Preliminary Test

20 QUESTIONS, 40~60 MINUTES

Module 2 - Objectives

Mock test of 20 randomized questions whose objective is to measure your

current skills

• Time is not measured, even if you can set a target between 40 minutes
(time allowed for certification) and 60 minutes (+ 50% additional time)
• Score 1 point for each correct complete question. A question that is half
well answered is marked 0.

© 2019 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 2
Question P.1 – MOD6, DOM3
A developer works in an environment with multiple AWS accounts that have AWS Lambda functions processing the
same 100 KB payloads. The developer wants to centralize the point of origin of the payloads to one account and have
all the Lambda functions be invoked whenever the initiating event occurs in the parent account.
How can the developer design the workflow in the MOST efficient way, so all the multi-account Lambda functions
get invoked when the event occurs?

A. Create a Lambda function in the parent account and use cross-account IAM roles with the
AWS Security Token Service (AWS STS) AssumeRole API call to make AWS Lambda invoke
the API call to invoke all the cross-account Lambda functions.
B. Subscribe all the multi-account Lambda functions to an Amazon SNS topic and make a
SNS Publish API call with the payload to the SNS topic.
C. Set up an Amazon SQS queue with the queue policy permitting the ReceiveMessage action
for multi-account Lambda functions. Then send the payload to the SQS queue using the
sqs:SendMessage permission and poll the queue using multi-account Lambda functions.
D. Use a worker on an Amazon EC2 instance to poll for the payload event. Invoke all Lambda
functions using the Lambda Invoke API after using cross-account IAM roles with the AWS
Security Token Service (AWS STS) AssumeRole API call.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 3
Question P.1 – MOD6, DOM3
A developer works in an environment with multiple AWS accounts that have AWS Lambda functions processing the
same 100 KB payloads. The developer wants to centralize the point of origin of the payloads to one account and have
all the Lambda functions be invoked whenever the initiating event occurs in the parent account.
How can the developer design the workflow in the MOST efficient way, so all the multi-account Lambda functions
get invoked when the event occurs?

A. Create a Lambda function in the parent account and use cross-account IAM roles with the
AWS Security Token Service (AWS STS) AssumeRole API call to make AWS Lambda invoke
the API call to invoke all the cross-account Lambda functions.
B. Subscribe all the multi-account Lambda functions to an Amazon SNS topic and make a
SNS Publish API call with the payload to the SNS topic.
C. Set up an Amazon SQS queue with the queue policy permitting the ReceiveMessage action
for multi-account Lambda functions. Then send the payload to the SQS queue using the
sqs:SendMessage permission and poll the queue using multi-account Lambda functions.
D. Use a worker on an Amazon EC2 instance to poll for the payload event. Invoke all Lambda
functions using the Lambda Invoke API after using cross-account IAM roles with the AWS
Security Token Service (AWS STS) AssumeRole API call.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 4
Question P.2 – MOD11, DOM3
A large company has its application components distributed across multiple AWS accounts. The company
needs to collect and visualize trace data across these accounts.
What should be used to meet these requirements?

A. AWS X-Ray
B. Amazon CloudWatch
C. Amazon VPC flow logs
D. Amazon Elasticsearch Service

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 5
Question P.2 – MOD11, DOM3
A large company has its application components distributed across multiple AWS accounts. The company
needs to collect and visualize trace data across these accounts.
What should be used to meet these requirements?

A. AWS X-Ray
B. Amazon CloudWatch
C. Amazon VPC flow logs
D. Amazon Elasticsearch Service

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 6
Question P.3 – MOD1, DOM5
A startup s photo-sharing site is deployed in a VPC. An ELB distributes web traffic across two subnets. ELB session stickiness is
configured to use the AWS-generated session cookie, with a session TTL of 5 minutes. The webserver Auto Scaling Group is
configured as: min-size=4, max-size=4.
The startups preparing for a public launch, by running load-testing software installed on a single EC2 instance running in us-west-2.
After 60 minutes of load-testing, the webserver logs show:

Which recommendations can help ensure load-testing HTTP requests are evenly distributed across the four webservers? (Choose
TWO.)

