty is an ideal solution for this scenario:
- GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized activity within an AWS environment, including cryptocurrency mining. GuardDuty has built-in threat intelligence feeds, such as detecting anomalous network behavior, unusual traffic patterns, and activity associated with known cryptocurrency mining domains or IP addresses.
- GuardDuty is specifically designed to detect cryptocurrency mining and other malicious activity on EC2 instances.
- By using EventBridge, you can automatically trigger alerts to an SNS topic whenever GuardDuty creates a finding related to cryptocurrency mining. This provides real-time monitoring and notifications.
- Why it's selected: GuardDuty is designed to ...
Author: Kai99 · Last updated Jun 27, 2026
A company controls user access by using IAM users and groups in AWS accounts across an organization in AWS Organizations. The company uses an external identity provider (IdP) for workforce single sign-on (SSO).
The company needs to implement a solution to provide a single management portal to access accounts wit...
To provide a single management portal for user access across an organization in AWS, while using an external identity provider (IdP) for single sign-on (SSO), the solution should integrate with both AWS Organizations and an external IdP to manage user access across multiple AWS accounts seamlessly.
Let's evaluate the options:
A) Enable AWS IAM Identity Center. Specify the external IdP as the identity source.
- Selected Option: AWS IAM Identity Center (formerly AWS SSO) is designed for exactly this use case. It allows you to provide SSO across AWS accounts and applications. By specifying the external IdP as the identity source, you can integrate the IdP with IAM Identity Center, which will enable users to log in using their existing credentials. IAM Identity Center provides a single management portal to access all accounts within AWS Organizations, fulfilling both the user access and external IdP federation requirements.
- Why it's selected: This option is specifically designed to handle federated access for users from an external IdP, offering centralized access management across AWS accounts within an AWS Organization.
B) Enable federation with AWS Identity and Access Management (IAM). Specify the external IdP as the identity source.
- Reason for Rejection: While IAM Federation allows users to authenticate via an external IdP, it does not provide a centralized management portal for accessing multiple AWS accounts in AWS Organizations. IAM federation only allows users to access individual AWS resources but does not provide the single management portal to access multiple AWS accounts or support SSO across accounts. Therefore, while this option provides federation, it does ...
Author: Layla · Last updated Jun 27, 2026
A company must create annual snapshots of Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the snapshots for 10 years. The company will use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and snapshots.
The encryption keys must be rotated automatically every year. Snapshots that were created in previous ye...
To meet the requirement of automatically rotating the encryption keys every year while ensuring that snapshots created in previous years remain readable after key rotation, the company must select the right type of KMS key. Here's a breakdown of the key options and how they align with the requirements:
Key Factors:
1. Automatic Key Rotation: KMS must support automatic rotation of encryption keys.
2. Snapshot Readability After Rotation: The encryption keys used for snapshots created in previous years must remain valid and accessible even after automatic key rotation.
3. Key Management: The company must retain control over the key's lifecycle and handle the key rotation.
Option Breakdown:
A) Asymmetric AWS Managed KMS Keys with Key Material Created by AWS KMS:
- Explanation: Asymmetric keys are typically used for tasks involving encryption and decryption operations that require different keys (public and private keys). AWS managed KMS keys automatically rotate every year, but they are not designed for this kind of use case where the key needs to be rotated yearly for block storage like EBS snapshots.
- Why Rejected: Asymmetric encryption is not necessary for encrypting EBS snapshots because EBS volumes use symmetric encryption. Additionally, asymmetric keys do not directly support reading previously encrypted data with rotated keys in the way symmetric keys do. This would result in challenges for accessing older snapshots.
- Key Rotation: While automatic rotation is supported, asymmetric keys are not intended for the scenario requiring continuous snapshot access.
B) Symmetric Customer Managed KMS Keys with Key Material Created by AWS KMS:
- Explanation: Symmetric keys are appropriate for EBS volume encryption and snapshots. AWS KMS supports automatic key rotation for symmetric customer-managed keys every year, which satisfies the requirement of rotating keys yearly. The company has control over the key's lifecycle, and automatic rotation ensures that newer snapshots are encrypted with the latest key, while older sna...
Author: Ella · Last updated Jun 27, 2026
A company has hundreds of AWS accounts and uses AWS Organizations. The company plans to create many different IAM roles and policies for its product team, security team, and platform team. Some IAM policies will be shared across teams.
A security engineer needs to implement a solution to logically group together the IAM roles of each...
To solve the problem, we need to group IAM roles logically by team, with the additional requirement that only the platform team can delegate IAM permissions to AWS services.
Key Factors:
1. Logical Grouping of IAM Roles: We need to group IAM roles by team (product, security, platform) in a way that is scalable and manageable.
2. Delegation of IAM Permissions: Only the platform team should be allowed to delegate IAM permissions to AWS services, i.e., only they should have the ability to use `iam:PassRole`.
3. Using AWS Organizations: The solution must work in the context of AWS Organizations and SCPs (Service Control Policies), which apply restrictions across multiple AWS accounts.
Option Breakdown:
A) Set up an IAM path with the IAM roles for each team. Deploy an SCP that denies the iam:PassRole permission to all entities except the IAM path of the platform team.
- Explanation: This option involves using IAM paths to logically group IAM roles by team (e.g., `/platform/`, `/product/`, `/security/`). SCPs are then deployed to restrict the `iam:PassRole` permission to roles under the `platform` path.
- Why Selected: This solution meets the requirement because IAM paths can logically group roles by team, and SCPs can be used to limit `iam:PassRole` to roles that belong to the platform team. This is the most direct approach to restricting the platform team to only delegate IAM permissions while allowing other teams to have necessary permissions.
- Key Rotation and Delegation: The SCP would effectively block other teams from passing roles, ensuring that only the platform team has the `iam:PassRole` permission.
B) Apply different tags for each team to the IAM roles. Deploy an SCP that denies the sts:AssumeRole permission to all entities except the roles of the platform team.
- Explanation: This option uses tags to group IAM roles and restricts `sts:AssumeRole` via an SCP. Th...
Author: Maya · Last updated Jun 27, 2026
A company's developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizatio...
Key Factors to Consider:
- Preventing unauthenticated Lambda functions: The goal is to ensure that Lambda function URLs in production are not configured to allow unauthenticated access (i.e., ensuring that only authenticated users or services can invoke them).
