AWS Cloud Practitioner Exam Simulator Questions Answers
“Is an AWS certification worth it?”
Well, IT certifications saved my life, so from that perspective, I would have to say yes.
And that is not hyperbole. I truly believe certifications saved my life.
Early struggles
When I was a young man, I went through a difficult time.
At 21, I graduated from university with what felt like a useless degree. I had left home at 17 with high hopes for academic achievement, but when I returned at 22 I was not qualified to do much more than minimum-wage data entry for a local auto parts manufacturer.
A bad breakup with the girl who meant everything to me pushed me into a depression. Young men often struggle when their pride is hurt, and I had a very hard time coping.
To make matters worse, the night shifts ruined my sleeping patterns, which is never good for mental health. The work itself only took five minutes every hour. The rest of the time I was left alone with my thoughts, which made me spiral even further.
A turning point
At the time, Microsoft certifications were a big deal. I kept seeing advertisements in the newspaper for high-paying IT jobs. The computer I worked on was a Windows NT machine, so I bought a book on Windows NT certification. Instead of manifesting destructive thoughts, I spent my nights learning about the system settings on my computer.
The Buddhists say life is suffering. The corollary is that our goal must be to find something that distracts us from that suffering while making life engaging and challenging.
For me, studying computers and dreaming of an IT career gave me focus. My depression began to fade.
Success through certification
After a few months of study, I took the Windows NT Microsoft Certified Professional exam and scored 100 percent. About a year later, I completed the Microsoft Certified Systems Engineer designation after passing the sixth required exam.
I also discovered Java, a newly released programming language at the time. I answered questions on message boards and lost myself in coding challenges. I could bury my head in a programming problem for hours and come out with the satisfaction of cracking the code. It was bliss compared to sitting alone with dark thoughts.
More practice AWS exam questions can be found in my AWS Practitioner Udemy course and certificationexams.pro
Building a career
Shortly before finishing my MCSE, I met a few guys in a bookstore studying the same material. They told me their school would pay me to tutor them. That was my first IT job. Even though it was only a dozen hours a week, I was earning five times my old wage while mentoring people my age with similar goals.
A few months later I applied for a job teaching Java at a career college. My resume only had my degree, my certifications, and a few glowing references. I got the position, partly because a snowstorm hit Toronto the day of the interviews and none of the other applicants showed up. But the point is, I never would have been considered if not for those certifications.
I quit the factory job, moved into the city, and started my new life teaching in a beautiful office in the downtown core.
A changed life
I went from a dead-end job, deep depression, and no future prospects to a lifestyle envied by many of my peers. None of it would have happened without those certifications.
And who knows what would have happened if I had not found that focus. Maybe I would have turned to religion, or drugs, or sports, or maybe something worse. I do not know. What I do know is that the pursuit of certification gave me focus, lifted my mood, and permanently changed the direction of my life. So when people ask if certification is worth it, I can confidently say yes.
Looking back
Now in my fifties, I have been doing IT for a long time.
I do not let small setbacks knock me down anymore. But as I write certification books and publish Udemy courses, I often think back to who I was when I was younger. I like to think that someone reading my certification-related resources is also hoping to change the trajectory of their life.
Don’t think twice about getting AWS Practitioner certified, or Azure certified or Google Cloud certified. It can change your life, just like it changed mine.
Now, having said all that, here are the sample AWS Practitioner practice exam questions.
Which AWS service lets you build pre-migration cost estimates to compare with on-premises spend?
- ❏ A. AWS Cost Explorer
- ❏ B. AWS Trusted Advisor
- ❏ C. AWS Pricing Calculator
- ❏ D. AWS Migration Evaluator
Which statement best describes Elastic Load Balancing?
- ❏ A. AWS Global Accelerator
- ❏ B. Distributes requests across targets (EC2, containers, IPs) and only routes to healthy ones
- ❏ C. Amazon Route 53
- ❏ D. Amazon CloudFront
Which AWS service provides automated best practice checks and recommendations for cost, performance, and service quotas across 3 accounts?
- ❏ A. AWS Health Dashboard
- ❏ B. Trusted Advisor
- ❏ C. AWS Well-Architected Tool
- ❏ D. Amazon CloudWatch
Which AWS services have a global scope (not tied to a Region)? (Choose 2)
- ❏ A. Amazon S3
- ❏ B. AWS IAM
- ❏ C. AWS KMS
- ❏ D. Amazon CloudFront
- ❏ E. Amazon RDS
Which AWS Well-Architected best practice is supported by decomposing a monolith into microservices so each can scale and deploy independently?
- ❏ A. Automate change management
- ❏ B. Adopt event-driven architecture
- ❏ C. Design services to be loosely coupled
- ❏ D. Offload undifferentiated heavy lifting
Where do you provide a startup script so it runs automatically on an EC2 instance’s first boot?
- ❏ A. AWS Systems Manager Run Command
- ❏ B. EC2 instance user data
- ❏ C. Instance metadata
- ❏ D. EC2 launch template tags
Which AWS feature lets you tag resources so costs can be allocated by project in billing reports?
- ❏ A. AWS Cost Categories
- ❏ B. AWS Budgets
- ❏ C. AWS cost allocation tags
- ❏ D. AWS Trusted Advisor
Which AWS service provides near real-time log indexing, search, aggregations, and dashboards for operational analytics, delivering insights within 90 seconds for about 5 million events per hour?
- ❏ A. Amazon Kinesis Data Analytics
- ❏ B. Amazon CloudWatch Logs
- ❏ C. Amazon OpenSearch Service
- ❏ D. Amazon Athena
When securing the AWS account root user, which action should be avoided?
- ❏ A. Enable MFA for the root user
- ❏ B. Create an IAM admin user and stop using root
- ❏ C. Attempt to strip admin rights from the root user
- ❏ D. Remove or disable root access keys and secure credentials
Which AWS service lets you upload code for automatic provisioning, deployment, and scaling while still allowing access to the underlying servers?
- ❏ A. AWS App Runner
- ❏ B. AWS Elastic Beanstalk
- ❏ C. Amazon EC2
- ❏ D. AWS Lambda
All AWS exam questions come from the AWS Practitioner Udemy course and certificationexams.pro
Which AWS service centrally connects multiple VPCs in a hub-and-spoke model?
- ❏ A. VPC peering connection
- ❏ B. AWS Transit Gateway service
- ❏ C. AWS PrivateLink
- ❏ D. AWS Site-to-Site VPN
Which AWS service continuously records resource configuration changes and can trigger notifications for governance and compliance?
- ❏ A. Amazon EventBridge
- ❏ B. AWS Config service
- ❏ C. AWS Security Hub
- ❏ D. AWS CloudTrail
Which AWS service lets you create new AWS accounts via API and centrally govern them from one place?
- ❏ A. Amazon Lightsail
- ❏ B. AWS Control Tower
- ❏ C. AWS Organizations service
- ❏ D. Amazon QuickSight
Which EC2 option provides physical host visibility (sockets and cores) to support BYOL per-core licensing and audits?
- ❏ A. Reserved Instances
- ❏ B. Dedicated Instances
- ❏ C. EC2 Dedicated Hosts
- ❏ D. On-Demand Instances
Which serverless AWS service provides ETL and a centralized data catalog to prepare S3 data for later SQL analytics?
- ❏ A. Amazon Athena
- ❏ B. AWS Glue
- ❏ C. AWS Glue DataBrew
- ❏ D. Amazon Redshift
Which IAM actions follow AWS best practices? (Choose 2)
- ❏ A. Share the root user credentials for urgent billing tasks
- ❏ B. Grant least privilege by scoping policies to each role
- ❏ C. Enable MFA for all users but keep root access keys active
- ❏ D. Use IAM roles with temporary credentials for cross-account access
- ❏ E. Create long-term access keys for EC2 workloads instead of roles
Which benefits are typical of using Amazon RDS compared to self-managed on-premises databases? (Choose 2)
- ❏ A. Rapid scaling without hardware procurement
- ❏ B. Full OS control of DB hosts and custom agents
- ❏ C. Simplified HA using Multi-AZ and read replicas
- ❏ D. Cross-Region or cross-AZ replication is free
- ❏ E. Costs are guaranteed lower than on premises
Which AWS cloud advantage best enables rapid, frequent releases (about every 4 days) and shorter lead time for changes?
- ❏ A. Reliability
- ❏ B. Cloud agility
- ❏ C. Cost optimization
- ❏ D. Elasticity
Which AWS services provide Regional, multi-AZ availability by default? (Choose 2)
- ❏ A. Amazon RDS
- ❏ B. Amazon EFS
- ❏ C. AWS DynamoDB
- ❏ D. Amazon EBS
- ❏ E. Instance Store
Which AWS service lets you download SOC, PCI, and ISO compliance reports directly in the console without a support case?
- ❏ A. AWS Security Hub
- ❏ B. AWS Audit Manager
- ❏ C. AWS Artifact Reports
- ❏ D. AWS Certificate Manager
Which AWS service provides a managed Hadoop cluster for processing 30 TB of data each night?
- ❏ A. AWS Glue
- ❏ B. AWS Batch
- ❏ C. Amazon EMR service
- ❏ D. AWS Step Functions
In AWS CAF, which phase assesses capability gaps and aligns readiness for adopting AWS?
- ❏ A. Launch
- ❏ B. Align phase
- ❏ C. Envision
- ❏ D. Operate
Which AWS page provides a public, global view of AWS service status across all Regions without sign-in?
- ❏ A. AWS Config
- ❏ B. AWS Health Dashboard – Your account health
- ❏ C. AWS Health Dashboard – Service health
- ❏ D. Amazon CloudWatch
Which AWS service provides a guided workflow for sizing, configuring, and automatically deploying infrastructure for SQL Server Always On and SAP HANA?
- ❏ A. AWS CloudFormation
- ❏ B. AWS Launch Wizard
- ❏ C. AWS Compute Optimizer
- ❏ D. AWS Application Migration Service
Which statements about IAM users and groups are correct? (Choose 2)
- ❏ A. Users are auto-added to a default group
- ❏ B. Groups contain only users; no nesting
- ❏ C. New users automatically get access keys
- ❏ D. Groups can be nested
- ❏ E. A user can be in multiple groups
Which AWS service provides a durable message queue to decouple producers and consumers for asynchronous processing, allowing retrieval when workers are offline and handling bursts of about 25,000 messages per second?
- ❏ A. Amazon Kinesis Data Streams
- ❏ B. Amazon Simple Queue Service
- ❏ C. Amazon SNS
- ❏ D. Amazon EventBridge
Which EC2 pricing option offers significant savings for continuous, non-interruptible workloads?
- ❏ A. Capacity Reservations
- ❏ B. Spot Instances
- ❏ C. Standard Reserved Instances
- ❏ D. On-Demand Instances
For an AWS Site-to-Site VPN to a VPC, what is the AWS-side VPN termination point?
- ❏ A. Transit Gateway
- ❏ B. Customer Gateway
- ❏ C. Virtual Private Gateway (VGW)
- ❏ D. NAT Gateway
Which AWS Well-Architected pillar guides selecting instance types, sizes, and storage to use compute resources efficiently as demand changes?
- ❏ A. Reliability Pillar
- ❏ B. Performance Efficiency pillar
- ❏ C. Sustainability Pillar
- ❏ D. Cost Optimization Pillar
Under the AWS Shared Responsibility Model for Amazon RDS for PostgreSQL, which task is the customer responsible for?
- ❏ A. Applying database engine patches in RDS
- ❏ B. Securing physical access to AWS facilities
- ❏ C. Patching the host operating system
- ❏ D. Configuring database encryption and KMS keys
Which AWS offering provides automated, best-practice deployments of popular open-source stacks on AWS within 20 minutes?
- ❏ A. AWS Service Catalog
- ❏ B. AWS Launch Wizard
- ❏ C. AWS Partner Solutions Deploy
- ❏ D. AWS CodeDeploy
For a serverless web backend, which AWS services act as the API entry point and run the application code without managing servers? (Choose 2)
- ❏ A. Amazon DynamoDB
- ❏ B. AWS Lambda functions
- ❏ C. Amazon S3
- ❏ D. Amazon API Gateway service
- ❏ E. AWS Step Functions
Which AWS service issues short-lived, limited-privilege credentials for programmatic access without sharing long-term keys, for about 45 minutes to a few hours?
- ❏ A. Amazon Cognito
- ❏ B. AWS IAM Identity Center
- ❏ C. AWS STS
- ❏ D. AWS IAM Roles Anywhere
Which disaster recovery strategy is most cost-effective when an RPO of 8 hours is acceptable?
- ❏ A. Warm standby
- ❏ B. Backup & restore
- ❏ C. AWS Elastic Disaster Recovery
- ❏ D. Pilot light
Which AWS feature enforces organization-wide maximum permissions to restrict services and API actions across accounts, even if local admins grant broader access?
- ❏ A. AWS Control Tower
- ❏ B. AWS Organizations SCPs
- ❏ C. IAM permission boundaries
- ❏ D. AWS Identity Center
AWS Practitioner Exam Simulator Answers
Which AWS service lets you build pre-migration cost estimates to compare with on-premises spend?
- ✓ C. AWS Pricing Calculator
The correct option is AWS Pricing Calculator. It is the self-service tool for building itemized pre-migration cost estimates for proposed architectures, so you can compare projected AWS charges with current on-premises spend.
AWS Pricing Calculator lets you model resource choices such as compute, storage, and networking, and it provides detailed monthly and upfront cost breakdowns and exportable estimates that you can share with stakeholders. Use this tool when the question asks about estimating costs before workloads are deployed.
AWS Cost Explorer is incorrect because it analyzes and forecasts costs based on existing AWS usage; it is not for estimating costs before workloads are deployed.
AWS Trusted Advisor is incorrect because it focuses on best-practice checks and optimization recommendations for resources that are already deployed, and it does not provide upfront pricing estimates.
AWS Migration Evaluator is incorrect because it performs data collection and deep analysis to produce migration assessment reports; it is not a quick calculator for immediate price estimation.
When a question asks about building an itemized estimate before moving systems to AWS, pick AWS Pricing Calculator. For questions about current spend or trends, think of AWS Cost Explorer.
Which statement best describes Elastic Load Balancing?
- ✓ B. Distributes requests across targets (EC2, containers, IPs) and only routes to healthy ones
The correct choice is Distributes requests across targets (EC2, containers, IPs) and only routes to healthy ones. Elastic Load Balancing spreads incoming traffic across registered targets and continuously checks their health, so requests are sent only to healthy endpoints.
That option describes how Elastic Load Balancing operates. It supports targets such as EC2 instances, containers, and IP addresses, and it performs health checks so unhealthy targets are removed from rotation, which improves availability and fault tolerance for applications.
AWS Global Accelerator is not a data-plane load balancer. It uses the AWS global network and anycast to direct users to the optimal regional endpoint; it often fronts load balancers, but it does not distribute individual requests across registered targets in your VPC.
Amazon Route 53 is a DNS service that offers routing policies and health checks at the DNS layer. It does not perform per-request distribution to backend targets the way Elastic Load Balancing does.
Amazon CloudFront is a content delivery network that caches and serves content from edge locations. It is designed for edge delivery and caching, and it does not balance traffic among compute targets inside your VPC.
When a choice mentions distributing requests across targets or sending traffic only to healthy targets, choose Elastic Load Balancing. If the wording emphasizes DNS or global anycast routing, consider Route 53 or Global Accelerator instead.
Which AWS service provides automated best practice checks and recommendations for cost, performance, and service quotas across 3 accounts?
- ✓ B. Trusted Advisor
The correct choice is Trusted Advisor, which provides automated best-practice checks and recommendations for cost optimization, performance, and service quotas across accounts.
Trusted Advisor runs automated checks across your AWS environment and returns actionable recommendations for cost, performance, security, fault tolerance, and service quotas. It highlights opportunities for savings and warns about quota limits, and it can operate across multiple accounts when used with AWS Organizations and the appropriate support level.
AWS Health Dashboard is incorrect because it focuses on service health events and operational alerts rather than proactive best-practice checks for cost or quota recommendations.
AWS Well-Architected Tool is incorrect because it guides structured workload reviews against the architecture pillars, but it does not perform automated account-wide checks for costs or service quotas.
Amazon CloudWatch is incorrect because it collects metrics, logs, and alarms to monitor performance and trigger actions, but it does not provide prescriptive best-practice recommendations for cost, performance, and quotas the way Trusted Advisor does.
Match keywords like best-practice checks, cost, performance, and service quotas to the service that gives prescriptive recommendations across accounts.
Which AWS services have a global scope (not tied to a Region)? (Choose 2)
- ✓ B. AWS IAM
- ✓ D. Amazon CloudFront
The correct choices are AWS IAM and Amazon CloudFront. These two services operate with a global scope and are not tied to a single Region.
AWS IAM is account-wide and global, so users, roles, and policies are managed at the account level rather than in a specific Region. IAM entities can be used across Regions and with many AWS services without creating regional copies.
Amazon CloudFront is a global content delivery network that uses distributed edge locations and a single global control plane. You do not select a Region when creating a CloudFront distribution, and content is served from edge locations around the world.
Amazon S3 is incorrect because S3 buckets are created in a chosen Region and the data resides in that Region, despite the global bucket namespace.
AWS KMS is incorrect because KMS keys and cryptographic operations are regionally scoped, and multi-Region keys are implemented as distinct regional replicas.
Amazon RDS is incorrect because RDS instances and databases are provisioned within selected Regions and Availability Zones and are therefore regional resources.
When a question refers to global scope, think of services managed at the account level or delivered through a worldwide network. If you must pick a Region when creating a resource, the service is usually regional.
Which AWS Well-Architected best practice is supported by decomposing a monolith into microservices so each can scale and deploy independently?
- ✓ C. Design services to be loosely coupled
Design services to be loosely coupled is correct because decomposing a monolith into microservices reduces dependencies, so each service can scale, change, deploy, and fail independently.
Design services to be loosely coupled is the Well-Architected principle that directly supports independent scaling and deployment of components. Building loosely coupled services improves resilience and agility because teams can iterate and recover without coordinating large, monolithic releases.
Automate change management is incorrect because that option refers to pipelines and operational automation rather than the architectural goal of decoupling services.
Adopt event-driven architecture is not the best answer because it is a useful pattern that can help decouple components, but the question asks for the explicit Well-Architected best practice, which is loose coupling.
Offload undifferentiated heavy lifting is incorrect because it concerns using managed services to reduce operational burden rather than the structural principle behind splitting a monolith into microservices.
Look for phrases like independent scaling and independent deployments on the exam, because they usually point to the principle of loose coupling.
Where do you provide a startup script so it runs automatically on an EC2 instance’s first boot?
- ✓ B. EC2 instance user data
EC2 instance user data is correct because it is provided at launch and is configured to run automatically on the instance’s first boot.
EC2 instance user data is executed during the initial boot sequence, so it is ideal for bootstrapping tasks such as installing packages and configuring the operating system. On Linux the data is typically processed by cloud-init, and on Windows it is processed by the EC2Config and EC2Launch services, which ensure scripts run at first boot.
AWS Systems Manager Run Command is incorrect because it is intended to run commands on managed instances after they are already running, and it does not guarantee execution during the initial boot sequence.
Instance metadata is incorrect because it only provides read-only information about the instance and its credentials; it cannot be used to inject or execute startup scripts.
EC2 launch template tags is incorrect because tags are used for labeling and organization and are not executable. Launch templates can include EC2 instance user data, but the tags themselves will not run scripts.
When the question mentions first boot or bootstrap, choose EC2 instance user data. Use Run Command for actions that must run after the instance is already up, and use metadata only to read instance details.
Which AWS feature lets you tag resources so costs can be allocated by project in billing reports?
- ✓ C. AWS cost allocation tags
AWS cost allocation tags is the correct option because they let you assign consistent key-value tags to resources and then activate those tags for cost allocation, so billing reports can be filtered and grouped by project.
You use AWS cost allocation tags by applying tags to resources and then activating the desired user-defined or AWS-generated tags in the Billing and Cost Management console. After activation the tags appear in Cost Explorer and cost reports, so costs can be filtered and grouped for chargeback and showback at the project level.
AWS Cost Categories is incorrect because it groups and organizes existing cost data using rules and dimensions such as accounts or tags; it does not apply tags to resources. It depends on tags or other dimensions you already have instead of labeling resources for allocation.
AWS Budgets is incorrect because it creates alerts and tracks spend against thresholds; it does not tag resources or attribute costs by project. Budgets are for monitoring and alerting rather than labeling resources for reporting.
AWS Trusted Advisor is incorrect because it provides guidance and best-practice checks and does not provide tag-based cost allocation. Trusted Advisor helps optimize and secure resources, but it does not manage billing tag activation or cost grouping.
When a question mentions tagging resources and allocating costs by project, choose cost allocation tags, and remember to activate the tags in the Billing and Cost Management console before they appear in reports.
Which AWS service provides near real-time log indexing, search, aggregations, and dashboards for operational analytics, delivering insights within 90 seconds for about 5 million events per hour?
- ✓ C. Amazon OpenSearch Service
The correct choice is Amazon OpenSearch Service because it provides near real-time log indexing, search, aggregations, and dashboards that are purpose-built for operational analytics, and it can ingest and visualize millions of events per hour within tight time windows.
Amazon OpenSearch Service is a managed OpenSearch offering that delivers an index-centric search engine with full-text and structured search support, aggregations, and built-in OpenSearch Dashboards. This architecture enables low-latency indexing and fast interactive queries, which aligns with the 90-second insight objective and the scale of about five million events per hour.
Amazon Kinesis Data Analytics is not correct because it focuses on continuous stream processing and stateful computation with SQL or Apache Flink; it does not provide an indexed search engine or native dashboards for exploratory log analytics.
Amazon CloudWatch Logs is not correct because it is oriented toward log storage, monitoring, and Logs Insights queries rather than an index-centric search and analytics platform, and it is less suited to high-volume, low-latency exploratory analytics with rich aggregations and visualizations.
Amazon Athena is not correct because it is a serverless query service for data in Amazon S3, and it does not offer near real-time indexed search or built-in dashboards for operational log analytics.
When a question mentions near real-time indexed search and interactive dashboards, map that to Amazon OpenSearch Service. For continuous stream processing think Kinesis Data Analytics, and for ad hoc SQL on S3 think Athena.
When securing the AWS account root user, which action should be avoided?
- ✓ C. Attempt to strip admin rights from the root user
Attempt to strip admin rights from the root user is the action to avoid because the root user’s permissions are immutable: it always retains full permissions across the AWS account.
You cannot remove or reduce the root user’s permissions, and attempts to do so will fail and create a false sense of security. Hardening the root user therefore focuses on minimizing its use and adding protections such as multi-factor authentication and deleting any long-lived access keys, rather than trying to change its inherent privileges.
The option Enable MFA for the root user is recommended because adding multi-factor authentication directly improves account security and reduces risk when the root user must be used.
The option Create an IAM admin user and stop using root is a best practice because it lets daily tasks run under an identity with limited privileges while preserving the root user for rare account management actions.
The option Remove or disable root access keys and secure credentials is also recommended because root access keys should not be used; if they exist, they should be deleted to reduce the attack surface.
Always assume the root user cannot have its permissions removed, and favor enabling MFA and creating an IAM admin user for routine administration.
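As an added example that is not part of the original page or the Udemy course, the following Python script turns the root user checks above into an audit of an IAM credential report: it flags a root user without MFA or with active access keys, console users without MFA, and access keys older than an assumed 90-day rotation limit. The report text is constructed to mirror the column names of a real credential report, and the 90-day threshold and the fixed reference date are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report.
# A real report carries more columns; DictReader only needs the ones used below.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,false,true,2020-01-10T09:05:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T12:00:00+00:00,true,true,false,N/A,false,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,2021-06-15T08:30:00+00:00,false,false,true,2021-06-15T08:31:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-09-01T10:00:00+00:00,true,false,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"          # how the credential report names the root user
MAX_KEY_AGE_DAYS = 90                 # assumed rotation limit for long-lived keys
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed reference date (assumed)

# Placeholder values the report uses when a field does not apply
NOT_A_DATE = {"N/A", "not_supported", "no_information", ""}


def _age_days(timestamp, now):
    """Days since an ISO-8601 timestamp, or None for a placeholder value."""
    if timestamp in NOT_A_DATE:
        return None
    return (now - datetime.fromisoformat(timestamp)).days


def audit_credential_report(report_csv, now=None):
    """Return a list of (user, finding_code) tuples for the weaknesses found."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER

        # Root must have MFA; its permissions cannot be reduced, so use is what we control.
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "ROOT_MFA_DISABLED"))

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root access keys should not exist at all.
                findings.append((user, f"ROOT_ACCESS_KEY_{slot}_ACTIVE"))
                continue
            age = _age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"ACCESS_KEY_{slot}_STALE"))

        # Any IAM user with a console password should also have MFA.
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "CONSOLE_USER_WITHOUT_MFA"))
    return findings


def audit_sample():
    """Run the audit over the constructed report with the fixed reference date."""
    return audit_credential_report(SAMPLE_REPORT, now=SAMPLE_NOW)


if __name__ == "__main__":
    for user, code in audit_sample():
        print(f"{user}: {code}")
```

With a live account the same function can be fed the CSV returned by the IAM get-credential-report API; nothing in the logic depends on the constructed rows.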
Which AWS service lets you upload code for automatic provisioning, deployment, and scaling while still allowing access to the underlying servers?
- ✓ B. AWS Elastic Beanstalk
AWS Elastic Beanstalk is correct because it lets you upload your application package and it provisions EC2 instances and sets up load balancing and auto scaling for you, while still allowing access to the underlying servers for operating-system-level tuning and troubleshooting.
Elastic Beanstalk automates common provisioning and operational tasks and manages application environments for standard platforms while preserving the option to SSH into instances and adjust configurations. You can supply configuration files and platform hooks to customize deployment behavior, and you retain control of the underlying EC2 instances when you need OS access.
AWS App Runner is incorrect because it abstracts the infrastructure and does not provide access to the underlying servers or operating system. App Runner is designed for fully managed service deployments where you do not log in to instances.
Amazon EC2 is incorrect because it provides raw virtual servers and you must build and maintain your own deployment and scaling automation. EC2 gives full control, but it does not automatically perform the application-level provisioning described in the question.
AWS Lambda is incorrect because it is a serverless compute service that runs functions and does not give access to underlying servers. Lambda focuses on function-level execution rather than provisioning and managing servers you can log in to.
Focus on whether the service offers server access and also automates provisioning and scaling. If both are true, Elastic Beanstalk is the likely answer.
Which AWS service centrally connects multiple VPCs in a hub-and-spoke model?
- ✓ B. AWS Transit Gateway service
AWS Transit Gateway service is correct because it provides a centralized hub-and-spoke architecture that connects multiple VPCs at scale and simplifies routing among them.
AWS Transit Gateway is purpose-built for multi-VPC connectivity and supports transitive routing, so spokes can communicate without a mesh of individual connections. It reduces the number of peerings and the complexity of route tables, and it scales more easily as the number of VPCs grows.
VPC peering connection is incorrect because peering is non-transitive and only links two VPCs directly. That approach forces a full mesh as the VPC count increases and becomes hard to manage.
AWS Site-to-Site VPN is incorrect because it is mainly used to connect on-premises networks to AWS over the internet; it is not intended as a central hub to interconnect many VPCs within AWS.
AWS PrivateLink is incorrect because it exposes specific services privately via interface endpoints and does not provide general VPC-to-VPC routing across many networks.
Focus on keywords such as hub and spoke and many VPCs to pick AWS Transit Gateway on exam questions.
Which AWS service continuously records resource configuration changes and can trigger notifications for governance and compliance?
- ✓ B. AWS Config service
AWS Config service is the correct option because it continuously records and stores resource configuration states and evaluates them against rules for compliance, while providing notifications when changes or noncompliance are detected.
AWS Config maintains detailed configuration history and timelines that are useful for governance and audits. It evaluates resources against configurable rules and can publish notifications or integrate with other services, so teams are alerted to configuration changes or violations.
Amazon EventBridge is not correct because it routes and processes events and triggers actions, but it does not maintain resource configuration state or perform configuration compliance evaluations on its own.
AWS Security Hub is not correct because it aggregates and prioritizes security findings rather than continuously recording detailed resource configuration changes or enforcing configuration rules.
AWS CloudTrail is not correct because it logs API activity and provides an audit trail of calls, but it does not store configuration state history or evaluate resources against configuration rules for compliance.
When the question mentions configuration state, history, rules, or timeline, pick the service that records configurations continuously and evaluates compliance.
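The rule evaluation AWS Config performs is easiest to see in a custom rule. The following Python, added here and not taken from the page or the course, evaluates a constructed configuration item for an EBS volume and builds the evaluation entry that a Lambda-backed Config rule hands back; the event layout mirrors a real Config invocation, the volume ID and result token are constructed, and the put_evaluations call is described in a comment rather than made so the code runs offline.

```python
import json

# Constructed Config rule invocation. A real invocation delivers the configuration
# item as a JSON string in event["invokingEvent"]; this sample follows that layout
# for an AWS::EC2::Volume item. The volume ID and result token are made up.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-01-01T10:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {"encrypted": False, "volumeType": "gp3", "size": 100},
        },
    }),
    "ruleParameters": json.dumps({"requireEncryption": "true"}),
    "resultToken": "constructed-result-token",
}


def evaluate_volume(configuration_item, params):
    """Return (compliance_type, annotation) for one recorded configuration item."""
    if configuration_item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    if params.get("requireEncryption", "true").lower() != "true":
        return "COMPLIANT", "encryption not required by rule parameters"
    if configuration_item["configuration"].get("encrypted"):
        return "COMPLIANT", "volume is encrypted at rest"
    return "NON_COMPLIANT", "EBS volume is not encrypted at rest"


def build_evaluation(event):
    """Parse the Config event and produce one put_evaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_volume(item, params)
    # This is the shape of one element of the Evaluations list that
    # config.put_evaluations() accepts; Config stores it in the resource timeline.
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None):
    """Entry point a deployed custom rule would expose to AWS Config."""
    evaluation = build_evaluation(event)
    # Assumption: a deployed rule would report the result with
    # boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                        ResultToken=event["resultToken"])
    # which is what lets Config raise a notification on NON_COMPLIANT.
    return evaluation


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```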
Which AWS service lets you create new AWS accounts via API and centrally govern them from one place?
-
✓ C. AWS Organizations service
The correct choice is AWS Organizations service because it exposes APIs such as CreateAccount for programmatic account creation and it enables centralized governance with service control policies, consolidated billing, and organizational units.
AWS Organizations service provides the CreateAccount API to create accounts programmatically and it lets you apply policies across accounts using service control policies. It also supports consolidated billing and hierarchical organization using organizational units which helps central governance and management at scale.
AWS Control Tower is not correct because it provides a landing zone and an Account Factory to orchestrate account provisioning, but it does not replace the Organizations APIs for general programmatic account creation. AWS Organizations service is used under the hood by Control Tower to provision and govern accounts.
Amazon Lightsail is not correct because it focuses on simplified virtual servers and related resources rather than creating or governing AWS accounts across an organization.
Amazon QuickSight is not correct because it is a business intelligence and visualization service and it does not create or manage AWS accounts.
When a question mentions programmatically creating accounts and centralized governance, choose the service that exposes account APIs and supports service control policies rather than a landing zone tool.
Which EC2 option provides physical host visibility (sockets and cores) to support BYOL per-core licensing and audits?
- ✓ C. EC2 Dedicated Hosts
EC2 Dedicated Hosts is the correct option because it assigns a physical server to your account and exposes the host socket and core counts needed for per-core BYOL tracking and vendor audits.
EC2 Dedicated Hosts reserves an entire physical server so you can see host identifiers and the number of sockets and cores. This visibility lets you map licenses to physical capacity and provide accurate information during vendor audits while also giving you placement control at the host level.
Reserved Instances are a pricing discount and do not grant dedicated hardware or host level visibility for sockets and cores.
Dedicated Instances run on single tenant hardware but they do not expose host identifiers or explicit socket and core counts because the hypervisor still manages placement, so they are not suitable for per-core BYOL or audits.
On-Demand Instances refer to a consumption model where you pay per use and they do not provide dedicated host control or the hardware visibility required for per-core licensing.
When a question mentions BYOL or per-core licensing, think about tenancy that exposes sockets and cores rather than pricing models.
Which serverless AWS service provides ETL and a centralized data catalog to prepare S3 data for later SQL analytics?
- ✓ B. AWS Glue
AWS Glue is correct because it is a serverless ETL service that includes the AWS Glue Data Catalog and centralizes metadata for objects stored in Amazon S3 so you can discover, clean, and transform data for later SQL analytics with services such as Amazon Athena and Amazon Redshift.
AWS Glue provides automated crawlers to populate the Data Catalog and it runs serverless ETL jobs to transform and move data without you managing servers. The catalog stores table definitions and schema metadata so analytics engines can read the same centralized metadata and query S3 data consistently.
Amazon Athena is incorrect because it is a serverless query service that runs SQL directly on S3 but it does not perform ETL orchestration or maintain a centralized metadata catalog by itself.
AWS Glue DataBrew is incorrect because it focuses on visual no code data preparation for analysts and data scientists and it does not replace a full ETL service plus a central catalog for automated pipelines.
Amazon Redshift is incorrect because it is a managed data warehouse used to store and query data and it is not a serverless ETL engine or a metadata catalog. Redshift consumes prepared data rather than preparing and cataloging it.
Look for phrases like serverless ETL and centralized data catalog when the question mentions preparing S3 data for SQL analytics and then eliminate options that only query or store data.
All AWS exam questions come from the AWS Practitioner Udemy course and certificationexams.pro
Which IAM actions follow AWS best practices? (Choose 2)
- ✓ B. Grant least privilege by scoping policies to each role
- ✓ D. Use IAM roles with temporary credentials for cross-account access
The correct choices are Grant least privilege by scoping policies to each role and Use IAM roles with temporary credentials for cross-account access.
Applying Grant least privilege by scoping policies to each role limits permissions to what is required for a specific job and it reduces the blast radius of any compromised identity. Scoping policies to roles also simplifies management and auditing of permissions across teams and services.
Using Use IAM roles with temporary credentials for cross-account access avoids long lived secrets and it provides time limited access that can be rotated automatically. Roles with temporary credentials are the recommended pattern for cross account scenarios and for workloads running on AWS.
The option Share the root user credentials for urgent billing tasks is incorrect because the root user must never be shared or used for routine tasks and billing permissions should be delegated to specific IAM identities.
The option Enable MFA for all users but keep root access keys active is incorrect because best practice is to delete root access keys entirely and to enable MFA on the root user to protect the account.
The option Create long-term access keys for EC2 workloads instead of roles is incorrect because EC2 instance profiles and roles supply temporary credentials and they avoid the risk of embedded long lived keys on instances.
When in doubt, choose answers that emphasize least privilege and temporary credentials, and avoid answers that recommend sharing the root account or using long lived access keys.
Which benefits are typical of using Amazon RDS compared to self-managed on-premises databases? (Choose 2)
- ✓ A. Rapid scaling without hardware procurement
- ✓ C. Simplified HA using Multi-AZ and read replicas
The correct options are Rapid scaling without hardware procurement and Simplified HA using Multi-AZ and read replicas.
Amazon RDS removes the need to provision and manage physical database hardware and it lets you change instance sizes and storage without waiting for new servers so scaling is faster than on premises. RDS also provides built in high availability through a synchronous Multi AZ standby for automated failover and it supports asynchronous read replicas to offload read traffic and scale reads.
The option Full OS control of DB hosts and custom agents is incorrect because RDS is a managed service and AWS controls the underlying operating system so customers do not get shell access to install custom agents or modify system packages on the DB hosts.
The option Cross-Region or cross-AZ replication is free is incorrect because replication and read replicas consume additional instances and network bandwidth and those resources can incur data transfer and instance charges.
The option Costs are guaranteed lower than on premises is incorrect because total cost depends on workload patterns, instance and storage choices, and usage and there is no universal guarantee that managed service costs will always be lower than an on premises deployment.
Watch for absolute words in choices and remember that managed services trade host level control for faster operations and built in HA.
Which AWS cloud advantage best enables rapid, frequent releases (about every 4 days) and shorter lead time for changes?
- ✓ B. Cloud agility
Cloud agility is correct because it directly enables rapid and frequent releases and it shortens lead time for changes by allowing teams to provision resources and iterate quickly.
Cloud agility is realized through on demand resources, managed services, automation, continuous integration and continuous delivery pipelines and infrastructure as code which let teams experiment and deploy small changes often.
Elasticity is about scaling resources up or down to match demand and it does not inherently make development cycles faster.
Reliability focuses on resilient and consistent operations and on recovery from failures and it does not directly address how quickly teams can release new features.
Cost optimization aims to reduce spend and to improve efficiency and it does not directly enable a faster release cadence.
When a question asks about faster releases or shorter lead time, pick the option that emphasizes agility or features such as on demand provisioning and CI/CD integration.
Which AWS services provide Regional, multi-AZ availability by default? (Choose 2)
- ✓ B. Amazon EFS
- ✓ C. AWS DynamoDB
Amazon EFS and AWS DynamoDB are correct because both services are Regional and they automatically distribute and replicate data across multiple Availability Zones within a region by default to provide high availability.
Amazon EFS is a managed network file system that spans Availability Zones so file data is accessible from instances in different AZs and the service manages redundancy and replication for you.
AWS DynamoDB is a fully managed NoSQL database that stores data redundantly across multiple AZs in a region to provide durability and availability without extra configuration.
Amazon RDS is incorrect because a DB instance is created in a single AZ by default and you must enable the Multi-AZ deployment option to get synchronous standby replicas and automated failover.
Amazon EBS is incorrect because EBS volumes are scoped to a single Availability Zone and they do not replicate across AZs by default.
Instance Store is incorrect because instance store is ephemeral local storage attached to a single EC2 host in one AZ and it does not persist or replicate across AZs.
Read the phrase by default and pick services that natively replicate across AZs like Amazon EFS and AWS DynamoDB rather than AZ scoped storage such as Amazon EBS or Instance Store.
Which AWS service lets you download SOC, PCI, and ISO compliance reports directly in the console without a support case?
- ✓ C. AWS Artifact Reports
AWS Artifact Reports is correct because it is the console based self service portal where you can view and download AWS compliance reports and agreements such as SOC, PCI DSS, and ISO without opening a support case.
AWS Artifact provides access to AWS third party audit reports and compliance documentation that you can retrieve directly from the console for your audits and assessments. The service is focused on delivering vendor supplied reports and agreements rather than collecting your own assessment evidence.
AWS Security Hub is incorrect because it centralizes security findings and best practice checks across accounts and tools and it does not host or provide AWS third party compliance audit reports for download.
AWS Audit Manager is incorrect because it helps you collect evidence and assess your workloads against control frameworks and it is not the source for AWS third party SOC or ISO reports that you download from AWS.
AWS Certificate Manager is incorrect because it manages TLS and SSL certificates and it does not provide compliance documentation or third party audit reports.
If a question mentions downloading SOC, PCI, or ISO reports, or no support case, then think of AWS Artifact as the place to get vendor compliance reports rather than Audit Manager or Security Hub.
Which AWS service provides a managed Hadoop cluster for processing 30 TB of data each night?
- ✓ C. Amazon EMR service
Amazon EMR service is the correct option because it provides a fully managed Hadoop and Spark environment that provisions, scales, and manages clusters for high volume batch processing such as nightly processing of 30 TB of data.
Amazon EMR service manages cluster lifecycles and integrates with Amazon S3 and EC2. It supports auto scaling and the use of Spot Instances to help control cost. These features make Amazon EMR service suitable for large nightly jobs because it can provision the resources needed and then tear them down when processing finishes.
AWS Glue is a serverless ETL service that provides a Data Catalog and Spark based jobs and it is optimized for ETL workflows rather than provisioning and managing a full Hadoop cluster, so it is not the right choice for a managed Hadoop cluster.
AWS Batch schedules and runs batch jobs on managed compute resources and it does not provision or operate Hadoop clusters, so it is not the correct service for a managed Hadoop environment.
AWS Step Functions coordinates workflows and state machines and it does not provide the Hadoop compute or cluster management needed for processing tens of terabytes overnight, so it is not the correct option.
Match keywords to services and focus on the phrase Hadoop cluster or provision and manage to select the right answer. Think EMR for managed Hadoop and Spark clusters.
In AWS CAF, which phase assesses capability gaps and aligns readiness for adopting AWS?
- ✓ B. Align phase
The correct choice is Align phase.
The Align phase is where organizations assess capability gaps across people, process, and governance and then create plans to bring readiness into alignment for successful cloud adoption.
The Envision option is incorrect because it focuses on defining the vision and business outcomes rather than performing readiness gap analysis.
The Launch option is incorrect because it focuses on initial deployments and pilots that follow alignment work rather than assessing gaps and aligning readiness.
The Operate option is incorrect because it is not a named phase in the AWS CAF and it describes ongoing operations rather than the readiness assessment step.
Map keywords to phases and remember that capability gaps and readiness point to the Align phase.
Which AWS page provides a public, global view of AWS service status across all Regions without sign-in?
- ✓ C. AWS Health Dashboard – Service health
The correct choice is AWS Health Dashboard – Service health. This public page provides a global view of current and recent AWS service availability across all Regions without requiring sign-in.
The AWS Health Dashboard – Service health page is the public status endpoint that lists regional and service specific incidents and advisories so you can see AWS wide events without logging in. It shows current and recent availability across Regions and is intended for broadly visible service status rather than personalized account events.
The option AWS Health Dashboard – Your account health is incorrect because it is personalized to a specific account and it requires sign-in to display events that impact that account rather than the public global status.
The option Amazon CloudWatch is incorrect because CloudWatch monitors metrics, logs, and alarms for your own resources and applications and it does not provide a public AWS wide service status page.
The option AWS Config is incorrect because AWS Config records configuration history and compliance for resources in your account and it does not report global AWS service health.
Watch for the words public, global, across Regions, and no sign-in to identify the public Service health page.
Which AWS service provides a guided workflow for sizing, configuring, and automatically deploying infrastructure for SQL Server Always On and SAP HANA?
- ✓ B. AWS Launch Wizard
The correct option is AWS Launch Wizard because it provides a guided workflow to size, configure, and automatically deploy infrastructure for enterprise applications such as Microsoft SQL Server Always On and SAP HANA.
AWS Launch Wizard walks users through workload specific choices and it generates the underlying deployment artifacts so teams get consistent CloudFormation templates and automated provisioning while benefiting from application aware sizing and configuration guidance.
AWS CloudFormation is incorrect because it provisions infrastructure from templates but it does not offer workload specific, step by step sizing guidance or a wizard tailored to SQL Server Always On or SAP HANA.
AWS Compute Optimizer is incorrect because it analyzes resource usage and recommends instance sizes but it does not deploy or configure application stacks or provide a guided deployment workflow.
AWS Application Migration Service is incorrect because it focuses on rehosting existing servers to AWS to accelerate migrations and it does not provide a greenfield, guided wizard for sizing and deploying SQL Server Always On or SAP HANA.
When a question mentions guided sizing or a wizard for named enterprise workloads such as SQL Server Always On or SAP HANA, choose AWS Launch Wizard rather than general infrastructure or optimization tools.
Which statements about IAM users and groups are correct? (Choose 2)
- ✓ B. Groups contain only users; no nesting
- ✓ E. A user can be in multiple groups
The correct statements are Groups contain only users; no nesting and A user can be in multiple groups.
IAM groups are flat collections that hold user identities only and do not support hierarchical nesting which is why Groups contain only users; no nesting is correct. A single IAM user can be assigned to more than one group which lets permissions from multiple group policies combine and that is why A user can be in multiple groups is correct.
The option Users are auto-added to a default group is incorrect because AWS does not place new users into any group automatically and administrators must add users to groups manually when needed.
The option New users automatically get access keys is incorrect because access keys are not created by default and they must be generated explicitly when programmatic access is required.
The option Groups can be nested is incorrect since IAM does not support nested groups and grouping is intentionally flat in AWS IAM.
Remember that IAM groups are flat and that users may belong to multiple groups. Also recall that there is no default group for new users and that access keys must be created explicitly.
Which AWS service provides a durable message queue to decouple producers and consumers for asynchronous processing, allowing retrieval when workers are offline and handling bursts of about 25,000 messages per second?
- ✓ B. Amazon Simple Queue Service
Amazon Simple Queue Service is correct because it is a managed, durable message queue that decouples producers and consumers and supports at least once delivery, visibility timeouts, dead letter queues, and can scale to very high throughput so it can handle bursts around 25,000 messages per second.
SQS lets consumers be offline and later poll the queue to retrieve messages because messages persist until they are deleted or until the retention period ends. Standard queues provide high throughput and at least once delivery and FIFO queues add ordering and exactly once processing when required.
Amazon Kinesis Data Streams is built for ordered, sharded streaming ingestion and real time processing and it is not a traditional queue with per message deletion and visibility timeouts.
Amazon SNS uses push based publish and subscribe patterns and it does not offer consumer pull or per consumer retrieval semantics like a queue.
Amazon EventBridge is an event bus for routing and integration and while it can archive and replay events it is not a durable, consumer polling message queue.
Look for keywords such as decouple, durable queue, retrieve later, and workers offline, and map them to SQS on the exam.
Which EC2 pricing option offers significant savings for continuous, non-interruptible workloads?
- ✓ C. Standard Reserved Instances
Standard Reserved Instances are the correct choice for continuous, non-interruptible workloads because they deliver significant discounts when you commit to a one or three year term for predictable steady state EC2 usage.
Reserved Instances lower your hourly rate in exchange for a long term commitment and this makes them ideal for always on services where interruptions are not acceptable. Once you purchase the reservation you save compared to On-Demand Instances for the same capacity and you keep capacity costs predictable.
If the question emphasizes flexibility across compute services or combining discounts with other services consider Savings Plans as an alternative because they offer similar savings with greater flexibility across EC2, Fargate, and Lambda.
Spot Instances are deeply discounted but can be interrupted with little notice and so they are not suitable for non interruptible continuous workloads.
On-Demand Instances provide maximum flexibility with no long term commitment but they are the most expensive option for always on usage and so they are not the best choice for steady state cost savings.
Capacity Reservations guarantee capacity in an Availability Zone but they do not provide the discounted pricing of reservations, and you generally pay On-Demand rates while holding capacity.
Watch for keywords such as steady state, continuous, predictable, and one or three year commitment to indicate Reserved Instances. Consider Savings Plans when the question asks about cross service flexibility.
For an AWS Site-to-Site VPN to a VPC, what is the AWS-side VPN termination point?
- ✓ C. Virtual Private Gateway (VGW)
Virtual Private Gateway (VGW) is correct because a Site to Site VPN that connects directly to a single VPC terminates on a VGW attached to that VPC.
The typical setup creates a Customer Gateway to represent the on premises device and a Virtual Private Gateway on the AWS side and then establishes the VPN connection between them. The VGW serves as the VPC side termination point and routes traffic between the VPC and the remote network.
Transit Gateway is not correct for a single VPC termination because while it can terminate VPNs via VPN attachments it serves as a regional hub and is used for multi VPC or hub and spoke scenarios rather than as a VPC specific endpoint.
Customer Gateway is incorrect because it models the on premises endpoint and is created to represent the customer side and it does not exist inside the VPC so it cannot be the AWS side termination point.
NAT Gateway is unrelated to VPN termination because it provides outbound internet access for resources in private subnets and does not handle VPN tunnels.
When a question asks for the VPC side termination point, think Virtual Private Gateway for a single VPC and think Transit Gateway when the scenario describes a hub and spoke design or multiple VPCs.
Which AWS Well-Architected pillar guides selecting instance types, sizes, and storage to use compute resources efficiently as demand changes?
- ✓ B. Performance Efficiency pillar
Performance Efficiency pillar is correct because it guides choosing instance types, sizes, storage, and scaling strategies to use compute resources efficiently as demand changes.
The Performance Efficiency pillar covers selecting the right instance families and sizes and choosing appropriate storage and scaling approaches so applications meet performance requirements while adapting to changing load.
Reliability Pillar is focused on resilience, fault tolerance, and recovery, and it does not center on selecting instance types or sizing for performance efficiency.
Sustainability Pillar aims to reduce environmental impact through efficient design and operations and it does not primarily provide guidance on performance oriented instance or storage choices.
Cost Optimization Pillar emphasizes managing and reducing expenditure and it focuses on cost effective purchasing and rightsizing rather than on optimizing for performance efficiency.
When a question mentions choosing instance types, sizes, storage, or scaling to get the most performance from resources, think Performance Efficiency. If it stresses reducing spend, think Cost Optimization. If it highlights resilience, think Reliability.
Under the AWS Shared Responsibility Model for Amazon RDS for PostgreSQL, which task is the customer responsible for?
- ✓ D. Configuring database encryption and KMS keys
The correct answer is Configuring database encryption and KMS keys. In managed services such as Amazon RDS, AWS handles the underlying infrastructure and the managed software layers while customers remain responsible for protecting their data and choosing encryption and key management settings.
Configuring database encryption and KMS keys is the customer responsibility because AWS does not make per customer decisions about data encryption or KMS key usage. Enabling encryption at rest for an RDS instance and creating and managing the related AWS KMS keys and IAM policies are actions that the customer controls.
The option Applying database engine patches in RDS is incorrect because AWS performs engine patching for RDS and applies updates during the maintenance window you select.
The option Securing physical access to AWS facilities is incorrect because AWS owns and secures its data centers and physical access controls fall under AWS responsibilities in the shared model.
The option Patching the host operating system is incorrect because AWS maintains the host OS for managed RDS instances and customers do not patch that layer.
When a question involves a managed service focus on whether the task affects customer data or service configuration versus infrastructure management and remember that KMS key choices are a customer responsibility.
Which AWS offering provides automated, best-practice deployments of popular open-source stacks on AWS within 20 minutes?
- ✓ C. AWS Partner Solutions Deploy
AWS Partner Solutions Deploy is the correct option because it provides automated, best practice reference deployments that launch popular open source technologies on AWS in minutes and it matches the requirement for rapid standardized rollouts.
AWS Partner Solutions Deploy delivers AWS authored and partner authored reference architectures that automate provisioning and configuration so you get a working, production aligned environment quickly. These deployments were previously known as Quick Starts and they are designed to follow AWS best practices to speed adoption of common stacks.
AWS Launch Wizard focuses on guided and sized deployments for specific enterprise workloads such as SAP and Microsoft SQL Server and it does not provide a broad catalog of open source stack reference deployments.
AWS Service Catalog provides governance and distribution of preapproved products inside an organization and it does not itself supply turnkey AWS authored reference deployments for popular open source technologies.
AWS CodeDeploy automates application code deployments to compute resources and it is not intended to provision complete multi tier architectures or end to end reference stacks.
When a question mentions best practice architectures and deployment in minutes think of turnkey reference deployments such as Partner Solutions Deploy or Quick Starts and rule out tools that only handle code or governance.
For a serverless web backend, which AWS services act as the API entry point and run the application code without managing servers? (Choose 2)
- ✓ B. AWS Lambda functions
- ✓ D. Amazon API Gateway service
Amazon API Gateway service and AWS Lambda functions are correct because API Gateway serves as the client facing API entry point and Lambda runs application code on demand without requiring server management.
When used together the Amazon API Gateway service accepts and routes HTTP requests and the AWS Lambda functions execute the business logic only when invoked. This pattern provides automatic scaling and removes the need to provision or patch servers while allowing integration with databases and other services for persistence and workflows.
Amazon DynamoDB is a managed NoSQL database that provides persistent storage and it does not act as the API front door or execute application code in response to HTTP requests.
Amazon S3 is object storage that can host static content and serve files to clients but it does not run server side application logic or provide API management features.
AWS Step Functions coordinates and orchestrates workflows across services and it does not normally serve as the client facing API entry point or directly execute code for incoming HTTP API calls.
When a question asks for the API front door think API Gateway and when it asks for running code without managing servers think Lambda.
Which AWS service issues short-lived, limited-privilege credentials for programmatic access without sharing long-term keys, for about 45 minutes to a few hours?
- ✓ C. AWS STS
The correct answer is AWS STS. AWS Security Token Service issues temporary limited privilege security credentials for IAM roles and federated users and it fits the requirement for short lived programmatic access that lasts roughly 45 minutes to a few hours without sharing long term access keys.
AWS STS lets applications assume roles or request session tokens and the credentials expire automatically which reduces the risk of credential leakage when compared to long term keys. STS supports APIs such as AssumeRole and GetFederationToken to grant scoped access for a limited duration and it is the central service for issuing temporary AWS credentials.
AWS IAM Identity Center is incorrect because it provides single sign on and centralized permission sets for workforce access and it is not the service that directly issues temporary API credentials for programmatic AWS access.
Amazon Cognito is incorrect because it focuses on application user authentication and issues tokens for app users and while it can integrate with STS it is not the general purpose service for issuing temporary IAM credentials for AWS programmatic access.
AWS IAM Roles Anywhere is incorrect because it enables certificate based access for external workloads and delegates to STS for temporary credentials, and it is aimed at non AWS servers using X.509 certificates rather than typical role assumption for short lived programmatic keys.
Watch for keywords like temporary, short lived, and no long term keys as they point to the service that issues session credentials.
Which disaster recovery strategy is most cost-effective when an RPO of 8 hours is acceptable?
- ✓ B. Backup & restore
The correct option is Backup & restore when an RPO of eight hours is acceptable.
Backup & restore is the most cost effective pattern because it relies on periodic backups stored at low ongoing cost and on rebuilding resources during recovery. This approach accepts a longer recovery time and therefore trades faster failover for minimal continuous expense, which fits an RPO measured in hours rather than minutes.
Warm standby is incorrect because it requires a continuously running, scaled down environment in the recovery Region and that ongoing compute cost is higher than simple backup storage.
AWS Elastic Disaster Recovery is incorrect because it is a service for continuous replication and rapid failover and not a low cost backup pattern. It typically supports faster recovery models and therefore incurs higher ongoing costs compared with simple backups.
Pilot light is incorrect because it keeps core components running in the recovery Region which increases ongoing cost relative to storing backups and restoring them when needed.
Match the acceptable RPO to disaster recovery patterns and pick backup and restore for multi hour RPOs to minimize ongoing cost.
Which AWS feature enforces organization-wide maximum permissions to restrict services and API actions across accounts, even if local admins grant broader access?
- ✓ B. AWS Organizations SCPs
The correct option is AWS Organizations SCPs. AWS Organizations SCPs set organization-wide maximum permissions that apply at the organization, organizational unit, or account level, and they still apply even if local administrators attempt to grant broader permissions.
AWS Organizations SCPs work by defining a permission filter that determines the maximum API actions and services that principals can use. They can centrally block services or specific API calls across member accounts and they do not grant permissions themselves. Instead they restrict what other policies and principals can allow, so a role or user cannot exceed the permissions that the SCP permits.
AWS Control Tower is not correct because Control Tower automates multi-account setup and provides governance tooling and guardrails, and it relies on underlying mechanisms such as AWS Organizations SCPs rather than being the direct policy that enforces API-level maximum permissions.
IAM permission boundaries are not correct because permission boundaries limit the effective permissions of individual IAM principals within a single account and they are not applied organization-wide. An account administrator can also manage those boundaries, so they do not provide the same cross-account, top-down maximum limits as AWS Organizations SCPs.
AWS Identity Center is not correct because Identity Center manages single sign-on and permission sets for user access across accounts and applications, and it does not impose organization-wide maximum permission guardrails like AWS Organizations SCPs do.
When a question uses phrases like organization-wide or maximum permissions, think of SCPs. Remember that SCPs do not grant permissions; they only restrict what can be granted.
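As an added illustration that is not part of the original page, the following Python model shows the evaluation logic described above: the SCP and the two member-account identity policies are constructed sample documents, a local admin's full-access policy still cannot authorize the CloudTrail actions the SCP denies, and the SCP's own Allow grants nothing to a principal whose identity policy only covers S3 reads.

```python
import fnmatch
import json

# Constructed SCP (not from the page): the default FullAWSAccess allow plus a
# Deny guardrail. Real SCPs may also use NotAction, Resource and Condition,
# which this simplified model ignores.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "organizations:LeaveOrganization"]}
  ]
}""")

# Constructed identity policies attached by a local admin in a member account.
LOCAL_ADMIN = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READER = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

def _matches(action, statement):
    """IAM action names are case-insensitive and may contain wildcards."""
    patterns = statement.get("Action", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def policy_decision(action, policy):
    """Evaluate one policy document: explicit Deny beats Allow beats nothing."""
    stmts = policy["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    matched = [s for s in stmts if _matches(action, s)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"

def effective_decision(action, scp, identity_policy):
    """The SCP acts as a filter: the action must be allowed by the SCP AND by
    the identity policy. An SCP Allow on its own grants nothing."""
    if policy_decision(action, scp) != "Allow":
        return (False, "blocked by SCP")
    if policy_decision(action, identity_policy) != "Allow":
        return (False, "not granted by identity policy")
    return (True, "allowed")
```

Calling `effective_decision("cloudtrail:StopLogging", SCP, LOCAL_ADMIN)` returns a denial attributed to the SCP even though the identity policy is full access, while `effective_decision("ec2:RunInstances", SCP, S3_READER)` is denied because nothing in the account granted it.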
Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.
Next Steps
The AWS Solutions Architect Book of Exam Questions by Cameron McKenzie
So what’s next? A great way to secure your employment or even open the door to new opportunities is to get certified. If you’re interested in AWS products, here are a few great resources to help you get Cloud Practitioner, Solutions Architect, Machine Learning and DevOps certified from AWS:
- AWS Certified Cloud Practitioner Book of Exam Questions
- AWS Certified Developer Associate Book of Exam Questions
- AWS Certified AI Practitioner Book of Exam Questions & Answers
- AWS Certified Machine Learning Associate Book of Exam Questions
- AWS Certified DevOps Professional Book of Exam Questions
- AWS Certified Data Engineer Associate Book of Exam Questions
- AWS Certified Solutions Architect Associate Book of Exam Questions
Put your career on overdrive and get AWS certified today!
