AWS Scenario-Based MCQs (201–250) with Answers & Explanations | Security, Compliance & Real Exam Cases

✅ AWS Scenario-Based MCQs (201–250)

Welcome to Batch 5 of AWS Scenario-Based MCQs (201–250). This section covers governance, risk, compliance, cost optimization, and advanced case studies that mirror real AWS exam questions. Designed for AWS Certified Solutions Architect, Security Specialty, and SysOps Administrators, these practice questions help you master exam-style scenarios.

Each MCQ comes with a detailed explanation, ensuring you don’t just memorize answers but actually understand AWS concepts like risk governance, audit reports, compliance checks, IAM federation, encryption, and cost optimization.

Whether you’re preparing for AWS Security, SysOps, or Cloud Practitioner exams, this practice set ensures you gain exam confidence and real-world problem-solving skills.


Q201. Disaster Recovery Strategy

A healthcare company must comply with HIPAA and needs a disaster recovery solution at minimal cost. It can tolerate an RTO of 12 hours and an RPO of 24 hours. Which AWS DR strategy is best?

A. Multi-site active/active
B. Warm standby
C. Pilot light
D. Backup & Restore

Correct Answer: D. Backup & Restore
Explanation: Backup & Restore is the most cost-effective and meets the 12–24 hr RTO/RPO requirements. Multi-site or warm standby would be too expensive for this use case.


Q202. Auto Scaling Policy

Your e-commerce app experiences sudden traffic spikes during flash sales. Which Auto Scaling policy ensures the fastest scaling reaction?

A. Step scaling
B. Target tracking
C. Predictive scaling
D. Scheduled scaling

Correct Answer: A. Step scaling
Explanation: Step scaling allows immediate scale-out actions based on CloudWatch alarm thresholds, making it best for unpredictable traffic spikes.


Q203. Multi-Account Governance

A large enterprise wants to manage multiple AWS accounts with centralized billing, security guardrails, and policy enforcement. Which AWS service should be used?

A. AWS Control Tower
B. AWS Organizations
C. AWS Config
D. AWS Service Catalog

Correct Answer: A. AWS Control Tower
Explanation: AWS Control Tower provides account factory, centralized governance, and guardrails on top of AWS Organizations.


Q204. Hybrid Connectivity

A financial company must connect its on-premises data center to an AWS VPC with low latency and high bandwidth. Which option is best?

A. Site-to-Site VPN
B. AWS Direct Connect
C. VPC Peering
D. Transit Gateway

Correct Answer: B. AWS Direct Connect
Explanation: Direct Connect provides a dedicated, private, and high-bandwidth connection between on-prem and AWS.


Q205. Serverless Security

A serverless API built with API Gateway + Lambda + DynamoDB must handle sensitive PII data. Which is the most secure design?

A. Encrypt data in S3 only
B. Enable DynamoDB Encryption + use KMS CMK + API Gateway WAF
C. Use IAM roles only
D. Enable CloudFront caching

Correct Answer: B. Enable DynamoDB Encryption + use KMS CMK + API Gateway WAF
Explanation: Encrypting DynamoDB with customer-managed KMS keys and protecting the API with WAF ensures HIPAA/GDPR compliance.


Q206. Cost Optimization

A startup runs dev/test workloads that are used 8 hrs/day on weekdays. What’s the most cost-effective compute option?

A. On-Demand Instances
B. Reserved Instances
C. Spot Instances with Auto Scaling
D. Savings Plans (1 year)

Correct Answer: C. Spot Instances with Auto Scaling
Explanation: Spot Instances are best for non-critical, flexible workloads like dev/test, giving up to 90% cost savings.


Q207. Container Orchestration

A company wants to run containers but avoid managing control planes and nodes. Which AWS service is best?

A. Amazon ECS on EC2
B. Amazon ECS on Fargate
C. Amazon EKS on EC2
D. AWS Lambda

Correct Answer: B. Amazon ECS on Fargate
Explanation: ECS on Fargate runs containers serverlessly, with no need to manage infrastructure.


