Why Option B is Correct:

Amazon S3 Standard provides immediate access to files and is cost-effective for files that need to be accessed within 5 minutes.

By adding the S3 location to the SQS queue, you avoid transferring large files directly, which is both more efficient and scalable.

Why Other Options are Incorrect:

Option A: S3 Glacier Deep Archive is designed for archival storage with retrieval times ranging from minutes to hours, which does not meet the 5-minute requirement.

Option C: Amazon EBS is designed for block storage attached to EC2 instances, which adds unnecessary complexity and cost.

Option D: SQS is not designed to handle large file content directly and has message size limits (256 KB).

AWS Documentation References:

Amazon S3 Overview

Amazon SQS Best Practices

The correct security best practice is to assign the Lambda function an execution role with only the S3 permissions it needs. Lambda assumes this IAM role at runtime, so no long-term access keys need to be stored in source code. Option A is unacceptable because hardcoded IAM user credentials create a serious secret-management risk. Option C misunderstands the access model; the Lambda service principal is not the same as granting the function’s execution role permission to access the bucket. Option D uses an execution role, but attaching AmazonS3FullAccess is excessive and violates least privilege. The role should allow only the specific bucket actions required, such as listing the target bucket. AWS Lambda documentation states that a function’s execution role grants the function permission to access AWS services and resources. ( AWS Documentation )

===============

The correct answer is A because the requirement is to encrypt data in transit and data at rest while ensuring that the developer can manage encryption keys . AWS Key Management Service (AWS KMS) is the AWS-managed service specifically designed for creating, controlling, and auditing cryptographic keys. When used with the AWS Encryption SDK , it supports envelope encryption , a recommended pattern for protecting sensitive application data.

In this model, the application uses data keys to encrypt the actual sensitive data, while AWS KMS protects and manages the master keys that encrypt those data keys. This provides strong security and centralized key management, including access control through IAM, key rotation options, and auditability through AWS logging integrations. For data in transit , the application should also use TLS/HTTPS , which is standard AWS guidance for secure communications.

Option B is incorrect because Parameter Store is not the correct mechanism for directly managing application encryption keys in this way. SecureString protects stored values, but it is not a substitute for using KMS as the primary managed key service for encryption architecture. Option C is incorrect because Secrets Manager is intended for storing secrets such as passwords and tokens, not as the main key management system for application encryption design. Option D is incorrect because SSE-S3 uses Amazon S3-managed keys, not customer-managed KMS keys, so it does not satisfy the requirement that the developer be able to manage encryption keys.

Therefore, AWS KMS with envelope encryption through the AWS Encryption SDK is the most appropriate and secure solution.

This solution will meet the requirements by using a rolling with additional batch deployment method, which deploys the new version of the application to a separate group of instances and then shifts traffic to those instances in batches. This way, the application maintains full capacity and avoids service interruption during deployment, as well as minimizes the cost of additional resources that support the deployment. Option A is not optimal because it will use an all at once deployment method, which deploys the new version of the application to all instances simultaneously, which may cause service interruption or downtime during deployment. Option C is not optimal because it will use a blue/green deployment method, which deploys the new version of the application to a separate environment and then swaps URLs with the original environment, which may incur more costs for additional resources that support the deployment. Option D is not optimal because it will use an immutable deployment method, which deploys the new version of the application to a fresh group of instances and then redirects traffic to those instances, which may also incur more costs for additional resources that support the deployment.

The requirement is to automatically delete objects for basic users after 90 days with the least development effort. Amazon S3 provides a built-in, fully managed feature for this: S3 Lifecycle configuration rules . Lifecycle rules can filter objects by prefix (and/or tags) and then perform actions such as expiring (deleting) objects after a specified number of days since creation. Because the bucket does not have versioning enabled, the relevant action is to expire the current object after the retention period.

Option C matches this exactly: create an S3 Lifecycle rule that applies only to objects under the basic/ prefix and configure the rule to expire current versions after 90 days . S3 then automatically and continuously enforces the policy without any code, scheduling, or operational maintenance. This is typically the lowest-effort and most reliable approach because it is handled by S3 itself.

