Forem: Minoltan Issack

AWS Cloud Practitioner Questions | Security & Encryption

Minoltan Issack — Tue, 14 Apr 2026 11:26:56 +0000

Question 1:

To enable In-flight Encryption (In-Transit Encryption), we need to have ........................

Answer (2) : The correct answer, "an HTTPS endpoint with an SSL certificate," is right because HTTPS encrypts data in transit, ensuring security. HTTPS cannot be used without an SSL certificate, which verifies the server's identity. Other options are incorrect if they lack encryption or proper security measures. SSL certificates are essential for establishing trust and secure communication. This ensures data integrity and confidentiality during transmission.

Question 2:

Server-Side Encryption means that the data is sent encrypted to the server.

Answer (2) : Server-Side Encryption means the data is encrypted by the server after it's received, not while it's being sent. The statement is false because encryption during transmission is handled by protocols like TLS, known as in-flight encryption. Server-Side Encryption specifically refers to encrypting stored data, ensuring it is protected at rest. Other options that suggest encryption during transfer would refer to client-side or in-transit encryption, not server-side. This distinction helps ensure data security both in transit and at rest.

Question 3:

In Server-Side Encryption, where do the encryption and decryption happen?

Answer (1): The correct answer, "Both Encryption and Decryption happen on the server," is right because server-side encryption manages encryption keys and processes on the server side, meaning the server handles both tasks. The other options are incorrect because they involve the client performing encryption or decryption, which isn't the case with server-side encryption. In server-side encryption, the user doesn't have access to the keys, so they cannot encrypt or decrypt data themselves. This setup ensures secure handling of data by the server.

Question 4:

In Client-Side Encryption, the server must know our encryption scheme before we can upload the data.

Answer (1): In client-side encryption, the server acts as a "blind" storage provider and does not need to know the encryption scheme or keys to store the data. The data is fully encrypted before it leaves your device, ensuring the server only manages opaque blobs of information without any insight into the underlying cryptographic methods.

Question 5:

You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS …

Answer (2) : AWS provides managed keys that can be used for encryption without creating your own KMS keys. You only need to create custom keys if you have specific security requirements. The other options are incorrect because creating your own keys is optional, not mandatory, to enable encryption for services like EBS, S3, or RDS. AWS Managed Keys simplify the process and are ready to use. Therefore, creating KMS keys in advance is not a required step.

Question 6:

AWS KMS supports both symmetric and asymmetric KMS keys.

Answer (1): AWS KMS supports both symmetric and asymmetric keys. Symmetric keys are used for encryption and decryption with a single key. Asymmetric keys involve a key pair (RSA or ECC) used for encryption/decryption or signing/verification. The other option, "False," is incorrect because KMS indeed supports both types of keys. This allows flexible cryptographic operations for different security needs.

Question 7:

When you enable Automatic Rotation on your KMS Key, the backing key is rotated every ……………

Answer (2) : Automatic Rotation is enabled on a KMS key, it rotates every 12 months by default. The "90 days" option is incorrect because AWS does not rotate keys that frequently by default. The other options, "2 years" and "3 years," are incorrect because they exceed the standard rotation period set by AWS, which is one year. This rotation frequency balances security and operational consistency.

Question 8:

You have an AMI that has an encrypted EBS snapshot using KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can't use it. How would you solve this problem?

Answer (2) : KMS keys are customer-managed or AWS-managed, and sharing the AMI alone does not grant access to the encryption key. The other accounts must also have permission to use the CMK to access the encrypted snapshot. The first option, "logout and login," is incorrect because credential refresh doesn't resolve key sharing issues. The third option, "you can't share an encrypted AMI," is incorrect because encrypted AMIs can be shared if the CMK permissions are properly configured. Sharing the CMK ensures the other account can decrypt and use the AMI.

Question 9:

You have created a Customer-managed CMK in KMS that you use to encrypt both S3 buckets and EBS snapshots. Your company policy mandates that your encryption keys be rotated every 6 months. What should you do?

Answer (1): AWS KMS supports automatic key rotation every year. However, since your policy requires rotation every 6 months, you need to manually rotate the key or create a new one, as automatic rotation is annual. Using AWS Managed Keys isn't suitable because their rotation is automatic but on a quarterly basis, and they don't allow custom retention periods. Manually creating and rotating keys gives control over the exact 6-month schedule. The other options do not meet the specific 6-month rotation requirement.

Question 10:

What should you use to control access to your KMS CMKs?

Answer (1) : They directly define and control access permissions for each CMK. "KMS IAM Policy" is incorrect because IAM policies manage permissions at the user or role level, not specific to each key. "AWS GuardDuty" is incorrect as it is a security threat detection service, not an access control tool. "KMS Access Control List (KMS ACL)" is incorrect because KMS does not support ACLs for controlling access. Key policies are the primary method for managing access to KMS CMKs.

Question 11:

You have a Lambda function used to process some data in the database. You would like to give your Lambda function access to the database password. Which of the following options is the most secure?

Answer (3): It keeps the sensitive data secure while allowing the Lambda to access it securely during execution. Embedding the password in the code is insecure because it can be easily exposed if the code is accessed. Having it as plaintext environment variable is also insecure as it's visible in plain text within environment settings. Encrypting it and decrypting at runtime ensures the password remains protected at rest and only accessible in memory during execution. This approach balances security and accessibility effectively.

Question 12:

You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?

Answer (2): It allows secure storage of secrets with built-in version tracking, enabling you to see historical values. "AWS KMS" can rotate encryption keys but doesn't track or store different secret values over time. "Amazon S3" offers versioning and encryption but is not specifically designed for secret management or audit tracking of secret values. SSM Parameter Store provides dedicated secret management with version history, making it the best fit.

Question 13:

Your user-facing website is a high-risk target for DDoS attacks and you would like to get 24/7 support in case they happen and AWS bill reimbursement for the incurred costs during the attack. What AWS service should you use?

Answer (2): It provides 24/7 support for DDoS attacks and offers cost reimbursement assistance through AWS's DDoS Response Team. "AWS WAF" helps protect web applications from common web exploits but does not offer 24/7 support or billing reimbursement. "AWS Shield" provides basic DDoS protection but lacks the dedicated support and cost reimbursement features of Shield Advanced. "AWS DDoS OpsTeam" is not a service but a support team; the appropriate service is AWS Shield Advanced.

Question 14:

You would like to externally maintain the configuration values of your main database, to be picked up at runtime by your application. What's the best place to store them to maintain control and version history?

Answer (4): It securely stores configuration values with version control, making it easy to update and track changes at runtime. "Amazon DynamoDB" is a NoSQL database suitable for application data but isn't mainly designed for configuration management or versioning. "Amazon S3" can store files and version data, but it's less ideal for sensitive configuration values due to lack of built-in secret management features. "Amazon EBS" provides block storage for EC2 instances and is not suitable for managing or versioning configuration data externally.

Question 15:

AWS GuardDuty scans the following data sources, EXCEPT …………….

Answer (4): AWS GuardDuty does not directly scan CloudWatch Logs data sources; it primarily analyzes other specific logs. "CloudTrail Logs" are monitored because they record API activity for security analysis. "VPC Flow Logs" document network traffic, which GuardDuty analyzes for suspicious activity. "DNS Logs" are also scanned since they help detect malicious domain requests. GuardDuty focuses on certain data sources, and CloudWatch Logs are not one of them.

Question 16:

You have a website hosted on a fleet of EC2 instances fronted by an Application Load Balancer. What should you use to protect your website from common web application attacks (e.g., SQL Injection)?

Answer (2): It allows you to create custom rules to block common web application attacks like SQL Injection and Cross-Site Scripting. "AWS Shield" provides protection against DDoS attacks but does not specifically target application-layer threats. "AWS Security Hub" is a centralized security management service and does not directly protect against web attacks. "AWS GuardDuty" detects malicious activity but is focused on threat detection rather than web application protection.

Question 17:

You would like to analyze OS vulnerabilities from within EC2 instances. You need these analyses to occur weekly and provide you with concrete recommendations in case vulnerabilities are found. Which AWS service should you use?

Answer (3) : It automatically analyzes EC2 instances for security vulnerabilities and provides detailed findings and recommendations. "AWS Shield" focuses on protecting against DDoS attacks and does not analyze OS vulnerabilities. "Amazon GuardDuty" detects threats and malicious activity but does not perform vulnerability assessments. "AWS Config" monitors configuration compliance but does not provide detailed vulnerability analysis or recommendations.

Question 18:

What is the most suitable AWS service for storing RDS DB passwords which also provides you automatic rotation?

Answer (1) : It securely stores database passwords and provides automatic rotation, reducing manual management. "AWS KMS" is a key management service and does not store or rotate passwords directly. "AWS SSM Parameter Store" can store passwords but lacks built-in automatic rotation features. Secrets Manager is specifically designed for secret management and automated credential rotation.

Question 19:

Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?

Answer (4): It centrally manages security policies across multiple AWS accounts, including Security Groups and Shield Advanced. "AWS GuardDuty" detects security threats but does not handle centralized management of security groups or Shield. "AWS Config" monitors resource compliance, but it does not manage security policies across accounts. It tracks changes but doesn't enforce security rules centrally.

Question 20:

Which AWS service helps you protect your sensitive data stored in S3 buckets?

Answer(3) : It uses machine learning to identify and protect sensitive data in S3 buckets. "AWS KMS" is a key management service that encrypts data but does not identify or classify sensitive information in S3. "Amazon GuardDuty" detects security threats but doesn't specifically protect or identify sensitive data. "Amazon Shield" focuses on DDoS protection and does not manage or analyze data stored in S3.

Question 21:

An online-payment company is using AWS to host its infrastructure. The frontend is created using VueJS and is hosted on an S3 bucket and the backend is developed using PHP and is hosted on EC2 instances in an Auto Scaling Group. As their customers are worldwide, they use both CloudFront and Aurora Global database to implement multi-region deployments to provide the lowest latency and provide availability, and resiliency. A new feature required which gives customers the ability to store data encrypted on the database and this data must not be disclosed even by the company admins. The data should be encrypted on the client side and stored in an encrypted format. What do you recommend to implement this?

Answer (1) : Lambda is not designed for client-side encryption of database data. "Using Aurora Client-side Encryption and CloudHSM" is incorrect because while CloudHSM provides hardware security, it is not specifically integrated for client-side encryption in this context. "Using Lambda Client-side Encryption and CloudHSM" is incorrect because Lambda alone doesn't handle client-side encryption for databases, and CloudHSM is not tailored for this use case.

Question 22:

You have an S3 bucket that is encrypted with SSE-KMS. You have been tasked to replicate the objects to a target bucket in the same AWS region but with a different KMS Key. You have configured the S3 replication, the target bucket, and the target KMS key and it is still not working. What is missing to make the S3 replication work?

Answer (3): You need to configure permissions for both the source KMS key (kms:Decrypt) and the target KMS key (kms:Encrypt) so that S3 replication can access and use them properly. The other options are incorrect because replication is supported, no support ticket is needed, and the source and target keys do not have to be the same. Proper permissions are necessary for encryption and decryption during replication.

Question 23:

You have generated a public certificate using LetsEncrypt and uploaded it to the ACM so you can use and attach to an Application Load Balancer that forwards traffic to EC2 instances. As this certificate is generated outside of AWS, it does not support the automatic renewal feature. How would you be notified 30 days before this certificate expires so you can manually generate a new one?

Answer (2) : allows you to receive notifications 30 days before the certificate expires. Linking ACM to a third-party provider like Let's Encrypt does not provide automated notifications from AWS. Using monthly expiration events or CloudWatch alarms won't give you the timely warning needed 30 days in advance. EventBridge is suitable for scheduled, daily checks, ensuring proactive renewal alerts.

Question 24:

You have created the main Edge-Optimized API Gateway in us-west-2 AWS region. This main Edge-Optimized API Gateway forwards traffic to the second level API Gateway in ap-southeast-1. You want to secure the main API Gateway by attaching an ACM certificate to it. Which AWS region are you going to create the ACM certificate in?

Answer (1) : ACM certificates for CloudFront distributions must be created in the us-east-1 region, as AWS only supports CloudFront-related certificates there. "us-west-2" is incorrect because ACM certificates in this region cannot be used directly with CloudFront or Edge-Optimized API Gateway. "ap-southeast-1" is incorrect since it's not the region for ACM certificates used with CloudFront. "Both us-east-1 and us-west-2" is incorrect because only us-east-1 supports ACM certificates for CloudFront distributions.

Question 25:

You are managing an AWS Organization with multiple AWS accounts. Each account has a separate application with different resources. You want an easy way to manage Security Groups and WAF Rules across those accounts as there was a security incident the last week and you want to tighten up your resources. Which AWS service can help you to do so?