Q208. Compliance & Data Residency

A European bank requires all customer data to remain in the EU region. Which AWS service ensures this?

A. AWS Macie
B. AWS CloudHSM
C. AWS Regional Data Residency controls
D. S3 Object Lock

Correct Answer: C. AWS Regional Data Residency controls
Explanation: AWS ensures data never leaves the selected AWS Region unless explicitly configured.


Q209. Performance Tuning

Your analytics app runs on Amazon RDS. Queries are slow during peak hours. What’s the best solution?

A. Increase RDS instance size
B. Enable RDS Read Replicas
C. Use RDS Multi-AZ
D. Enable RDS automated backups

Correct Answer: B. Enable RDS Read Replicas
Explanation: Read replicas offload read queries from the primary DB, improving performance during high traffic.


Q210. Security Incident Response

A security team needs to quickly detect and respond to suspicious API activity in AWS accounts. Which service should they use?

A. AWS CloudTrail
B. Amazon GuardDuty
C. AWS Inspector
D. AWS Detective

Correct Answer: B. Amazon GuardDuty
Explanation: GuardDuty provides real-time threat detection and integrates with Security Hub for incident response.


Q211. Identity Federation

An organization wants employees to log in to AWS using their corporate Active Directory credentials. Which solution enables this?

A. IAM Roles with STS + SAML Federation
B. Cognito User Pools
C. AWS Organizations
D. IAM Access Keys

Correct Answer: A. IAM Roles with STS + SAML Federation
Explanation: Federation allows AD users to assume IAM roles without needing AWS IAM users.


Q212. Data Lake Storage

A media company needs to store petabytes of video data and run analytics. Which AWS storage option is best?

A. Amazon S3 Standard
B. Amazon S3 Glacier Deep Archive
C. Amazon EBS
D. Amazon RDS

Correct Answer: A. Amazon S3 Standard
Explanation: S3 Standard is designed for large-scale, highly durable object storage and integrates with analytics services like Athena and Redshift Spectrum.


Q213. API Throttling

A mobile app backend runs on API Gateway + Lambda. How can you prevent abuse and DDoS?

A. Enable WAF + API Gateway throttling + Usage Plans
B. Use Cognito only
C. Enable DynamoDB Auto Scaling
D. Use Route 53 latency routing

Correct Answer: A. Enable WAF + API Gateway throttling + Usage Plans
Explanation: WAF blocks malicious traffic, throttling limits requests, and usage plans enforce quotas.


Q214. Logging & Monitoring

A security team requires centralized logging across all AWS accounts. Which solution is best?

A. CloudWatch Logs in each account
B. AWS CloudTrail Organization trail + S3 centralized logging bucket
C. AWS Inspector
D. VPC Flow Logs only

Correct Answer: B. AWS CloudTrail Organization trail + S3 centralized logging bucket
Explanation: Organization trails collect logs from multiple accounts into one S3 bucket.


Q215. Data Encryption at Rest

A customer wants full encryption at rest for all EBS volumes. What’s the most efficient approach?

A. Enable EBS encryption by default
B. Encrypt snapshots manually
C. Use KMS per volume
D. Write data in encrypted format only

Correct Answer: A. Enable EBS encryption by default
Explanation: Enabling EBS default encryption ensures all new volumes and snapshots are automatically encrypted.


Q216. High Availability Database

Which AWS architecture provides automatic failover with minimal downtime for a relational database?

A. RDS Multi-AZ deployment
B. RDS Read Replicas
C. DynamoDB Global Tables
D. Aurora Serverless

Correct Answer: A. RDS Multi-AZ deployment
Explanation: Multi-AZ automatically fails over to a standby replica in another AZ during outages.


Q217. Cloud Migration

A company wants to migrate hundreds of terabytes of data to AWS in the fastest way possible. Which service should they use?

A. AWS DataSync
B. AWS Snowball Edge
C. AWS Storage Gateway
D. Direct Connect

Correct Answer: B. AWS Snowball Edge
Explanation: Snowball Edge physically transfers large datasets faster than over-the-wire transfers.


Q218. Compliance Monitoring

Which AWS service helps continuously check resources for compliance violations?

