A Kubernetes cluster consists of at least one main (control) plane, and one or more worker machines, called nodes.
Both the control planes and node instances can be physical devices, virtual machines, or instances in the cloud.
In managed Kubernetes environments like AWS EKS, GCP GKE, Azure AKS the control plane is managed by the cloud provider.
Control Plane
The control plane is also known as a master node or head node.
The control plane manages the worker nodes and the Pods in the cluster.
In production environments, the control plane usually runs across multiple computers and a cluster usually runs multiple nodes, providing fault-tolerance and high availability.
It is not recommended to run user workloads on master mode.
The Control plane’s components make global decisions about the cluster, as well as detect and respond to cluster events.
The control plane receives input from a CLI or UI via an API.
API Server (kube-apiserver)
API server exposes a REST interface to the Kubernetes cluster. It is the front end for the Kubernetes control plane.
All operations against pods, services, and so forth, are executed programmatically by communicating with the endpoints provided by it.
It tracks the state of all cluster components and manages the interaction between them.
It is designed to scale horizontally.
It consumes YAML/JSON manifest files.
It validates and processes the requests made via API.
etcd (key-value store)
Etcd is a consistent, distributed, and highly-available key-value store.
is stateful, persistent storage that stores all of Kubernetes cluster data (cluster state and config).
is the source of truth for the cluster.
can be part of the control plane, or, it can be configured externally.
ETCD benefits include
Fully replicated: Every node in an etcd cluster has access to the full data store.
Highly available: etcd is designed to have no single point of failure and gracefully tolerate hardware failures and network partitions.
Reliably consistent: Every data ‘read’ returns the latest data ‘write’ across all clusters.
Fast: etcd has been benchmarked at 10,000 writes per second.
Secure: etcd supports automatic Transport Layer Security (TLS) and optional secure socket layer (SSL) client certificate authentication.
Simple: Any application, from simple web apps to highly complex container orchestration engines such as Kubernetes, can read or write data to etcd using standard HTTP/JSON tools.
Scheduler (kube-scheduler)
The scheduler is responsible for assigning work to the various nodes. It keeps watch over the resource capacity and ensures that a worker node’s performance is within an appropriate threshold.
It schedules pods to worker nodes.
It watches api-server for newly created Pods with no assigned node, and selects a healthy node for them to run on.
If there are no suitable nodes, the pods are put in a pending state until such a healthy node appears.
It watches API Server for new work tasks.
Factors taken into account for scheduling decisions include:
Individual and collective resource requirements.
Hardware/software/policy constraints.
Affinity and anti-affinity specifications.
Data locality.
Inter-workload interference.
Deadlines and taints.
Controller Manager (kube-controller-manager)
Controller manager is responsible for making sure that the shared state of the cluster is operating as expected.
It watches the desired state of the objects it manages and watches their current state through the API server.
It takes corrective steps to make sure that the current state is the same as the desired state.
It is a controller of controllers.
It runs controller processes. Logically, each controller is a separate process, but to reduce complexity, they are all compiled into a single binary and run in a single process.
Some types of controllers are:
Node controller: Responsible for noticing and responding when nodes go down.
Job controller: Watches for Job objects that represent one-off tasks, then creates Pods to run those tasks to completion.
Endpoints controller: Populates the Endpoints object (that is, joins Services & Pods).
Service Account & Token controllers: Create default accounts and API access tokens for new namespaces.
Cloud Controller Manager
The cloud controller manager integrates with the underlying cloud technologies in your cluster when the cluster is running in a cloud environment.
The cloud-controller-manager only runs controllers that are specific to your cloud provider.
Cloud controller lets you link your cluster into cloud provider’s API, and separates out the components that interact with that cloud platform from components that only interact with your cluster.
The following controllers can have cloud provider dependencies:
Node controller: For checking the cloud provider to determine if a node has been deleted in the cloud after it stops responding.
Route controller: For setting up routes in the underlying cloud infrastructure.
Service controller: For creating, updating, and deleting cloud provider load balancers.
Data Plane Worker Node(s)
The data plane is known as the worker node or compute node.
A virtual or physical machine that contains the services necessary to run containerized applications.
A Kubernetes cluster needs at least one worker node, but normally has many.
The worker node(s) host the Pods that are the components of the application workload.
Pods are scheduled and orchestrated to run on nodes.
Cluster can be scaled up and down by adding and removing nodes.
Node components run on every node, maintaining running pods and providing the Kubernetes runtime environment.
kubelet
A Kubelet tracks the state of a pod to ensure that all the containers are running and healthy
provides a heartbeat message every few seconds to the control plane.
runs as an agent on each node in the cluster.
acts as a conduit between the API server and the node.
instantiates and executes Pods.
watches API Server for work tasks.
gets instructions from master and reports back to Masters.
kube-proxy
Kube proxy is a networking component that routes traffic coming into a node from the service to the correct containers.
is a network proxy that runs on each node in a cluster.
manages IP translation and routing.
maintains network rules on nodes. These network rules allow network communication to Pods from inside or outside of cluster.
ensures each Pod gets a unique IP address.
makes possible that all containers in a pod share a single IP.
facilitates Kubernetes networking services and load-balancing across all pods in a service.
It deals with individual host sub-netting and ensures that the services are available to external parties.
Container runtime
Container runtime is responsible for running containers (in Pods).
Kubernetes supports any implementation of the Kubernetes Container Runtime Interface CRI specifications
To run the containers, each worker node has a container runtime engine.
It pulls images from a container image registry and starts and stops containers.
Visibility timeout defines the period where SQS blocks the visibility of the message and prevents other consuming components from receiving and processing that message.
DLQ Redrive policy specifies the source queue, the dead-letter queue, and the conditions under which messages are moved from the former to the latter if the consumer of the source queue fails to process a message a specified number of times.
Short and Long polling control how the queues would be polled and Long polling help reduce empty responses.
Queue and Message Identifiers
Queue URLs
Queue is identified by a unique queue name within the same AWS account
Each queue is assigned with a Queue URL identifier for e.g. http://sqs.us-east-1.amazonaws.com/123456789012/queue2
Queue URL is needed to perform any operation on the Queue.
Message ID
Message IDs are useful for identifying messages
Each message receives a system-assigned message ID that is returned with the SendMessage response.
To delete a message, the message’s receipt handle instead of the message ID is needed
Message ID can be of is 100 characters max
Receipt Handle
When a message is received from a queue, a receipt handle is returned with the message which is associated with the act of receiving the message rather than the message itself.
Receipt handle is required, not the message id, to delete a message or to change the message visibility.
If a message is received more than once, each time it is received, a different receipt handle is assigned and the latest should be used always.
Message Deduplication ID
Message Deduplication ID is used for the deduplication of sent messages.
Message Deduplication ID is applicable for FIFO queues.
If a message with a particular message deduplication ID is sent successfully, any messages sent with the same message deduplication ID are accepted successfully but aren’t delivered during the 5-minute deduplication interval.
Message Group ID
Message Group ID specifies that a message belongs to a specific message group.
Message Group ID is applicable for FIFO queues.
Messages that belong to the same message group are always processed one by one, in a strict order relative to the message group.
However, messages that belong to different message groups might be processed out of order.
Visibility timeout
SQS does not delete the message once it is received by a consumer, because the system is distributed, there’s no guarantee that the consumer will actually receive the message (it’s possible the connection could break or the component could fail before receiving the message)
The consumer should explicitly delete the message from the Queue once it is received and successfully processed.
As the message is still available in the Queue, other consumers would be able to receive and process and this needs to be prevented.
SQS handles the above behavior using Visibility timeout.
SQS blocks the visibility of the message for the Visibility timeout period, which is the time during which SQS prevents other consuming components from receiving and processing that message.
Consumer should delete the message within the Visibility timeout. If the consumer fails to delete the message before the visibility timeout expires, the message is visible again to other consumers.
Once Visible the message is available for other consumers to consume and can lead to duplicate messages.
Visibility timeout considerations
Clock starts ticking once SQS returns the message
should be large enough to take into account the processing time for each message
default Visibility timeout for each Queue is 30 seconds and can be changed at the Queue level
when receiving messages, a special visibility timeout for the returned messages can be set without changing the overall queue timeout using the receipt handle
can be extended by the consumer, using ChangeMessageVisibility , if the consumer thinks it won’t be able to process the message within the current visibility timeout period. SQS restarts the timeout period using the new value.
a message’s Visibility timeout extension applies only to that particular receipt of the message and does not affect the timeout for the queue or later receipts of the message
SQS has a 120,000 limit for the number of inflight messages per queue i.e. messages received but not yet deleted and any further messages would receive an error after reaching the limit
Message Lifecycle
Component 1 sends Message A to a queue, and the message is redundantly distributed across the SQS servers.
When Component 2 is ready to process a message, it retrieves messages from the queue, and Message A is returned. While Message A is being processed, it remains in the queue but is not returned to subsequent receive requests for the duration of the visibility timeout.
Component 2 deletes Message A from the queue to avoid the message being received and processed again once the visibility timeout expires.
SQS Dead Letter Queues – DLQ
SQS supports dead-letter queues (DLQ), which other queues (source queues – Standard and FIFO) can target for messages that can’t be processed (consumed) successfully.
Dead-letter queues are useful for debugging the application or messaging system because DLQ help isolates unconsumed messages to determine why their processing doesn’t succeed.
DLQ redrive policy
specifies the source queue, the dead-letter queue, and the conditions under which SQS moves messages from the former to the latter if the consumer of the source queue fails to process a message a specified number of times.
specifies which source queues can access the dead-letter queue.
also helps move the messages back to the source queue.
SQS does not create the dead-letter queue automatically. DLQ must first be created before being used.
DLQ for the source queue should be of the same type i.e. Dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue.
DLQ should be in the same account and region as the source queue.
