AWS Solutions Architect Associate Quiz

40 questions / 10 random questions

Secure, resilient, high-performing, and cost-optimized architectures
Try a 10-question AWS Solutions Architect Associate quiz

Random questions, instant feedback, and review for missed questions.


Included topics (40 questions)

Q1

You deliver static S3 content through CloudFront and must prevent users from accessing S3 directly. Which design is appropriate?

Answer:

OAC and a bucket policy allow CloudFront to retrieve content while the S3 bucket remains private.

Q2

Operators in another AWS account need temporary monitoring access to production. Which approach avoids sharing long-term access keys?

Answer:

Cross-account IAM roles are a standard way to grant least-privilege access with temporary credentials.

Q3

ECS tasks need database credentials that must not be embedded in code and should rotate periodically. Which design is appropriate?

Answer:

Secrets Manager with an ECS task role supports controlled retrieval and rotation without embedding secrets in images.

Q4

Sensitive S3 data must use a customer-managed key with separate key administrators and data users. Which service is central?

Answer:

KMS customer-managed keys support separation of key administration and cryptographic use through key policies and IAM.

Q5

You want to protect a public web application from SQL injection and known malicious request patterns in front of an ALB. Which service should you use?

Answer:

AWS WAF inspects and controls HTTP/HTTPS requests using web ACLs and managed rules.

Q6

EC2 instances in private subnets need S3 access without traversing the internet or a NAT Gateway. Which option is appropriate?

Answer:

Associating an S3 Gateway Endpoint with route tables provides S3 connectivity over the AWS network.

Q7

A web application must continue during a single-AZ failure. Which EC2-tier design is appropriate?

Answer:

An ALB with a multi-AZ Auto Scaling group can continue routing traffic to healthy instances in available AZs.

Q8

You need higher availability for RDS for MySQL with automatic failover after primary failure. Which option is appropriate?

Answer:

RDS Multi-AZ maintains a synchronous standby and provides automatic failover.

Q9

You need to decouple an order API from downstream work and absorb temporary delays or failures. Which design is appropriate?

Answer:

SQS decouples intake from processing, while a DLQ isolates messages that repeatedly fail.

Q10

A web application runs in two Regions, and DNS should switch to the standby only when the primary Region fails. Which option is appropriate?

Answer:

Failover routing defines primary and secondary records and switches responses based on health checks.

Q11

Critical S3 objects must be replicated to another Region for regional disaster recovery. Which feature is required?

Answer:

S3 replication requires Versioning. CRR replicates objects to a bucket in another Region.

Q12

You need low-latency global delivery of images from S3 while reducing origin load. Which service is appropriate?

Answer:

CloudFront uses edge caches to deliver content with low latency and reduce requests to S3.

Q13

A DynamoDB workload has very frequent reads of the same data and requires microsecond response times. Which service should be considered?

Answer:

DAX is a DynamoDB-compatible in-memory cache that accelerates read-heavy workloads.

Q14

Linux EC2 instances across multiple AZs need a concurrently mounted shared file system that scales capacity automatically. Which service is appropriate?

Answer:

EFS is a managed NFS file system for multiple Linux clients, supporting multi-AZ access and elastic capacity.

Q15

You need to ingest real-time events from many devices and feed multiple processing consumers. Which service is appropriate?

Answer:

Kinesis Data Streams ingests high-throughput streaming data for processing by multiple consumers.

Q16

Aurora read traffic is growing. You need to scale reads horizontally without changing the writer. Which option is appropriate?

Answer:

Aurora Replicas and the reader endpoint distribute read connections across replicas.

Q17

S3 logs become rarely accessed after 30 days and must be deleted after seven years. Which feature supports cost optimization?

Answer:

S3 Lifecycle automates storage-class transitions and deletion after the required retention period.

Q18

Steady compute usage across EC2 and Fargate is expected for more than a year, while flexibility across instance choices is desired. Which pricing option is appropriate?

Answer:

Compute Savings Plans discount eligible EC2, Fargate, and Lambda usage in exchange for a consistent spend commitment.

Q19

An image metadata update runs only a few times per day and finishes in seconds. You want to avoid paying for idle servers. Which option is appropriate?