- Using AWS Organizations: The solution needs to leverage AWS Organizations to enforce the policy across accounts.
- No additional work for developers: Developers should not need to do additional manual configuration, so the solution should be automated as much as possible.
Option Breakdown:
A) Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.
- Explanation: CORS allows a web application from one domain to request resources from another domain, but this is not directly related to preventing unauthenticated access. It is more about cross-domain access control, not about enforcing authentication for Lambda function URLs.
- Why Rejected: This option does not address the need to block unauthenticated access to Lambda functions in production environments. The issue here is ensuring proper authentication (AWS IAM) for the Lambda function URLs, not controlling CORS behavior.
B) Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.
- Explanation: AWS WAF is a web application firewall that can block traffic based on certain conditions. While it could be used to block unauthenticated traffic, using WAF to restrict unauthenticated access is not the most efficient way to manage authentication requirements at the Lambda function URL level.
- Why Rejected: This approach introduces additional complexity, requiring WAF rules to manage unauthenticated access. The requirement is to use a more direct method to control Lambda function URL configurations and prevent unauthenticated access through AWS Organizations and IAM policies, which...
Author: Ahmed97 · Last updated Jun 27, 2026
A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solutio...
Key Requirements:
1. Detect Unencrypted DB Instances or Clusters: The solution needs to detect Amazon RDS DB instances or clusters that are created without encryption.
2. Generate Email Alerts: The solution should notify the relevant stakeholders via email when an unencrypted DB instance or DB cluster is created.
3. Terminate Unencrypted Resources: The solution must terminate the unencrypted DB instance or DB cluster immediately after detection.
Option Breakdown:
A) Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
- Explanation: This option uses AWS Config to monitor the compliance of the RDS instances and DB clusters. When a rule detects unencrypted storage, it triggers an automatic remediation action. This action publishes an SNS message, which invokes a Lambda function that deletes the unencrypted resource.
- Why Selected: This is a highly operationally efficient solution because:
- Automated Detection: AWS Config can continuously monitor the configuration of the RDS resources.
- Automatic Remediation: The remediation action automatically deletes the unencrypted DB instance or DB cluster.
- Email Notification: The SNS topic can be configured with an email delivery target to notify relevant stakeholders about the unencrypted resource.
- End-to-End Automation: The whole process is automated without requiring manual intervention, which ensures operational efficiency.
B) Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
- Explanation: This option also uses AWS Config to detect unencrypted RDS instances and clusters but requires manual remediation. When an unencrypted resource is detected, the remediation action must be triggered manually to invoke the Lambda function.
- Why Rejected: While this approach is similar to Option A, it introduces a manual step in the process, which reduces operational efficiency. The requirement is for an automated solution, and manual remediation introduces unnec...
Author: CrystalWolfX · Last updated Jun 27, 2026
A company uses AWS Organizations to manage an organization that consists of three workload OUs. Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.
The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deplo...
To troubleshoot the issue of insufficient IAM permissions during the CloudFormation stack update, let's break down the reasoning for each option:
A) Review the AWS CloudTrail logs in the account in the Production OU. Search for any failed API calls from CloudFormation during the deployment attempt.
- CloudTrail logs can provide valuable insight into the exact API calls made by CloudFormation, and why they may have failed. In this case, reviewing the CloudTrail logs could show which permissions were lacking when attempting the deployment. This can help identify the specific IAM permission or AWS service issue that caused the failure.
- Why not reject? This step is a logical first step in investigating the specific error, and could provide more detailed information. It helps identify the "why" behind the issue (e.g., a missing permission or misconfigured role). So, this is a useful first step.
B) Remove all the SCPs that are attached to the Production OU. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.
- Removing all the SCPs is a drastic step. While it could allow the CloudFormation API calls to go through, it isn't a targeted or safe approach, especially since the other OUs (Development and Testing) aren't facing the same issue. This could have unintended security consequences, and it's important to narrow down the specific SCP or permission causing the issue.
- Why reject? Removing all SCPs is an excessive action that might violate security best practices and unnecessarily opens up access for all accounts in the Production OU. This is not the most effective or secure troubleshooting step.
C) Confirm that the role used by CloudFormation has sufficient permissions to create,...
Author: Ahmed · Last updated Jun 27, 2026
A company hosts a web-based application that captures and stores sensitive data in an Amazon DynamoDB table. The company needs to implement a solution that provides end-to-end data protection and the abil...
To ensure end-to-end data protection and the ability to detect unauthorized changes to sensitive data in a DynamoDB table, let’s evaluate each of the options:
A) Use an AWS Key Management Service (AWS KMS) customer managed key. Encrypt the data at rest.
- Explanation: AWS KMS allows for encryption at rest, protecting data stored in DynamoDB. However, this only covers encryption while the data is at rest. It doesn’t address data in transit or provide a mechanism to detect unauthorized changes to the data. Although KMS can prevent unauthorized access by encrypting the data, it doesn’t provide end-to-end protection or data integrity verification for changes.
- Why reject: While it secures data at rest, this solution doesn't address detecting unauthorized changes or provide protection for data in transit. End-to-end protection and data change detection are not fully addressed by KMS alone.
B) Use AWS Private Certificate Authority. Encrypt the data in transit.
- Explanation: AWS Private Certificate Authority (PCA) is used to manage and issue certificates for secure communication. It ensures data is encrypted in transit between clients and servers. However, PCA only addresses data in transit, not data at rest, and it doesn’t address the detection of unauthorized changes in the data stored in DynamoDB.
- Why reject: While it handles encryption in transit, this option doesn't provide end-to-end encryption or data integrity for data at rest, and it doesn't detect unauthorized changes within the DynamoDB table.
C) Use the DynamoDB Encryption Client. Use client-side encryption. Sign the table items.
- Explanation: The DynamoDB Encryption Client provides client-side encryption, meaning data...
Author: Liam123 · Last updated Jun 27, 2026
A company is developing an ecommerce application on AWS. The company wants to make sure that the application can handle sudden increases in traffic.
The company uses AWS CodePipeline for its CI/CD process. The company must implement a solution to integrate automated load testing into the CI/CD pipeline to validate the application's performance. The solution must ...
Let’s carefully analyze the scenario and each option to determine which meets the requirements with the least operational overhead.