A. AWS Config
B. AWS Trusted Advisor
C. CloudWatch
D. AWS CloudTrail

Correct Answer: A. AWS Config
Explanation: AWS Config continuously evaluates resource configurations against compliance rules.


Q219. DDoS Protection

An online banking app must protect against large-scale DDoS attacks. Which AWS service should be used?

A. AWS WAF
B. AWS Shield Advanced
C. API Gateway Throttling
D. CloudFront

Correct Answer: B. AWS Shield Advanced
Explanation: Shield Advanced provides enhanced DDoS protection for critical applications.


Q220. Multi-Region Resiliency

A global SaaS platform requires low latency and high availability across multiple continents. What’s the best solution?

A. RDS Multi-AZ
B. DynamoDB Global Tables + Route 53 Geolocation Routing
C. CloudFront only
D. S3 Cross-Region Replication

Correct Answer: B. DynamoDB Global Tables + Route 53 Geolocation Routing
Explanation: DynamoDB Global Tables replicate data across regions, while Route 53 ensures users connect to the nearest region.


Q221. Application Migration

A company is migrating a legacy monolithic application to AWS. They want to improve scalability and agility while minimizing re-architecture efforts. What’s the best first step?

A. Lift-and-shift to EC2 using AWS MGN
B. Rebuild with Lambda and API Gateway
C. Move directly into containers with EKS
D. Use Aurora Serverless

Correct Answer: A. Lift-and-shift to EC2 using AWS MGN
Explanation: AWS MGN (Application Migration Service) enables quick lift-and-shift migrations. Later, the app can be refactored into microservices.


Q222. Network Security

A bank requires all traffic between EC2 instances to be encrypted, even inside the VPC. Which solution is best?

A. Security Groups + NACLs
B. IPsec encryption using VPC Peering
C. TLS/SSL at the application layer
D. AWS PrivateLink

Correct Answer: C. TLS/SSL at the application layer
Explanation: For full encryption between instances, application-layer encryption (TLS) is required. Security Groups/NACLs only control access.


Q223. Monitoring Performance

An application hosted on EC2 is experiencing high CPU utilization. What’s the best first step?

A. Enable Auto Scaling Group
B. Migrate to Lambda
C. Use CloudWatch detailed monitoring and alarms
D. Switch to Spot Instances

Correct Answer: C. Use CloudWatch detailed monitoring and alarms
Explanation: Before scaling, first diagnose with CloudWatch metrics and alarms to understand load patterns.


Q224. Cross-Region Failover

A SaaS company wants to provide disaster recovery across regions. Which design is best?

A. Multi-AZ RDS + CloudFront
B. Global Aurora Database + Route 53 health checks
C. DynamoDB with on-demand backup
D. AWS Elastic Beanstalk

Correct Answer: B. Global Aurora Database + Route 53 health checks
Explanation: Aurora Global Database supports multi-region failover with low latency; Route 53 handles traffic routing.


Q225. Serverless ETL

A company needs to run nightly ETL jobs on large datasets stored in S3. Which AWS service should they use?

A. AWS Batch
B. AWS Glue
C. AWS Lambda
D. Amazon EMR

Correct Answer: B. AWS Glue
Explanation: Glue is a serverless ETL service built for data transformation and analytics workloads.


Q226. API Authentication

A mobile app backend on API Gateway requires per-user authentication and authorization. Which solution is best?

A. Lambda authorizers
B. IAM users with access keys
C. Cognito User Pools
D. API keys only

Correct Answer: C. Cognito User Pools
Explanation: Cognito provides managed authentication and JWT tokens for per-user access control.


Q227. Cost Reduction

A company uses EC2 for a batch workload that runs 2 hours daily. What’s the most cost-efficient solution?

A. On-Demand EC2
B. Reserved EC2 (1 year)
C. Spot Instances
D. Savings Plan (3 year)

Correct Answer: C. Spot Instances
Explanation: Spot is best for short, flexible workloads that can handle interruptions.


Q228. Compliance Audit

Which AWS service provides on-demand compliance reports such as SOC 2, ISO, and PCI?