Answer (4) : AWS Firewall Manager allows centralized management of security policies, such as Security Groups and WAF rules, across multiple AWS accounts in an organization. It simplifies enforcement and updates, especially after security incidents.
Others are incorrect because:

AWS GuardDuty is primarily for threat detection, not policy management.
Amazon Shield provides DDoS protection but doesn't manage Security Groups or WAF rules.
Amazon Inspector assesses security vulnerabilities but doesn't handle centralized rule management.

To stay informed on the latest technical insights and tutorials, connect with me on Medium, LinkedIn, and Dev.to. For professional inquiries or technical discussions, please contact me via email. I welcome the opportunity to engage with fellow professionals and address any questions you may have. All blogs in this series will be optimized, fine-tuned, developed, and updated in a timely manner to reflect the latest AWS changes, exam updates, and real-world best practices.

AWS Cloud Practitioner Questions | RDS, Aurora, & ElastiCache

Minoltan Issack — Sun, 12 Apr 2026 08:11:16 +0000

Question 1:

Amazon RDS supports the following databases, EXCEPT:

Answer (1): Amazon RDS does not support MongoDB. Instead, RDS supports other databases such as MySQL, MariaDB, and Microsoft SQL Server. This helps you understand which databases are compatible with Amazon RDS and clarifies that MongoDB is not included in this managed service.

Question 2:

You're planning for a new solution that requires a MySQL database that must be available even in case of a disaster in one of the Availability Zones. What should you use?

Answer: (3) Multi-AZ deployments in Amazon RDS automatically create a synchronous standby replica of your database in a different Availability Zone. This setup provides high availability and durability, ensuring that if one AZ experiences a failure or disaster, the database remains available in the other AZ without manual intervention. In contrast, Read Replicas are mainly used for scaling read operations rather than disaster recovery, as they are asynchronous and may not provide immediate failover support in case of an AZ failure. Enabling Multi-AZ is the recommended approach for disaster recovery within a single region to ensure continuous availability.

Question 3:

We have an RDS database that struggles to keep up with the demand of requests from our website. Our million users mostly read news, and we don't post news very often. Which solution is NOT adapted to this problem?

Answer: (2) "RDS Multi-AZ" provides high availability and automatic failover in case of an Availability Zone failure. It ensures durability but does not improve read performance. "Read Replicas" are designed for scaling read operations, not for disaster recovery. "ElastiCache" improves read speed by caching data, not by providing database failover. Therefore, Multi-AZ is correct for high availability, while the others focus on scaling and caching.

Question 4:

You have set up read replicas on your RDS database, but users are complaining that upon updating their social media posts, they do not see their updated posts right away. What is a possible cause for this?

Answer (2) : Read Replicas use asynchronous replication, which can cause delays, leading to eventual consistency, so users might not see their updates immediately. Multi-AZ provides high availability and automatic failover but doesn't improve read scalability. ElastiCache speeds up read access by caching data but does not handle database replication or failover. Therefore, for ensuring data consistency, Read Replicas' asynchronous nature makes them less immediate. The other options serve different purposes like high availability or caching.

Question 5:

Which RDS (NOT Aurora) feature when used does not require you to change the SQL connection string?

Answer (1): Multi-AZ maintains the same connection string because it automatically handles failover to the standby replica without requiring connection string changes. In contrast, Read Replicas have their own endpoints and DNS names, so applications need to be updated to connect to them directly. Multi-AZ provides high availability but not read scaling. Read Replicas support read scalability but require configuration changes in the application. Therefore, Multi-AZ does not require changes to the connection string.

Question 6:

Your application running on a fleet of EC2 instances managed by an Auto Scaling Group behind an Application Load Balancer. Users have to constantly log back in and you don't want to enable Sticky Sessions on your ALB as you fear it will overload some EC2 instances. What should you do?

Answer (3): Storing session data in ElastiCache allows multiple EC2 instances to access user sessions quickly and efficiently, supporting stateless application design. RDS could store session data but offers lower performance compared to ElastiCache, which is optimized for fast access. Using your own load balancer doesn't address session management and can lead to complexity. EBS volumes are not suitable for shared session storage across instances due to limitations and performance concerns. Therefore, ElastiCache is the best choice for managing user sessions without sticky sessions.

Question 7:

An analytics application is currently performing its queries against your main production RDS database. These queries run at any time of the day and slow down the RDS database which impacts your users' experience. What should you do to improve the users' experience?

Answer (1): Setting up a Read Replica allows analytics queries to run independently, so they won't slow down the main database. Multi-AZ is mainly for high availability and automatic failover, not for offloading read workloads. Running queries at night limits real-time performance and doesn't address ongoing query impacts during the day. Read Replicas improve performance by distributing read traffic, making the user experience better. The other options do not effectively handle the problem of heavy, ongoing query load.

Question 8:

You would like to ensure you have a replica of your database available in another AWS Region if a disaster happens to your main AWS Region. Which database do you recommend to implement this easily?

Answer (4): Aurora Global Database is designed for disaster recovery across regions by allowing replicas in multiple AWS regions. RDS Read Replicas are limited to the same region and don't support cross-region disaster recovery. RDS Multi-AZ is for high availability within a single region and does not provide cross-region replication. Aurora Read Replicas are regional but do not have the global multi-region capability. Aurora Global Database is the best option for multi-region disaster recovery.

Question 9:

How can you enhance the security of your ElastiCache Redis Cluster by allowing users to access your ElastiCache Redis Cluster using their IAM Identities (e.g., Users, Roles)?

Answer (2): Using IAM Authentication allows users to securely access ElastiCache Redis with their IAM identities, enabling fine-grained access control and auditability. Redis Authentication relies on a password, which is less integrated with AWS identity management. Security Groups control network traffic but do not handle user authentication directly. IAM Authentication is specifically designed for integrating AWS user identities with ElastiCache for better security. The other options do not provide direct IAM-based user access control.

Question 10:

Your company has a production Node.js application that is using RDS MySQL 5.6 as its database. A new application programmed in Java will perform some heavy analytics workload to create a dashboard on a regular hourly basis. What is the most cost-effective solution you can implement to minimize disruption for the main application?

Answer (2): Creating a Read Replica in a different AZ allows the analytics workload to run without affecting the main database's performance. This minimizes disruption for the primary application while handling heavy analytics separately. Enabling Multi-AZ only provides high availability and automatic failover, not workload separation. Running analytics on the source database could slow down the main application and cause performance issues. Using a cross-AZ Read Replica is the most cost-effective and suitable solution for this scenario.

Question 11:

You would like to create a disaster recovery strategy for your RDS PostgreSQL database so that in case of a regional outage the database can be quickly made available for both read and write workloads in another AWS Region. The DR database must be highly available. What do you recommend?

Answer (2): Creating a read replica in a different region provides a backup that can be quickly promoted during a regional outage, ensuring high availability. Enabling Multi-AZ on the main database improves local availability but does not protect against regional failures. Creating a read replica in the same region with Multi-AZ doesn't provide cross-region disaster recovery. The "Enable Multi-Region" option does not exist in RDS; cross-region replication must be set up manually. The correct approach is to create a read replica in the target region for effective disaster recovery.

Question 12:

You have migrated the MySQL database from on-premises to RDS. You have a lot of applications and developers interacting with your database. Each developer has an IAM user in the company's AWS account. What is a suitable approach to give access to developers to the MySQL RDS DB instance instead of creating a DB user for each one?

Answer (3): Enabling IAM Database Authentication allows developers to access the RDS MySQL instance using their IAM credentials, simplifying user management. It eliminates the need to create individual database users and passwords for each developer. By default, IAM users do not have direct access to RDS databases without this feature enabled. Using Amazon Cognito is primarily for user authentication in mobile or web applications, not for direct database access. The correct choice streamlines access control while maintaining security via IAM.

Question 13:

Which of the following statement is true regarding replication in both RDS Read Replicas and Multi-AZ?

Answer (2): Read Replicas use asynchronous replication, which allows data to be copied to the replica with a slight delay, suitable for scaling and offloading read traffic. Multi-AZ deployments use synchronous replication, ensuring data is written to both the primary and standby instances simultaneously for high availability. The other options incorrectly state both use asynchronous or synchronous replication, which is not accurate. Synchronous replication in Multi-AZ provides data consistency during failover. Therefore, the correct answer accurately reflects the different replication methods used.

Question 14:

How do you encrypt an unencrypted RDS DB instance?

Answer (3): The correct method involves creating a snapshot, copying it with encryption enabled, and restoring the instance from this encrypted snapshot, as encryption cannot be directly enabled on an existing unencrypted RDS instance. The first option, encrypting directly from the console without snapshotting, is not possible because RDS does not support on-the-fly encryption of running instances. The second option, stopping the database before snapshotting, is unnecessary; snapshots can be created while the database is running. Restoring from an encrypted snapshot applies encryption to the new instance, which is the correct approach. This process ensures data encryption without downtime or complex configurations.

Question 15:

For your RDS database, you can have up to ............ Read Replicas.

Answer (2): The correct answer is 15, which is the maximum number of Read Replicas allowed for an RDS database, providing scalable read capacity. The choice of 5 is too low and limits scalability unnecessarily. The option of 7 is also below the maximum limit, so it does not represent the highest possible replicas. The limit is set to 15 for most database engines, allowing significant read scaling. Therefore, 15 is the correct maximum number allowed by AWS.

Question 16:

Which RDS database technology does NOT support IAM Database Authentication?

Answer (2): Oracle does not support IAM Database Authentication, so it cannot leverage AWS IAM for database access. PostgreSQL and MySQL, on the other hand, do support IAM authentication, enabling secure, centralized access management through IAM roles. The other options, "PostgreSQL" and "MySQL," support IAM, making them incorrect choices for this question. Oracle's architecture and authentication methods differ, which is why it does not integrate with IAM-based authentication. Therefore, Oracle is the correct answer as it does not support IAM Database Authentication.

Question 17:

You have an un-encrypted RDS DB instance and you want to create Read Replicas. Can you configure the RDS Read Replicas to be encrypted?

Answer (1): You cannot create encrypted Read Replicas from an un-encrypted RDS DB instance because encryption must be enabled at the source instance before replication. AWS does not allow converting or encrypting a Read Replica after it has been created from an unencrypted source. To have an encrypted Read Replica, you must first encrypt the source database through snapshot and restore procedures. This restriction ensures data at rest remains encrypted and secure. Therefore, the correct answer is "No."

Question 18:

An application running in production is using an Aurora Cluster as its database. Your development team would like to run a version of the application in a scaled-down application with the ability to perform some heavy workload on a need-basis. Most of the time, the application will be unused. Your CIO has tasked you with helping the team to achieve this while minimizing costs. What do you suggest?

Answer (3): Aurora Serverless automatically scales capacity up or down based on workload, making it cost-effective for infrequent and variable usage, which matches the team's needs. Using a global database is more suited for multi-region replication and not cost-efficient for small, infrequent workloads. An RDS database or running Aurora on EC2 would require maintaining resources constantly, increasing costs when the app is unused. Shutting down EC2 instances only addresses compute, not the database cost, and is less flexible than Aurora Serverless. Therefore, Aurora Serverless best minimizes costs while handling variable workloads.

Question 19:

How many Aurora Read Replicas can you have in a single Aurora DB Cluster?

Answer (3): Aurora natively supports both MySQL and PostgreSQL, making it compatible with those database engines. Aurora does not support MariaDB, Oracle, or MS SQL Server directly; these are separate from Aurora's supported engines. MariaDB is similar but not officially supported as an Aurora engine. Oracle and MS SQL Server are proprietary databases and are not compatible with Aurora. Therefore, "MySQL and PostgreSQL" is the correct answer, supporting Aurora's capabilities.

Question 20:

Amazon Aurora supports both …………………….. databases.

Answer (2): Aurora supports only MySQL and PostgreSQL engines, making it compatible with both. MariaDB is not supported by Aurora, so you can't use it directly. Oracle and MS SQL Server are proprietary databases with different architectures, so they are not compatible with Aurora. Aurora is designed to work specifically with MySQL and PostgreSQL for seamless integration. Therefore, "MySQL and PostgreSQL" is correct because only these two are supported by Aurora.

Question 21:

You work as a Solutions Architect for a gaming company. One of the games mandates that players are ranked in real-time based on their score. Your boss asked you to design then implement an effective and highly available solution to create a gaming leaderboard. What should you use?

Answer (4): ElastiCache for Redis with Sorted Sets is ideal for real-time ranking because it allows fast, in-memory updates and retrievals of ordered data, making leaderboards highly responsive and available. RDS for MySQL can store data, but it's slower for real-time updates and querying, which is critical for gaming leaderboards. Amazon Aurora provides high availability but isn't optimized for the ultra-low latency and real-time ranking needed here. ElastiCache for Memcached offers fast caching but lacks built-in support for ordered data types like Sorted Sets. Therefore, Redis Sorted Sets are the best fit for creating a highly available, real-time gaming leaderboard.