A. Launch and run the load-tester EC2 instance from us-east-1 instead.
B. Re-configure the load-testing software to re-resolve DNS for each web request.
C. Use a 3rd-party load-testing service which offers globally-distributed test clients.
D. Configure ELB and Auto Scaling to distribute across us-west-2a and us-west-2c.
E. Configure ELB session stickiness to use the app-specific session cookie.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 7
Question P.3 – MOD1, DOM5
A startup s photo-sharing site is deployed in a VPC. An ELB distributes web traffic across two subnets. ELB session stickiness is
configured to use the AWS-generated session cookie, with a session TTL of 5 minutes. The webserver Auto Scaling Group is
configured as: min-size=4, max-size=4.
The startups preparing for a public launch, by running load-testing software installed on a single EC2 instance running in us-west-2.
After 60 minutes of load-testing, the webserver logs show:

Which recommendations can help ensure load-testing HTTP requests are evenly distributed across the four webservers? (Choose
TWO.)

A. Launch and run the load-tester EC2 instance from us-east-1 instead.
B. Re-configure the load-testing software to re-resolve DNS for each web request.
C. Use a 3rd-party load-testing service which offers globally-distributed test clients.
D. Configure ELB and Auto Scaling to distribute across us-west-2a and us-west-2c.
E. Configure ELB session stickiness to use the app-specific session cookie.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 8
Question P.4 – MOD12, DOM5
A development team uses AWS Elastic Beanstalk to deploy a Java-based web application. The team
wants to ensure that the changes to the source code and the configuration are always deployed on new
instances. The team configures the Elastic Beanstalk environment to use immutable updates. However, an
error occurs the first time a change is deployed with the new update policy.
What is the MOST likely cause of this issue?

A. Immutable updates are not supported for Java-based applications.

B. The account has reached its on-demand instance limit.
C. Immutable updates are only supported for m4.large and larger instance types.
D. The developer must also modify the .ebextensions/immutable-updates.config file
to enable immutable updates.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 9
Question P.4 – MOD12, DOM5
A development team uses AWS Elastic Beanstalk to deploy a Java-based web application. The team
wants to ensure that the changes to the source code and the configuration are always deployed on new
instances. The team configures the Elastic Beanstalk environment to use immutable updates. However, an
error occurs the first time a change is deployed with the new update policy.
What is the MOST likely cause of this issue?

A. Immutable updates are not supported for Java-based applications.

B. The account has reached its on-demand instance limit.
C. Immutable updates are only supported for m4.large and larger instance types.
D. The developer must also modify the .ebextensions/immutable-updates.config file
to enable immutable updates.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 10
Question P.5 – MOD6, DOM5
A developer tested an application locally and then deployed it to AWS Lambda. While testing the
application remotely, the Lambda function fails with an access denied message.
How can this issue be addressed?

A. Update the Lambda function's execution role to include the missing permissions.
B. Update the Lambda function's resource policy to include the missing permissions.
C. Include an IAM policy document at the root of the deployment package and
redeploy the Lambda function.
D. Redeploy the Lambda function using an account with access to the
AdministratorAccess policy.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 11
Question P.5 – MOD6, DOM5
A developer tested an application locally and then deployed it to AWS Lambda. While testing the
application remotely, the Lambda function fails with an access denied message.
How can this issue be addressed?

A. Update the Lambda function's execution role to include the missing permissions.
B. Update the Lambda function's resource policy to include the missing permissions.
C. Include an IAM policy document at the root of the deployment package and
redeploy the Lambda function.
D. Redeploy the Lambda function using an account with access to the
AdministratorAccess policy.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 12
Question P.6 – MOD12, DOM4
An application contains two components: one component to handle HTTP requests, and another
component to handle background processing tasks. Each component must scale independently. The
developer wants to deploy this application using AWS Elastic Beanstalk.
How should this application be deployed, based on these requirements?

