50 aws developer associate practice exam Practice Questions: Question Bank 2025

A developer is writing code that stores user-uploaded images in an Amazon S3 bucket. The developer wants newly uploaded objects to be encrypted automatically without changing the application code. Which solution meets this requirement with the LEAST effort?

An application running on Amazon EC2 instances needs to call Amazon DynamoDB. The team wants to avoid storing long-term AWS access keys on the instances. What is the recommended approach?

A Lambda function needs to retrieve a database password at runtime. The password must be encrypted at rest and access should be controlled with IAM policies. Which AWS service is best suited for storing and retrieving this secret?

A developer is using AWS CloudFormation to deploy an application stack. The developer wants to prevent accidental deletion of a production DynamoDB table when the stack is deleted. What should the developer do?

A serverless application uses Amazon API Gateway and AWS Lambda. Clients occasionally receive 502 errors from the API. CloudWatch metrics show Lambda throttles during traffic spikes. What change will MOST directly reduce the throttling?

A microservice publishes events to an Amazon SQS standard queue. A downstream Lambda function processes messages but the team notices occasional duplicate processing. The team needs to ensure each message is processed only once. Which solution best meets this requirement?

A developer must grant an external CI system permission to upload artifacts to a specific Amazon S3 bucket. The developer wants to avoid storing long-term AWS access keys and instead use temporary credentials. Which approach is MOST appropriate?

A team uses AWS CodeDeploy to deploy a new version of an application to an Auto Scaling group of Amazon EC2 instances. The team wants to minimize downtime and ensure traffic is only routed to healthy instances after deployment. Which CodeDeploy deployment configuration should the team use?

A Lambda function reads items from a DynamoDB table and occasionally times out. The function is configured with a 10-second timeout. CloudWatch Logs show the function spends most of its time waiting on DynamoDB responses during bursts of traffic. The team wants to reduce latency and improve throughput without increasing the timeout. Which solution is BEST?

A team deploys a new Lambda function version and uses an alias named "prod". They want to gradually shift 10% of production traffic to the new version, monitor error rates, and quickly roll back if errors increase. Which approach meets these requirements with the LEAST operational overhead?

A developer is building an AWS Lambda function that must access a private Amazon RDS database in a VPC. The function is timing out when trying to connect. Which change is MOST likely required for the Lambda function to reach the database?

A web application uses Amazon Cognito user pools for authentication. The backend API must verify that incoming requests contain a valid token issued for the user pool. Which approach is the BEST practice for token verification?

A developer needs to grant an AWS Lambda function permissions to read a single object prefix in an Amazon S3 bucket. Which solution follows the principle of least privilege?

A serverless application publishes messages to an Amazon SNS topic. An Amazon SQS queue subscribed to the topic sometimes receives duplicate messages, causing downstream processing to run twice. Which solution MOST effectively addresses this issue?

A developer is deploying an application with AWS CodeDeploy to an Auto Scaling group of Amazon EC2 instances. During deployments, user traffic must not be served by instances until the application health checks pass. Which CodeDeploy configuration should the developer use?

A Lambda function writes records to an Amazon DynamoDB table. During traffic spikes, the function receives ProvisionedThroughputExceededException errors. The team wants to minimize changes to application code and reduce throttling. What should the developer do?

A developer wants to store application secrets (database password, API key) securely and enable automatic rotation with minimal operational overhead. Which solution is BEST?

A developer is configuring an Amazon API Gateway REST API with a Lambda authorizer. After deployment, clients intermittently receive 401 responses even though their tokens are valid. The authorizer code is correct. What is a COMMON cause and the BEST fix?

A team uses AWS CodePipeline to deploy a Lambda-based application. They need to deploy the same build artifact to multiple AWS accounts (dev, test, prod) with approvals between stages. Which approach is MOST appropriate?

A microservice processes events from an Amazon Kinesis Data Stream using AWS Lambda. The service must handle occasional poison-pill records without blocking processing of later records in the same shard, and the team wants to retain failed records for later analysis. Which solution BEST meets these requirements?

A Lambda function reads messages from an Amazon SQS standard queue. The function times out intermittently, and the same message is processed multiple times, causing duplicate writes to a database. What is the MOST appropriate way to prevent duplicates at the application level?

A developer wants to securely store an external API key used by an AWS Lambda function. The key must be rotated periodically without redeploying the function code. Which solution BEST meets these requirements?

A developer is building a REST API using Amazon API Gateway and AWS Lambda. The API is publicly accessible but should only be callable from a single-page application (SPA) hosted at https://app.example.com. Which API Gateway feature should the developer configure to allow the browser to call the API?

A Lambda function in a VPC needs to connect to a third-party HTTPS endpoint on the internet. The function times out when calling the endpoint. VPC subnets are private and do not have public IP addresses. What change is required to allow outbound internet access?

A company uses AWS CodeDeploy to deploy an application to Amazon EC2 instances in an Auto Scaling group. The application requires a schema migration step to run exactly once per deployment before traffic is shifted. Which approach BEST meets this requirement?