Question 22:

You need full customization of an Oracle Database on AWS. You would like to benefit from using the AWS services. What do you recommend?

Answer (2): RDS Custom for Oracle provides full customization options on AWS, allowing more control over the database environment, including access to the underlying OS and configurations. RDS for Oracle offers managed service with limited customization, suitable for standardized use cases but not full control. Deploying Oracle on EC2 gives complete customization but requires managing the infrastructure and maintenance yourself, which is less optimized than RDS Custom. RDS Custom strikes a balance by providing control while reducing administrative overhead. Therefore, RDS Custom for Oracle is the best choice for full customization with managed AWS services.

Question 23:

You need to store long-term backups for your Aurora database for disaster recovery and audit purposes. What do you recommend?

Answer (2): Perform On Demand Backups allows you to manually create backups that can be stored for as long as needed for disaster recovery and audits. Automated Backups have a maximum retention period of 35 days, which is insufficient for long-term storage. Aurora Database Cloning creates copies of the database but does not serve as a long-term backup solution. On Demand Backups give you control over backup retention duration beyond the automated retention period. Therefore, performing on-demand backups is best for long-term storage needs.

Question 24:

Your development team would like to perform a suite of read and write tests against your production Aurora database because they need access to production data as soon as possible. What do you advise?

Answer (4): Using Aurora Cloning creates a fast, separate copy of the database for testing without impacting production. Creating a Read Replica allows read-only access but isn't suitable for write testing or immediate data access. Testing directly against the production database risks affecting live users and data integrity. Making a DB Snapshot and restoring it is slower and unnecessary when cloning provides a quicker, safer option. Therefore, Aurora Cloning is the best choice for testing without affecting production performance or data.

Question 25:

You have 100 EC2 instances connected to your RDS database and you see that upon a maintenance of the database, all your applications take a lot of time to reconnect to RDS, due to poor application logic. How do you improve this?

Answer (4): Using RDS Proxy helps manage database connections efficiently, reducing connection time during failovers or maintenance. Fixing all the applications is impractical and time-consuming. Disabling Multi-AZ removes high availability features, risking longer downtime during failover. Enabling Multi-AZ improves availability but doesn't address connection interruptions during maintenance. Therefore, RDS Proxy is best for maintaining persistent connections and minimizing disruption.

AWS Cloud Practitioner Questions | IAM Advanced

Minoltan Issack — Sun, 22 Mar 2026 06:01:39 +0000

Question 1:

You have strong regulatory requirements to only allow fully internally audited AWS services in production. You still want to allow your teams to experiment in a development environment while services are being audited. How can you best set this up?

Answer (3): By creating an AWS Organization with separate Organizational Units (OUs) for Prod and Dev, and applying a Service Control Policy (SCP) on the Prod OU, you effectively enforce compliance in your production environment while allowing flexibility for experimentation in development. This setup aligns with your regulatory requirements by ensuring only vetted services are accessible in production.

Question 2:

You are managing the AWS account for your company, and you want to give one of the developers access to read files from an S3 bucket. You have updated the bucket policy to this, but he still can't access the files in the bucket. What is the problem?

{

    "Version": "2012-10-17",

    "Statement": [{

        "Sid": "AllowsRead",

        "Effect": "Allow",

        "Principal": {

            "AWS": "arn:aws:iam::123456789012:user/Dave"

        },

        "Action": "s3:GetObject",

        "Resource": "arn:aws:s3:::static-files-bucket-xxx"

     }]

}

Answer (3): The permission specified in the bucket policy only grants access to the bucket itself, not to the objects within it. By changing the resource to "arn:aws:s3:::static-files-bucket-xxx/*," you allow access to the individual files, which is necessary for object-level permissions.

Question 3:

You have 5 AWS Accounts that you manage using AWS Organizations. You want to restrict access to certain AWS services in each account. How should you do that?

Answer (2): By selecting "Using AWS Organizations SCP," you correctly identified the most effective way to restrict access to specific AWS services across multiple accounts, as Service Control Policies provide a centralized method for managing permissions within your organization. This aligns with your goal of implementing governance and compliance measures across your AWS accounts effectively.

Question 4:

Which of the following IAM condition key you can use only to allow API calls to a specified AWS region?

Answer (4): It specifically allows or denies API calls based on the region specified in the request, aligning perfectly with the requirement of controlling access to a specified AWS region. This understanding helps you effectively manage permissions and enforce regional restrictions in your AWS environment.

Question 5:

When configuring permissions for EventBridge to configure a Lambda function as a target you should use ………………….. but when you want to configure a Kinesis Data Streams as a target you should use

Answer (2): Using a resource-based policy for EventBridge allows you to define permissions directly on the Lambda function, while an identity-based policy is appropriate for Kinesis Data Streams, as it manages permissions based on the IAM role or user accessing the service. This distinction is key for correctly configuring permissions in AWS.

AWS Cloud Practitioner Questions | Networking & VPC

Minoltan Issack — Sat, 21 Feb 2026 10:35:24 +0000

Question 1:

What does this CIDR 10.0.4.0/28 correspond to?

Answer (1): CIDR notation "/28" indicates a subnet with 16 available IP addresses, ranging from the starting address 10.0.4.0 to 10.0.4.15, as only the last four bits change in this subnet. Great job understanding how CIDR notation works!

Question 2:

You have a corporate network of size 10.0.0.0/8 and a satellite office of size 192.168.0.0/16. Which CIDR is acceptable for your AWS VPC if you plan on connecting your networks later on?

Answer (2): It fits within the private IP address range and does not overlap with your existing networks, which is essential for proper routing and connectivity in your AWS VPC. This choice also adheres to the maximum CIDR size requirement in AWS, ensuring effective network management.

How to get the answer: A Step-by-Step Guide

1. Identify the "Taken" Space
First, look at the private IP ranges already in use. According to RFC 1918, there are three main blocks reserved for private networks:

10.0.0.0/8: (Used by your Corporate Network)
172.16.0.0/12: (Available)
192.168.0.0/16: (Used by your Satellite Office)

2. Apply the Rule of Non-Overlap
If you choose a VPC range that sits inside the 10.x.x.x or 192.168.x.x space, your routers won't know where to send a packet.

Example: If your VPC is 10.0.1.0/24 and your Corporate network is 10.0.0.0/8, the Corporate network contains the VPC range. When a computer in the office tries to talk to the VPC, it might think that IP address is just down the hall in the office rather than across the VPN/Direct Connect to AWS.

3. Select from the Remaining Private Space
Since the 10.x and 192.168.x blocks are occupied, the 172.16.0.0/12 block is your rest candidate, but a common choice is 172.16.0.0/16, which provides 65,536 IP addresses - plenty for most VPC needs.

Note : A /12 is significantly larger than a /16. In networking, the smaller the prefix number, the larger the network. A /12 contains sixteen /16 networks. AWS simply won't let you type 172.16.0.0/12 into the console.

Question 3:

You plan on creating a subnet and want it to have at least capacity for 28 EC2 instances. What's the minimum size you need to have for your subnet?

Answer (3): The minimum size you need is a ** /26 **. While a /27 provides 32 total addresses, once AWS takes its 5 reserved IPs, you are left with only 27 usable slots. Since you need 28, you must move up to the next binary step, which is a /26.

The Calculation
If you need 28 instances, your total IP requirement is:

28 (for your EC2 instances)
+ 5 (AWS Reserved IPs)
= 33 Total IP addresses required.

Now, we look at CIDR notation (which works in powers of 2) to find the smallest block that fits at least 33 addresses:

Question 4:

Security Groups operate at the ................. level while NACLs operate at the ................. level.

Answer (1): Security Groups operate at the instance level while NACLs operate at the subnet level.

Question 5:

You have attached an Internet Gateway to your VPC, but your EC2 instances still don't have access to the internet. What is NOT a possible issue?

Answer (3): Security groups in AWS are stateful, meaning that if an outgoing request is allowed, the corresponding inbound response will also be allowed, making this option not applicable to your EC2 instances' internet access issue. Keep up the great work understanding security groups!

Question 6:

You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?

Answer (3): It is the best option for providing seamless internet access to your EC2 instances in private subnets while minimizing administrative overhead, as it automatically scales with your traffic demands. This choice aligns perfectly with your goal of efficient and hassle-free network management.

Why the other answers are wrong:

1. Egress-Only Internet Gateway (EOIGW)

The Flaw: Egress-Only IGWs are strictly for IPv6 traffic.
Why it fails here: Your question specifically asks for IPv4 access. IPv4 and IPv6 use entirely different protocols for "hiding" private instances. An EOIGW cannot translate IPv4 addresses.

2. NAT Instances

The Flaw: These are DIY (Do-It-Yourself) virtual machines. Why it fails here: * High Administration: You are responsible for managing the EC2 instance, patching the OS, and configuring the NAT software (like iptables).
Poor Scaling: If your traffic exceeds the instance's bandwidth, you have to manually upgrade the instance size (vertical scaling) or set up a complex fleet (horizontal scaling). It does not scale "seamlessly" like a NAT Gateway does.
Single Point of Failure: Unless you set up a high-availability script, if that one instance crashes, your entire private subnet loses internet access.

Question 7:

VPC Peering has been enabled between VPC A and VPC B, and the route tables have been updated for VPC A. But, the EC2 instances cannot communicate. What is the likely issue?

Answer (2): In VPC Peering, both VPCs need updated route tables to allow communication between them; neglecting VPC B's route table can block traffic. This understanding highlights the importance of proper configuration in networking setups on AWS.

Question 8:

You have set up a Direct Connect connection between your corporate data center and your VPC A in your AWS account. You need to access VPC B in another AWS region from your corporate datacenter as well. What should you do?

Answer (3): It enables you to access multiple VPCs across different regions from your corporate data center, providing a seamless connection. This choice effectively aligns with the objective of optimizing network connectivity in multi-region architectures.

Question 9:

When using VPC Endpoints, what are the only two AWS services that have a Gateway Endpoint available?

Answer (3): These are the only AWS services that support a Gateway Endpoint, which allows private connections to your VPC without using public IPs. This understanding is crucial for efficiently managing secure connections in your AWS architecture.

Question 10:

AWS reserves 5 IP addresses each time you create a new subnet in a VPC. When you create a subnet with CIDR 10.0.0.0/24, the following IP addresses are reserved, EXCEPT ....................

Answer (4): AWS reserves the first four IP addresses (10.0.0.0 to 10.0.0.3) in a subnet for specific functions, meaning 10.0.0.4 is the first usable address and not reserved. This understanding is key when managing IP addresses within your VPC's subnets.

The Reserved List for 10.0.0.0/24
For this specific subnet, the reserved addresses are:

10.0.0.0: Network address.
10.0.0.1: Reserved by AWS for the VPC router.
10.0.0.2: Reserved by AWS for mapping to Amazon Provided DNS.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address (AWS does not support broadcast, but it reserves this address anyway).

Question 11:

You have 3 VPCs A, B, and C. You want to establish a VPC Peering connection between all the 3 VPCs. What should you do?

Answer (2): Because VPC Peering does not support transitive relationships, meaning each VPC must be directly peered with every other VPC to enable communication. This understanding is crucial for establishing effective connections among multiple VPCs in your AWS environment.

Question 12:

How can you capture information about IP traffic inside your VPCs?

Answer (1): Because this feature allows you to capture and analyze IP traffic data for network interfaces in your VPC, essential for monitoring network activity and auditing connections. Understanding this capability aligns with your learning objective of effectively managing and securing your AWS network infrastructure.

Question 13:

If you want a 500 Mbps Direct Connect connection between your corporate datacenter to AWS, you would choose a .................. connection.

Answer (2): It supports connections specifically at 500 Mbps, making it the appropriate choice for establishing your desired Direct Connect connection to AWS. This understanding aligns well with your learning about optimizing network performance within your AWS architecture.

Question 14:

When you set up an AWS Site-to-Site VPN connection between your corporate on-premises datacenter and VPCs in AWS Cloud, what are the two major components you want to configure for this connection?

Answer (4): Because these are the essential components needed to establish a Site-to-Site VPN connection between your on-premises datacenter and the AWS Cloud. This understanding aligns with your goal of mastering AWS networking and ensuring secure communication between environments.

Question 15:

Your company has several on-premises sites across the USA. These sites are currently linked using private connections, but your private connections provider has been recently quite unstable, making your IT architecture partially offline. You would like to create a backup connection that will use the public Internet to link your on-premises sites, that you can failover in case of issues with your provider. What do you recommend?