A. Deploy the application in a single Elastic Beanstalk environment.

B. Deploy each component in a separate Elastic Beanstalk environment.
C. Use multiple Elastic Beanstalk environments for the HTTP component, but one
environment for the background task component.
D. Use multiple Elastic Beanstalk environments for the background task component,
but one environment for the HTTP component.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 13
Question P.6 – MOD12, DOM4
An application contains two components: one component to handle HTTP requests, and another
component to handle background processing tasks. Each component must scale independently. The
developer wants to deploy this application using AWS Elastic Beanstalk.
How should this application be deployed, based on these requirements?

A. Deploy the application in a single Elastic Beanstalk environment.

B. Deploy each component in a separate Elastic Beanstalk environment.
C. Use multiple Elastic Beanstalk environments for the HTTP component, but one
environment for the background task component.
D. Use multiple Elastic Beanstalk environments for the background task component,
but one environment for the HTTP component.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 14
Question P.7 – MOD12, DOM4
A company experienced partial downtime during the last deployment of a new application. AWS Elastic
Beanstalk split the environment's Amazon EC2 instances into batches and deployed a new version one
batch at a time after taking them out of service. Therefore, full capacity was not maintained during
deployment.
The developer plans to release a new version of the application, and is looking for a policy that will
maintain full capacity and minimize the impact of the failed deployment.
Which deployment policy should the developer use?

A. Immutable
B. All at Once
C. Rolling
D. Rolling with an Additional Batch

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 15
Question P.7 – MOD12, DOM4
A company experienced partial downtime during the last deployment of a new application. AWS Elastic
Beanstalk split the environment's Amazon EC2 instances into batches and deployed a new version one
batch at a time after taking them out of service. Therefore, full capacity was not maintained during
deployment.
The developer plans to release a new version of the application, and is looking for a policy that will
maintain full capacity and minimize the impact of the failed deployment.
Which deployment policy should the developer use?

A. Immutable
B. All at Once
C. Rolling
D. Rolling with an Additional Batch

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 16
Question P.8 – MOD9, DOM2
An application running on multiple Amazon EC2 instances pulls messages from a standard Amazon SQS
queue. A requirement for the application is that all messages must be encrypted at rest.
Developers are instructed to use methods that allow for centralized key management and minimize
possible support requirements whenever possible.
Which of the following solutions supports these requirements?

A. Encrypt individual messages by using client-side encryption with customer

managed keys, then write to the SQS queue.
B. Encrypt individual messages by using SQS Extended Client and the Amazon S3
encryption client.
C. Create an SQS queue, and encrypt the queue by using sewer-side encryption with
AWS KMS.
D. Create an SQS queue, and encrypt the queue by using client-side encryption.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 17
Question P.8 – MOD9, DOM2
An application running on multiple Amazon EC2 instances pulls messages from a standard Amazon SQS
queue. A requirement for the application is that all messages must be encrypted at rest.
Developers are instructed to use methods that allow for centralized key management and minimize
possible support requirements whenever possible.
Which of the following solutions supports these requirements?

A. Encrypt individual messages by using client-side encryption with customer

managed keys, then write to the SQS queue.
B. Encrypt individual messages by using SQS Extended Client and the Amazon S3
encryption client.
C. Create an SQS queue, and encrypt the queue by using sewer-side encryption with
AWS KMS.
D. Create an SQS queue, and encrypt the queue by using client-side encryption.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 18
Question P.9 – MOD5, DOM4
A company is developing a serverless ecommerce web application. The application needs to make
coordinated, all-or-nothing changes to multiple items in the company's inventory table in Amazon
DynamoDB.
Which solution will meet these requirements?

A. Enable transactions for the DynamoDB table. Use the BatchWriteItem operation
to update the items.
B. Use the TransactWriteItems operation to group the changes. Update the items in
the table.
C. Set up a FIFO queue using Amazon SQS. Group the changes in the queue. Update
the table based on the grouped changes.
D. Create a transaction table in an Amazon Aurora DB cluster to manage the
transactions. Write a backend process to sync the Aurora DB table and the
DynamoDB table.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 19
Question P.9 – MOD5, DOM4
A company is developing a serverless ecommerce web application. The application needs to make
coordinated, all-or-nothing changes to multiple items in the company's inventory table in Amazon
DynamoDB.
Which solution will meet these requirements?