SQS Delay Queues
Delay queues help postpone the delivery of new messages to consumers for a number of seconds
Messages sent to the delay queue remain invisible to consumers for the duration of the delay period.
Minimum delay is 0 seconds (default) and the Maximum is 15 minutes.
Delay queues are similar to visibility timeouts as both features make messages unavailable to consumers for a specific period of time.
The difference between the two is that, for delay queues, a message is hidden when it is first added to the queue, whereas for visibility timeouts a message is hidden only after it is consumed from the queue.
Short and Long polling
SQS provides short polling and long polling to receive messages from a queue.
Short Polling
ReceiveMessage request queries only a subset of the servers (based on a weighted random distribution) to find messages that are available to include in the response.
SQS sends the response right away, even if the query found no messages.
By default, queues use short polling.
Long Polling
ReceiveMessage request queries all of the servers for messages.
SQS sends a response after it collects at least one available message, up to the maximum number of messages specified in the request.
SQS sends an empty response only if the polling wait time expires.
Wait time greater than 0 triggers long polling with a max of 20 secs.
Long polling helps
reduce the cost of using SQS by eliminating the number of empty responses (when there are no messages available for a ReceiveMessage request)
reduce false empty responses (when messages are available but aren’t included in a response).
Return messages as soon as they become available.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
How does Amazon SQS allow multiple readers to access the same message queue without losing messages or processing them many times?
By identifying a user by his unique id
By using unique cryptography
Amazon SQS queue has a configurable visibility timeout
Multiple readers can’t access the same message queue
If a message is retrieved from a queue in Amazon SQS, how long is the message inaccessible to other users by default?
0 seconds
1 hour
1 day
forever
30 seconds
When a Simple Queue Service message triggers a task that takes 5 minutes to complete, which process below will result in successful processing of the message and remove it from the queue while minimizing the chances of duplicate processing?
Retrieve the message with an increased visibility timeout, process the message, delete the message from the queue
Retrieve the message with an increased visibility timeout, delete the message from the queue, process the message
Retrieve the message with increased DelaySeconds, process the message, delete the message from the queue
Retrieve the message with increased DelaySeconds, delete the message from the queue, process the message
You need to process long-running jobs once and only once. How might you do this?
Use an SNS queue and set the visibility timeout to long enough for jobs to process.
Use an SQS queue and set the reprocessing timeout to long enough for jobs to process.
Use an SQS queue and set the visibility timeout to long enough for jobs to process.
Use an SNS queue and set the reprocessing timeout to long enough for jobs to process.
You are getting a lot of empty receive requests when using Amazon SQS. This is making a lot of unnecessary network load on your instances. What can you do to reduce this load?
Subscribe your queue to an SNS topic instead.
Use as long of a poll as possible, instead of short polls.
Alter your visibility timeout to be shorter.
Use sqsd on your EC2 instances.
Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumers poll the imaging queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses?
Set the imaging queue visibility Timeout attribute to 20 seconds
Set the Imaging queue ReceiveMessageWaitTimeSeconds attribute to 20 seconds (Long polling. Refer link)
Set the imaging queue MessageRetentionPeriod attribute to 20 seconds
Set the DelaySeconds parameter of a message to 20 seconds
AWS Developer Tools provide a set of services designed to enable developers and IT operations professionals practicing DevOps to rapidly and safely deliver software.
AWS Developer Tools help securely store and version control the application’s source code and automatically build, test, and deploy the application to AWS or the on-premises environment.
AWS CodeCommit
CodeCommit is a secure, scalable, fully-managed source control service that helps to host secure and highly scalable private Git repositories.
eliminates the need to operate your own source control system or worry about scaling its infrastructure.
can be used to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.
provide high availability as it is built on highly scalable, redundant, and durable AWS services such as S3 and DynamoDB.
is designed for collaborative software development and it manages batches of changes across multiple files, offers parallel branching, and includes version differencing.
automatically encrypts the files in transit and at rest.
supports resource-level permissions at the repository level. Permissions can specify which users can perform which actions including MFA.
supports HTTPS or SSH or both communication protocols.
supports repository triggers, to send notifications and create HTTP webhooks with SNS or invoke Lambda functions.
AWS CodeBuild
AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.
helps provision, manage, and scale the build servers.
scales continuously and processes multiple builds concurrently, so the builds are not left waiting in a queue.
provides prepackaged build environments or the creation of custom build environments that use your own build tools.
supports AWS CodeCommit, S3, GitHub, and GitHub Enterprise and Bitbucket to pull source code for builds.
provides security and separation at the infrastructure and execution levels
runs the build in fresh environments isolated from other users and discards each build environment upon completion.
AWS CodeDeploy
AWS CodeDeploy helps automate code deployments to any instance, including EC2 instances and instances running on-premises.
helps to rapidly release new features, avoid downtime during application deployment, and handles the complexity of updating the applications.
helps automate software deployments, eliminating the need for error-prone manual operations.
scales with the infrastructure and can be used to easily deploy from one instance or thousands.
performs a deployment with the following parameters
Revision – what to deploy
Deployment group – where to deploy
Deployment configuration – how to deploy
Deployment group is an entity for grouping EC2 instances or Lambda functions in deployment and supports instances by specifying a tag, an Auto Scaling group.
AppSpec file provides the instructions and is a configuration file that specifies the files to be copied and scripts to be executed.
supports both in-place deployments, where rolling updates are performed, and blue/green deployments.
AWS CodePipeline
AWS CodePipeline is a fully managed continuous delivery service that helps automate the release pipelines for fast and reliable application and infrastructure updates.
automates the builds, tests, and deploys the code every time there is a code change, based on the defined release process models
enables rapid and reliable delivery of features and updates.
can be integrated with third-party services such as GitHub or with your own custom plugin.
pay per use with no upfront fees or long-term commitments.
supports resource-level permissions. Permissions can specify which users can perform what action on a pipeline.
CodePipeline concepts
A Pipeline describes how software changes go through a release process
A revision is a change made to the source location defined for the pipeline.
Pipeline is a sequence of stages and actions.
A stage is a group of one or more actions. A pipeline can have two or more stages.
An action is a task performed on a revision.
Pipeline actions occur in a specified order, in serial or in parallel, as determined in the stage configuration.
Stages are connected by transitions
Transitions can be disabled or enabled between stages.
A pipeline can have multiple revisions flowing through it at the same time.
Action acts upon a file or set of files are called artifacts. These artifacts can be worked upon by later actions in the pipeline.
AWS CodeArtifact
AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations of any size to securely store, publish, and share software packages used in their software development process.
CodeArtifact can be configured to automatically fetch software packages and dependencies from public artifact repositories so developers have access to the latest versions.
CodeArtifact works with commonly used package managers and build tools like Maven, Gradle, npm, yarn, twine, pip, and NuGet making it easy to integrate into existing development workflows.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
Which AWS service’s PRIMARY purpose is to provide a fully managed continuous delivery service?
Amazon CodeStar
Amazon CodePipeline
Amazon Cognito
AWS CodeCommit
Which AWS service’s PRIMARY purpose is quickly develop, build, and deploy applications on AWS?
Amazon CodeStar
AWS Command Line Interface (AWS CLI)
Amazon Cognito
AWS CodeCommit
Which AWS service’s PRIMARY purpose is software version control?
Amazon CodeStar
AWS Command Line Interface (AWS CLI)
Amazon Cognito
AWS CodeCommit
Which of the following services could be used to deploy an application to servers running on-premises?
Simple Queue Service – SQS is a highly available distributed queue system
A queue is a temporary repository for messages awaiting processing and acts as a buffer between the component producer and the consumer
is a message queue service used by distributed applications to exchange messages through a polling model, and can be used to decouple sending and receiving components.
is fully managed and requires no administrative overhead and little configuration
offers a reliable, highly-scalable, hosted queue for storing messages in transit between applications.
provides fault-tolerant, loosely coupled, flexibility of distributed components of applications to send & receive without requiring each component to be concurrently available
helps build distributed applications with decoupled components
supports encryption at rest (SSE-SQS enabled by default since Oct 2022) and encryption in transit using the HTTP over SSL (HTTPS) and Transport Layer Security (TLS) protocols for security.
supports a maximum message payload size of 1 MB (increased from 256 KB in January 2026). For payloads up to 2 GB, use the Extended Client Library with Amazon S3.
Standard queues support at-least-once message delivery. However, occasionally (because of the highly distributed architecture that allows nearly unlimited throughput), more than one copy of a message might be delivered out of order.
Standard queues support a nearly unlimited number of API calls per second, per API action (SendMessage, ReceiveMessage, or DeleteMessage).
Standard queues provide best-effort ordering which ensures that messages are generally delivered in the same order as they’re sent.
FIFO (First-In-First-Out) queues provide messages in order and exactly once delivery.
FIFO queues have all the capabilities of the standard queues but are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can’t be tolerated.
FIFO queues support High Throughput mode with up to 70,000 transactions per second (TPS) per API action without batching (and up to 700,000 messages per second with batching) in select regions.
SQS Fair Queues is a feature for standard queues that mitigates the noisy neighbor impact in multi-tenant systems.
Fair queues automatically reorder messages when a single tenant causes a backlog, prioritizing message delivery for other tenants.
Helps maintain consistent dwell time (time a message spends in queue between being sent and received) across all tenants.
Works transparently without requiring changes to existing message processing logic.
Supported by Amazon SNS standard topics and Amazon EventBridge as targets.
Ideal for SaaS and multi-tenant architectures where tenant isolation at the messaging layer is important.
SQS Use Cases
Work Queues
Decouple components of a distributed application that may not all process the same amount of work simultaneously.
Buffer and Batch Operations
Add scalability and reliability to the architecture and smooth out temporary volume spikes without losing messages or increasing latency
Request Offloading
Move slow operations off of interactive request paths by enqueueing the request.