Answer (2): It allows you to establish secure communications between multiple on-premises sites over the public Internet using a hub-and-spoke model. This solution aligns perfectly with your objective of ensuring reliable backup connectivity for your environments during potential outages.

Question 16:

You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use?

Answer (3): It provides a dedicated, private connection between your on-premises datacenter and AWS, ensuring consistent performance without passing through the public Internet. This aligns perfectly with your goal of establishing a reliable and secure network infrastructure.

Wrong Choices

1. AWS Site-to-Site VPN
Think of this as the "Fast and Affordable" alternative to Direct Connect. It creates an encrypted tunnel between your on-premises data center and your AWS VPC using the Public Internet.
2. AWS PrivateLink
PrivateLink is fundamentally different. It isn't a "network-to-network" connection; it is a "Service-to-Service" connection. It allows you to expose a specific service (like a database or a third-party API) to another VPC or on-premises network without ever using an Internet Gateway, NAT Gateway, or Peering.
4. Amazon EventBridge
EventBridge is often a "distractor" answer when you are asked about establishing a network connection. The reason EventBridge is not the answer for a "dedicated connection" or "private network link" is a matter of Layer and Purpose.

Question 17:

Using a Direct Connect connection, you can access both public and private AWS resources.

Answer (1): You can indeed access both public resources, like AWS S3 buckets, and private resources, such as EC2 instances in a Virtual Private Cloud (VPC). This understanding reinforces your knowledge of how to optimize secure connectivity to AWS resources.

Question 18:

You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel's maximum limit of 1.25 Gbps. What should you do?

Answer (3): It allows you to scale multiple Site-to-Site VPN connections and aggregate traffic efficiently, overcoming the 1.25 Gbps limit of a single IPsec tunnel. This choice showcases your understanding of how Transit Gateway can enhance connectivity and performance in AWS networking.

Question 19:

You have a VPC in your AWS account that runs in a dual-stack mode. You are continuously trying to launch an EC2 instance, but it fails. After further investigation, you have found that you are no longer have IPv4 addresses available. What should you do?

Answer (3): You chose the appropriate solution to increase the number of available IPv4 addresses, allowing you to launch your EC2 instance successfully. This action directly addresses the issue of address depletion in your VPC while maintaining your current network configuration.

Question 20:

A web application backend is hosted on EC2 instances in private subnets fronted by an Application Load Balancer in public subnets. There is a requirement to give some of the developers access to the backend EC2 instances but without exposing the backend EC2 instances to the Internet. You have created a bastion host EC2 instance in the public subnet and configured the backend EC2 instances Security Group to allow traffic from the bastion host. Which of the following is the best configuration for bastion host Security Group to make it secure?

Answer (2): Ensured that SSH access to the bastion host is secure, allowing developers to manage backend EC2 instances without exposing them to the internet. This configuration supports your learning objective of implementing secure access to resources in AWS environments.

Question 21:

A company has set up a Direct Connect connection between their corporate data center to AWS. There is a requirement to prepare a cost-effective secure backup connection in case there are issues with this Direct Connect connection. What is the most cost effective and secure solution you recommend?

Answer (3): By selecting "Setup a Site-to-Site VPN connection as a backup," you chose a cost-effective solution that provides a secure alternative in case the primary Direct Connect connection fails. This approach ensures continuous connectivity while balancing security and cost, aligning well with the goal of maintaining reliable access to AWS resources.

Question 22:

Which AWS service allows you to protect and control traffic in your VPC from layer 3 to layer 7?

Answer (1): The service designed to protect and control traffic in your VPC across multiple layers, ensuring robust security for your cloud resources. This aligns with your learning objective of understanding traffic management and security within AWS environments.

Question 23:

A web application hosted on a fleet of EC2 instances managed by an Auto Scaling Group. You are exposing this application through an Application Load Balancer. Both the EC2 instances and the ALB are deployed on a VPC with the following CIDR 192.168.0.0/18. How do you configure the EC2 instances' security group to ensure only the ALB can access them on port 80?

Answer (3): By choosing "Add an Inbound Rule with port 80 and ALB's Security Group as the source," you ensured that only the Application Load Balancer can communicate with your EC2 instances, significantly enhancing your security posture. This aligns with your learning objective of understanding VPC traffic management and the importance of using security groups for precise access control.

AWS Cloud Practitioner Questions | High availability & Scalability

Minoltan Issack — Wed, 11 Feb 2026 09:59:53 +0000

Question 1:

Scaling an EC2 instance from r4.large to r4.4xlarge is called .....................

Correct Answer: (2) Scaling an EC2 instance from a smaller size (r4.large) to a larger one (r4.4xlarge) is an example of upgrading the resources of a single instance, which defines vertical scalability. This concept focuses on increasing the capacity of existing hardware rather than adding more instances.

Question 2:

Running an application on an Auto Scaling Group that scales the number of EC2 instances in and out is called .....................

Correct Answer: (1) Running an application on an Auto Scaling Group involves adding or removing instances to handle changes in demand, which perfectly exemplifies the concept of horizontally scaling by increasing capacity through multiple instances rather than upgrading a single instance's resources.

Question 3:

Elastic Load Balancers provide a .......................

Correct Answer: (2) Elastic Load Balancers provide a constant endpoint for your application, allowing you to manage changes in the underlying infrastructure without affecting how your users connect to your services. This ensures reliability and accessibility, aligning with best practices in application scalability.

Question 4:

You are running a website on 10 EC2 instances fronted by an Elastic Load Balancer. Your users are complaining about the fact that the website always asks them to re-authenticate when they are moving between website pages. You are puzzled because it's working just fine on your machine and in the Dev environment with 1 EC2 instance. What could be the reason?

Correct Answer: (3) Sticky Sessions enabled on the Elastic Load Balancer, user requests may be routed to different EC2 instances, causing loss of session data and prompting re-authentication. This feature ensures that users are consistently directed to the same instance, maintaining their session state as they navigate the website.

Question 5:

You are using an Application Load Balancer to distribute traffic to your website hosted on EC2 instances. It turns out that your website only sees traffic coming from private IPv4 addresses which are in fact your Application Load Balancer's IP addresses. What should you do to get the IP address of clients connected to your website?

Correct Answer: (2) To get the client IP address from the X-Forwarded-For header" is correct because the Application Load Balancer (ALB) uses this header to forward the original client's IP address to your EC2 instances, enabling accurate tracking of user traffic. This capability is essential for effective logging, analytics, and security measures on your site.

Question 6:

You hosted an application on a set of EC2 instances fronted by an Elastic Load Balancer. A week later, users begin complaining that sometimes the application just doesn't work. You investigate the issue and found that some EC2 instances crash from time to time. What should you do to protect users from connecting to the EC2 instances that are crashing?

Correct Answer: (1) This feature allows the Elastic Load Balancer to automatically monitor the health of your EC2 instances. By doing so, it prevents routing traffic to any instances that are unhealthy or crashed, ensuring a better experience for your users.

Question 7:

You are working as a Solutions Architect for a company and you are required to design an architecture for a high-performance, low-latency application that will receive millions of requests per second. Which type of Elastic Load Balancer should you choose?

Correct Answer: (2) It is designed to handle millions of requests per second, delivering the highest performance and lowest latency, making it ideal for high-performance applications. This choice aligns with the objective of optimizing application efficiency in demanding environments.

Question 8:

Application Load Balancers support the following protocols, EXCEPT:

Correct Answer: (3) Application Load Balancers are specifically designed to support application-layer protocols such as HTTP, HTTPS, and WebSocket, but do not support transport-layer protocols like TCP. This distinction is crucial for understanding how different load balancers operate based on the protocols they manage.

Question 9:

Application Load Balancers can route traffic to different Target Groups based on the following, EXCEPT:

Correct Answer: (1) Application Load Balancers do not route traffic based on geographic location; instead, they can route based on criteria like URL Path and Hostname. This distinction helps clarify how ALBs function in managing traffic efficiently.

Question 10:

Registered targets in a Target Groups for an Application Load Balancer can be one of the following, EXCEPT:

Correct Answer: (2) Registered targets in an Application Load Balancer's Target Groups can only include EC2 Instances, Private IP Addresses, and Lambda Functions, but not other load balancers. This distinction highlights the specific roles each service plays within the AWS ecosystem.

Question 11:

For compliance purposes, you would like to expose a fixed static IP address to your end-users so that they can write firewall rules that will be stable and approved by regulators. What type of Elastic Load Balancer would you choose?

Correct Answer: (2) It allows you to attach an Elastic IP address, providing a stable and fixed static IP for compliance purposes, which is essential for your end-users. This capability makes it an ideal choice for ensuring consistency in firewall rules and regulatory approval.

Question 12:

You want to create a custom application-based cookie in your Application Load Balancer. Which of the following you can use as a cookie name?

Correct Answer: (2) it is a valid cookie name you can define for your custom application-based cookies in an Application Load Balancer, while the other options are reserved names used by AWS. This distinction helps ensure you create custom cookies effectively for managing user sessions in your application.

Question 13:

You have a Network Load Balancer that distributes traffic across a set of EC2 instances in us-east-1. You have 2 EC2 instances in us-east-1b AZ and 5 EC2 instances in us-east-1e AZ. You have noticed that the CPU utilization is higher in the EC2 instances in us-east-1b AZ. After more investigation, you noticed that the traffic is equally distributed across the two AZs. How would you solve this problem?

Correct Answer: (1) It ensures that traffic is distributed evenly across all your EC2 instances in different Availability Zones, helping to balance the CPU utilization among them. This effectiveness directly addresses the issue of uneven resource usage in your load-balanced environment.

Question 14:

Which feature in both Application Load Balancers and Network Load Balancers allows you to load multiple SSL certificates on one listener?

Correct Answer: (2) It is the feature that allows multiple SSL certificates to be bound to a single listener in both Application Load Balancers and Network Load Balancers. This capability enables you to host multiple secure domains on the same IP address, making it efficient and cost-effective for managing SSL certificates.

Question 15:

You have an Application Load Balancer that is configured to redirect traffic to 3 Target Groups based on the following hostnames: users.example.com, api.external.example.com, and checkout.example.com. You would like to configure HTTPS for each of these hostnames. How do you configure the ALB to make this work?

Correct Answer: (3) SNI allows you to assign multiple SSL certificates to different hostnames on the same Application Load Balancer listener, making it possible to securely configure HTTPS for all your specified domains efficiently. This aligns with your learning objective of understanding how to manage SSL certificates in a load-balanced environment.

Question 16:

You have an application hosted on a set of EC2 instances managed by an Auto Scaling Group that you configured both desired and maximum capacity to 3. Also, you have created a CloudWatch Alarm that is configured to scale out your ASG when CPU Utilization reaches 60%. Your application suddenly received huge traffic and is now running at 80% CPU Utilization. What will happen?

Correct Answer: (1) The maximum capacity of your Auto Scaling Group is set to 3, which means it cannot scale beyond this limit regardless of the increased CPU utilization. This reinforces your understanding of Auto Scaling Group configurations and their constraints.

Question 17:

You have an Auto Scaling Group fronted by an Application Load Balancer. You have configured the ASG to use ALB Health Checks, then one EC2 instance has just been reported unhealthy. What will happen to the EC2 instance?

Correct Answer: (3) Auto Scaling Group (ASG) uses Application Load Balancer (ALB) health checks to monitor instance health. When an instance is marked unhealthy by the ALB, the ASG terminates it and launches a new instance to maintain the desired capacity and reliability.

Question 18:

Your boss asked you to scale your Auto Scaling Group based on the number of requests per minute your application makes to your database. What should you do?

Correct Answer: (1) Standard CloudWatch metrics do not capture requests per minute for database connections. This approach allows you to effectively monitor your application's needs and scale the Auto Scaling Group accordingly, aligning with your objective of understanding dynamic scaling based on application performance.

Question 19:

An application is deployed with an Application Load Balancer and an Auto Scaling Group. Currently, you manually scale the ASG and you would like to define a Scaling Policy that will ensure the average number of connections to your EC2 instances is around 1000. Which Scaling Policy should you use?

Correct Answer: (3) It allows you to automatically adjust the number of EC2 instances in your Auto Scaling Group to maintain a specific metric, such as the average number of connections, close to your target of 1000. This approach effectively simplifies scaling based on real-time performance metrics, aligning directly with your objective of automating resource management.

Question 20:

You have an ASG and a Network Load Balancer. The application on your ASG supports the HTTP protocol and is integrated with the Load Balancer health checks. You are currently using the TCP health checks. You would like to migrate to using HTTP health checks, what do you do?

Correct Answer: (2) The Network Load Balancer (NLB) is capable of using HTTP health checks, which are more tailored for applications supporting the HTTP protocol. This ensures more accurate monitoring of application availability and performance.