A. AWS Artifact
B. AWS Config
C. AWS Audit Manager
D. AWS Trusted Advisor

Correct Answer: A. AWS Artifact
Explanation: Artifact provides downloadable compliance and audit reports for AWS services.


Q229. Threat Detection

A security team needs to detect unauthorized IAM activity such as suspicious API calls. Which service should they use?

A. CloudTrail
B. AWS GuardDuty
C. AWS Inspector
D. AWS Security Hub

Correct Answer: B. AWS GuardDuty
Explanation: GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS logs to detect threats like unusual API activity.


Q230. Auto Scaling Storage

A company needs a database that automatically scales up and down with demand and requires millisecond latency. Which service is best?

A. RDS Multi-AZ
B. DynamoDB On-Demand
C. Aurora Global Database
D. Redshift Spectrum

Correct Answer: B. DynamoDB On-Demand
Explanation: DynamoDB On-Demand automatically scales capacity and provides millisecond latency.


Q231. Data Archival

A hospital must retain medical records for 7 years but rarely access them. Which is the most cost-effective option?

A. S3 Standard
B. S3 Intelligent-Tiering
C. S3 Glacier Deep Archive
D. EBS Snapshots

Correct Answer: C. S3 Glacier Deep Archive
Explanation: Glacier Deep Archive is designed for long-term compliance storage at the lowest cost.


Q232. Container Migration

A company wants to migrate on-prem Docker workloads to AWS with minimal operational overhead. Which service is best?

A. ECS on Fargate
B. EKS on EC2
C. Lambda
D. EC2 Auto Scaling

Correct Answer: A. ECS on Fargate
Explanation: ECS Fargate allows running containers without managing infrastructure, making migration simple.


Q233. Resilient Messaging

An IoT application must ingest millions of device messages per second with durable storage. Which service should be used?

A. SQS Standard Queue
B. Kinesis Data Streams
C. SNS Topics
D. DynamoDB Streams

Correct Answer: B. Kinesis Data Streams
Explanation: Kinesis provides real-time ingestion and durable storage for streaming IoT messages.


Q234. Multi-Tier App

A 3-tier web app must be deployed in AWS with isolation between tiers. Which AWS service best enforces this?

A. Security Groups
B. NACLs
C. VPC Subnets + Security Groups
D. Transit Gateway

Correct Answer: C. VPC Subnets + Security Groups
Explanation: Subnets separate app layers, while Security Groups enforce access control between them.


Q235. Logging for Compliance

A company requires immutable log storage for financial records. Which service should be used?

A. CloudWatch Logs
B. CloudTrail
C. S3 Object Lock
D. DynamoDB TTL

Correct Answer: C. S3 Object Lock
Explanation: Object Lock provides WORM (Write Once Read Many) compliance storage.


Q236. Application Caching

An e-commerce site must reduce read load on its database during peak traffic. Which AWS service is best?

A. RDS Multi-AZ
B. DynamoDB Global Tables
C. ElastiCache (Redis/Memcached)
D. CloudFront

Correct Answer: C. ElastiCache (Redis/Memcached)
Explanation: ElastiCache offloads frequent reads from the DB, reducing latency and improving performance.


Q237. Data Processing Pipeline

Which AWS service is best for building a real-time analytics pipeline on streaming data?

A. Amazon SQS
B. Amazon SNS
C. Amazon Kinesis
D. AWS Glue

Correct Answer: C. Amazon Kinesis
Explanation: Kinesis provides real-time streaming and analytics capabilities.


Q238. Cloud Security

Which AWS feature allows you to centrally manage secrets, API keys, and DB passwords?

A. AWS KMS
B. AWS Secrets Manager
C. AWS Config
D. IAM Roles

Correct Answer: B. AWS Secrets Manager
Explanation: Secrets Manager securely stores and rotates secrets automatically.


Q239. Cost Visibility

Which AWS tool provides cost allocation by project, team, or workload?

A. AWS Trusted Advisor
B. AWS Cost Explorer
C. AWS Budgets
D. AWS TCO Calculator

Correct Answer: B. AWS Cost Explorer
Explanation: Cost Explorer allows filtering and allocation reporting for better cost visibility.