Fan-out
Combine SQS with SNS to send identical copies of a message to multiple queues in parallel for simultaneous processing.
Auto Scaling
SQS queues can be used to determine the load on an application, and combined with Auto Scaling, the EC2 instances can be scaled in or out, depending on the volume of traffic
Event-Driven Architectures
Use SQS with EventBridge Pipes, Lambda event source mappings, or Step Functions for serverless event-driven processing pipelines.
How SQS Queues Works
SQS allows queues to be created, deleted and messages can be sent and received from it
SQS queue retains messages for four days, by default.
Queues can be configured to retain messages for 1 minute to 14 days after the message has been sent.
SQS can delete a queue without notification if any action hasn’t been performed on it for 30 consecutive days.
SQS allows the deletion of the queue with messages in it
Visibility timeout defines the period where SQS blocks the visibility of the message and prevents other consuming components from receiving and processing that message.
DLQ Redrive policy specifies the source queue, the dead-letter queue, and the conditions under which SQS moves messages from the former to the latter if the consumer of the source queue fails to process a message a specified number of times.
DLQ Redrive to Source – SQS supports programmatic dead-letter queue redrive via APIs (StartMessageMoveTask, ListMessageMoveTasks, CancelMessageMoveTask) allowing you to move messages from DLQ back to the original source queue or a custom destination queue.
SQS Short and Long polling control how the queues would be polled and Long polling help reduce empty responses.
SQS Integration with AWS Lambda
SQS can trigger AWS Lambda functions using event source mappings (ESM).
Lambda automatically polls the SQS queue, retrieves messages in batches, and invokes the Lambda function.
Provisioned Mode for SQS ESM (November 2025) – Allows dedicated polling resources for the SQS event source mapping:
Provides 3x faster scaling and up to 16x higher capacity (up to 20,000 concurrency).
You define minimum and maximum limits for provisioned event pollers.
Ideal for handling sudden traffic spikes and high-throughput workloads.
Lambda function and SQS queue must be in the same AWS Region (can be in different accounts).
Supports both Standard and FIFO queues as triggers.
SQS Integration with EventBridge Pipes
Amazon EventBridge Pipes supports SQS (Standard and FIFO) as a source for point-to-point integrations.
Pipes poll the SQS queue and deliver messages to configured targets with optional filtering, enrichment, and transformation.
Can be configured directly from the SQS console via “Connect SQS queue to pipe” button.
Eliminates the need for custom polling code or Lambda functions for simple integrations.
SQS Buffered Asynchronous Client
Amazon SQS Buffered Async Client for Java provides an implementation of the AmazonSQSAsyncClient interface and adds several important features:
Automatic batching of multiple SendMessage, DeleteMessage, or ChangeMessageVisibility requests without any required changes to the application
Prefetching of messages into a local buffer that allows the application to immediately process messages from SQS without waiting for the messages to be retrieved
Working together, automatic batching and prefetching increase the throughput and reduce the latency of the application while reducing the costs by making fewer SQS requests.
SQS Security and Reliability
SQS stores all message queues and messages within a single, highly-available AWS region with multiple redundant Availability Zones (AZs)
SQS supports HTTP over SSL (HTTPS) and Transport Layer Security (TLS) protocols.
SQS supports Encryption at Rest with two options:
SSE-SQS (SQS-managed encryption keys) – Enabled by default for all new queues created via HTTPS/TLS endpoints since October 2022. No additional cost.
SSE-KMS (AWS KMS customer-managed keys) – For customers needing to manage their own encryption keys with fine-grained control.
SQS supports dual-stack (IPv4 and IPv6) endpoints (April 2025), allowing queues to be accessed via both IP protocols.
SQS supports resource-based permissions and Attribute-Based Access Control (ABAC) using queue tags for flexible and scalable access permissions.
SQSUnlockQueuePolicy – AWS-managed policy to unlock a queue and remove a misconfigured queue policy that denies all principals access (November 2024).
SQS supports CloudTrail integration for all APIs including data plane events (SendMessage, ReceiveMessage, DeleteMessage) for comprehensive audit logging (January 2025).
SQS Design Patterns
Priority Queue Pattern
Use SQS to prepare multiple queues for the individual priority levels.
Place those processes to be executed immediately (job requests) in the high priority queue.
Prepare numbers of batch servers, for processing the job requests of the queues, depending on the priority levels.
Queues have a message “Delayed Send” function, which can be used to delay the time for starting a process.
SQS Job Observer Pattern
Enqueue job requests as SQS messages.
Have the batch server dequeue and process messages from SQS.
Set up Auto Scaling to automatically increase or decrease the number of batch servers, using the number of SQS messages, with CloudWatch, as the trigger to do so.
January 2026 – Maximum message payload size increased from 256 KB to 1 MB for all SQS queues (Standard and FIFO). Also applies to Lambda async invocations and EventBridge.
November 2025 – Lambda Provisioned Mode for SQS ESM with 3x faster scaling and 16x higher concurrency.
July 2025 – Fair Queues for multi-tenant standard queues to mitigate noisy neighbor issues.
April 2025 – Dual-stack (IPv4/IPv6) endpoint support.
January 2025 – CloudTrail integration for all SQS APIs (including data plane events).
November 2024 – SQSUnlockQueuePolicy managed policy for recovering locked queues.
July 2024 – kms:Decrypt permission no longer required for SendMessage API; only kms:GenerateDataKey needed.
July 2024 – New FIFO metrics: NumberOfDeduplicatedSentMessages and ApproximateNumberOfGroupsWithInflightMessages.
November 2023 – FIFO High Throughput increased to 70,000 TPS per API action in select regions.
June 2023 – DLQ Redrive APIs (StartMessageMoveTask, ListMessageMoveTasks, CancelMessageMoveTask).
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
Which AWS service can help design architecture to persist in-flight transactions?
Elastic IP Address
SQS
Amazon CloudWatch
Amazon ElastiCache
A company has a workflow that sends video files from their on-premise system to AWS for transcoding. They use EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an appropriate service for this scenario?
SQS guarantees the order of the messages.
SQS synchronously provides transcoding output.
SQS checks the health of the worker instances.
SQS helps to facilitate horizontal scaling of encoding tasks
Which statement best describes an Amazon SQS use case?
Automate the process of sending an email notification to administrators when the CPU utilization reaches 70% on production servers (Amazon EC2 instances) (CloudWatch + SNS + SES)
Create a video transcoding website where multiple components need to communicate with each other, but can’t all process the same amount of work simultaneously (SQS provides loose coupling)
Coordinate work across distributed web services to process employee’s expense reports (SWF or Step Functions – Steps in order and might need manual steps)
Distribute static web content to end users with low latency across multiple countries (CloudFront + S3)
Your application provides data transformation services. Files containing data to be transformed are first uploaded to Amazon S3 and then transformed by a fleet of spot EC2 instances. Files submitted by your premium customers must be transformed with the highest priority. How should you implement such a system?
Use a DynamoDB table with an attribute defining the priority level. Transformation instances will scan the table for tasks, sorting the results by priority level.
Use Route 53 latency based-routing to send high priority tasks to the closest transformation instances.
Use two SQS queues, one for high priority messages, and the other for default priority. Transformation instances first poll the high priority queue; if there is no message, they poll the default priority queue
Use a single SQS queue. Each message contains the priority level. Transformation instances poll high-priority messages first.
Your company plans to host a large donation website on Amazon Web Services (AWS). You anticipate a large and undetermined amount of traffic that will create many database writes. To be certain that you do not drop any writes to a database hosted on AWS. Which service should you use?
Amazon RDS with provisioned IOPS up to the anticipated peak write throughput.
Amazon Simple Queue Service (SQS) for capturing the writes and draining the queue to write to the database
Amazon ElastiCache to store the writes until the writes are committed to the database.
Amazon DynamoDB with provisioned write throughput up to the anticipated peak write throughput.
A customer has a 10 GB AWS Direct Connect connection to an AWS region where they have a web application hosted on Amazon Elastic Computer Cloud (EC2). The application has dependencies on an on-premises mainframe database that uses a BASE (Basic Available, Soft state, Eventual consistency) rather than an ACID (Atomicity, Consistency, Isolation, Durability) consistency model. The application is exhibiting undesirable behavior because the database is not able to handle the volume of writes. How can you reduce the load on your on-premises database resources in the most cost-effective way?
Use an Amazon Elastic Map Reduce (EMR) S3DistCp as a synchronization mechanism between the onpremises database and a Hadoop cluster on AWS.
Modify the application to write to an Amazon SQS queue and develop a worker process to flush the queue to the on-premises database
Modify the application to use DynamoDB to feed an EMR cluster which uses a map function to write to the on-premises database.
Provision an RDS read-replica database on AWS to handle the writes and synchronize the two databases using Data Pipeline.
An organization has created a Queue named “modularqueue” with SQS. The organization is not performing any operations such as SendMessage, ReceiveMessage, DeleteMessage, GetQueueAttributes, SetQueueAttributes, AddPermission, and RemovePermission on the queue. What can happen in this scenario?
AWS SQS sends notification after 15 days for inactivity on queue
AWS SQS can delete queue after 30 days without notification
AWS SQS marks queue inactive after 30 days
AWS SQS notifies the user after 2 weeks and deletes the queue after 3 weeks.
A user is using the AWS SQS to decouple the services. Which of the below mentioned operations is not supported by SQS?
SendMessageBatch
DeleteMessageBatch
CreateQueue
DeleteMessageQueue
A user has created a queue named “awsmodule” with SQS. One of the consumers of queue is down for 3 days and then becomes available. Will that component receive message from queue?