Question 21:

You have a website hosted in EC2 instances in an Auto Scaling Group fronted by an Application Load Balancer. Currently, the website is served over HTTP, and you have been tasked to configure it to use HTTPS. You have created a certificate in ACM and attached it to the Application Load Balancer. What you can do to force users to access the website using HTTPS instead of HTTP?

Correct Answer: (2) By configuring the Application Load Balancer to redirect HTTP to HTTPS, you ensure that all traffic to your website is securely encrypted, enhancing user privacy and site security. This action directly meets the learning objective of effectively managing web application traffic and implementing security best practices within AWS environments.

AWS Use Cases | Enhanced Streak System for Game Portal with Leaderboards & Rewards

Minoltan Issack — Mon, 01 Dec 2025 17:04:50 +0000

Introduction to Streaks

A streak is a consecutive count of days (or actions) a user performs a specific activity without breaking the chain. Streaks are commonly used in:

Habit-tracking apps (e.g., Duolingo, Headspace)
Gaming (daily login rewards, consecutive wins)
Fitness apps (workout consistency)
E-learning platforms (daily learning goals)

How AWS Helps Implement Streaks

AWS provides serverless and scalable solutions to track streaks efficiently:

AWS Lambda → Runs streak logic (increment, reset, reward checks) DynamoDB → Stores user streak data (last activity, current streak count)
API Gateway → Exposes APIs for frontend (web/mobile apps)
Amazon Cognito (Optional) → Handles user authentication
AWS CDK → Easy Deployment

Use Cases for Streaks & Implementation Steps

1. Daily Login Streaks (Gaming/Fitness Apps)

Goal: Reward users for logging in daily.

Implementation Steps:

1. Set Up DynamoDB Table

Table: UserStreak
Partition Key: userId (String)
Sort Key: streakType
Attributes: currentStreak, lastLogin, longestStreak

2. Create streakTrack Lambda Function

Checks if the user logged in today → skip
If logged in yesterday → increment streak
If missed a day → reset streak

import { UpdateItemCommand, GetItemCommand } from "@aws-sdk/client-dynamodb";
import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
import { ddbClient } from "./client";

const TABLE_NAME = process.env.STREAK_TABLE_NAME;
const MAX_FREEZE_DAYS = 2;

export const handler = async (event) => {
  try {
    const { userId } = JSON.parse(event.body);
    if (!userId) {
      return { statusCode: 400, body: JSON.stringify({ error: "userId is required" }) };
    }

    const today = new Date().toISOString().split("T")[0];
    const yesterday = new Date();
    yesterday.setDate(yesterday.getDate() - 1);
    const yesterdayStr = yesterday.toISOString().split("T")[0];

    // ✅ Get current streak and freeze days
    const { currentStreak, lastLogin, freezeDaysRemaining } = await getUserData(userId);

    // ✅ If already logged in today
    if (lastLogin === today) {
      return success({ message: "Already logged in today", currentStreak, freezeDaysRemaining });
    }

    let newStreak = 1;
    let newFreeze = freezeDaysRemaining;

    // ✅ Case 1: Consecutive login (yesterday)
    if (lastLogin === yesterdayStr) {
      newStreak = currentStreak + 1;
    } 
    // ✅ Case 2: Missed days but has freeze days → use one
    else if (freezeDaysRemaining > 0) {
      newStreak = currentStreak; // keep streak intact
      newFreeze = freezeDaysRemaining - 1; // use one freeze day
    }

    // ✅ Update DB
    await updateUserData(userId, today, newStreak, newFreeze);

    return success({
      message: freezeDaysRemaining > 0 && lastLogin !== yesterdayStr ? 
        "Missed day covered by a freeze day" : "Streak updated",
      currentStreak: newStreak,
      freezeDaysRemaining: newFreeze
    });

  } catch (err) {
    console.error("Error:", err);
    return { statusCode: 500, body: JSON.stringify({ error: err.message }) };
  }
};

// 🔹 Get user streak & freeze data
async function getUserData(userId) {
  const { Item } = await ddbClient.send(new GetItemCommand({
    TableName: TABLE_NAME,
    Key: marshall({ userId, streakType: "daily" }), // using same PK as freeze
  }));

  if (!Item) return { currentStreak: 0, lastLogin: null, freezeDaysRemaining: 0 };

  const data = unmarshall(Item);
  return {
    currentStreak: data.currentStreak || 0,
    lastLogin: data.lastLogin || null,
    freezeDaysRemaining: data.freezeDaysRemaining || 0
  };
}

// 🔹 Update streak and freeze count
async function updateUserData(userId, today, newStreak, newFreeze) {
  await ddbClient.send(new UpdateItemCommand({
    TableName: TABLE_NAME,
    Key: marshall({ userId, streakType: "daily" }),
    UpdateExpression: "SET currentStreak = :cs, lastLogin = :dt, freezeDaysRemaining = :fd",
    ExpressionAttributeValues: marshall({
      ":cs": newStreak,
      ":dt": today,
      ":fd": newFreeze
    })
  }));
}

// 🔹 Helper success response
function success(body) {
  return {
    statusCode: 200,
    headers: { "Access-Control-Allow-Origin": "*" },
    body: JSON.stringify(body)
  };
}

3.Create streakFreeze Lambda Function

import { GetItemCommand, UpdateItemCommand } from "@aws-sdk/client-dynamodb";
import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
import { ddbClient } from "./client.js";

const STREAK_TABLE_NAME = process.env.STREAK_TABLE_NAME;

export const handler = async (event) => {
    try {
        const { userId } = await validateAndParseInput(event.body);

        const { freezeDaysRemaining, itemExists } = await getCurrentFreezeDays(userId);

        if (freezeDaysRemaining >= 2) {
            return formatErrorResponse(400, "Maximum freeze days (2) already reached");
        }

        const updatedFreeze = await updateFreezeDays(userId, freezeDaysRemaining, itemExists);

        return {
            statusCode: 200,
            headers: { "Access-Control-Allow-Origin": "*" },
            body: JSON.stringify({
                status: "success",
                freezeDaysRemaining: updatedFreeze
            })
        };

    } catch (error) {
        console.error("handler: ", error);
        return formatErrorResponse(400, error.message);
    }
};

async function validateAndParseInput(body) {
    const payload = JSON.parse(body);
    const { userId } = payload;

    if (!userId) {
        throw new Error("Missing required field: userId");
    }

    return { userId };
}

async function getCurrentFreezeDays(userId) {
    const { Item } = await ddbClient.send(new GetItemCommand({
        TableName: STREAK_TABLE_NAME,
        Key: marshall({ userId, streakType: "daily" }),
        ProjectionExpression: "freezeDaysRemaining"
    }));

    return {
        freezeDaysRemaining: Item ? unmarshall(Item).freezeDaysRemaining || 0 : 0,
        itemExists: !!Item
    };
}

async function updateFreezeDays(userId, currentFreezeDays, itemExists) {
    const updateParams = {
        TableName: STREAK_TABLE_NAME,
        Key: marshall({ userId, streakType: "daily" }),
        UpdateExpression: "SET freezeDaysRemaining = :newVal",
        ExpressionAttributeValues: marshall({ ":newVal": currentFreezeDays + 1 }),
        ReturnValues: "ALL_NEW"
    };

    if (!itemExists) {
        // For new records, set additional default values
        updateParams.UpdateExpression = "SET freezeDaysRemaining = :newVal, currentStreak = :zero, longestStreak = :zero, lastActivity = :empty";
        updateParams.ExpressionAttributeValues = marshall({
            ":newVal": 1,
            ":zero": 0,
            ":empty": ""
        });
    }

    const { Attributes } = await ddbClient.send(new UpdateItemCommand(updateParams));
    return unmarshall(Attributes).freezeDaysRemaining;
}

function formatErrorResponse(statusCode, message) {
    return {
        statusCode,
        headers: { "Access-Control-Allow-Origin": "*" },
        body: message
    };
}

4. Set Up API Gateway

POST /streak/track → Triggers Lambda
POST /streak/freeze

5. Frontend Integration

Call API when user logs in
Display streak count

Example Explanation

Initial Conditions

currentStreak = 3
freezeDaysRemaining = 1
lastLogin = 2025-07-28

✅ Case 1: User logs in on 2025–07–29 (yesterday was last login)

Lambda receives event: { "userId": "1134" }
It checks lastLogin === yesterday (2025-07-28) → ✅ yes.
No freeze day is used.
currentStreak = 4, freezeDaysRemaining = 1
Response:

{
  "message": "Streak updated",
  "currentStreak": 4,
  "freezeDaysRemaining": 1
}

✅ Case 2: User skips 2025–07–29, logs in on 2025–07–30

Missed one day (2025–07–29)

Lambda checks: lastLogin = 2025-07-28, today = 2025-07-30
lastLogin !== yesterday, so normally streak would reset.
But freezeDaysRemaining > 0 → ✅ use one freeze.
currentStreak stays 3, freezeDaysRemaining = 0
Response:

{
  "message": "Missed day covered by a freeze day",
  "currentStreak": 3,
  "freezeDaysRemaining": 0
}

✅ Case 3: User skips 2025–07–31, logs in on 2025–08–01

Missed two consecutive days and has no freeze left

Lambda checks: lastLogin = 2025-07-28, today = 2025-08-01
lastLogin !== yesterday, and freezeDaysRemaining = 0
No freeze day available → streak resets to 1
currentStreak = 1, freezeDaysRemaining = 0
Response:

{
  "message": "Streak updated",
  "currentStreak": 1,
  "freezeDaysRemaining": 0
}

✅ Case 4: User later earns a freeze day (via freeze API)

User calls /streak/freeze with { "userId": "1134", "action": "add" }
Freeze Lambda increments freezeDaysRemaining but caps it at 2.

{
  "status": "success",
  "freezeDaysRemaining": 1
}

✅ Case 5: User tries to manually use a freeze

Calls /streak/freeze with { "userId": "1134", "action": "use" }
Lambda checks: freezeDaysRemaining > 0 → ✅ yes, decreases by 1.
If already 0, returns error:

{ "error": "No freeze days remaining" }

🔥 How This Works Together

1. Streak Lambda

Auto-consumes freeze only when needed (user missed a day).
Never lets streak reset unnecessarily if freeze is available.

2. Freeze Lambda

Adds freeze days when rewarded.
Allows manual usage (optional) if needed.

2. Consecutive Wins Streak (Gaming Leaderboards)

Goal: Track players’ winning streaks and reward top performers.
Implementation Steps:

1. DynamoDB Table

UserStreak
PK: userId
Sort Key: streakType
Attributes: currentWinStreak, maxWinStreak, lastWinDate

2. Lambda Function

After a game ends, check if the player won
Increment streak if last game was a win
Reset if lost

import { GetItemCommand, UpdateItemCommand } from "@aws-sdk/client-dynamodb";
import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
import { ddbClient } from "./client.js";

const TABLE_NAME = process.env.STREAK_TABLE_NAME;

export const handler = async (event) => {
  try {
    const { userId, won } = JSON.parse(event.body);

    if (!userId || won === undefined) {
      return formatResponse(400, { error: "userId and won (true/false) are required" });
    }

    const today = new Date().toISOString().split("T")[0];
    const yesterday = new Date();
    yesterday.setDate(yesterday.getDate() - 1);
    const yesterdayStr = yesterday.toISOString().split("T")[0];

    // Get current game streak data
    const { currentWinStreak, maxWinStreak, lastWinDate } = await getGameStreak(userId);

    let newWinStreak = currentWinStreak;
    let newMaxWinStreak = maxWinStreak;

    if (won) {
      // If last game was yesterday, continue streak, else reset to 1
      newWinStreak = lastWinDate === yesterdayStr ? currentWinStreak + 1 : 1;

      // Update max streak
      if (newWinStreak > maxWinStreak) {
        newMaxWinStreak = newWinStreak;
      }

      // Update DynamoDB
      await updateGameStreak(userId, today, newWinStreak, newMaxWinStreak);
    } else {
      // Player lost → reset current streak
      newWinStreak = 0;
      await updateGameStreak(userId, today, newWinStreak, maxWinStreak);
    }

    return formatResponse(200, {
      message: won ? "Game won streak updated" : "Game lost, streak reset",
      currentWinStreak: newWinStreak,
      maxWinStreak: newMaxWinStreak
    });

  } catch (err) {
    console.error("Error updating game streak:", err);
    return formatResponse(500, { error: err.message });
  }
};

// 🔹 Get current streak from DynamoDB
async function getGameStreak(userId) {
  const { Item } = await ddbClient.send(new GetItemCommand({
    TableName: TABLE_NAME,
    Key: marshall({ userId, streakType: "game" }),
    ProjectionExpression: "currentWinStreak, maxWinStreak, lastWinDate"
  }));

  if (!Item) {
    return { currentWinStreak: 0, maxWinStreak: 0, lastWinDate: null };
  }

  const data = unmarshall(Item);
  return {
    currentWinStreak: data.currentWinStreak || 0,
    maxWinStreak: data.maxWinStreak || 0,
    lastWinDate: data.lastWinDate || null
  };
}

// 🔹 Update streak in DynamoDB
async function updateGameStreak(userId, today, currentWinStreak, maxWinStreak) {
  await ddbClient.send(new UpdateItemCommand({
    TableName: TABLE_NAME,
    Key: marshall({ userId, streakType: "game" }),
    UpdateExpression: "SET currentWinStreak = :cws, maxWinStreak = :mws, lastWinDate = :ld",
    ExpressionAttributeValues: marshall({
      ":cws": currentWinStreak,
      ":mws": maxWinStreak,
      ":ld": today
    }),
    ReturnValues: "UPDATED_NEW"
  }));
}

// 🔹 Helper response formatter
function formatResponse(statusCode, body) {
  return {
    statusCode,
    headers: { "Access-Control-Allow-Origin": "*" },
    body: JSON.stringify(body)
  };
}

✅ Example Flow
🟢 Case 1: User wins consecutive games

lastWinDate: 2025–07–30
today: 2025–07–31
Result: currentWinStreak = 3, maxWinStreak = 3

🔴 Case 2: User loses

won: false
Result: currentWinStreak = 0, maxWinStreak stays as it was.