A. Enable transactions for the DynamoDB table. Use the BatchWriteItem operation
to update the items.
B. Use the TransactWriteItems operation to group the changes. Update the items in
the table.
C. Set up a FIFO queue using Amazon SQS. Group the changes in the queue. Update
the table based on the grouped changes.
D. Create a transaction table in an Amazon Aurora DB cluster to manage the
transactions. Write a backend process to sync the Aurora DB table and the
DynamoDB table.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 20
Question P.10 – MOD8, DOM4

How can a developer use a debugger for AWS Lambda code that is deployed with AWS Serverless
Application Model (AWS SAM)?

A. Download the Lambda code locally and use the AWS CLI to execute it
B. Use the Lambda console to connect the debugger
C. Use AWS SAM to invoke a function locally in debug mode
D. Connect a third-party-compatible integrated development environment (IDE) to
the Lambda debugger endpoint

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 21
Question P.10 – MOD8, DOM4

How can a developer use a debugger for AWS Lambda code that is deployed with AWS Serverless
Application Model (AWS SAM)?

A. Download the Lambda code locally and use the AWS CLI to execute it
B. Use the Lambda console to connect the debugger
C. Use AWS SAM to invoke a function locally in debug mode
D. Connect a third-party-compatible integrated development environment (IDE) to
the Lambda debugger endpoint

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 22
Question P.11 – MOD9, DOM5

An application takes longer than expected to process an Amazon SQS message.

What should the developer do to the application so that other instances do not pick up the same message?

A. Make a ReceiveMessage call to get the same message again from the queue
B. Issue a DeleteMessage call to delete the message from the queue
C. Use SendMessage to pass the message to the dead letter queue
D. Send a ChangeMessageVisibility call to extend VisibilityTimeout

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 23
Question P.11 – MOD9, DOM5

An application takes longer than expected to process an Amazon SQS message.

What should the developer do to the application so that other instances do not pick up the same message?

A. Make a ReceiveMessage call to get the same message again from the queue
B. Issue a DeleteMessage call to delete the message from the queue
C. Use SendMessage to pass the message to the dead letter queue
D. Send a ChangeMessageVisibility call to extend VisibilityTimeout

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 24
Question P.12 – MOD7, DOM3

A developer is building a WebSocket API using Amazon API Gateway. The payload sent to this API is
JSON that includes an action key. This key can have three different values: create, update, and remove.
The developer must integrate with different routes based on the value of the action key of the incoming
JSON payload.
How can the developer accomplish this task with the LEAST amount of configuration?

A. Deploy the WebSocket API to three stages for the respective routes: create,
update, and remove
B. Create a new route key and set the name as action
C. Set the value of the route selection expression to action
D. Set the value of the route selection expression to $request.body.action

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 25
Question P.12 – MOD7, DOM3

A developer is building a WebSocket API using Amazon API Gateway. The payload sent to this API is
JSON that includes an action key. This key can have three different values: create, update, and remove.
The developer must integrate with different routes based on the value of the action key of the incoming
JSON payload.
How can the developer accomplish this task with the LEAST amount of configuration?

A. Deploy the WebSocket API to three stages for the respective routes: create,
update, and remove
B. Create a new route key and set the name as action
C. Set the value of the route selection expression to action
D. Set the value of the route selection expression to $request.body.action

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 26
Question P.13 – MOD1, DOM2

A development team is creating a new application designed to run on AWS. While the test and production
environments will run on Amazon EC2 instances, developers will each run their own environment on
their laptops.
Which of the following is the simplest and MOST secure way to access AWS services from the local
development machines?