Yes, since SQS by default stores message for 4 days
No, since SQS by default stores message for 1 day only
No, since SQS sends message to consumers who are available that time
Yes, since SQS will not delete message until it is delivered to all consumers
A user has created a queue named “queue2” in US-East region with AWS SQS. The user’s AWS account ID is 123456789012. If the user wants to perform some action on this queue, which of the below Queue URL should he use?
A user has created a queue named “myqueue” with SQS. There are four messages published to queue, which are not received by the consumer yet. If the user tries to delete the queue, what will happen?
A user can never delete a queue manually. AWS deletes it after 30 days of inactivity on queue
It will delete the queue
It will initiate the delete but wait for four days before deleting until all messages are deleted automatically.
It will ask user to delete the messages first
A user has developed an application, which is required to send the data to a NoSQL database. The user wants to decouple the data sending such that the application keeps processing and sending data but does not wait for an acknowledgement of DB. Which of the below mentioned applications helps in this scenario?
AWS Simple Notification Service
AWS Simple Workflow
AWS Simple Queue Service
AWS Simple Query Service
You are building an online store on AWS that uses SQS to process your customer orders. Your backend system needs those messages in the same sequence the customer orders have been put in. How can you achieve that?
It is not possible to do this with SQS
You can use sequencing information on each message (Note: With FIFO queues now available, using a FIFO queue is the recommended approach for strict ordering)
You can do this with SQS but you also need to use SWF
Messages will arrive in the same order by default
A user has created a photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to enhance the picture accordingly. Which of the below mentioned AWS services will help make a scalable software with the AWS infrastructure in this scenario?
AWS Glacier
AWS Elastic Transcoder
AWS Simple Notification Service
AWS Simple Queue Service
Refer to the architecture diagram of a batch processing solution using Simple Queue Service (SQS) to set up a message queue between EC2 instances, which are used as batch processors. Cloud Watch monitors the number of Job requests (queued messages) and an Auto Scaling group adds or deletes batch servers automatically based on parameters set in Cloud Watch alarms. You can use this architecture to implement which of the following features in a cost effective and efficient manner?
Reduce the overall time for executing jobs through parallel processing by allowing a busy EC2 instance that receives a message to pass it to the next instance in a daisy-chain setup.
Implement fault tolerance against EC2 instance failure since messages would remain in SQS and work can continue with recovery of EC2 instances implement fault tolerance against SQS failure by backing up messages to S3.
Implement message passing between EC2 instances within a batch by exchanging messages through SQS.
Coordinate number of EC2 instances with number of job requests automatically thus Improving cost effectiveness
Handle high priority jobs before lower priority jobs by assigning a priority metadata field to SQS messages.
How does Amazon SQS allow multiple readers to access the same message queue without losing messages or processing them many times?
By identifying a user by his unique id
By using unique cryptography
Amazon SQS queue has a configurable visibility timeout
Multiple readers can’t access the same message queue
A user has created photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to enhance the picture accordingly. Which of the below mentioned AWS services will help make a scalable software with the AWS infrastructure in this scenario?
AWS Elastic Transcoder
AWS Simple Notification Service
AWS Simple Queue Service
AWS Glacier
How do you configure SQS to support longer message retention?
Set the MessageRetentionPeriod attribute using the SetQueueAttributes method
Using a Lambda function
You can’t. It is set to 14 days and cannot be changed
You need to request it from AWS
A user has developed an application, which is required to send the data to a NoSQL database. The user wants to decouple the data sending such that the application keeps processing and sending data but does not wait for an acknowledgement of DB. Which of the below mentioned applications helps in this scenario?
AWS Simple Notification Service
AWS Simple Workflow
AWS Simple Query Service
AWS Simple Queue Service
If a message is retrieved from a queue in Amazon SQS, how long is the message inaccessible to other users by default?
0 seconds
1 hour
1 day
forever
30 seconds
Which of the following statements about SQS is true?
Messages will be delivered exactly once and messages will be delivered in First in, First out order
Messages will be delivered exactly once and message delivery order is indeterminate
Messages will be delivered one or more times and messages will be delivered in First in, First out order
Messages will be delivered one or more times and message delivery order is indeterminate (This applies to Standard queues. FIFO queues provide exactly-once processing and strict ordering.)
How long can you keep your Amazon SQS messages in Amazon SQS queues?
From 120 secs up to 4 weeks
From 10 secs up to 7 days
From 60 secs up to 2 weeks
From 30 secs up to 1 week
When a Simple Queue Service message triggers a task that takes 5 minutes to complete, which process below will result in successful processing of the message and remove it from the queue while minimizing the chances of duplicate processing?
Retrieve the message with an increased visibility timeout, process the message, delete the message from the queue
Retrieve the message with an increased visibility timeout, delete the message from the queue, process the message
Retrieve the message with increased DelaySeconds, process the message, delete the message from the queue
Retrieve the message with increased DelaySeconds, delete the message from the queue, process the message
You need to process long-running jobs once and only once. How might you do this?
Use an SNS queue and set the visibility timeout to long enough for jobs to process.
Use an SQS queue and set the reprocessing timeout to long enough for jobs to process.
Use an SQS queue and set the visibility timeout to long enough for jobs to process.
Use an SNS queue and set the reprocessing timeout to long enough for jobs to process.
You are getting a lot of empty receive requests when using Amazon SQS. This is making a lot of unnecessary network load on your instances. What can you do to reduce this load?
Subscribe your queue to an SNS topic instead.
Use as long of a poll as possible, instead of short polls. (Refer link)
Alter your visibility timeout to be shorter.
Use <code>sqsd</code> on your EC2 instances.
You have an asynchronous processing application using an Auto Scaling Group and an SQS Queue. The Auto Scaling Group scales according to the depth of the job queue. The completion velocity of the jobs has gone down, the Auto Scaling Group size has maxed out, but the inbound job velocity did not increase. What is a possible issue?
Some of the new jobs coming in are malformed and unprocessable. (As other options would cause the job to stop processing completely, the only reasonable option seems that some of the recent messages must be malformed and unprocessable)
The routing tables changed and none of the workers can process events anymore. (If changed, none of the jobs would be processed)
Someone changed the IAM Role Policy on the instances in the worker group and broke permissions to access the queue. (If IAM role changed no jobs would be processed)
The scaling metric is not functioning correctly. (scaling metric did work fine as the autoscaling caused the instances to increase)
Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumers poll the imaging queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses?
Set the imaging queue visibility Timeout attribute to 20 seconds
Set the Imaging queue ReceiveMessageWaitTimeSeconds attribute to 20 seconds (Long polling. Refer link)
Set the imaging queue MessageRetentionPeriod attribute to 20 seconds
Set the DelaySeconds parameter of a message to 20 seconds
A multi-tenant SaaS application uses a single SQS standard queue. During peak load from one large tenant, other tenants experience increased message processing latency. What SQS feature can help resolve this?
Enable FIFO mode on the queue
Increase the visibility timeout
Enable SQS Fair Queues to mitigate noisy neighbor impact
Create separate queues for each tenant
An application needs to process messages larger than 256 KB but smaller than 1 MB from an SQS queue. What is the simplest approach as of 2026?
Use the Extended Client Library to store messages in S3
Send the message directly to SQS since the maximum message size is now 1 MB
Compress the message before sending
Split the message into multiple smaller messages
A company wants to programmatically move failed messages from a dead-letter queue back to the original source queue for reprocessing. Which API should they use?
Functions are automatically monitored, and real-time metrics are reported through CloudWatch, including total requests, latency, error rates, and throttled requests.
Lambda automatically integrates with CloudWatch logs, creating a log group for each function and providing basic application lifecycle event log entries, including logging the resources consumed for each use of that function.
Functions support code written in
Node.js (JavaScript)
Python
Ruby
Java (Java 8 compatible)
C# (.NET Core)
Go
Custom runtime
Container images are also supported.
Failure Handling
For S3 bucket notifications and custom events, Lambda will attempt execution of the function three times in the event of an error condition in the code or if a service or resource limit is exceeded.
For ordered event sources that Lambda polls, e.g. DynamoDB Streams and Kinesis streams, it will continue attempting execution in the event of a developer code error until the data expires.
Dead Letter Queues (SNS or SQS) can be configured for events to be placed, once the retry policy for asynchronous invocations is exceeded
Lambda Layers
Lambda Layers provide a convenient way to package libraries and other dependencies that you can use with your Lambda functions.
Layers help reduce the size of uploaded deployment archives and make it faster to deploy your code.
A layer is a .zip file archive that can contain additional code or data.
A layer can contain libraries, a custom runtime, data, or configuration files.
Layers promote reusability, code sharing, and separation of responsibilities so that you can iterate faster on writing business logic.
Layers can be used only with Lambda functions deployed as a .zip file archive.
For functions defined as a container image, the preferred runtime and all code dependencies can be packaged when the container image is created.
A Layer can be created by bundling the content into a .zip file archive and uploading the .zip file archive to the layer from S3 or the local machine.
Lambda extracts the layer contents into the /opt directory when setting up the execution environment for the function.
Environment Variables
Environment variables can be used to adjust the function’s behavior without updating the code.
An environment variable is a pair of strings that are stored in a function’s version-specific configuration.
The Lambda runtime makes environment variables available to the code and sets additional environment variables that contain information about the function and invocation request.
Environment variables are not evaluated prior to the function invocation.
Lambda stores environment variables securely by encrypting them at rest.
AWS recommends using Secrets Manager instead of storing secrets in the environment variables.
Function versions can be used to manage the deployment of the functions.
Each function has a single, current version of the code.
Lambda creates a new version of the function each time it’s published.
A function version includes the following information:
The function code and all associated dependencies.
The Lambda runtime that invokes the function.
All the function settings, including the environment variables.
A unique Amazon Resource Name (ARN) to identify the specific version of the function.
Function versions are immutable, however, support Aliases which are mutable.
Lambda Functions Alias
Lambda supports creating aliases, which are mutable, for each function version.