Conclusion

Streaks are a powerful engagement tool, and AWS makes implementation easy:
✅ Serverless & Scalable (Lambda + DynamoDB)
✅ Real-Time Updates (API Gateway)
✅ Reward Integration (Lambda + DynamoDB)
✅ Cost-Effective (Pay-per-use pricing)

Next Steps:

Start with a basic daily login streak
Expand to game win streaks and habit tracking
Add rewards & leaderboards for higher engagement

Advance on Streaks

1. Milestone Offers (Risk/Reward)

When users hit milestones (e.g., 7 days), give them a choice:

Option A: Continue safely (streak grows normally)
Option B: Gamble (“Break your streak now for 3x rewards!”)

2. Smart Streak Logic

Tracks timezone-aware daily activity
Handles edge cases (midnight checks, server delays)

3. Leaderboard Logic

Add reward for higher in the leaderboard

For CDK Implementation — My Reposiotry

To stay informed on the latest technical insights and tutorials, connect with me on Medium, LinkedIn and Dev.to. For professional inquiries or technical discussions, please contact me via email. I welcome the opportunity to engage with fellow professionals and address any questions you may have.

AWS Use Cases | Spin Wheel | How big companies manage prize giveaways and prevent duplication at scale using AWS serverless

Minoltan Issack — Sun, 30 Nov 2025 16:41:30 +0000

Introduction

Imagine the thrill of a spin-to-win promotion on your favorite e-commerce site. The wheel spins, the music builds, and for a few seconds, you’re on the edge of your seat, hoping for that big prize. For businesses, these gamified promotions are a goldmine: they drive immense user engagement, collect valuable data, and can significantly boost sales. But behind the scenes, managing such a giveaway for millions of eager users isn’t about luck — it’s about a robust, scalable architecture. The wrong approach can turn a successful campaign into a financial disaster, leaving you with an empty prize chest and a legion of frustrated customers.

This blog post will take you on a journey behind the curtain of a high-traffic spin-wheel promotion. We’ll explore the serious technical challenges that even the biggest companies face and, most importantly, show you how they build a bulletproof system using AWS Serverless to manage prize giveaways at scale and prevent a critical flaw: prize duplication.

The Problem in Simple Terms

Think of it like this: you have a single, highly-coveted prize — say, a brand new phone. You’ve announced that the first person to win on the spin wheel gets it.

Now, imagine thousands of people are all spinning the wheel at the same exact time. In the chaos of this high traffic, two different users (let’s call them Alice and Bob) hit the “spin” button within a fraction of a second of each other.

The problem, known as a race condition, occurs when your system’s prize check and prize deduction aren’t fast enough. The system might check for the phone, see that it’s available, and decide to award it to Alice. But before it can finalize that decision and remove the phone from the inventory, the system also checks for Bob, sees the same phone is available, and awards it to him as well.

The result? The system mistakenly gives the same prize to both Alice and Bob. This leads to frustrated customers, lost revenue, and a serious blow to your brand’s credibility. It’s the digital equivalent of two people trying to grab the last item on a shelf at the exact same time, but in this case, both of them walk away with it.

Our Solution in Simple Terms

So, how do big companies fix this problem? They don’t rely on luck. They use a special kind of database operation that acts like a digital bodyguard, ensuring a prize can only ever be claimed once.

Imagine our prize is the single, brand-new phone. When you spin the wheel and win, your request goes to a serverless program (an AWS Lambda function). This program doesn’t just check if the prize is there — it tries to claim it in a single, un-interruptible step.

This is the key. The program says to the database: “Give me this phone, but only if it’s still available.”

If the phone is available, the database immediately gives it to you and updates its records so no one else can see it. This all happens so fast and so securely that no other person’s request can get in the way.
If, however, another person (like Bob from our example) tried to claim the phone at the same time, their request would be denied instantly because the database would see that the prize count is now zero.

This special “all-or-nothing” command is what big companies use. It ensures that even with millions of spins, the system will never give out the same prize twice. You get your immediate result, and the company’s prize inventory stays perfectly accurate, keeping everyone happy.

The Grand Architecture: The Full Picture

This spin wheel module is designed as an independent, reusable component that can be integrated into any existing system (e.g., e-commerce, gaming app) via API calls. It uses AWS serverless services for scalability and low maintenance. You can also leverage my CDK implementation to easily deploy your application.

Key features:

1. Independence: The module exposes a REST API endpoint via API Gateway. Your existing system can call it with a user_id (authenticated via API key, JWT, or Cognito — I don’t use authorization for simplicity).

2. Race Condition Handling: Uses DynamoDB’s atomic conditional updates (optimistic locking) to prevent over-allocation of prizes or extra spins under high concurrency.

3. Prize Logic:

Each prize has a configurable weight (relative probability).
Overall prize winning probability (e.g., 0.3 for 30% chance of winning any prize) is configurable. Logic: First, generate a random number; if it’s less than overall_win_prob, select a prize based on weighted random; else, return “no prize”.
Prize stock is decremented atomically only if won and available.

4. Token Eligibility: Configurable max_spins (default 2) per user. Tracks spins_remaining in DynamoDB and token expiry date.

Step-by-step AWS setup

Step 1: Set Up DynamoDB Table

Use on-demand capacity for all tables to handle variable traffic.
For single table Approach we are using SpinWheel as the table name using PK is the partition key and SK is the sort key for the minimal maintenance.

1. Create global table

2. Create Config Record (for global configs):

Example Item:

{
  "PK": "GLOBAL",
  "SK": "CONFIG",
  "overall_win_prob": 0.3,
  "max_spins": 2,
  "token_expire_at": "2025-08-24T12:00:00Z",
  "last_updated": "2025-08-26T12:00:00Z"
}

3. Create Prize Record

Example Items:

[
   {
      "PK":"PRIZE",
      "SK":"12345678",
      "name":"Mobile Phone",
      "initial_stock": 100,
      "available_stock":95
      "weight":10,
      "last_updated":"2025-08-26T12:00:00Z",
      "active":true
   },
   {
      "PK":"PRIZE",
      "SK":"18765432",
      "name":"Bag",
      "initial_stock": 1000,
      "available_stock":905
      "weight":50,
      "last_updated":"2025-08-25T12:00:00Z",
      "active":true
   },
   {
      "PK":"PRIZE",
      "SK":"28765432",
      "name":"1 Million",
      "initial_stock": 10,
      "available_stock":5
      "weight":1,
      "last_updated":"2025-08-24T12:00:00Z",
      "active":false
   }
]

4. Token Record (for token history)
Example Item:

Note: The initial record will update when the user reads the token before the spin wheel click

[
{
  "PK": "PRIZE_TOKEN",
  "SK": "12345kd2k249dmm3sd", // token
  "spins_remaining": 0,
  "expire_at": "2025-08-26T12:00:00Z", 
  "prizes_won": [
    { 
      "id": "12345678",
      "name": "Mobile",
      "spin_timestamp": "2025-08-26T12:00:00Z",
      "chanceAt": 1
    }
   ]
},
{
  "PK": "PRIZE_TOKEN",
  "SK": "45645kd2k249dmm3sd",
  "spins_remaining": 2,
  "expire_at": "2025-08-26T12:00:00Z",
  "prizes_won": []
},
,
{
  "PK": "PRIZE_TOKEN",
  "SK": "12345df2k249dmm3sd",
  "spins_remaining": 0,
  "expire_at": "2025-08-26T12:00:00Z",
  "prizes_won": []
}
]

Step 2: Set Up Lambda Function

A. Set Up Dependencies and Environment

Use Node.js 20.x runtime.
Dependencies: @aws-sdk/client-dynamodb (for DynamoDB operations).
No extra installs needed (crypto is built-in).
Env Vars: TABLE_NAME (e.g., “SpinWheel”).

B. Add Permission for the lambda

Go to claimSpinWheelRole (I AM role config)

Edit the permission

Add the permissions to access dynamo DB
Replace the account id

{
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:*:<your-account-id>:table/SpinWheel"
}

C. Upload the zip file with node modules

You can locally create the index.js file and install needed dependency using npm command.

Initialize a Node.js Project: Create a new directory for your Lambda function and initialize a Node.js project.


mkdir spin-wheel-lambda
cd spin-wheel-lambda
npm init -y

Install @aws-sdk/client-dynamodb: Install the AWS SDK DynamoDB client.

npm install @aws-sdk/client-dynamodb

Verify package.json: After installation, your package.json should look like this:

{
  "name": "spin-wheel-lambda",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "type": "module",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@aws-sdk/client-dynamodb": "^3.645.0"
  }
}

Note: The version (3.645.0) may vary; use the latest stable version available at the time of installation.
consider this — “type”: “module”

Create ddbClient.js

import {DynamoDBClient} from "@aws-sdk/client-dynamodb";

const REGION= "ap-southeast-1";
export const ddbClient = new DynamoDBClient({ region: REGION });

Create index.js

import { ddbClient } from "./ddbClient.js";

Create a ZIP File

zip -r spin-wheel-lambda.zip index.js ddbClient.js node_modules package.json package-lock.json

Upload the file to created lambda function

Replace the lambda function


import { GetItemCommand, QueryCommand, TransactWriteItemsCommand } from "@aws-sdk/client-dynamodb";
import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
import { ddbClient } from "./ddbClient.js";

const ERROR_MESSAGES = {
    INVALID_TOKEN: 'Invalid token or no spins remaining',
    NO_PRIZE: 'No prizes available'
};
export const handler = async (event) => {
    const token = event.queryStringParameters?.token;

    try {
        const configItem = await loadConfig();
        const prizes = await loadEligiblePrizes();
        if (prizes.length === 0) {throw new Error("No prizes available");}

        const tokenItem = await checkTokenEligibility(token);
        if (!tokenItem || tokenItem.spins_remaining <= 0) {throw new Error(ERROR_MESSAGES.INVALID_TOKEN);}

        const overallWinProb = configItem.overall_win_prob;
        const result = await generateOutcomeAndUpdate(token, tokenItem.spins_total, tokenItem.spins_remaining, tokenItem.version, prizes, overallWinProb);

        return {
            statusCode: 200,
            headers: { 'Access-Control-Allow-Origin': '*' },
            body: JSON.stringify({
                outcome: result.outcome,
                prize: result.prizeWon,
                spins_remaining: tokenItem.spins_remaining - 1
            }),
        };