Q240. Global Content Delivery

A video streaming company wants low-latency content delivery worldwide. Which AWS service is best?

A. Route 53
B. CloudFront
C. API Gateway
D. AWS App Mesh

Correct Answer: B. CloudFront
Explanation: CloudFront CDN caches content globally at edge locations for minimal latency.


Q241. Secure Access

A developer requires temporary access to an S3 bucket. What’s the best solution?

A. Create IAM user with access keys
B. Use STS AssumeRole and temporary credentials
C. Use bucket ACLs
D. Share root credentials

Correct Answer: B. Use STS AssumeRole and temporary credentials
Explanation: STS provides secure, short-term credentials for controlled access.


Q242. Multi-Region Storage

Which service provides global, strongly consistent storage replication?

A. DynamoDB Global Tables
B. RDS Multi-AZ
C. S3 Cross-Region Replication
D. EBS Snapshots

Correct Answer: A. DynamoDB Global Tables
Explanation: DynamoDB Global Tables replicate data in multiple regions with strong consistency.


Q243. IAM Best Practices

Which IAM security practice is recommended?

A. Use long-term access keys
B. Apply least privilege access
C. Share IAM roles across accounts
D. Use root credentials

Correct Answer: B. Apply least privilege access
Explanation: Always give users/roles only the minimum required permissions.


Q244. Hybrid Backup

A company needs to back up on-premises data to AWS. Which service is best?

A. AWS Snowmobile
B. AWS Storage Gateway (Tape Gateway)
C. AWS Glue
D. CloudEndure

Correct Answer: B. AWS Storage Gateway (Tape Gateway)
Explanation: Tape Gateway integrates on-prem backup solutions with cloud storage.


Q245. IAM Federation

Which service allows SSO access to multiple AWS accounts with corporate credentials?

A. AWS Cognito
B. IAM Access Keys
C. AWS SSO (IAM Identity Center)
D. AWS Directory Service

Correct Answer: C. AWS SSO (IAM Identity Center)
Explanation: IAM Identity Center (formerly AWS SSO) enables seamless federated access.


Q246. Event-Driven Architecture

Which AWS service allows triggering workflows based on state transitions?

A. CloudTrail
B. AWS Step Functions
C. Amazon Inspector
D. EventBridge

Correct Answer: B. AWS Step Functions
Explanation: Step Functions provide orchestration for serverless workflows with state management.


Q247. Security Compliance

Which service provides automated security findings and compliance dashboards?

A. AWS GuardDuty
B. AWS Security Hub
C. AWS Config
D. AWS Trusted Advisor

Correct Answer: B. AWS Security Hub
Explanation: Security Hub aggregates and centralizes compliance/security findings.


Q248. Zero Downtime Deployments

A company wants to deploy application updates without downtime. Which deployment strategy is best?

A. Rolling updates
B. Blue/Green deployment
C. Canary deployment
D. Immutable infrastructure

Correct Answer: B. Blue/Green deployment
Explanation: Blue/Green keeps two environments and switches traffic between them seamlessly, with zero downtime.


Q249. Big Data Analytics

Which AWS service provides a petabyte-scale data warehouse?

A. Amazon Athena
B. Amazon Redshift
C. Amazon QuickSight
D. Amazon EMR

Correct Answer: B. Amazon Redshift
Explanation: Redshift is a managed data warehouse service optimized for large-scale analytics.


Q250. Cloud Cost Optimization

Which AWS feature automatically recommends unused or underutilized resources?

A. AWS Trusted Advisor
B. AWS Budgets
C. AWS Compute Optimizer
D. AWS Cost Explorer

Correct Answer: A. AWS Trusted Advisor
Explanation: Trusted Advisor scans AWS environments and suggests optimizations, including cost savings.

You’ve completed AWS Scenario-Based Case Studies Batch 5 (201–250) 🎉.

💡 Pro Tip: Bookmark this page and practice daily to maximize your chances of clearing AWS exams on the first attempt.