Alias is a pointer to a specific function version, with a unique ARN.
Each alias maintains an ARN for a function version to which it points.
An alias can only point to a function version, not to another alias
Alias helps in rolling out new changes or rolling back to old versions
Alias supports routing configuration to point to a maximum of two Lambda function versions. It can be used for canary testing to send a portion of traffic to a second function version.
Amazon EventBridge is a serverless event bus service that makes it easy to connect applications with data from a variety of sources.
EventBridge enables building loosely coupled and distributed event-driven architectures.
EventBridge provides a simple and consistent way to ingest, filter, transform, and deliver events so you can build new applications quickly.
EventBridge delivers a stream of real-time data from applications, SaaS applications, and AWS services, and routes that data to targets such as AWS Lambda.
EventBridge supports routing rules to determine where to send the data to build application architectures that react in real-time to all of the data sources.
EventBridge supports event buses for many-to-many routing of events between event-driven services.
EventBridge provides Pipes for point-to-point integrations between sources and targets, with support for advanced transformations and enrichment.
EventBridge provides Scheduler for creating, running, and managing scheduled tasks at scale.
EventBridge provides schemas, which define the structure of events, for all events that are generated by AWS services.
EventBridge extends its predecessor, Amazon CloudWatch Events, and provides a near real-time stream of system events that describe changes to AWS resources.
EventBridge is directly integrated with over 200 event sources and over 20 targets.
EventBridge Components
EventBridge receives an event on an event bus and applies a rule to route the event to a target.
Event sources
An event source is used to ingest events from AWS Services, applications, or SaaS partners.
EventBridge is natively integrated with SaaS applications including Shopify, BuildKite, Datadog, OneLogin, PagerDuty, Saviynt, Segment, Stripe, Zendesk, and many others.
Events
An event is a real-time indicator of a change in the environment such as an AWS environment, a SaaS partner service or application, or one of your applications or services.
All events are associated with an event bus.
Events are represented as JSON objects and they all have a similar structure and the same top-level fields.
Contents of the detail top-level field are different depending on which service generated the event and what the event is.
An event pattern defines the event structure and the fields that a rule matches.
Event buses
Event bus is a pipeline that receives events.
Each account has a default event bus that receives events from AWS services. Custom event buses can be created to send or receive events from a different account or Region.
Partner event buses can be created to receive events from SaaS partner applications.
Rules
Rules associated with the event bus evaluate events as they arrive.
Rules match incoming events to targets based either on the structure of the event, called an event pattern, or on a schedule.
Each rule checks whether an event matches the rule’s criteria.
A single rule can send an event to multiple targets, which then run in parallel.
Up to five targets can be defined for each rule.
Rules that are based on a schedule perform an action at regular intervals.
Targets
A target is a resource or endpoint that EventBridge sends an event to when the event matches the event pattern defined for a rule.
The rule processes the event data and sends the relevant information to the target.
EventBridge needs permission to access the target resource to be able to deliver event data to the target.
Supported targets include AWS Lambda, Amazon SQS, Amazon SNS, AWS Step Functions, Amazon Kinesis Data Streams, Amazon Kinesis Data Firehose, and more.
EventBridge also supports API Destinations as targets for sending events to any HTTPS endpoint.
EventBridge allows events to be archived and replayed later.
EventBridge Pipes
EventBridge Pipes is a serverless integration resource for building point-to-point integrations between event producers and consumers.
Pipes provide a simpler and consistent way to integrate sources with targets without writing additional code.
Pipes support four sequential stages: Source → Filter → Enrichment → Target.
Supported sources include Amazon DynamoDB Streams, Amazon Kinesis Data Streams, Amazon MQ, Amazon MSK, Apache Kafka, Amazon SQS.
Supported targets include over 14 AWS services including Lambda, Step Functions, SQS, SNS, Kinesis Data Streams, Kinesis Data Firehose, EventBridge event buses, and API destinations.
Filtering enables processing only a targeted subset of events using event patterns.
Enrichment allows enhancing data by calling Lambda, Step Functions, API Gateway, or API destinations before sending to the target.
Pipes support logging to Amazon CloudWatch Logs, Amazon S3, and Amazon Kinesis Data Firehose for improved observability.
Pricing is based on events processed at $0.40 per million events.
EventBridge Scheduler
Amazon EventBridge Scheduler is a serverless scheduler that allows creating, running, and managing scheduled tasks at scale.
EventBridge Scheduler can schedule one-time or recurring tens of millions of tasks across many AWS services without provisioning or managing underlying infrastructure.
Scheduler is highly customizable and offers improved scalability over EventBridge scheduled rules, with a wider set of target API operations and AWS services.
Supports three schedule types:
Rate-based schedules – run at regular intervals (e.g., every 5 minutes).
Cron-based schedules – run at specific times using cron expressions.
One-time schedules – run once at a specific date and time.
Can invoke over 200 AWS services as targets using the universal target (any AWS API).
Supports flexible time windows for delivery, retry limits, and maximum retention time for failed API invocations.
Supports schedule groups for organizing and managing related schedules.
Supports automatic deletion – EventBridge Scheduler automatically deletes the schedule after its last target invocation.
Scheduler provides independent functionality from event buses and rules.
EventBridge Global Endpoints
Global endpoints provide an easier and reliable way to improve the availability of event-driven applications.
Global endpoints automatically fail over event ingestion to a secondary Region during service disruptions without manual intervention.
Event replication (optional) is built-in to send all custom events to event buses in both primary and secondary Regions using managed rules.
Uses Amazon Route 53 health checks (backed by CloudWatch Alarms) to determine when to fail over and when to route events back to the primary Region.
Minimizes data loss during service disruptions.
Reduces operational burden with automatic failover and recovery capability.
EventBridge Schema Registry
Schema Registry stores event schemas in a shared central location that developers can easily search and access.
Schemas for AWS services are automatically available in the registry.
Schema Discovery can be enabled on an event bus to automatically detect and add schemas for all events flowing through the bus.
Supports cross-account event discovery.
Schema Registry can generate code bindings for Java, Python, and TypeScript, allowing events to be used as objects in code.
Schemas are stored in OpenAPI or JSONSchema formats.
Schema Discovery does not support events larger than 1000 KiB.
EventBridge API Destinations
API Destinations enable sending events to any web-based application with an HTTPS endpoint without writing custom code.
Supports routing events to on-premises, SaaS, and third-party applications.
Provides built-in authentication support (Basic, OAuth, API Key).
Supports rate limiting to control throughput to the destination.
Uses connections to define authorization methods, credentials, and network connectivity.
Supports integration with private APIs powered by AWS PrivateLink and Amazon VPC Lattice (announced December 2024), enabling secure connectivity to private resources across VPCs, accounts, and on-premises environments.
Supports input transformations to map event format to the receiving service format.
Event Archive and Replay
EventBridge allows events to be archived for later replay.
Event Replay enables reprocessing past events back to an event bus or a specific rule.
Useful for debugging applications, hydrating targets with historic events, and recovering from errors.
Events can be stored for compliance requirements.
EventBridge Enhanced Logging
Enhanced logging (launched July 2025) enables monitoring and debugging event-driven applications with comprehensive logs.
Supports logging to Amazon CloudWatch Logs, Amazon S3, and Amazon Kinesis Data Firehose.
Logs results from rule matching, errors, and target invocations for event buses.
Helps track event lifecycles and gain deeper insights into event processing.
EventBridge Data Plane CloudTrail Logging
EventBridge supports logging data plane APIs using AWS CloudTrail (announced May 2026).
Enables greater visibility into event bus activity, including PutEvents API calls.
The feature is opt-in and provides enhanced security auditing and operational troubleshooting capabilities.
Additional charges apply for CloudTrail data events.
EventBridge Enhanced Visual Rule Builder
EventBridge introduced an enhanced visual rule builder (November 2025) with a drag-and-drop console-based interface.
Includes a comprehensive event catalog for discovering and subscribing to events from custom applications and over 200 AWS services.
Simplifies the process of creating rules by providing a visual canvas for building rules and targets.
EventBridge Security and Compliance
Integrates with AWS IAM for controlling access to resources.
Supports VPC endpoints via AWS PrivateLink.
Encryption in transit using TLS 1.2.
GDPR, SOC, ISO, DoD CC SRG, and FedRAMP compliant.
HIPAA eligible.
EventBridge Key Features Summary
Provides at-least-once event delivery to targets, with retry and exponential backoff for up to 24 hours.
Events are stored durably across multiple Availability Zones (AZs).
99.99% availability SLA.
Pay-per-use pricing model – pay only for events published to the event bus.
All state change events published by AWS services are free.
Supports cross-account and cross-region event routing.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
A company wants to be alerted through email when IAM CreateUser API calls are made within its AWS account. Which combination of actions should a SysOps administrator take to meet this requirement? (Choose two.)
Create an Amazon EventBridge rule with AWS CloudTrail as the event source and IAM CreateUser as the specific API call for the event pattern.
Create an Amazon EventBridge rule with Amazon CloudSearch as the event source and IAM CreateUser as the specific API call for the event pattern.
Create an Amazon EventBridge rule with AWS IAM Access Analyzer as the event source and IAM CreateUser as the specific API call for the event pattern.
Use an Amazon Simple Notification Service (Amazon SNS) topic as an event target with an email subscription.
Use an Amazon Simple Email Service (Amazon SES) notification as an event target with an email subscription.
A company needs to schedule millions of one-time notifications to be sent to mobile devices at specific times. The scheduled times vary for each notification. Which AWS service should the solutions architect recommend?
Amazon EventBridge scheduled rules
Amazon EventBridge Scheduler
AWS Lambda with Amazon CloudWatch Events
Amazon SQS with delay queues
A development team wants to create a point-to-point integration that processes events from an Amazon SQS queue, filters specific events, enriches them with data from a Lambda function, and delivers them to an Amazon Kinesis Data Stream. Which EventBridge feature should they use?