---
Requirements Recap
1. Ecommerce application on AWS.
2. Must handle sudden traffic spikes → needs load testing.
3. CI/CD is handled with AWS CodePipeline.
4. Automated load testing must be integrated into the pipeline.
5. Deployment to production should only happen if performance thresholds are met.
6. Least operational overhead → minimal server management, simpler orchestration.
---
Option A: Elastic Beanstalk + Load Test Tools + Lambda + EventBridge
Pros:
Elastic Beanstalk handles deployment, scaling, and load balancing → less operational overhead.
Integrated monitoring can be done using CloudWatch + Lambda.
Cons:
Elastic Beanstalk is primarily for application deployment, not running ephemeral load tests.
Running load tests inside Elastic Beanstalk can be cumbersome.
Requires custom orchestration via Lambda and EventBridge → adds complexity.
Not designed for integrating automated load tests into CI/CD natively.
Use case scenario: Elastic Beanstalk is great for simple web apps that need auto-scaling, but not ideal for ephemeral CI/CD load tests.
---
Option B: Fargate tasks + ECS + Lambda + CodePipeline custom actions
Pros:
Fargate is serverless container runtime → no servers to manage.
Containers can run ephemeral load tests easily.
ECS + Fargate can scale up for test workloads and terminate after the test → minimal overhead.
Lambda can analyze results and integrate with CodePipeline.
Custom actions in CodePipeline allow gating deployment based on test results.
Cons:
Slightly more complex to set up ECS tasks and custom CodePipeline actions.
But this is manageable and fits the serverless philosophy.
Use case scenario: Perfect for ephemeral load testing as part of CI/CD, especially for apps requiring scalable, on-demand tests.
---
Option C: EC2 + Step Functions + EventBridge + Lambda
Pros:
Can run any load test scripts, full control.
Cons:
Requires managing EC2 instances → high operational overhead.
Step ...
Author: Sam · Last updated Jun 14, 2026
A company needs to update its order processing application to improve resilience and availability. The application requires a stateful database and uses a single-node Amazon RDS DB instance to store customer orders and transaction history. ...
Let’s carefully analyze this AWS scenario. The company currently uses a single-node RDS DB instance for storing orders and transaction history. The requirements are high availability (HA) and resilience, and the database is stateful. Each option will be evaluated against these requirements.
---
Option A: Migrate to DynamoDB global tables and use Route 53 for failover
Pros: DynamoDB is highly available, globally distributed, and can scale automatically.
Cons: This is a NoSQL database, while the current application likely uses a relational database (RDS). Migrating from RDS to DynamoDB would require significant application changes because relational schemas, joins, and transactional consistency differ.
Use Case: Best for applications that can move to NoSQL and require multi-region replication.
Reason for rejection: The question assumes the need to keep a stateful relational DB, so this is not suitable.
---
Option B: EC2 instances in multiple AZs with EBS Multi-Attach
Pros: EC2 + EBS is flexible; theoretically, you can create your own HA database cluster.
Cons:
EBS Multi-Attach allows multiple EC2 instances to attach to the same EBS volume, but only for certain workloads (like clustered file systems or Oracle RAC). Standard relational DB engines like MySQL or PostgreSQL cannot safely run on Multi-Attach volumes due to data corruption risks.
Managing HA manually (replication, failover, backups) becomes complex.
Use Case: Custom HA workloads that cannot use RDS.
Reason for rejection: This is unsupported for standard RDS en...
Author: NightmareDragon2025 · Last updated Jun 14, 2026
A company has application code in an AWS CodeConnections compatible Git repository. The company wants to configure unit tests to run when pull requests are opened. The company wants to ensure that the test status is visible in pull requests when the tests are completed. The company wants to save output data files that the tests...
Let's carefully analyze this AWS scenario step by step. The requirements are:
1. Run unit tests when pull requests (PRs) are opened.
2. Ensure test status is visible in pull requests.
3. Save output data files from tests to an S3 bucket.
We are asked which combination of solutions will meet these requirements. Let’s evaluate each option.
---
A) Create an IAM service role to allow access to the resources that are required to run the tests. ✅
Analysis:
CodeBuild or CodePipeline requires permissions to access S3, Git repositories, and other AWS services.
Creating an IAM service role is necessary to give the build/test jobs the permissions they need.
Usage scenario: Whenever CodeBuild or CodePipeline interacts with AWS resources like S3, an IAM service role is required.
Conclusion: Selected.
---
B) Create a pipeline in AWS CodePipeline that has a test stage. Create a trigger to run the pipeline when pull requests are created or updated. Add a source action to report test results. ❌
Analysis:
While CodePipeline can orchestrate builds, CodePipeline does not directly integrate with pull requests for automatic triggers. Pull request events are better handled by CodeBuild with webhooks.
Reporting test results to PRs is handled by CodeBuild status reporting, not CodePipeline.
Usage scenario: This would be appropriate if the goal was a full deployment pipeline triggered manually or via commits, not specifically PR-based testing.
Conclusion: Rejected.
---
C) Create an AWS CodeBuild project to run the tests. Enable...
Author: Chloe · Last updated Jun 14, 2026
A software development team is implementing a CI/CD pipeline for its web application. The team is using AWS CodeBuild to compile Java-based source code and to run unit tests.
The team needs to store the artifa...
Let’s carefully analyze the scenario and each option. The key requirement is: store artifacts produced by an AWS CodeBuild project in a CI/CD pipeline for a web application.
---
Key factors for reasoning:
1. Artifact storage in CodeBuild: CodeBuild supports Amazon S3 as the native artifact storage. It does not natively support storing build outputs directly to EBS or EFS without additional custom setup.
2. IAM/Access control: The CodeBuild project needs permissions to write artifacts to the storage location. Typically, this is handled via the CodeBuild service role.
3. Use-case scenarios for storage types:
S3: Ideal for storing build artifacts, sharing across stages in CI/CD pipelines, and long-term storage. Native integration with CodeBuild.
EFS: Good for persistent file storage and sharing across multiple EC2 instances, but not typically used for CI/CD artifact output.
EBS: Tied to a specific EC2 instance, not sharable across instances or services directly. Not practical for CI/CD artifact storage.
---
Evaluate each option:
A) Create an S3 bucket. Configure it as artifact output location, update buildspec, configure bucket policy for the CodeBuild project’s resource access role.
Pros: Uses S3 (correct storage type). Artifact output location and buildspec are configured.