A developer configures an Amazon DynamoDB table with a partition key of customerId. Most traffic comes from a single customer, and the application is receiving ProvisionedThroughputExceededException errors even though overall table usage is low. What is the MOST likely cause?

A serverless application uses Amazon S3 event notifications to invoke a Lambda function when objects are uploaded. The function must process only files with the suffix .json and ignore all other uploads. Which configuration should be used?

A Lambda function needs to call an AWS service API (for example, DynamoDB) and must be prevented from accessing any other AWS resources. What is the BEST practice to enforce this requirement?

A team deploys a new version of a Lambda function using weighted aliases for gradual rollout. After shifting 10% of traffic to the new version, they see an increase in errors and want to immediately route all traffic back to the previous version without changing client code. What should they do?

A developer uses Amazon API Gateway with a Lambda authorizer to validate JWTs. During load testing, the authorizer is invoked for nearly every request, increasing latency. Tokens are valid for 15 minutes. Which change will MOST reduce authorizer invocations while maintaining security?

A developer is writing an AWS Lambda function that reads objects from an S3 bucket. The function works in development but fails in production with an AccessDenied error when calling GetObject. The developer confirmed the IAM role has s3:GetObject permissions. What is the MOST likely cause?

A team uses Amazon API Gateway REST API with an AWS Lambda proxy integration. They want to add request validation to reject requests missing required fields before invoking Lambda. Which API Gateway feature should they use?

A developer needs to securely provide a third-party service temporary access to upload objects to a specific prefix in an S3 bucket without sharing AWS credentials. What should the developer generate?

A developer is deploying a new version of an application to AWS Elastic Beanstalk and wants to minimize downtime during deployments. Which Elastic Beanstalk deployment policy should the developer choose?

A Lambda function processes messages from an SQS queue. The same message is occasionally processed twice, causing duplicate writes to a DynamoDB table. The team needs to prevent duplicates without changing SQS semantics. Which solution is BEST?

A CI/CD pipeline uses AWS CodeBuild to build a container image and push it to Amazon ECR. The push fails with an authorization error, even though the CodeBuild project runs successfully. What is the MOST likely fix?

An application stores sensitive configuration values in AWS Systems Manager Parameter Store as SecureString parameters encrypted with a customer managed KMS key. The application runs on Amazon ECS and fails to read the parameters with an access denied error. Which change is required?

A developer deploys a Lambda function into private subnets of a VPC. The function needs to call the Amazon DynamoDB API, but calls time out. The VPC has no NAT gateway. What is the BEST solution?

A Lambda function is invoked asynchronously and occasionally fails due to transient downstream errors. The team wants failed events to be captured for later analysis and replay without changing application code. Which solution meets the requirement?

A company has multiple AWS accounts and wants a centralized way to manage and audit fine-grained access to their S3 data lake. They need to grant permissions to IAM roles across accounts at the table/prefix level and audit access centrally. Which approach is BEST?

A developer is building an AWS Lambda function that needs to read an API key from AWS Systems Manager Parameter Store. The team wants the key encrypted at rest and decrypted only at runtime with least operational overhead. Which approach should the developer use?

A developer needs to trigger a Lambda function whenever a new object is created in an S3 bucket. What is the simplest solution?

A developer is testing a new version of a Lambda function and wants to route 10% of traffic to the new version while keeping 90% on the current version, with the ability to roll back quickly. Which Lambda feature should be used?

An application uses Amazon API Gateway (REST API) with a Lambda integration. Clients occasionally receive 502 errors. CloudWatch logs show the Lambda function timing out. What change is most likely to reduce these errors without changing client behavior?

A CI/CD pipeline deploys an AWS CloudFormation stack that includes an AWS Lambda function. The deployment fails with an error indicating the Lambda code package is too large for direct upload. What should the developer do to resolve this?

A Lambda function writes items to a DynamoDB table. Under load, the function intermittently receives ProvisionedThroughputExceededException errors. The table uses provisioned capacity. What is the best way to improve write success with minimal code change?

A developer needs to allow an application running on Amazon EC2 to call an AWS service API. The security team prohibits storing long-term AWS access keys on instances. What should the developer use?

A serverless workflow uses Amazon SQS to queue jobs and a Lambda function to process messages. During a downstream outage, messages are retried repeatedly and some become stuck, increasing costs and delaying newer jobs. The team needs a durable way to isolate and inspect failing messages without blocking the queue. What should be implemented?

A Lambda function running in a VPC needs to call an external third-party HTTPS API on the internet. The function times out when calling the API. The VPC has private subnets only and no existing egress configuration. Which solution will restore outbound internet access while keeping the function in private subnets?

A company uses Amazon Cognito user pools for authentication. A mobile app calls an API Gateway endpoint that uses a Lambda authorizer to validate tokens. The security team wants to remove custom token validation code and use a managed, scalable authorization mechanism. What should the developer do?