EventBridge Rules with multiple targets
EventBridge API Destinations
EventBridge Pipes
EventBridge Schema Registry
A company wants to build a highly available event-driven application that automatically fails over to a secondary Region during service disruptions. Which EventBridge feature should they implement?
EventBridge cross-Region event routing with rules
EventBridge Archive and Replay
EventBridge Global Endpoints
EventBridge Pipes with multi-region targets
A solutions architect needs to send events from an EventBridge event bus to a third-party SaaS application’s REST API endpoint. The endpoint requires OAuth authentication and rate limiting. Which feature should be used?
EventBridge Pipes with an HTTP enrichment
EventBridge rule targeting AWS Lambda
EventBridge API Destinations
EventBridge Partner Event Source
A company wants to invoke a private API hosted in their VPC directly from EventBridge without traversing the public internet. Which combination of services enables this? (Choose two.)
Amazon VPC Lattice resource configuration
Amazon API Gateway public endpoint with VPC link
AWS Direct Connect with EventBridge
EventBridge API Destinations with private API connection
Amazon Cognito provides authentication, authorization, and user management for web and mobile apps, AI agents, and microservices.
Amazon Cognito processes more than 100 billion authentications per month, providing comprehensive identity and access management for both human users and machine identities.
Users can sign in directly with a username and password, through passwordless methods (passkeys, email OTP, SMS OTP), or through a third party such as Facebook, Amazon, Google, or Apple.
Cognito has two main components:
User pools are user directories that provide sign-up and sign-in options for the app users.
Identity pools enable you to grant the users access to other AWS services.
Cognito is tightly integrated with Amazon Bedrock AgentCore Identity, serving as a trusted identity provider to enable secure agent access to AWS and third-party resources.
Cognito User Pool Feature Tiers
Amazon Cognito offers three feature tiers for user pools (introduced Nov 2024): Lite, Essentials, and Plus.
The default plan for new user pools is Essentials.
Lite
Low-cost plan for user pools with lower numbers of monthly active users.
Includes basic authentication features, sign-in, and the classic hosted UI.
Does not include newer features like access-token customization or passkey authentication.
Essentials
Includes all Lite features plus the latest authentication capabilities.
Supports Managed Login with customizable branding via a no-code visual editor.
Supports access token customization at runtime via Lambda triggers.
Supports password reuse prevention policies.
Plus
Includes all Essentials features plus advanced threat protection.
Supports risk-based adaptive authentication to detect suspicious sign-ins.
Detects compromised credentials and passwords.
Generates logs of user activity details and risk evaluations.
Allows exporting user authentication event logs to external services for analysis.
Cognito User Pools
User pools are for authentication (identity verification).
User pools are user directories that provide sign-up and sign-in options for web and mobile app users.
User pool helps users sign in to the web or mobile app, or federate through a third-party identity provider (IdP).
All user pool members have a directory profile, whether the users sign in directly or through a third party, that can be accessed through an SDK.
After successfully authenticating a user, Cognito issues JSON web tokens (JWT) that can be used to secure and authorize access to your own APIs, or exchange for AWS credentials.
User pools provide:
Sign-up and sign-in services.
Managed Login – a fully-managed, hosted sign-in and sign-up experience with a no-code visual editor for branding customization (available in Essentials and Plus tiers).
Classic hosted UI for basic login pages (available in all tiers).
Social sign-in with Facebook, Google, Apple, or Amazon, and through SAML and OIDC identity providers from the user pool.
Passwordless authentication using WebAuthn passkeys (FIDO2), email one-time passwords, or SMS one-time passwords (Essentials and Plus tiers).
User directory management and user profiles.
Security features such as MFA (SMS, authenticator apps, and email OTP), checks for compromised credentials, account takeover protection, and phone and email verification.
Access token customization – use Lambda triggers to add custom claims and scopes to access tokens at runtime (Essentials and Plus tiers).
Customized workflows and user migration through Lambda triggers.
Machine-to-machine (M2M) authorization using OAuth 2.0 client credentials grants for non-human entities (available in all tiers).
Resource binding (RFC 8707) – resource servers can perform audience verification of access tokens for enhanced API protection.
Use cases
Design sign-up and sign-in webpages for your app.
Access and manage user data.
Track user device, location, and IP address, and adapt to sign-in requests of different risk levels.
Use a custom authentication flow for your app.
Authenticate AI agents and microservices using M2M authorization.
Implement passwordless sign-in with passkeys for phishing-resistant authentication.
Cognito Managed Login
Managed Login is a fully-managed, hosted sign-in and sign-up experience introduced in November 2024.
Provides a no-code visual editor (branding editor) to customize colors, positioning, backgrounds, images, logos, fonts, and layout.
Covers the complete user journey from signup and login to password recovery and multi-factor authentication.
Available in Essentials and Plus tiers (replaces the need for the classic hosted UI).
Supports all authentication methods including passwordless options.
Available in AWS GovCloud (US) Regions (March 2025).
Cognito Identity Pools
Identity pools are for authorization (access control).
Identity pool helps users obtain temporary AWS credentials to access AWS services.
Identity pools support both authenticated and unauthenticated identities.
Unauthenticated identities typically belong to guest users.
Authenticated identities belong to users who are authenticated by any supported identity provider:
Cognito user pools
Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple
OpenID Connect (OIDC) providers
SAML identity providers
Developer authenticated identities
Each identity type has a role with policies assigned that determines the AWS services that the role can access.
Identity Pools do not store any user profiles.
Use cases
Give your users access to AWS resources, such as S3 and DynamoDB.
Generate temporary AWS credentials for unauthenticated users.
Used for authenticating communication between applications, microservices, APIs, and AI agents without user interaction.
Issues short-lived, scoped access tokens instead of static API keys.
Supports custom scopes through resource servers to define granular access controls.
Supports enhanced context for M2M authorization flows (April 2025), allowing additional contextual information in client credentials requests.
Supports client secret rotation with up to two active secrets per app client (February 2026).
Supports custom client secrets (bring your own) for new or existing app clients.
Integrates with Amazon Bedrock AgentCore Identity for securing AI agent access to resources.
Multi-Region Replication
Amazon Cognito supports multi-Region replication (June 2026) for business continuity and disaster recovery.
Automatically synchronizes user data, credentials, user pool configurations, and federation setups to a secondary AWS Region in near real-time.
Enables uninterrupted authentication during regional failovers without forced password resets.
Replication flows in one direction from the primary Region to the secondary Region.
Supports customer-managed AWS KMS keys for full control over data encryption at rest.
Supports high-throughput performance with tens of millions of users per user pool and thousands of transactions per second (TPS).
Cognito Sync
⚠️ Note: AWS recommends using AWS AppSync instead of Amazon Cognito Sync for new implementations.
AWS AppSync provides similar data synchronization capabilities with additional features including real-time collaboration, multi-user sync, and GraphQL-based APIs.
Cognito Sync is an AWS service and client library that makes it possible to sync application-related user data across devices.
Cognito Sync can synchronize user profile data across mobile devices and the web without using your own backend.
The client libraries cache data locally so that the app can read and write data regardless of device connectivity status.
When the device is online, the data can be synchronized.
If you set up push sync, other devices can be notified immediately that an update is available.
Sync store is a key/value pair store linked to an identity.
Migration: New implementations should use AWS AppSync, which provides real-time and offline capabilities with GraphQL-based managed service.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
A company is building a social media mobile and web app for consumers. They want the application to be available on all desktop and mobile platforms, while being able to maintain user preferences across platforms. How can they implement the authentication to support the requirement?
Use AWS Cognito
Use AWS Glue
Use Web Identity Federation
Use AWS IAM
A Developer needs to create an application that supports Security Assertion Markup Language (SAML) and Facebook authentication. It must also allow access to AWS services, such as Amazon DynamoDB. Which AWS service or feature will meet these requirements with the LEAST amount of additional coding?
AWS AppSync
Amazon Cognito identity pools
Amazon Cognito user pools
Amazon Lambda@Edge
A development team is designing a mobile app that requires multi-factor authentication. Which steps should be taken to achieve this? (Choose two.)
Use Amazon Cognito to create a user pool and create users in the user pool.
Send multi-factor authentication text codes to users with the Amazon SNS Publish API call in the app code.
Enable multi-factor authentication for the Amazon Cognito user pool.
Use AWS IAM to create IAM users.
Enable multi-factor authentication for the users created in AWS IAM.
A Developer is building a mobile application and needs any update to user profile data to be pushed to all devices accessing the specific identity. The Developer does not want to manage a back end to maintain the user profile data. What is the MOST efficient way for the Developer to achieve these requirements using Amazon Cognito?
Use Cognito federated identities.
Use a Cognito user pool.
Use Cognito Sync.(Note: For new implementations, AWS recommends AWS AppSync instead of Cognito Sync)
Use Cognito events.
A company wants to implement phishing-resistant, passwordless authentication for their customer-facing web application. Which Amazon Cognito feature should they use?
SMS-based MFA
WebAuthn passkeys with the Essentials or Plus feature tier
Custom authentication flow with Lambda triggers
Social identity provider federation
A company needs to authenticate communication between its microservices without user interaction, using short-lived tokens instead of static API keys. Which Amazon Cognito feature should they implement?
Cognito User Pool with custom authentication
Cognito Identity Pool with developer authenticated identities
OAuth 2.0 client credentials grant (M2M authorization)
SAML-based federation with an external IdP
A company requires that its authentication system maintains availability during an AWS Regional outage without requiring users to reset their passwords. Which Amazon Cognito feature addresses this requirement?