Cons: Mentions “project’s resource access role” instead of CodeBuild service role, which is slightly...
Author: ShadowWolf101 · Last updated Jun 14, 2026
A company uses AWS Organizations to manage multiple AWS accounts. The accounts are in an OU that has a policy attached to allow all actions. The company is migrating several Git repositories to a specified AWS CodeConnections supported Git provider. The Git repositories manage AWS CloudFormation stacks for application infrastructure that the company deploys across multiple AWS Regions.
The company wants a DevOps team to integrate CodeConnections into the CloudFormation stacks. The DevOps team must ensur...
Let’s go through this carefully. The key requirements are:
1. Limit integration to a specified Git provider → company staff must only integrate with the chosen Git provider.
2. High availability across multiple AWS Regions → deployments must work regionally.
3. CloudFormation stacks are used to manage infrastructure.
4. Use AWS CodeConnections-supported Git provider.
Now let's evaluate each option:
---
A) Add a new SCP statement to the OU that denies the CodeConnections `CreateConnections` action where the provider type is not the specified Git provider. ✅
Reasoning: SCPs (Service Control Policies) in AWS Organizations are used to restrict what actions accounts can perform.
This option directly ensures that staff cannot create connections to any Git provider except the specified one, satisfying the security requirement.
Use scenario: When you need to enforce that only a specific Git provider is used across multiple accounts.
---
B) Add a new SCP statement to the OU that allows the CodeConnections `CreateConnections` action where the provider type is the specified Git provider. ⚠️
Reasoning: SCPs are "deny by default," so you don’t need to explicitly allow an action if no deny exists.
This is redundant if the OU already allows all actions (as stated in the problem).
Use scenario: Only needed if the OU or account had restrictive SCPs and you needed to explicitly allow something.
Conclusion: Not strictly necessary here.
---
C) Use CodeConnections to configure a single CodeConnections connection to each Git repository. ⚠️
Reasoning: CodeConnections are regional resources.
Using a single connection in one region won’t work for high availability across multiple regions.
Use scenario: If deployment is only in...
Author: Sofia · Last updated Jun 14, 2026
A DevOps engineer updates an AWS CloudFormation stack to add a nested stack that includes several Amazon EC2 instances. When the DevOps engineer attempts to deploy the updated stack, the nested stack fails...
Let’s analyze this carefully step by step. The scenario is: a CloudFormation stack update fails when adding a nested stack that includes EC2 instances. The goal is to determine the cause of failure. We are asked to evaluate AWS options, explain reasoning, and identify the correct one.
---
Option A:
> Use the CloudFormation detect root cause capability for the failed stack to analyze the failure and return the event that is the most likely cause for the failure.
Analysis:
AWS CloudFormation does not have a "detect root cause" capability. This is not a real feature. While CloudFormation does provide events for stack operations, there’s no automatic root cause detection.
Verdict: ❌ Rejected
---
Option B:
> Query failed stacks by specifying the root stack as the ParentId property. Examine the StackStatusReason property for all returned stacks to determine the reason the nested stack failed to deploy.
Analysis:
Nested stacks are actually independent stacks created by the root stack.
Each nested stack has a StackStatus and StackStatusReason.
By querying the nested stacks via the ParentId (root stack ID), you can see why the nested stack failed, e.g., resource creation failure, permissions, or invalid parameters.
This is direct, accurate, and supported by AWS.
Scenario for use: When a nested stack fails, and you want precise failure reasons from CloudFormation itself without additional logging.
Verdict: ✅ Correct option
---
Option C:
> Activate AWS Systems Manager for the AWS account where the application runs. Use the AWS Systems Manager Automation AWS-SupportTrouble...
Author: Max · Last updated Jun 14, 2026
A DevOps team operates an integration service that runs on an Amazon EC2 instance. The DevOps team uses Amazon Route 53 to manage the integration service's domain name by using a simple routing record. The integration service is stateful and uses Amazon Elastic File System (Amazon EFS) for data storage and state storage. The integration service does not support load balancing between multiple nodes.
The DevOps team deploys the integration service on a new EC2 instance...
Let’s carefully analyze this AWS scenario step by step.
Scenario Key Points
1. Integration service is stateful and uses Amazon EFS for storage.
2. The service does not support load balancing between multiple nodes.
3. A warm standby EC2 instance is deployed to reduce downtime.
4. The team wants automatic failover to the standby EC2 instance.
5. Using Route 53 for DNS management.
So, the solution must support automatic failover for a single active instance, without trying to split traffic across nodes (because the service cannot be load-balanced).
---
Option Analysis
Option A
Weighted routing with primary at 100, standby at 0, health checks enabled.
How it works:
The primary handles all traffic (weight 100), standby gets 0.
If the primary fails the health check, Route 53 stops sending traffic to it, and the standby takes over automatically.
Pros:
Simple failover using Route 53 health checks.
Avoids load balancing, which is important for stateful services.
Suitable for a warm standby scenario.
Cons:
None for this use case.
✅ Works perfectly.
---
Option B
Weighted routing with primary at 99, standby at 1, health checks e...
Author: Scarlett · Last updated Jun 14, 2026
A company hosts several applications in an AWS account. Each application sends logs to its own log group in Amazon CloudWatch. The company's CloudWatch costs for ingestion are increasing.
A DevOps engineer needs to identify which applications are the source of ...
Let’s carefully analyze each option based on the requirement: identify which applications are causing increased CloudWatch logging costs in the most operationally efficient way. Key factors include operational efficiency, accuracy in identifying log sources, and cost visibility.
---
Option A: Use CloudWatch metrics to create a custom expression that identifies the CloudWatch log groups that receive the most data
Pros:
CloudWatch automatically collects metrics like `IncomingBytes` for each log group.
Custom expressions can aggregate or rank log groups by ingestion volume.
Operationally efficient because it leverages existing CloudWatch metrics without additional tools.
Cons:
None significant in this context; this is a direct method to link costs to log groups.
Best scenario:
When you need a quick, ongoing view of which log groups are consuming the most data, directly mapping to costs.
✅ Feasible and operationally efficient. Strong candidate.
---
Option B: Use Amazon CloudWatch Logs Insights to create a query for the application log groups to identify the number of log groups that received data during a specific time period
Pros:
Allows detailed querying of logs for troubleshooting or patterns.