A. Use an IAM role to assume a role and execute API calls using the role.
B. Create an IAM user to be shared with the entire development team; provide the
development team with the access key.
C. Create an IAM user for each developer on the team; provide each developer with
a unique access key.
D. Set up a federation through an Amazon Cognito user pool.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 27
Question P.13 – MOD1, DOM2

A development team is creating a new application designed to run on AWS. While the test and production
environments will run on Amazon EC2 instances, developers will each run their own environment on
their laptops.
Which of the following is the simplest and MOST secure way to access AWS services from the local
development machines?

A. Use an IAM role to assume a role and execute API calls using the role.
B. Create an IAM user to be shared with the entire development team; provide the
development team with the access key.
C. Create an IAM user for each developer on the team; provide each developer with
a unique access key.
D. Set up a federation through an Amazon Cognito user pool.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 28
Question P.14 – MOD12, DOM1

A developer wants to ensure the Amazon EC2 instances in AWS Elastic Beanstalk execute a certain set of
commands before the application is ready to use.
Which Elastic Beanstalk feature will allow the developer to accomplish this?

A. Rolling update
B. Immutable update
C. User data
D. .ebextensions

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 29
Question P.14 – MOD12, DOM1

A developer wants to ensure the Amazon EC2 instances in AWS Elastic Beanstalk execute a certain set of
commands before the application is ready to use.
Which Elastic Beanstalk feature will allow the developer to accomplish this?

A. Rolling update
B. Immutable update
C. User data
D. .ebextensions

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 30
Question P.15 – MOD7, DOM1

A developer is planning to use an Amazon API Gateway and AWS Lambda to provide a REST API. The
developer will have three distinct environments to manage: development, test, and production.
How should the application be deployed while minimizing the number of resources to manage?

A. Create a separate API Gateway and separate Lambda function for each
environment in the same Region.
B. Assign a Region for each environment and deploy API Gateway and Lambda to
each Region.
C. Create one API Gateway with multiple stages with one Lambda function with
multiple aliases.
D. Create one API Gateway and one Lambda function, and use a REST parameter to
identify the environment.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 31
Question P.15 – MOD7, DOM1

A developer is planning to use an Amazon API Gateway and AWS Lambda to provide a REST API. The
developer will have three distinct environments to manage: development, test, and production.
How should the application be deployed while minimizing the number of resources to manage?

A. Create a separate API Gateway and separate Lambda function for each
environment in the same Region.
B. Assign a Region for each environment and deploy API Gateway and Lambda to
each Region.
C. Create one API Gateway with multiple stages with one Lambda function with
multiple aliases.
D. Create one API Gateway and one Lambda function, and use a REST parameter to
identify the environment.
© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 32
Question P.16 – MOD9, DOM3

A developer is creating an application to process a large number of requests. Requests must be processed
in order, and each request should be processed only once.
How should Amazon SQS be deployed to achieve this?

A. Configure First in First out (FIFO) delivery in a standard Amazon SQS queue to
process requests.
B. Use an SQS FIFO queue to process requests.
C. Use the SetOrder attribute to ensure sequential request processing.
D. Convert the standard queue to a FIFO queue by renaming the queue to use the
.fifo suffix.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 33
Question P.16 – MOD9, DOM3

A developer is creating an application to process a large number of requests. Requests must be processed
in order, and each request should be processed only once.
How should Amazon SQS be deployed to achieve this?

A. Configure First in First out (FIFO) delivery in a standard Amazon SQS queue to
process requests.
B. Use an SQS FIFO queue to process requests.
C. Use the SetOrder attribute to ensure sequential request processing.
D. Convert the standard queue to a FIFO queue by renaming the queue to use the
.fifo suffix.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 34
 Question P.17 – MOD10, DOM3
You have a web application leveraging an Elastic Load Balancer (ELB) In front of the web servers deployed using an
Auto Scaling Group Your database is running on Relational Database Service (RDS) The application serves out
technical articles and responses to them in general there are more views of an article than there are responses to the
article. On occasion, an article on the site becomes extremely popular resulting in significant traffic Increases that
causes the site to go down.
What could you do to help alleviate the pressure on the infrastructure while maintaining availability during these
events? (Choose THREE.)