Cognito Identity Pools with multiple providers
Custom domain with Route 53 failover
Multi-Region replication with a secondary user pool
Lambda triggers with cross-Region DynamoDB Global Tables
An organization wants to implement risk-based adaptive authentication that automatically blocks or challenges suspicious sign-in attempts. Which Amazon Cognito feature tier is required?
Amazon Elastic Container Registry – ECR is a fully managed, secure, scalable, reliable container image registry service.
makes it easy for developers to share and deploy container images and artifacts.
is integrated with ECS, EKS, Fargate, and Lambda, simplifying the development to production workflow.
eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure.
hosts the images, using S3, in a highly available and scalable architecture, allowing you to deploy containers for the applications reliably.
is a Regional service with the ability to push/pull images to the same AWS Region. Images can be pulled between Regions or out to the internet with additional latency and data transfer costs.
supports cross-region and cross-account image replication.
integrates with AWS IAM and supports resource-based permissions.
supports public and private repositories.
automatically encrypts images at rest using S3 server-side encryption or AWS KMS encryption and transfers the container images over HTTPS.
supports tools and docker CLI to push, pull and manage Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts.
supports OCI Image and Distribution specification version 1.1, which includes support for Reference Types (referrers) for storing and discovering artifacts related to a container image such as signatures, SBOMs, and attestations.
provides two types of image scanning: basic scanning (AWS native, for OS vulnerabilities) and enhanced scanning (Amazon Inspector integration, for OS and programming language vulnerabilities).
supports ECR Lifecycle policies that help with managing the lifecycle of the images in the repositories, including expiring and archiving images.
supports managed container image signing using AWS Signer to automatically sign images on push.
supports pull through cache to automatically sync container images from upstream registries.
supports automatic repository creation on image push.
supports cross-repository layer sharing (blob mounting) to optimize storage and improve push performance.
ECR Components
Registry
ECR private registry hosts the container images in a highly available and scalable architecture.
A default ECR private registry is provided to each AWS account.
One or more repositories can be created in the registry and images stored in them.
Repositories can be configured for either cross-Region or cross-account replication.
Private Registry is enabled for basic scanning, by default.
Enhanced scanning can be enabled which provides an automated, continuous scanning mode that scans for both operating system and programming language package vulnerabilities.
Registry supports up to 100,000 repositories per Region per account (increased from 10,000 in Nov 2024).
Repository
An ECR repository contains Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.
Repositories can be controlled with both user access policies and individual repository policies.
Each repository supports up to 100,000 images (increased from 20,000 in Aug 2025).
Repositories can be automatically created on image push using repository creation templates.
Image
Images can be pushed and pulled to the repositories.
Images can be used locally on the development system, or in ECS task definitions and EKS pod specifications.
Images support two storage classes: standard and archive (for rarely accessed images).
Repository policy
Repository policies are resource-based policies that can help control access to the repositories and the images within them.
Repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual ECR repositories.
A user or role only needs to be allowed permission for an action through either a repository policy or an IAM policy but not both for the action to be allowed.
Resource-based policies also help grant the usage permission to other accounts on a per-resource basis.
Authorization token
A client must authenticate to the registries as an AWS user before they can push and pull images.
An authentication token is used to access any ECR registry that the IAM principal has access to and is valid for 12 hours.
Authorization token’s permission scope matches that of the IAM principal used to retrieve the authentication token.
ECR Image Scanning
ECR provides two scanning modes: Basic Scanning and Enhanced Scanning.
Basic Scanning
Uses AWS native scanning engine (Clair-based scanning was deprecated as of February 2, 2026).
Scans for operating system vulnerabilities.
Enabled by default for all private registries.
Supports scan on push or manual scanning.
Scanning configuration is managed at the registry level (repository-level PutImageScanningConfiguration API is deprecated).
Enhanced Scanning
Powered by Amazon Inspector integration.
Provides automated, continuous scanning for both OS and programming language package vulnerabilities.
Re-evaluates images whenever new vulnerabilities are published, not just at push time.
Maps ECR images to running containers in ECS tasks and EKS pods to help prioritize vulnerabilities.
Supports minimal and security-focused container base images.
Now surfaces image use status to identify which images are actively running.
ECR Managed Signing
ECR supports managed container image signing (launched Nov 2025) to verify that images are from trusted sources.
Managed signing automatically signs container images using AWS Signer when images are pushed to ECR.
Eliminates the need to install and configure client-side signing tools.
Allows centralized governance of signing as a registry configuration.
Signatures are stored as OCI referrers in the same repository as the image.
Manual signing using Notation CLI with AWS Signer is also supported for client-side workflows.
ECR Pull Through Cache
Pull through cache automatically syncs container images from supported upstream registries into ECR private registry.
Provides reduced latency of in-region image pulls with built-in ECR security features (lifecycle policies, enhanced scanning).
Supports multiple upstream registries including Docker Hub, GitHub Container Registry, Quay, ECR Public, Azure Container Registry, GitLab, Chainguard, and other ECR private registries.
ECR to ECR pull through cache (launched Mar 2025) allows syncing images between ECR registries cross-region and cross-account in a cost-effective way by caching only images that are pulled.
Automatically creates repositories in the downstream registry for cached images.
Supports frequent syncs with upstream to keep cached images up to date (at least once every 24 hours).
Now supports automatic discovery and sync of OCI referrers (signatures, SBOMs, attestations) from upstream registries (Apr 2026).
ECR Repository Creation on Push
ECR supports automatic repository creation on image push (launched Dec 2025).
Simplifies container workflows by automatically creating repositories if they don’t exist when an image is pushed.
Eliminates the need to pre-create repositories before pushing container images.
New repositories are created according to defined repository creation template settings.
Repository creation templates allow configuring encryption, lifecycle policies, access permissions, and tag immutability for automatically created repositories.
ECR supports cross-repository layer sharing through blob mounting (launched Jan 2026).
Allows sharing common image layers across repositories within a registry.
Especially valuable for managing multiple microservices or applications built from common base images.
Reduces storage costs by deduplicating common layers.
Improves push performance by avoiding re-uploading layers that already exist in the registry.
When enabled, ECR automatically checks for existing layers in the registry during push operations.
ECR Archive Storage Class
ECR supports an archive storage class for rarely accessed container images (launched Nov 2025).
Images can be archived based on criteria such as image age, count, or last pull time via lifecycle policies.
Images can also be archived individually using the ECR Console or API.
Archived images do not count against the image per repository limit.
An unlimited number of images can be archived.
Archived images are not accessible for pulls but can be restored via Console, CLI, or API within 20 minutes.
A 90-day minimum storage duration applies for archived images.
Lifecycle policies cannot delete images archived for less than 90 days.
ECR Lifecycle Policies
Lifecycle policies help manage the lifecycle of images in repositories.
Define rules to automatically expire or archive unused images based on criteria such as image age, image count, or last pull time.
Support tag pattern matching (e.g., prod*) to target specific images.
Affected images are expired or archived within 24 hours of policy creation.
Support referring artifacts – references are deleted when a subject image is deleted by a lifecycle policy rule.
Preview rules to see exactly which container images are affected before the rule runs.
ECR CloudWatch Metrics
ECR metric data is automatically sent to CloudWatch in one-minute periods.
Supports repository-level metrics including image pull counts.
New metrics (Feb 2026): RepositoryCount and ImagesPerRepositoryCount help identify growth trends and monitor usage patterns.
Can be used to set up alarms for anomalous behavior in image storage growth.
ECR with VPC Endpoints
ECR can be configured to use an Interface VPC endpoint, that enables you to privately access Amazon ECR APIs through private IP addresses.
AWS PrivateLink restricts all network traffic between the VPC and ECR to the Amazon network. You don’t need an internet gateway, a NAT device, or a virtual private gateway.
VPC endpoints currently don’t support cross-Region requests.
VPC endpoints currently don’t support ECR Public repositories.
VPC endpoints only support AWS provided DNS through Route 53.
ECR Security Best Practices
Use enhanced scanning with Amazon Inspector for continuous vulnerability monitoring.
Enable managed image signing to verify image provenance and integrity.
Use lifecycle policies to automatically clean up or archive unused images.
Configure VPC endpoints to keep ECR traffic on the AWS private network.
Use repository policies with least-privilege access.
Enable tag immutability to prevent image tags from being overwritten.
Use KMS encryption for sensitive container images.
Use pull through cache to avoid direct dependencies on external registries.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. Which solution will meet these requirements with the LEAST management overhead?
Pull images from the public container registry. Publish the images to Amazon ECR repositories with scan on push configured.
Pull images from the public container registry. Publish the images to a private container registry hosted on Amazon EC2 instances. Deploy host-based container scanning tools to EC2 instances that run ECS.
Pull images from the public container registry. Publish the images to Amazon ECR repositories with scan on push configured.
Pull images from the public container registry. Publish the images to AWS CodeArtifact repositories in a centralized AWS account.
A company wants to ensure that only signed and verified container images are deployed to their Amazon EKS clusters. They want minimal operational overhead for the signing process. Which approach should they use?
Use a third-party signing tool integrated with their CI/CD pipeline.
Enable ECR managed signing with AWS Signer on their ECR repositories.
Manually sign images using Notation CLI before pushing to ECR.
Use AWS Lambda to sign images after they are pushed to ECR.
A company manages hundreds of microservices using Amazon ECS and stores container images in Amazon ECR. They want to reduce storage costs for images that share common base layers across multiple repositories. Which ECR feature should they enable?
A development team wants to avoid pre-creating ECR repositories for every new microservice. They want repositories to be automatically created with consistent settings when images are pushed. What should they configure?
An AWS Lambda function triggered by CloudTrail events.
An AWS Config rule to auto-remediate missing repositories.
ECR repository creation templates with create-on-push enabled.
An AWS CloudFormation stack with dynamic resource creation.
A company has container images in ECR that are only needed for compliance audits and are rarely pulled. They want to reduce storage costs while keeping the images available if needed. Which ECR feature should they use?