Cons:
Logs Insights does not directly show ingestion volume per log group, only counts or patterns in logs.
Requires writing queries per log group, which is less operationally efficient for cost analysis.
Best scenario:
When analyzing content of logs or specific...
Author: Harper · Last updated Jun 14, 2026
A company has an AWS account named PipelineAccount. The account manages a pipeline in AWS CodePipeline. The account uses an IAM role named CodePipeline_Service_Role and produces an artifact that is stored in an Amazon S3 bucket. The company uses a customer managed AWS KMS key to encrypt objects in the S3 bucket.
A DevOps engineer wants to configure the pipeline to use an AWS CodeDeploy application in an AWS account named CodeDeployAccount to deploy the produced artifact.
The DevOps engineer updates the KMS key policy to grant the CodeDeployAccount account permission to use the key. The DevOps engineer configures an IAM role named DevOps_Role in the CodeDeployAccount account that has access to ...
Let's carefully analyze this AWS cross-account pipeline scenario and the provided options. I’ll break it down step by step.
---
Scenario Recap:
1. PipelineAccount has:
A CodePipeline using `CodePipeline_Service_Role`.
An S3 bucket storing artifacts encrypted with a customer-managed KMS key.
2. CodeDeployAccount has:
A CodeDeploy application.
`DevOps_Role` to allow pipeline deployment.
EC2 instance role that will access the S3 bucket and KMS key in PipelineAccount.
3. Actions already done:
KMS key policy updated to allow CodeDeployAccount to use it.
DevOps_Role exists in CodeDeployAccount with permissions for CodeDeploy.
EC2 instance role updated for access to S3 bucket & KMS key in PipelineAccount.
4. Goal:
Pipeline in PipelineAccount produces artifacts in S3 and deploys them using CodeDeploy in CodeDeployAccount.
---
Key Factors to Consider:
1. Cross-account S3 access:
The EC2 instance in CodeDeployAccount needs access to the artifact in the S3 bucket (PipelineAccount).
Therefore, the S3 bucket policy must grant CodeDeployAccount access (not PipelineAccount again).
2. Cross-account role assumption:
CodePipeline in PipelineAccount must assume DevOps_Role in CodeDeployAccount to deploy artifacts.
This requires:
`DevOps_Role` having a trust policy allowing PipelineAccount to assume it.
`CodePipeline_Service_Role` having permissions to assume DevOps_Role.
3. Incorrect approaches:
Giving DevOps_Role permission to assume CodePipeline_Service_Role (Option B) is wrong — the...
Author: Joseph · Last updated Jun 14, 2026
A company has multiple development teams in separate business units that work in a single shared AWS account. All Amazon EC2 resources that users create in the account must include tags that specify which user created the resources. The tagging must occur within the first hour of resource creation.
A DevOps engineer needs to add tags to new resources that include the ID of the user that created the resource and the appropriate cost center ID. The DevOps engineer configures an AWS Lambda function to use the cos...
Let's break this down carefully. The goal is:
Every EC2 resource must be tagged with the user ID and cost center ID within 1 hour of creation.
Lambda will apply the tags using cost center mappings.
CloudTrail is already set up and logging events to an S3 bucket.
We need a solution that triggers the Lambda function when a new EC2 resource is created, so that the function can apply the tags automatically and quickly.
---
Evaluate the options:
A) Create an S3 event notification on the S3 bucket to invoke the Lambda function for `s3:ObjectTagging:Put` events. Enable bucket versioning on the S3 bucket.
Problem: `s3:ObjectTagging:Put` events trigger when tags are applied to objects in S3, not when EC2 resources are created.
Relevance: This option is not relevant because EC2 resource creation does not trigger S3 object tagging events.
Conclusion: ❌ Reject.
---
B) Enable server access logging on the S3 bucket. Create an S3 event notification on the S3 bucket for `s3:ObjectTagging:` events.
Problem: Server access logging logs S3 access operations (GET, PUT, etc.) and creating a tagging event on S3 only tracks S3 object tagging.
Relevance: This does not capture EC2 resource creation events, so Lambda won't be triggered.
Conclusion: ❌ Reject.
---
C) Enable AWS Config in the account. Configure the `required-tags` AWS managed rule to check and update the required tags.
Pros: AWS Config can audit whether resources have required tags...
Author: Oscar · Last updated Jun 14, 2026
A company is developing code and wants to use semantic versioning. The company's DevOps team needs to create a pipeline for compiling the code. The team also needs to manage versions of the compiled code. If the code uses any open source librarie...
Let’s carefully analyze each option against the requirements:
Requirements:
1. Use semantic versioning for the compiled code.
2. Compile/build the code in a pipeline.
3. Manage versions of the compiled code.
4. Cache open source libraries during the build.
5. Solution must be in AWS.
---
Option A: CodeArtifact + CodeBuild
Setup:
CodeArtifact repository (can manage versions and store artifacts).
CodeBuild project builds code and publishes the artifact.
CodeBuild authenticates with CodeArtifact and caches dependencies.
Pros / How it meets requirements:
CodeBuild handles the compilation/build. ✅
CodeArtifact stores the compiled artifacts and supports semantic versioning. ✅
CodeArtifact allows upstream repositories, so open source libraries can be cached locally. ✅
This is a standard pattern for DevOps CI/CD in AWS. ✅
Verdict: Fully meets all requirements.
---
Option B: CodeDeploy + EFS
Setup:
CodeDeploy uploads semantic versions to EFS.
Problems:
CodeDeploy does not build code; it deploys pre-built artifacts. ❌
EFS is just a file system, not a versioned artifact repository. ❌
No caching of dependencies is built-in. ❌
Verdict: Doesn’t meet requirements for building, versioning, or caching.
Scenario where used: Best for deploying built applications to EC2 or on-prem, not for building or versioning....
Author: Olivia · Last updated Jun 14, 2026
A company uses a pipeline in AWS CodePipeline to deploy an application. The company created an AWS Fault Injection Service (AWS FIS) experiment template to test the resiliency of the application. A DevOps engineer need...
Let’s carefully analyze this AWS scenario step by step.
Scenario:
A company has an AWS CodePipeline for deploying an application.
They also have an AWS Fault Injection Simulator (FIS) experiment template.
The requirement is to integrate the FIS experiment into the pipeline so it runs as part of the deployment process.