Option A requires writing and operating a Lambda function plus a scheduler, handling pagination, permissions, error handling, retries, and potential costs and throttling when scanning large buckets. That is more development and operational effort than a lifecycle rule. Option B is incorrect because it targets the premium/ prefix, but premium objects must be retained indefinitely. Option D refers to delete markers and unfinished multipart uploads; delete markers are relevant primarily for versioned buckets , and cleaning up multipart uploads does not implement the required “delete basic objects after 90 days” behavior.

Therefore, the correct solution is C : use an S3 Lifecycle rule scoped to the basic/ prefix to expire objects after 90 days, achieving automated retention with minimal development effort.

The core requirement is to perform a one-time deployment for testing without impacting the existing pre-production stack that other team members rely on. The safest way to avoid disruption is to deploy into an isolated AWS account (a dedicated development/testing account) instead of modifying the shared pre-production environment.

Option C achieves this with the least effort: use the AWS SAM CLI to package and deploy the same SAM application into a new AWS account designated for development. This creates an isolated copy of the stack (Lambda + SNS topics) where the developer can validate changes without affecting the shared pre-production deployment or the release pipeline.

Option A still deploys into pre-production, which directly violates the requirement to avoid impacting the existing application. A “debug parameter” does not prevent resource updates or side effects.

Option B is inconsistent: a CloudFormation change set is created against a specific account/stack. You cannot create a change set in one account and “execute it” in a different account as stated. Cross-account execution would require different credentials and a separate deployment process.

Option D introduces additional pipeline/stage complexity and is not necessary for a one-time test; it also implies changing the existing stack/pipeline, which can itself cause disruption.

Amazon API Gateway has a hard integration timeout that determines how long it waits for a backend response. If the backend (Lambda) does not respond within this time, API Gateway returns an HTTP 504 error to the client.

In this scenario, the Lambda function timeout is longer (20 seconds) than the API Gateway integration timeout (15 seconds). AWS documentation states that API Gateway will terminate the request once its timeout is exceeded, even if Lambda continues executing successfully. This explains why there are no Lambda errors despite 504 responses.

Increasing the Lambda timeout (Option B) does not help because API Gateway times out first. Reserved concurrency (Option A) and throttling limits (Option D) are unrelated to request duration.

The correct solution is to increase the API Gateway integration timeout so that it exceeds the maximum expected Lambda execution time. This ensures API Gateway waits long enough for the Lambda response.

Therefore, increasing the API Gateway timeout prevents HTTP 504 errors.

Amazon S3 Glacier storage classes are designed for cost-effective archival with varying retrieval times. S3 Glacier Instant Retrieval provides millisecond access , making it suitable for workloads that require immediate access but at a lower cost than S3 Standard.

For the first 90 days, instant access is required, which rules out S3 Glacier Deep Archive and S3 Glacier Flexible Retrieval as primary storage because they have minutes-to-hours retrieval times. After 90 days, the requirement allows retrieval times exceeding 10 minutes, making S3 Glacier Flexible Retrieval appropriate.

Option D uses Instant Retrieval initially and transitions to Flexible Retrieval, optimizing both performance and cost. EFS and EBS (Options A and C) are significantly more expensive for large objects and are not intended for massive archival workloads. Option B reverses the access requirements and is invalid.

AWS documentation explicitly recommends using S3 lifecycle policies to transition objects between Glacier storage classes based on access requirements.

Therefore, Option D is the most cost-effective and AWS-aligned solution.

In AWS Lambda, CPU power scales proportionally with the memory configuration. Lambda does not let you directly set “CPU cores” as a standalone setting in the general case; instead, increasing the function’s configured memory increases the CPU allocation (and other resources such as network throughput) available to the function. Therefore, to reduce latency caused by insufficient CPU, the developer should increase the function’s memory setting.

Option B directly addresses the CPU limitation in the supported Lambda configuration model. This is a common performance tuning approach: raise memory, benchmark, and find the optimal cost/performance point.

Option A is not the right lever for most Lambda functions because Lambda compute is configured via memory (and architecture), not by directly raising a “vCPU quota” per function in a typical tuning workflow.

Option C increases /tmp storage capacity and helps when dealing with large temporary files, not CPU availability.

Option D increases the maximum runtime allowed per invocation, but it does not give the function more CPU and will not reduce latency caused by CPU starvation.