ECR lifecycle policies to delete old images
Move images to S3 Glacier manually
ECR archive storage class
ECR cross-region replication to a cheaper region
A company uses multiple third-party container registries (Docker Hub, GitHub Container Registry) and wants to reduce latency and improve security when pulling images. Which ECR feature should they implement?
ECR cross-region replication
ECR pull through cache with upstream registry rules
ECR public repositories
ECR lifecycle policies
An organization wants continuous vulnerability scanning of their container images that also identifies which vulnerable images are actively running in their ECS and EKS environments. Which scanning configuration should they use?
ECR basic scanning with scan on push
Third-party vulnerability scanner integrated with CI/CD
Each resource identifier, such as an AMI ID, instance ID, EBS volume ID, or EBS snapshot ID, is tied to its region and can be used only in the region where you created the resource.
Instances – Availability Zone
An instance is tied to the Availability Zones in which you launched it. However, note that its instance ID is tied to the region.
EBS Volumes – Availability Zone
Amazon EBS volume is tied to its Availability Zone and can be attached only to instances in the same Availability Zone.
EBS Snapshot – Regional
An EBS snapshot is tied to its region and can only be used to create volumes in the same region and has to be copied from one region to another if needed.
AMIs – Regional
AMI provides templates to launch EC2 instances
AMI is tied to the Region where its files are located with Amazon S3. For using AMI in different regions, the AMI can be copied to other regions
Auto Scaling – Regional
Auto Scaling spans across multiple Availability Zones within the same region but cannot span across regions
is a new multi-master, cross-region replication capability of DynamoDB to support data access locality and regional fault tolerance for database workloads
WAF protects web applications from common web exploits.
For CloudFront distributions: WAF Web ACLs must be created in US East (N. Virginia) / us-east-1 region (also shown as “Global (CloudFront)” in console)
For regional resources (ALB, API Gateway, AppSync, etc.): WAF Web ACLs must be created in the same region as the protected resource
A Web ACL associated with CloudFront cannot be associated with other AWS resource types
CloudFormation stacks are created in a specific region
StackSets can deploy stacks across multiple regions
AWS Systems Manager – Regional
Systems Manager resources are regional
Can manage resources across multiple regions from a single console
AWS Application Integration Services
Amazon EventBridge – Regional (with Global Endpoints)
Event buses are regional resources
Global endpoints (announced April 2022) allow automatic failover to secondary region
Can route events cross-region
Amazon EventBridge Scheduler – Regional
Schedules are created in a specific AWS Region
Amazon EventBridge Pipes – Regional
Pipes are regional resources for point-to-point integrations
Amazon SQS – Regional
Queues are created in a specific AWS Region
Amazon SNS – Regional
Topics are created in a specific AWS Region
AWS Security & Authorization Services
Amazon Verified Permissions – Regional
Policy stores are created in a specific AWS Region
Provides fine-grained authorization for applications
AWS Secrets Manager – Regional
Secrets are stored in a specific AWS Region
Can replicate secrets to other regions
AWS Certificate Manager (ACM) – Regional (with Global for CloudFront)
Certificates for regional resources (ALB, API Gateway) must be in the same region
Certificates for CloudFront must be in us-east-1
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do not need to be recreated in the second region? (Choose 2 answers)
Route 53 Record Sets
IAM Roles
Elastic IP Addresses (EIP) (are specific to a region)
EC2 Key Pairs (are specific to a region)
Launch configurations
Security Groups (are specific to a region)
When using the following AWS services, which should be implemented in multiple Availability Zones for high availability solutions? Choose 2 answers
Amazon DynamoDB (already replicates across AZs)
Amazon Elastic Compute Cloud (EC2)
Amazon Elastic Load Balancing
Amazon Simple Notification Service (SNS) (Global Managed Service)
Amazon Simple Storage Service (S3) (Global Managed Service)
What is the scope of an EBS volume?
VPC
Region
Placement Group
Availability Zone
What is the scope of AWS IAM?
Global (IAM resources are all global; there is not regional constraint)
Availability Zone
Region
Placement Group
What is the scope of an EC2 EIP?
Placement Group
Availability Zone
Region (An Elastic IP address is tied to a region and can be associated only with an instance in the same region. Refer link)
VPC
What is the scope of an EC2 security group?
Availability Zone
Placement Group
Region (A security group is tied to a region and can be assigned only to instances in the same region)
VPC
A company needs to deploy AWS WAF to protect their Application Load Balancer in the eu-west-1 region. In which region should they create the WAF Web ACL?
us-east-1 (Global)
eu-west-1 (same region as ALB)
Any region
WAF is global and doesn’t require region selection
A company wants to use Interface VPC endpoints to access DynamoDB in a different AWS region privately. Is this possible? (Assume November 2025 or later)
No, VPC endpoints cannot span regions
Yes, Interface VPC endpoints now support cross-region connectivity within the same AWS partition
Yes, but only with Gateway VPC endpoints
Yes, but only within the same Availability Zone
Which of the following AWS services are truly global and do NOT require region selection? (Choose 3)
IAM
Route 53
Lambda
CloudFront
EC2
DynamoDB
A company is deploying AWS Step Functions workflows for their application. What is the scope of Step Functions?
Global
Regional
Availability Zone
Multi-Region by default
A company needs to deploy ACM certificates for both CloudFront and Application Load Balancer in eu-west-1. Where should they create the certificates?
Both in us-east-1
Both in eu-west-1
CloudFront certificate in us-east-1, ALB certificate in eu-west-1
Certificates are global and can be created in any region
Resource-based policies allow attaching a policy directly to the resource you want to share, instead of using a role as a proxy.
Resource-based policies allow granting usage permission to other AWS accounts or organizations on a per-resource basis.
Resource-based policy specifies the Principal, in the form of a list of AWS account ID numbers, can access that resource and what they can access.
Using cross-account access with a resource-based policy, the User still works in the trusted account and does not have to give up their permissions in place of the role permissions.
Users can work on the resources from both accounts at the same time and this can be useful for scenarios e.g. copying objects from one bucket to the other bucket in a different AWS account.
Resources that you want to share are limited to resources that support resource-based policies
S3 allows you to define Bucket policy to grant access to the bucket and the objects
Resource-based policies need the trusted account to create users with permissions to be able to access the resources from the trusted account.
Only permissions equivalent to, or less than, the permissions granted to the account by the resource owning account can be delegated.
S3 Bucket Policy
S3 Bucket policy can be used to grant cross-account access to other AWS accounts or IAM users in other accounts for the bucket and objects in it.
Bucket policies provide centralized, access control to buckets and objects based on a variety of conditions, including S3 operations, requesters, resources, and aspects of the request (e.g. IP address).
Permissions attached to a bucket apply to all of the objects in that bucket created and owned by the bucket owner
Policies can either add or deny permissions across all (or a subset) of objects within a bucket
Only the bucket owner is allowed to associate a policy with a bucket
Bucket policies can cater to multiple use cases
Granting permissions to multiple accounts with added conditions
Granting read-only permission to an anonymous user
Limiting access to specific IP addresses
Restricting access to a specific HTTP referer
Restricting access to a specific HTTP header for e.g. to enforce encryption
Granting permission to a CloudFront OAI
Adding a bucket policy to require MFA
Granting cross-account permissions to upload objects while ensuring the bucket owner has full control
Granting permissions for S3 inventory and Amazon S3 analytics
Granting permissions for S3 Storage Lens
Glacier Vault Policy
S3 Glacier vault access policy is a resource-based policy that can be used to manage permissions to the vault.
A Vault Lock policy is a Vault Access policy that can be locked. After you lock a Vault Lock policy, the policy can’t be changed. You can use a Vault Lock Policy to enforce compliance controls.
KMS Key Policy
KMS Key Policy helps determine who can use and manage those keys and is a primary mechanism for controlling access to a key.
KMS Key Policy can be used alone to control access to the keys.
A KMS key policy MUST be used, either alone or in combination with IAM policies or grants to allow access to a KMS CMK.
IAM policies by themselves are not sufficient to allow access to keys, though they can be used in combination with a key policy.
IAM user who creates a KMS key is not considered to be the key owner and they don’t automatically have permission to use or manage the KMS key that they created.
API Gateway Resource Policy
API Gateway resource policies are attached to an API to control whether a specified principal (typically an IAM role or group) can invoke the API.
API Gateway resource policies can be used to allow the API to be securely invoked by:
Users from a specified AWS account.
Specified source IP address ranges or CIDR blocks.
Specified virtual private clouds (VPCs) or VPC endpoints (in any account).
Resource policies can be used for all API endpoint types in API Gateway: private, edge-optimized, and Regional.
Lambda Function Policy
Lambda supports resource-based permissions policies for Lambda functions and layers.
Resource-based policy can be used to allow an AWS service to invoke the function on your behalf.
Resource-based policies apply to a single function, version, alias, or layer version.
EFS File System Policy
EFS supports IAM resource policy using file system policy.
EFS evaluates file system policy, along with any identity-based IAM policies to determine the appropriate file system access permissions to grant.
An “allow” permission on an action in either an IAM identity policy or a file system resource policy allows access for that action.
ECR Repository policy
Repository policies are resource-based policies that can help control access to the repositories and the images within them.
Repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual ECR repositories.
A user or role only needs to be allowed permission for an action through either a repository policy or an IAM policy but not both for the action to be allowed.
Resource-based policies also help grant the usage permission to other accounts on a per-resource basis.
SNS Policy
SNS policy can be used with a particular topic to restrict who can work with that topic e.g, who can publish messages to it, subscribe to it, etc.
SNS policies can grant access to other AWS accounts, or to users within your own AWS account.
SQS Policy
SQS policy system lets you grant permission to other AWS Accounts, whereas IAM doesn’t.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