We need to determine which option is the most appropriate for triggering FIS experiments directly from CodePipeline.
---
Option A: Configure a new stage in the pipeline with an AWS FIS action
Key factors:
AWS CodePipeline does not natively have an AWS FIS action type.
There’s no direct integration out-of-the-box between CodePipeline and FIS.
Verdict: Not feasible because you cannot directly add an FIS action in a pipeline stage.
---
Option B: Create an Amazon EventBridge scheduler
Key factors:
EventBridge can start FIS experiments.
But triggering the EventBridge scheduler from a pipeline requires an extra step, e.g., a Lambda function or custom action.
This adds unnecessary complexity for something that could be done more directly.
Scenario where used: Best for scheduled experiments independent of pipeline execution (like running chaos tests every night).
Verdict: Not ideal for pipeline integration.
---
Opti...
Author: Alexander · Last updated Jun 14, 2026
A DevOps engineer is creating a CI/CD pipeline to build container images. The engineer needs to store container images in Amazon Elastic Container Registry (Amazon ECR) and scan the images for common vulnerabilities. The CI/CD pipeline must be resilien...
Let’s carefully analyze the requirements and the options.
---
Key Requirements:
1. CI/CD pipeline builds container images.
2. Images must be stored in Amazon ECR.
3. Scan images for vulnerabilities.
4. Pipeline must be resilient to outages in upstream source container repositories (i.e., cache upstream images).
Key AWS features relevant here:
ECR private repository: Stores your images privately; supports image scanning.
ECR public repository: Public-facing images; supports pull-through cache rules to cache upstream public images.
Pull-through cache: Allows ECR to cache images from upstream public registries (like Docker Hub), providing resilience if the upstream registry is down.
Replication rules: ECR private replication is for replicating images between AWS regions or accounts, not for caching upstream public images.
---
Option Analysis
---
Option A
> Create an ECR private repository in the private registry. Scan images when pushed. Configure a replication rule in the private registry to replicate images from upstream repositories.
❌ Problem:
Replication rules do NOT pull images from upstream public registries; they replicate images between AWS accounts or regions only.
Will not provide resilience to upstream repository outages.
✅ Could work for storing and scanning private images, but fails the resilience requirement.
Scenario where this works: Multi-region or multi-account image replication.
---
Option B
> Create an ECR public repository in the public registry to cache images from upstream repositories. Creat...
Author: Andrew · Last updated Jun 14, 2026
A company is running its ecommerce website on AWS. The website is currently hosted on a single Amazon EC2 instance in one Availability Zone. A MySQL database runs on the same EC2 instance.
The company needs to eliminate single points of failure in the architecture to improve the website's a...
Let's analyze the problem carefully.
Current setup:
Single EC2 instance in one AZ
MySQL database on the same instance
Single points of failure: both web server and database
Requirement:
Eliminate single points of failure
Improve availability and resilience
Minimal changes to the website (important!)
---
Option A:
AWS Fargate containers (serverless container service)
Database: DynamoDB (NoSQL)
API Gateway
Analysis:
Pros: Highly available, serverless, scalable
Cons: Requires rewriting the application to work with DynamoDB (NoSQL) instead of MySQL. API Gateway would require changing how requests are handled.
Key factor: Minimal configuration changes requirement → this option is not suitable, because migrating from MySQL to DynamoDB is a big change.
---
Option B:
EC2 instances across multiple AZs
Auto Scaling group behind ALB
Database: Amazon Aurora Multi-AZ
CloudFront for content delivery
Analysis:
Pros:
EC2 web servers are deployed in multiple AZs → eliminates single point of failure for the application
Auto Scaling ensures resilience
ALB handles routing and failover automatically
Aurora Multi-AZ provides MySQL-compatible database with automatic failover → minimal database changes
CloudFront improves content delivery but op...
Author: Deepak · Last updated Jun 14, 2026
A company is developing a microservices-based application on AWS. The application consists of AWS Lambda functions and Amazon Elastic Container Service (Amazon ECS) services that need to be deployed frequently.
A DevOps engineer needs to implement a consistent deployment solution across all components of the application. The solution must automate the deployments, minim...
Let's break down the problem and evaluate each option carefully. The key requirements are:
Key factors to consider:
1. Consistent deployment across Lambda and ECS – One tool that supports both is ideal.
2. Automated deployments – Should minimize manual steps.
3. Minimize downtime during updates – Requires canary or blue/green deployments.
4. Manage configuration data – Either AWS Systems Manager Parameter Store or Secrets Manager can be used.
5. Least development effort – Should avoid complex orchestration unless necessary.
---
Option A: AWS CloudFormation + Secrets Manager
Pros:
CloudFormation can define and provision Lambda and ECS resources.
Secrets Manager can manage sensitive configuration data.
Cons:
Using stack updates with resource replacement will replace resources during updates, which causes downtime.
CloudFormation alone doesn’t natively handle safe deployment strategies like canary or blue/green for Lambda and ECS.
Best scenario: Good for infrastructure provisioning where downtime is acceptable or updates are infrequent.
Verdict: ❌ Rejected because it doesn’t minimize downtime and requires manual strategies for safe deployments.
---
Option B: AWS CodeDeploy + Systems Manager Parameter Store
Pros:
CodeDeploy supports Lambda canary deployments and ECS blue/green deployments, which minimize downtime.
Works consistently across both Lambda and ECS services.
Parameter Store can manage configuration data.
Autom...
Author: Carlos Garcia · Last updated Jun 14, 2026
A company is implementing a CI/CD pipeline for an application by using AWS CodePipeline and AWS CodeBuild. The company needs a solution to run unit tests and automatically generate code coverage reports before any code is deployed to production. The CI/CD pip...
Let’s carefully evaluate each option against the requirements:
Requirements recap:
Run unit tests and generate code coverage reports before deployment.
Automatically fail the pipeline if code coverage < 80%.
Use AWS CI/CD services (CodePipeline, CodeBuild).
---
Option A: Lambda function + EventBridge
How it works: Lambda runs tests and generates reports; EventBridge monitors coverage and fails pipeline.
Issues / Rejection reasoning:
Lambda is not ideal for running full test suites, especially if the tests take longer or require a build environment.
EventBridge runs on a schedule, not inline with CodePipeline stages. The pipeline cannot automatically fail mid-execution based on coverage; it would need a separate monitoring step.