A. Leverage CloudFront for the delivery of the articles.

B. Add RDS read-replicas for the read traffic going to your relational database
C. Leverage ElastiCache for caching the most frequently used data.
D. Use SOS to queue up the requests for the technical posts and deliver them out of the
queue.
E. Use Route53 health checks to fail over to an S3 bucket for an error page.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 35
 Question P.17 – MOD10, DOM3
You have a web application leveraging an Elastic Load Balancer (ELB) In front of the web servers deployed using an
Auto Scaling Group Your database is running on Relational Database Service (RDS) The application serves out
technical articles and responses to them in general there are more views of an article than there are responses to the
article. On occasion, an article on the site becomes extremely popular resulting in significant traffic Increases that
causes the site to go down.
What could you do to help alleviate the pressure on the infrastructure while maintaining availability during these
events? (Choose THREE.)

A. Leverage CloudFront for the delivery of the articles.

B. Add RDS read-replicas for the read traffic going to your relational database
C. Leverage ElastiCache for caching the most frequently used data.
D. Use SOS to queue up the requests for the technical posts and deliver them out of the
queue.
E. Use Route53 health checks to fail over to an S3 bucket for an error page.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 36
Question P.18 – MOD8, DOM3

Which of the following statements about SWF are true? (Choose THREE.)

A. SWF tasks are assigned once and never duplicated

B. SWF requires an S3 bucket for workflow storage
C. SWF workflow executions can last up to a year
D. SWF triggers SNS notifications on task assignment
E. SWF uses deciders and workers to complete tasks
F. SWF requires at least 1 EC2 instance per domain

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 37
Question P.18 – MOD8, DOM3

Which of the following statements about SWF are true? (Choose THREE.)

A. SWF tasks are assigned once and never duplicated

B. SWF requires an S3 bucket for workflow storage
C. SWF workflow executions can last up to a year
D. SWF triggers SNS notifications on task assignment
E. SWF uses deciders and workers to complete tasks
F. SWF requires at least 1 EC2 instance per domain

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 38
Question P.19 – MOD11, DOM4

A Developer is creating a mobile application that will not require users to log in.
What is the MOST efficient method to grant users access to AWS resources?

A. Use an identity provider to securely authenticate with the application.

B. Create an AWS Lambda function to create an IAM user when a user accesses the
application.
C. Create credentials using AWS KMS and apply these credentials to users when
using the application.
D. Use Amazon Cognito to associate unauthenticated users with an IAM role that has
limited access to resources.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 39
Question P.19 – MOD11, DOM4

A Developer is creating a mobile application that will not require users to log in.
What is the MOST efficient method to grant users access to AWS resources?

A. Use an identity provider to securely authenticate with the application.

B. Create an AWS Lambda function to create an IAM user when a user accesses the
application.
C. Create credentials using AWS KMS and apply these credentials to users when
using the application.
D. Use Amazon Cognito to associate unauthenticated users with an IAM role that has
limited access to resources.

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 40
Question P.20 – MOD9, DOM4

A web application is using Amazon Kinesis Streams for clickstream data that may not be consumed for
up to 12 hours.
How can the Developer implement encryption at rest for data within the Kinesis Streams?

A. Enable SSL connections to Kinesis

B. Use Amazon Kinesis Consumer Library
C. Encrypt the data once it is at rest with a Lambda function
D. Enable server-side encryption in Kinesis Streams

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 41
Question P.20 – MOD9, DOM4

A web application is using Amazon Kinesis Streams for clickstream data that may not be consumed for
up to 12 hours.
How can the Developer implement encryption at rest for data within the Kinesis Streams?

A. Enable SSL connections to Kinesis

B. Use Amazon Kinesis Consumer Library
C. Encrypt the data once it is at rest with a Lambda function
D. Enable server-side encryption in Kinesis Streams

© 2021 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 42
 Thank you!

© 2019 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 43