    } catch (error) {
        console.error({ level: 'ERROR', message: 'Handler error', error });
        if (error.message === ERROR_MESSAGES.INVALID_TOKEN) {
            return {
                statusCode: 400,
                headers: { 'Access-Control-Allow-Origin': '*' },
                body: JSON.stringify({ message: error.message }),
            };
        }

        if (error.message === ERROR_MESSAGES.NO_PRIZE) {
            return {
                statusCode: 200,
                headers: { 'Access-Control-Allow-Origin': '*' },
                body: JSON.stringify({ outcome: 'no_prize', message: error.message }),
            };
        }
        return {
            statusCode: 500,
            headers: { 'Access-Control-Allow-Origin': '*' },
            body: JSON.stringify({ message: 'Internal error' }),
        };
    }
};

const loadConfig = async () => {
    const data = await ddbClient.send(new GetItemCommand({
        TableName: process.env.DYNAMO_TABLE_NAME,
        Key: marshall({ PK: 'GLOBAL', SK: 'CONFIG' })
    }));
    if (!data.Item) throw new Error('Config not found');
    return unmarshall(data.Item);
};


const loadEligiblePrizes = async () => {
    const data = await ddbClient.send(new QueryCommand({
        TableName: process.env.DYNAMO_TABLE_NAME,
        KeyConditionExpression: 'PK = :pk',
        FilterExpression: 'active = :true AND available_stock > :zero AND weight > :zero',
        ProjectionExpression: 'SK, #name, available_stock, weight, version',
        ExpressionAttributeNames: { '#name': 'name' },
        ExpressionAttributeValues: marshall({
            ':pk': 'PRIZE',
            ':true': true,
            ':zero': 0
        })
    }));
    return data.Items.map(item => unmarshall(item));
};

const checkTokenEligibility = async (token) => {
    const data = await ddbClient.send(new GetItemCommand({
        TableName: process.env.DYNAMO_TABLE_NAME,
        Key: marshall({ PK: 'PRIZE_TOKEN', SK: token })
    }));
    const item = data.Item ? unmarshall(data.Item) : null;
    if (!item || new Date(item.expire_at) <= new Date()) {
        return null;
    }
    return {
        spins_remaining: item.spins_remaining,
        spins_total: item.spins_total,
        version: item.version
    };
};


const generateOutcomeAndUpdate = async (token, spinsTotal, spinsRemaining, tokenVersion, prizes, overallWinProb) => {
    const result = calculateSpinOutcome(prizes, overallWinProb);
    const now = new Date().toISOString();
    const chanceAt = spinsTotal - spinsRemaining + 1;
    const transactItems = createTransactionItems(token, tokenVersion, spinsRemaining, result.prize, now, chanceAt);

    await ddbClient.send(new TransactWriteItemsCommand({ TransactItems: transactItems }));

    return {
        status: 'success',
        outcome: result.outcome,
        prizeWon: result.prize ? { id: result.prize.SK ,name:result.prize.name, spin_timestamp: now, chanceAt } : null
    };
};

const calculateSpinOutcome = (prizes, overallWinProb) => {
    if (Math.random() > overallWinProb) {
        return { outcome: 'no_prize', prize: null };
    }

    const totalWeight = prizes.reduce((sum, p) => sum + p.weight, 0);
    if (totalWeight === 0) {
        return { outcome: 'no_prize', prize: null };
    }

    let cumulative = 0;
    const randWeight = Math.random() * totalWeight;
    for (const prize of prizes) {
        cumulative += prize.weight;
        if (randWeight < cumulative) {
            return { outcome: 'win', prize };
        }
    }
    return { outcome: 'no_prize', prize: null }; // Fallback
};

const createTransactionItems = (token, tokenVersion, spinsRemaining, prize, now, chanceAt) => {
    const transactItems = [{
        Update: {
            TableName: process.env.DYNAMO_TABLE_NAME,
            Key: marshall({ PK: 'PRIZE_TOKEN', SK: token }),
            UpdateExpression: 'SET spins_remaining = spins_remaining - :one, version = version + :one',
            ConditionExpression: 'spins_remaining > :zero AND version = :currentVersion',
            ExpressionAttributeValues: marshall({
                ':one': 1,
                ':zero': 0,
                ':currentVersion': tokenVersion
            })
        }
    }];

    if (prize) {
        transactItems[0].Update.UpdateExpression += ', prizes_won = list_append(prizes_won, :prizeList)';
        transactItems[0].Update.ExpressionAttributeValues = {
            ...transactItems[0].Update.ExpressionAttributeValues,
            ...marshall({
                ':prizeList': [{
                    id: prize.SK,
                    name: prize.name,
                    spin_timestamp: now,
                    chanceAt: chanceAt
                }]
            })
        };
        transactItems.push({
            Update: {
                TableName: process.env.DYNAMO_TABLE_NAME,
                Key: marshall({ PK: 'PRIZE', SK: prize.SK }),
                UpdateExpression: 'SET available_stock = available_stock - :one, version = version + :one',
                ConditionExpression: 'available_stock > :zero AND active = :true AND version = :currentVersion',
                ExpressionAttributeValues: marshall({
                    ':one': 1,
                    ':zero': 0,
                    ':true': true,
                    ':currentVersion': prize.version
                })
            }
        });
    }
    return transactItems;
};

API Integration

1. Create Rest API

Give name

Create root resource

Create Post Method

Deploy API with stage

For Full Spin Wheel Module in CDK

Visit My GitHub

Conclusion

Running a spin-to-win promotion at scale is far more than just adding a flashy wheel to your website — it’s a complex engineering challenge. Without the right safeguards, race conditions, duplicate prizes, and user frustration can quickly turn what should be an exciting campaign into a business nightmare. By leveraging AWS Serverless components like DynamoDB, Lambda, API Gateway, and managing everything with CDK, we can design a system that is scalable, reliable, and cost-efficient. The key lies in atomic operations and transactional logic, ensuring that no matter how many users spin at the same time, your prize inventory stays accurate and your customers get a fair experience.

AWS Cloud Practitioner Questions | EC2 SAA Level

Minoltan Issack — Sun, 30 Nov 2025 08:24:10 +0000

Question 1:

You have launched an EC2 instance that will host a NodeJS application. After installing all the required software and configured your application, you noted down the EC2 instance public IPv4 so you can access it. Then, you stopped and then started your EC2 instance to complete the application configuration. After restart, you can't access the EC2 instance, and you found that the EC2 instance public IPv4 has been changed. What should you do to assign a fixed public IPv4 to your EC2 instance?

Correct Answer: (1) Allocating an Elastic IP provides a static public IPv4 address that remains associated with your EC2 instance, even when it is stopped and restarted, ensuring uninterrupted access to your application. This approach is important for maintaining reliable connectivity without the changes that occur with regular public IP addresses.

Question 2:

You have an application performing big data analysis hosted on a fleet of EC2 instances. You want to ensure your EC2 instances have the highest networking performance while communicating with each other. Which EC2 Placement Group should you choose?

Correct Answer: (2) It ensures that your EC2 instances are physically located close together, which enhances networking performance and reduces latency, making it ideal for high-performance applications like big data analysis. This setup allows your instances to communicate more efficiently, aligning perfectly with your application's needs.

Question 3:

You have a critical application hosted on a fleet of EC2 instances in which you want to achieve maximum availability when there's an AZ failure. Which EC2 Placement Group should you choose?

Correct Answer: (3) It effectively ensures that your EC2 instances are distributed across different physical hardware in multiple Availability Zones (AZs), maximizing availability during an AZ failure. This configuration provides redundancy and reduces the risk of downtime for your critical application.

Question 4:

Elastic Network Interface (ENI) can be attached to EC2 instances in another AZ.

Correct Answer: (2) Elastic Network Interfaces (ENIs) are restricted to a specific Availability Zone (AZ) and cannot be attached to EC2 instances in other AZs, ensuring that the networking structure remains stable and localized within that zone. This understanding is essential for correctly managing resources in AWS.

Question 5:

The following are true regarding EC2 Hibernate, EXCEPT:

Correct Answer: (1) EC2 Hibernate to function, the root volume must be an EBS volume that is encrypted. This understanding is crucial as it aligns with knowing the specific requirements for using hibernation with AWS EC2 instances.

AWS Cloud Practitioner Questions | EC2 Fundamentals

Minoltan Issack — Sat, 29 Nov 2025 10:32:18 +0000

Question 1:

Which EC2 Purchasing Option can provide you the biggest discount, but it is not suitable for critical jobs or databases?

Correct Answer: (3) They offer the largest discounts among EC2 Purchasing Options, making them cost-effective for non-critical workloads. However, they come with the risk of termination, which makes them less suitable for critical jobs or databases that require consistent availability.

Question 2:

What should you use to control traffic in and out of EC2 instances?

Correct Answer: (2) They are specifically designed to control inbound and outbound traffic at the EC2 instance level, allowing you to tailor access and enhance the security of your instances effectively. This understanding is crucial for managing network security within AWS.

Question 3:

How long can you reserve an EC2 Reserved Instance?

Correct Answer: (1) EC2 Reserved Instances can only be reserved for those two specific durations, ensuring you understand the fixed options available for long-term capacity planning within AWS. This knowledge is essential for effectively managing resource costs and availability.

Question 4:

You would like to deploy a High-Performance Computing (HPC) application on EC2 instances. Which EC2 instance type should you choose?

Correct Answer: (2) These EC2 instances are specifically tailored for compute-intensive tasks, making them ideal for High-Performance Computing (HPC) applications that require powerful processors and high performance. This choice aligns perfectly with your need for efficient processing in demanding workloads.

Question 5:

Which EC2 Purchasing Option should you use for an application you plan to run on a server continuously for 1 year?

Correct Answer: (1) They are specifically designed for long-term workloads, allowing you to reserve capacity for 1 or 3 years, ensuring consistency and cost-effectiveness for applications that need to run continuously. This choice effectively aligns with your need for a stable server environment over an extended period.

Question 6:

You are preparing to launch an application that will be hosted on a set of EC2 instances. This application needs some software installation and some OS packages need to be updated during the first launch. What is the best way to achieve this when you launch the EC2 instances?

Correct Answer: (3) Using EC2 User Data allows you to automatically execute a bash script on instance launch, streamlining the process of installing required software and updating OS packages without manual intervention. This method is efficient, especially for managing multiple instances, aligning well with best practices for cloud deployment.

Question 7:

Which EC2 Instance Type should you choose for a critical application that uses an in-memory database?

Correct Answer: (3) These EC2 instances are designed specifically for applications that require significant memory capacity, such as in-memory databases, enabling faster data access and processing. This aligns perfectly with your need for high performance in handling large data sets directly in memory.

Question 8:

You have an e-commerce application with an OLTP database hosted on-premises. This application has popularity which results in its database has thousands of requests per second. You want to migrate the database to an EC2 instance. Which EC2 Instance Type should you choose to handle this high-frequency OLTP database?

Correct Answer: (2) These EC2 instances are specifically designed to handle high, sequential read/write operations on large data sets, making them well-suited for high-frequency OLTP databases like your e-commerce application. This choice directly addresses the need for performance in handling thousands of requests per second efficiently.

Question 9:

Security Groups can be attached to only one EC2 instance.

Correct Answer: (1) Security Groups are designed to be flexible, allowing you to attach the same group to multiple EC2 instances within the same AWS Region or VPC, simplifying management and enhancing security consistency across instances. This understanding aligns with best practices in AWS architecture.

Question 10:

You're planning to migrate on-premises applications to AWS. Your company has strict compliance requirements that require your applications to run on dedicated servers. You also need to use your own server-bound software license to reduce costs. Which EC2 Purchasing Option is suitable for you?

Correct Answer: (2) They provide the required dedicated servers for compliance needs and allow you to use your existing server-bound software licenses, making them highly suitable for your situation. This choice emphasizes your understanding of how to align AWS services with strict compliance and licensing requirements.

Question 11:

You would like to deploy a database technology on an EC2 instance and the vendor license bills you based on the physical cores and underlying network socket visibility. Which EC2 Purchasing Option allows you to get visibility into them?

Correct Answer: (3) They provide you with visibility into the physical cores and network socket configurations, aligning perfectly with the licensing model based on those specifications. This choice demonstrates your understanding of how specific EC2 purchasing options can meet vendor compliance requirements effectively.

Question 12:

Spot Fleet is a set of Spot Instances and optionally ……………

Correct Answer: (2) Spot Fleet can include both Spot Instances and On-Demand Instances, providing flexibility to automatically request the most cost-effective option available while maintaining resource availability. This understanding is key to utilizing EC2's pricing models effectively.

AWS Cloud Practitioner Questions | IAM & CLI

Minoltan Issack — Thu, 27 Nov 2025 17:04:58 +0000

Question 1:

What is a proper definition of an IAM Role?

Correct Answer: (3) It accurately describes that IAM Roles are used to assign specific permissions for AWS services to perform actions on your behalf. This is essential for managing access and ensuring that services can interact securely with other AWS resources.

Question 2:

Which of the following is an IAM Security Tool?

Correct Answer: (1) It provides a comprehensive overview of all your AWS Account's IAM Users and the status of their credentials, helping you monitor and manage access effectively. This tool is essential for maintaining security and ensuring that all users have the appropriate and up-to-date credentials.

Question 3:

Which answer is INCORRECT regarding IAM Users?

Correct Answer: (1) IAM Users actually use their own unique credentials, such as usernames and passwords or access keys, to access AWS services. This distinction is important for maintaining security and proper access management within your AWS environment.

Question 4:

Which of the following is an IAM best practice?

Correct Answer: (2) It's a best practice to limit the use of the root account for critical account management tasks only. By using IAM Users for everyday activities, you enhance security and better manage permissions within your AWS environment.

Question 5:

What are IAM Policies?