Adds unnecessary complexity.
✅ Can be used for monitoring periodic code coverage, but not suitable for inline CI/CD test gating.
---
Option B: Step Functions workflow
How it works: Step Functions orchestrates tests and coverage, and fails if coverage < 80%.
Issues / Rejection reasoning:
Step Functions is primarily for orchestration of multiple tasks. While possible, running unit tests and coverage directly in Step Functions is non-standard.
CodePipeline does not have a native Step Functions action for test gating; you'd need a custom action or Lambda, which complicates things.
✅ Could be used for orchestrating complex multi-step processes, but overkill for simple unit tests and coverag...
Author: Abigail · Last updated Jun 14, 2026
A company has a web application that publishes logs that contain metadata for transactions, with a status of success or failure for each log. The logs are in JSON format. The application publishes the logs to an Amazon CloudWatch Logs log group.
The company wants to create a dashboard that di...
Let's break down the problem carefully and analyze each option. Key requirements:
The company has JSON logs with transaction metadata and status.
The goal is a dashboard showing the number of successful transactions.
The requirement emphasizes least operational overhead.
---
Option A: Amazon OpenSearch Service (OpenSearch Dashboards)
How it works: Logs are sent via a subscription filter to OpenSearch, where you can query them and build dashboards.
Pros: Full-text search, complex queries, customizable dashboards.
Cons / Operational overhead:
You have to provision and maintain an OpenSearch cluster (scaling, patching, backups).
More complex than CloudWatch metrics for simple counts.
Use case: Best if you need complex search and analytics, not just simple metrics.
Verdict: Overkill for counting successful transactions.
---
Option B: CloudWatch subscription filter → Lambda → Custom metric → Dashboard
How it works: Logs are sent to Lambda via a subscription filter. Lambda parses logs and publishes a custom CloudWatch metric for successes. Dashboard visualizes this metric.
Pros: Works for JSON logs, flexible logic in Lambda.
Cons / Operational overhead:
You have to manage Lambda code and deployment.
Lambda costs apply if logs are high-volume.
Use case: Needed if metric calculation is complex or requires transformations.
Verdict: Works, but more operational overhead than necessary for a simple success count.
---
Option C: CloudWatch metric filter →...
Author: Andrew · Last updated Jun 14, 2026
A company uses Amazon API Gateway and AWS Lambda functions to implement an API. The company uses a pipeline in AWS CodePipeline to build and deploy the API. The pipeline contains a source stage, build stage, and deployment stage.
The company deploys the API without performing smoke tests. Soon after the deployment, the company observes multiple issues with the API. A security audit finds security vulnerabi...
Let’s carefully analyze the problem and the options.
---
Key Requirements:
1. Deployments of API using API Gateway + Lambda.
2. Currently, there are issues and security vulnerabilities in production.
3. Goal: Prevent these issues in the future.
4. Pipeline stages: source → build → deploy.
Implications:
Need pre-deployment testing (smoke tests) to catch functional issues early.
Need security scanning before production to prevent vulnerabilities.
CI/CD best practices:
Build stage: static code analysis and security scans.
Deployment stage: post-deployment tests (like smoke tests).
---
Option Analysis
---
Option A
> Create a smoke test script that returns an error code if the API fails. Run it in the deployment stage after deployment. Configure the deployment stage for automatic rollback.
✅ Pros:
Smoke test after deployment detects functional issues immediately.
Automatic rollback ensures production is not left in a broken state.
✅ Matches requirement to prevent broken API from staying live.
Scenario: Standard post-deployment verification with rollback.
---
Option B
> Same as A but configure deployment stage to fail if smoke test fails.
✅ This is essentially the same as A; failing the deployment does not automatically rollback unless explicitly configured.
⚠ Less safe than A because production might still have the broken API if rollback is not enabled.
Scenario: Failing deployment without rollback; works but doesn’t fully protect production.
→ Prefer Option A over B for production safety.
---
Option C
> Add an action in the build stage using Amazon Inspector to scan Lambda code. Fail build if an...
Author: Emma · Last updated Jun 14, 2026
A company is implementing a standardized security baseline across its AWS accounts. The accounts are in an organization in AWS Organizations.
The company must deploy consistent IAM roles and policies across all existing and future accounts ...
Let's carefully analyze this AWS scenario step by step.
Scenario Requirements:
Standardized security baseline across all AWS accounts.
Accounts are in AWS Organizations.
Must deploy consistent IAM roles and policies across all existing and future accounts.
Goal: most operational efficiency.
We need a solution that is:
1. Automated for existing and future accounts.
2. Centralized for ease of management.
3. Uses AWS best practices for cross-account deployments.
---
Option A: AWS Control Tower with Account Factory customization
Control Tower helps set up landing zones and enforces guardrails.
Account Factory can provision new accounts with predefined IAM roles and policies.
✅ Pros: Automatic baseline for new accounts.
❌ Cons: Does not automatically update existing accounts with new IAM roles/policies unless you manually update them or use lifecycle customization scripts.
Use case: Best when primarily managing new accounts creation and baseline enforcement. Not ideal for mass updates to existing accounts.
---
Option B: CloudFormation StackSets with service-managed permissions
StackSets with service-managed permissions integrate directly with AWS Organizations.
Can deploy a CloudFormation stack across all accounts in the org, including future accounts automatically.
✅ Pros: Automatic deployment to all existing and future accounts, fully managed permissions reduce manual overhead.
✅ Pros: Operationally efficient and scalable.
Use case: Best for centrally managing resources (like IAM roles and policies) across all accounts in AWS Organizations.
---
Option C: CloudFormation StackSets with self-managed permissions
Requires manual IAM roles in each member account for CloudFormation to assume.
❌ Cons: Labor-intensive to set up and maintain across multiple accounts.
❌ Cons: Must manage permissions manually; less operationally efficient.
✅ Pros: Works if you need custom permissions in isolated environments or can't use service-managed permissions.
Use ca...
Author: Amelia · Last updated Jun 14, 2026
A company is migrating its web application to AWS. The application uses WebSocket connections for real-time updates and requires sticky sessions.
A DevOps engineer must implement a highly available architecture for the application. The application must be accessible to users worl...