Therefore, increasing the allocated memory is the correct way to increase CPU for a Lambda function.

Requirement Summary:

E-commerce app using Amazon RDS for MySQL

Needs caching layer for most-viewed products

Evaluate Options:

A. Add a cache node to RDS

No such feature in RDS for MySQL

Caching must be implemented outside RDS

B. ElastiCache for Redis (OSS)

Purpose-built for caching frequently accessed data

Reduces read pressure on RDS

Fast in-memory access (microseconds)

Seamless integration into app logic

C. DynamoDB DAX

DAX is for accelerating DynamoDB, not RDS

D. RDS standby instance

Read from standby is not allowed

Standby is for failover only, not for load balancing

ElastiCache for Redis: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html

Caching with Redis for RDS: https://aws.amazon.com/blogs/database/caching-strategies-using-amazon-elasticache-for-read-heavy-workloads-on-amazon-rds/

Amazon DynamoDB supports conditional writes , which allow developers to enforce data integrity rules directly at the database layer. AWS documentation states that conditional expressions are the recommended way to prevent accidental overwrites and ensure idempotent writes.

Using a PutItem operation with the condition expression

attribute_not_exists(transactionId) ensures that the write succeeds only if the item does not already exist . If a duplicate transaction is received, DynamoDB rejects the request without modifying the existing record.

This approach is highly cost-effective because it avoids additional read operations. Option A doubles request cost by performing a read before every write. TTL (Option B) is unrelated to overwrite prevention. Option C does the opposite of the requirement by ensuring the attribute exists.

AWS explicitly recommends conditional writes for handling duplicates and enforcing uniqueness with minimal cost and latency.

Therefore, implementing a conditional put with attribute_not_exists(transactionId) is the correct solution.

AWS Amplify is a set of tools and services that enables developers to build and deploy full-stack web and mobile applications that are powered by AWS. AWS Amplify supports hosting static websites on Amazon S3 and Amazon CloudFront, with HTTPS enabled by default. AWS Amplify also integrates with various version control systems, such as AWS CodeCommit, Bitbucket, and GitHub, and allows developers to connect different branches to different environments. AWS Amplify automatically builds and deploys the website whenever code changes are merged to a connected branch, enabling phased releases with minimal operational overhead. Reference: AWS Amplify Console

The symptoms point to a missing event source mapping between Amazon SQS and the processing Lambda function. The parsing function successfully sends messages to SQS (the queue depth increases), but the processing function is not running for production events—evidenced by no CloudWatch logs during those runs. If Lambda is not being invoked, it will not generate any logs. In an SQS-based architecture, Lambda does not “pull” messages from a queue unless the queue is configured as a Lambda trigger (an event source mapping). The event source mapping tells Lambda to poll the queue, batch messages, and invoke the function with those messages.

In isolated tests, the developer likely invoked the processing function manually with mock events (for example, via the Lambda console or sam local invoke), which would create logs. But in production, because the function is supposed to be driven by SQS, it must have an SQS trigger configured; otherwise, messages will accumulate indefinitely and the function will never execute.

Option C (grant permissions) is necessary in many cases, but it does not explain the absence of logs and growing queue depth by itself if the trigger is missing. With the standard SQS→Lambda integration, Lambda’s service polls the queue using the function’s execution role permissions (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, etc.), but the polling does not occur without the event source mapping. Option D is not the root cause because the function isn’t being invoked; and if it were invoked, AWS-managed logging typically works unless the execution role lacks logging permissions. Option B is incorrect because the parsing function is not supposed to be triggered by SQS; it produces messages to SQS.

Therefore, configuring the SQS queue as a trigger for the processing Lambda function (A) resolves the issue and ensures production S3 events flow through parsing to SQS and then into processing automatically.

The correct policy condition ensures that:

The LeadingKeys condition restricts operations to the authenticated user ' s user_id.

The Attributes condition limits the updatable attributes to user_name.

Explanation of Choices:

Option A: Correctly enforces both the key restriction (dynamodb:LeadingKeys) and ensures only the user_name attribute can be updated.

Option B, C, D: Use incorrect conditions, such as referencing user_name in the LeadingKeys or including other attributes like user_id in updatable fields.