Correct Answer: (2) IAM Policies are essential for establishing permission controls that determine what actions these entities can perform in AWS. This understanding is crucial for effectively managing security and access within your AWS environment.

Question 6:

Which principle should you apply regarding IAM Permissions?

Correct Answer: (3) It emphasizes giving users only the permissions necessary to perform their tasks, thereby reducing security risks. This principle is crucial for maintaining a secure AWS environment, as it limits potential damage from compromised accounts or human error.

Question 7:

What should you do to increase your root account security?

Correct Answer: (4) Enabling Multi-Factor Authentication (MFA) significantly enhances your root account security by requiring an additional verification step beyond just a password, making it much harder for unauthorized users to access your account even if your password is compromised. This aligns with the principle of implementing strong security measures to protect sensitive accounts and data in your AWS environment.

Question 8:

IAM User Groups can contain IAM Users and other User Groups.

Correct Answer: (2) IAM User Groups can only contain IAM Users and not other User Groups. This highlights the structure of IAM in AWS, where roles and hierarchies are defined to organize user permissions effectively.

Question 9:

An IAM policy consists of one or more statements. A statement in an IAM Policy consists of the following, EXCEPT:

Correct Answer: (3) It is an important element of IAM Policies, it is not included within the statements of the policy itself. Understanding this distinction helps clarify how IAM Policies are structured and ensures you can effectively write and analyze permissions in AWS.

AWS Cloud Practitioner Questions | Serverless Solutions Architecture Discussions

Minoltan Issack — Mon, 13 Oct 2025 11:04:41 +0000

Question 1:

A startup company plans to run its application on AWS. As a solutions architect, the company hired you to design and implement a fully Serverless REST API. Which technology stack do you recommend?

Correct Answer: (1) It allows you to handle HTTP requests without managing servers, enabling automatic scaling and cost efficiency. This aligns perfectly with your goal of implementing a serverless architecture, making your API both flexible and easy to maintain.

Question 2:

The following AWS services have an out of the box caching feature, EXCEPT ……………..

Correct Answer: (2) AWS Lambda does not offer an out-of-the-box caching feature, which distinguishes it from other AWS services like API Gateway and DynamoDB that do provide caching capabilities. This understanding of the different functionalities available in AWS services can enhance your expertise in building serverless architectures.

Question 3:

You have a lot of static files stored in an S3 bucket that you want to distribute globally to your users. Which AWS service should you use?

Correct Answer: (2) It is specifically designed as a content delivery network (CDN), which optimizes the distribution of static files globally, ensuring low latency and fast transfer speeds for your users. This capability perfectly aligns with your need to efficiently deliver static content stored in an S3 bucket.

Question 4:

You have created a DynamoDB table in ap-northeast-1 and would like to make it available in eu-west-1, so you decided to create a DynamoDB Global Table. What needs to be enabled first before you create a DynamoDB Global Table?

Correct Answer: (1) It is essential for enabling the replication of data changes across different AWS Regions when creating a Global Table. This functionality aligns with your objective to ensure that your DynamoDB table is consistently updated and available in multiple regions.

Question 5:

You have configured a Lambda function to run each time an item is added to a DynamoDB table using DynamoDB Streams. The function is meant to insert messages into the SQS queue for further long processing jobs. Each time the Lambda function is invoked, it seems able to read from the DynamoDB Stream but it isn't able to insert the messages into the SQS queue. What do you think the problem is?

Correct Answer: (2) For your Lambda function to successfully insert messages into an SQS queue, it must have the appropriate permissions assigned to its execution role. This highlights the importance of ensuring that IAM roles are properly configured to allow Lambda functions access to necessary AWS services.

Question 6:

You would like to create an architecture for a micro-services application whose sole purpose is to encode videos stored in an S3 bucket and store the encoded videos back into an S3 bucket. You would like to make this micro-services application reliable and has the ability to retry upon failures. Each video may take over 25 minutes to be processed. The services used in the architecture should be asynchronous and should have the capability to be stopped for a day and resume the next day from the videos that haven't been encoded yet. Which of the following AWS services would you recommend in this scenario?

Correct Answer: (3) Amazon SQS allows you to queue video encoding tasks, retaining them until you're ready to process them, while EC2 instances can be started and stopped as needed, enabling flexible management of your processing workload. This setup ensures reliability and supports your requirement to pause and resume encoding tasks over time.

Question 7:

You are running a photo-sharing website where your images are downloaded from all over the world. Every month you publish a master pack of beautiful mountain images that are over 15 GB in size. The content is currently hosted on an Elastic File System (EFS) file system and distributed by an Application Load Balancer and a set of EC2 instances. Each month, you are experiencing very high traffic which increases the load on your EC2 instances and increases network costs. What do you recommend to reduce EC2 load and network costs without refactoring your website?

Correct Answer: (4) It acts as a Content Delivery Network (CDN) that reduces load on your EC2 instances by caching and delivering content globally, which leads to lower latency and reduced network costs. This aligns with your objective of efficiently handling high traffic without significant changes to your existing architecture.

Question 8:

An AWS service allows you to capture gigabytes of data per second in real-time and deliver these data to multiple consuming applications, with a replay feature.

Correct Answer: (1) It enables you to efficiently capture and process large volumes of real-time data from multiple sources, making it ideal for applications that require speedy data ingestion and processing. This capability supports the learning objective of understanding scalable solutions for real-time data handling in cloud environments.

AWS Cloud Practitioner Questions | Serverless Overview from a Solutions Architect Perspective

Minoltan Issack — Tue, 07 Oct 2025 07:26:09 +0000

Question 1:

You have created a Lambda function that typically will take around 1 hour to process some data. The code works fine when you run it locally on your machine, but when you invoke the Lambda function it fails with a "timeout" error after 3 seconds. What should you do?

Correct Answer: (3) Lambda's maximum execution time is limited to 15 minutes, which is insufficient for your 1-hour processing task. Using services like EC2 allows you to run your code without these time constraints, enabling you to complete your processing as needed.

Question 2:

Before you create a DynamoDB table, you need to provision the EC2 instance the DynamoDB table will be running on.

Correct Answer: (2) DynamoDB is a fully managed, serverless database service that doesn't require you to provision or manage any servers, allowing it to automatically handle capacity changes and maintain performance without your intervention. This clarity helps you understand the distinction between serverless and traditional server-based architectures.

Question 3:

You have provisioned a DynamoDB table with 10 RCUs and 10 WCUs. A month later you want to increase the RCU to handle more read traffic. What should you do?

Correct Answer: (1) DynamoDB allows you to adjust read and write capacities independently; since your need is only an increase in read capacity, you don't need to change the write capacity. This understanding demonstrates your grasp of how provisioned throughput works in DynamoDB.

Question 4:

You have an e-commerce website where you are using DynamoDB as your database. You are about to enter the Christmas sale and you have a few items which are very popular and you expect that they will be read often. Unfortunately, last year due to the huge traffic you had the ProvisionedThroughputExceededException exception. What would you do to prevent this error from happening again?

Correct Answer: (2) It enhances your DynamoDB performance by caching frequently accessed data, which helps prevent exceeding your provisioned throughput and eliminates the "ProvisionedThroughputExceededException" during high-traffic events like sales. This solution effectively balances data retrieval needs with cost efficiency, ensuring a smoother customer experience.

Question 5:

You have developed a mobile application that uses DynamoDB as its datastore. You want to automate sending welcome emails to new users after they sign up. What is the most efficient way to achieve this?

Correct Answer: (3) this approach allows your application to react instantly to new user sign-ups, sending welcome emails efficiently without the need for manual intervention. By leveraging DynamoDB Streams with Lambda, you ensure a scalable and real-time solution that enhances user engagement as soon as they join.

Question 6:

To create a serverless API, you should integrate Amazon API Gateway with ………………….

Correct Answer: (3) It enables you to create a serverless API by automatically running your code in response to HTTP requests without needing to manage any server infrastructure. This aligns with the learning objective of understanding serverless architecture and the components that support it.

Question 7:

When you are using an Edge-Optimized API Gateway, your API Gateway lives in CloudFront Edge Locations across all AWS Regions.

Correct Answer: (1) Edge-Optimized API Gateway primarily serves geographically distributed clients by routing requests to the nearest CloudFront Edge Location, but it is still fundamentally hosted in a single AWS Region. This distinction is key for understanding how latency is reduced while maintaining a centralized API design.

Question 8:

You are running an application in production that is leveraging DynamoDB as its datastore and is experiencing smooth sustained usage. There is a need to make the application run in development mode as well, where it will experience the unpredictable volume of requests. What is the most cost-effective solution that you recommend?

Correct Answer: (2) It effectively balances cost and performance. In production, the predictable workload benefits from Provisioned Capacity with Auto Scaling, while development's unpredictable requests are handled flexibly and cost-effectively with On-Demand Capacity.

Question 9:

You have an application that is served globally using CloudFront Distribution. You want to authenticate users at the CloudFront Edge Locations instead of authentication requests go all the way to your origins. What should you use to satisfy this requirement?

Correct Answer: (1) it allows you to run code directly at CloudFront Edge Locations, enabling you to authenticate users closer to where they access your application, which enhances performance and minimizes latency. This aligns perfectly with your goal of efficiently managing user authentication in a global context.

Question 10:

The maximum size of an item in a DynamoDB table is ……………….

Correct Answer: (3) Maximum size of a single item in an Amazon DynamoDB table is indeed 400 KB. This knowledge is essential for understanding DynamoDB's storage limitations and how to effectively design your data structure.

Question 11:

Which AWS service allows you to build Serverless workflows using AWS services (e.g., Lambda) and supports human approval?

Correct Answer: (3) It allows you to orchestrate multiple AWS services, including Lambda, into serverless workflows and facilitates human approval steps, making it ideal for complex applications that require coordination between automated and manual processes. This aligns perfectly with understanding how to manage serverless architecture efficiently.

Question 12:

A company has a serverless application on AWS which consists of Lambda, DynamoDB, and Step Functions. In the last month, there are an increase in the number of requests against the application which results in an increase in DynamoDB costs, and requests started to be throttled. After further investigation, it shows that the majority of requests are read requests against some queries in the DynamoDB table. What do you recommend to prevent throttles and reduce costs efficiently?

Correct Answer: (4) DAX significantly improves read performance for DynamoDB by providing in-memory caching, reducing latency and costs associated with frequent read requests, which is crucial in your scenario where throttling occurred. This approach aligns with the learning objective of optimizing serverless applications on AWS for efficiency and cost-effectiveness.

Question 13:

You are a DevOps engineer in a football company that has a website that is backed by a DynamoDB table. The table stores viewers' feedback for football matches. You have been tasked to work with the analytics team to generate reports on the viewers' feedback. The analytics team wants the data in DynamoDB json format and hosted in an S3 bucket to start working on it and create the reports. What is the best and most cost-effective way you can achieve this task?

Correct Answer: (1) This method directly allows you to export data from DynamoDB in JSON format to an S3 bucket with minimal effort and cost, aligning with the analytics team's requirements for generating reports efficiently. This approach demonstrates your understanding of optimizing workflows in AWS services.

Question 14:

A website is currently in the development process and it is going to be hosted on AWS. There is a requirement to store user sessions for users logged in to the website with an automatic expiry and deletion of expired user sessions. Which of the following AWS services are best suited for this use case?

Correct Answer: (3) It allows you to efficiently manage user sessions with automatic expiration through Time to Live (TTL), ensuring that expired sessions are deleted without manual intervention. This aligns with the learning objective of utilizing AWS services to automate data management processes effectively.

Question 15:

You have a mobile application and would like to give your users access to their own personal space in the S3 bucket. How do you achieve that?

Correct Answer: (2) It effectively allows you to manage mobile user accounts, granting them individualized IAM permissions for secure access to their own areas in the S3 bucket. This directly aligns with the goal of providing personalized and secure storage solutions for users in mobile applications.

Question 16:

You are developing a new web and mobile application that will be hosted on AWS and currently, you are working on developing the login and signup page. The application backend is serverless and you are using Lambda, DynamoDB, and API Gateway. Which of the following is the best and easiest approach to configure the authentication for your backend?

Correct Answer: (3) it provides a simplified and secure way to manage user authentication, including sign-up and login processes, which is essential for a serverless application backend. This choice aligns with the learning objective of understanding efficient user management in cloud-based applications.

Question 17:

You are running a mobile application where you want each registered user to upload/download images to/from his own folder in the S3 bucket. Also, you want to give your users to sign-up and sign in using their social media accounts (e.g., Facebook). Which AWS service should you choose?

Correct Answer: (3) It efficiently manages user authentication and allows for social sign-in options, making it ideal for providing secure access for mobile users to their respective folders in S3. This aligns perfectly with the learning objective of implementing user management in cloud applications, ensuring a scalable and user-friendly experience.