Let's carefully analyze this AWS architecture question step by step. The requirements are:
Requirements:
1. WebSocket connections for real-time updates.
2. Sticky sessions are required.
3. Highly available architecture.
4. Global accessibility with low latency.
5. Least operational overhead.
---
Option A: ALB in multiple regions with cross-zone load balancing + sticky sessions + Route 53 latency-based routing
Pros:
ALB supports WebSockets natively.
Sticky sessions can be configured using ALB cookies.
Cross-zone load balancing improves availability within a region.
Latency-based routing via Route 53 reduces latency globally.
Cons:
Operational overhead: Managing multiple ALBs across regions.
Sticky sessions are cookie-based; they work fine for HTTP/WebSocket but need global session awareness if deployed across regions.
Use case: Good for global applications requiring WebSocket support and session stickiness, but some complexity exists for multi-region sticky sessions.
---
Option B: NLB in multiple regions + cross-zone + sticky sessions + Route 53 geolocation routing
Pros:
NLB supports WebSockets at the TCP level.
Cross-zone load balancing is supported.
Geolocation routing can direct users to closest regions.
Cons:
NLB does not support cookie-based sticky sessions, only source IP-based.
Source IP stickiness may fail for users behind NAT or proxies.
NLB cannot terminate HTTP/WebSocket; must rely on TCP only, which limits flexibility.
Use case: Good for high-performance TCP traffic without complex session stickiness. Less suitable if sticky sessions are critical.
---
Option C: NLB with CloudFront + IP-based sticky sessions
Pros:
NL...
Author: Charlotte · Last updated Jun 14, 2026
A company has a workflow that generates a file for each of the company's products and stores the files in a production environment Amazon S3 bucket. The company's users can access the S3 bucket.
Each file contains a product ID. Product IDs for products that have not been publicly announced are prefixed with a specific UUID. Product IDs are 12 characters long. IDs for products that have not been publicly announces begin with the letter P.
Th...
Let's carefully analyze the problem and the options step by step.
Requirements Recap:
1. Each file contains a product ID (12 characters long).
2. Unannounced products have IDs that:
Begin with P
Are prefixed with a specific UUID
3. The company does NOT want unannounced product IDs to appear in the production S3 bucket.
4. Users can access the production S3 bucket, so sensitive data must never appear there.
The key factor here is preventing unannounced product IDs from reaching production at all. It's not just about finding and deleting them later.
---
Option Analysis
A) Staging bucket + Macie custom data identifier + copy only safe files to production
Workflow:
Files are generated in a staging bucket.
Use a custom Macie identifier to detect product IDs starting with the specific UUID.
Copy only files without findings to the production bucket.
Pros:
Sensitive data never reaches production, satisfying the requirement. ✅
Custom Macie identifier allows precise detection of unannounced product IDs. ✅
Cons:
Requires extra staging bucket and Macie job. But this is acceptable for security.
Use Case: Best when you need to filter sensitive data before it reaches production.
---
B) Macie custom data identifier in production bucket, then delete files
Workflow:
Files are already generated in production.
Run Macie job to detect unannounced product IDs.
Delete files that match.
Problem:...
Author: Lucas Carter · Last updated Jun 14, 2026
A company uses Amazon RDS for Microsoft SQL Server as its primary database for applications. The company needs to ensure high availability within and across AWS Regions.
An Amazon Route 53 CNAME record is configured for the database endpoint. The applications connect to the database endpoint. The company must redirect application traffic to a standby database duri...
Let’s carefully analyze the scenario and each option, step by step, using the key requirements:
Key requirements:
High availability within and across AWS Regions.
RPO < 1 minute → maximum data loss of < 1 minute.
RTO < 10 minutes → failover/recovery in < 10 minutes.
Applications use a Route 53 CNAME for DB endpoint → must redirect traffic during failover.
---
Option A
> Deploy an Amazon RDS for SQL Server Multi-AZ DB cluster deployment that uses cross-Region read replicas. Use automation to promote the read replica to a standalone instance and to update the Route 53 record.
Analysis:
Multi-AZ DB cluster provides high availability within a Region automatically. Failover to the standby happens in seconds, meeting RTO < 10 min.
Cross-Region read replica allows disaster recovery in another Region. Promotion of a replica to a standalone instance is possible.
With automation to update the Route 53 record, traffic can redirect to the new primary.
RPO for cross-Region replicas is generally less than 1 minute, because replication is near real-time.
✅ This option meets all requirements: Multi-AZ for HA in Region, cross-Region replica for DR, automated failover with minimal downtime, and RPO < 1 min.
---
Option B
> Deploy an Amazon RDS for SQL Server Multi-AZ DB cluster. Set up automated snapshots to be copied to another Region every 5 minutes. Use AWS Lambda to restore the latest snapshot in the secondary Region during failover.
Analysis:
Multi-AZ provides high availability within a Region.
Cross-Region snapshots every 5 minutes → maximum RPO = 5 minutes, which fails the <1 minute RPO requirement.
Restoring snapshots in another Region takes longer than 10 minutes, failing the RTO < 10 min...
Author: Zara · Last updated Jun 14, 2026
A company wants to build a pipeline to update the standard AMI monthly. The AMI must be updated to use the most recent patches to ensure that launched Amazon EC2 instances are up to date. Each new AMI must be available to all AWS accounts in the company's organization in AWS Organizations.
The company needs to...
Let’s break this down carefully based on the requirements:
Requirements Recap:
1. Automatically update a standard AMI monthly.
2. AMI must include the most recent patches.
3. AMI must be shared with all AWS accounts in the organization.
4. The solution must be operationally efficient (minimal maintenance, automated).
---
Option Analysis
A) CodePipeline + CodeBuild + Lambda + CloudFormation template
Pros: CodePipeline can orchestrate AMI builds via CodeBuild. Lambda can schedule monthly execution.
Cons: Sharing the AMI via CloudFormation templates across accounts is not ideal, because CloudFormation templates do not automatically handle AMI sharing. Additional manual work is needed. Maintaining the pipeline and template updates monthly adds operational overhead.
Verdict: Not optimal for operational efficiency.
---
B) EC2 Image Builder
Pros:
Designed specifically for building, patching, and updating AMIs automatically.
Supports schedules, so monthly updates are easy.
Can distribute AMIs automatically to other AWS accounts within the organization.
Fully managed service → minimal operational overhead.
Cons: None significant; fits the exact requirements.
Verdict: Highly efficient and purpose-built for this scenario....