Answer:

For short, infrequent event processing, Lambda usage-based billing avoids idle server cost.

Q20

A private-subnet data workload frequently accesses S3, causing rising NAT Gateway processing charges. Which improvement is appropriate?

Answer:

An S3 Gateway Endpoint keeps S3 traffic off the NAT Gateway, providing private access while reducing NAT processing cost.

Q21

An app on EC2 must access S3. What is the most secure way to provide credentials?

Answer:

An IAM role supplies and rotates temporary credentials automatically, avoiding embedded long-lived keys.

Q22

You need stateless allow/deny rules at the subnet level. Which feature fits?

Answer:

NACLs apply stateless allow/deny at the subnet boundary; security groups are stateful and instance-level.

Q23

You must encrypt data at rest and centrally manage and rotate keys. Which service fits?

Answer:

KMS creates, manages, and rotates encryption keys and integrates with many services such as S3 and EBS.

Q24

You want to store DB credentials securely with automatic rotation. Which service fits?

Answer:

Secrets Manager stores secrets encrypted and can automatically rotate credentials for supported databases.

Q25

Which is the recommended baseline principle for IAM permission design?

Answer:

Following least privilege, granting only required actions limits the blast radius of any compromise.

Q26

You want higher RDS availability during maintenance or failures. Which configuration fits?

Answer:

Multi-AZ keeps a standby in another AZ and fails over automatically, improving availability.

Q27

You want EC2 capacity to scale automatically with load. Which service fits?

Answer:

Auto Scaling adjusts instance count by metrics or schedule, balancing availability and cost efficiency.

Q28

You want to distribute traffic across EC2 instances and remove unhealthy ones. Which service fits?

Answer:

ELB distributes load to healthy targets based on health checks, improving availability.

Q29

In Route 53 you want automatic switching to a standby when the primary is down. Which feature fits?

Answer:

Failover routing uses health-check results to switch to the secondary automatically on failure.

Q30

You want to decouple components and buffer sudden request spikes. Which service fits?

Answer:

SQS holds messages in a queue, decoupling producers and consumers and absorbing load spikes.

Q31

For a read-heavy app, you want to reduce DB load and speed up responses. Which service fits?

Answer:

ElastiCache (Redis/Memcached) serves frequent data from in-memory cache, reducing database load.

Q32

You want low-latency delivery of content to global users. Which service fits?

Answer:

CloudFront caches and serves content from edge locations near users for low latency.

Q33

You want to scale read traffic on RDS. Which approach fits?

Answer:

Read replicas offload read queries, scaling read-heavy workloads.

Q34

You want faster uploads of large files to S3 from distant regions. Which feature fits?

Answer:

Transfer Acceleration routes uploads through optimized CloudFront edge paths to speed long-distance transfers.

Q35

When you need very high, consistent IOPS beyond gp3, which EBS volume type fits?

Answer:

io1/io2 let you provision the exact IOPS needed, suited to databases demanding high, steady IOPS.

Q36

You want the lowest cost for interruptible, restartable batch jobs. Which purchase option fits?

Answer:

Spot uses spare capacity at deep discounts but can be interrupted, ideal for fault-tolerant workloads.

Q37

You want a discount on steady EC2/Fargate usage while keeping flexibility. Which fits?

Answer:

Savings Plans give discounts for committing to a usage amount, applying flexibly across instance types.

Q38

You want old logs to move automatically to cheaper archival storage after a period. Which feature fits?

Answer:

Lifecycle rules transition objects to Glacier or expire them after a period, optimizing storage cost.

Q39

You want to optimize storage cost for data with unpredictable access, without operational effort. Which storage class fits?

Answer:

Intelligent-Tiering moves objects between tiers automatically based on access, optimizing cost without manual work.

Q40

You want to control NAT egress cost from private subnets while keeping availability. Which approach fits?

Answer:

Gateway endpoints keep S3/DynamoDB traffic off NAT, cutting data-processing charges, while NAT Gateway stays highly available.

certdrill.dev is an independent, unofficial learning site and is not affiliated with LPI Japan, IPA, AWS, Microsoft Azure, or any exam provider. Questions and explanations are original content.