WGU 319 AWS Cloud Architecture Test Exam Review
Questions with all Answers verified for accuracy Updated
2025/2026
An organization has decided to consolidate storage and move all of its backups and
archives to Amazon S3. With all of the data gathered into a hierarchy under a single
directory, the organization determines there is 70 TB data that needs to be uploaded.
The organization currently has a 150-Mbps connection with 10 people working at the
location. Which service would be the MOST efficient way to transfer this data to Amazon
S3? - correct answer A. AWS Snowball
A SysOps Administrator is deploying a legacy web application on AWS. The application
has four Amazon EC2 instances behind Classic Load Balancer and stores data in an
Amazon RDS instance. The legacy application has known vulnerabilities to SQL
injection attacks, but the application code is no longer available to update.What cost-
effective configuration change should the Administrator make to migrate the risk of SQL
injection attacks? - correct answer C. Replace the Classic Load Balancer with an
Application Load Balancer and configure AWS WAF on the Application Load Balancer.
A fleet of servers must send local logs to Amazon CloudWatch. How should the servers
be configured to meet this requirement? - correct answer C. Install and configure the
unified CloudWatch agent.
According to the shared responsibility model, for which of the following Amazon EC2
activities is AWS responsible? (Choose two.) - correct answer D. Patching the
hypervisor
E. Maintaining network infrastructure
A company monitors its account activity using AWS CloudTrail, and is concerned that
some log files are being tampered with after the logs have been delivered to the
account's Amazon S3 bucket. Moving forward, how can the SysOps Administrator
confirm that the log files have not been modified after being delivered to the S3 bucket. -
correct answer B. Enable log file integrity validation and use digest files to verify the
hash value of the log file.
, After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon
Machine Image (AMI), the SysOps Administrator is unable to connect to the instance
using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of
troubleshooting, the Administrator deploys a second instance from a different AMI using
the same configuration and is able to connect to the instance. What should be the next
logical step in troubleshooting the first instance? - correct answer C. Use EC2Rescue
to gather operating system log files for analysis.
The Database Administration team is interested in performing manual backups of an
Amazon RDS Oracle DB instance.What steps should be taken to perform the backups?
- correct answer D. Take a snapshot of the DB instance.
An Auto Scaling group scales up and down based on Average CPU Utilization. The
alarm is set to trigger a scaling event when the Average CPU Utilization exceeds 80%
for 5 minutes. Currently, the Average CPU has been 95% for over two hours and new
instances are not being added.What could be the issue? - correct answer C. The
maximum size of the Auto Scaling group is below or at the current group size.
An application running on Amazon EC2 instances needs to write files to an Amazon S3
bucket.What is the MOST secure way to grant the application access to the S3 bucket?
- correct answer C. Create an IAM role with the necessary privileges. Associate the
role with the EC2 instances at launch.
In configuring an Amazon Route 53 health check, a SysOps Administrator selects "˜Yes'
to the String Matching option in the Advanced Configuration section. In theSearch String
box, the Administrator types the following text: /html.This is to ensure that the entire
page is loading during the health check. Within 5 minutes of enabling the health check,
the Administrator receives an alert stating that the check failed. However, when the
Administrator navigates to the page, it loads successfully.What is the MOST likely cause
of this false alarm? - correct answer D. The search string is not in the first 5120 bytes
of the tested page.
A company has created a separate AWS account for all development work to protect the
production environment. In this development account, developers have permission to
manipulate IAM policies and roles. Corporate policies require that developers are
blocked from accessing some services.What is the BEST way to grant the developers
privileges in the development account while still complying with corporate policies? -
Questions with all Answers verified for accuracy Updated
2025/2026
An organization has decided to consolidate storage and move all of its backups and
archives to Amazon S3. With all of the data gathered into a hierarchy under a single
directory, the organization determines there is 70 TB data that needs to be uploaded.
The organization currently has a 150-Mbps connection with 10 people working at the
location. Which service would be the MOST efficient way to transfer this data to Amazon
S3? - correct answer A. AWS Snowball
A SysOps Administrator is deploying a legacy web application on AWS. The application
has four Amazon EC2 instances behind Classic Load Balancer and stores data in an
Amazon RDS instance. The legacy application has known vulnerabilities to SQL
injection attacks, but the application code is no longer available to update.What cost-
effective configuration change should the Administrator make to migrate the risk of SQL
injection attacks? - correct answer C. Replace the Classic Load Balancer with an
Application Load Balancer and configure AWS WAF on the Application Load Balancer.
A fleet of servers must send local logs to Amazon CloudWatch. How should the servers
be configured to meet this requirement? - correct answer C. Install and configure the
unified CloudWatch agent.
According to the shared responsibility model, for which of the following Amazon EC2
activities is AWS responsible? (Choose two.) - correct answer D. Patching the
hypervisor
E. Maintaining network infrastructure
A company monitors its account activity using AWS CloudTrail, and is concerned that
some log files are being tampered with after the logs have been delivered to the
account's Amazon S3 bucket. Moving forward, how can the SysOps Administrator
confirm that the log files have not been modified after being delivered to the S3 bucket. -
correct answer B. Enable log file integrity validation and use digest files to verify the
hash value of the log file.
, After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon
Machine Image (AMI), the SysOps Administrator is unable to connect to the instance
using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of
troubleshooting, the Administrator deploys a second instance from a different AMI using
the same configuration and is able to connect to the instance. What should be the next
logical step in troubleshooting the first instance? - correct answer C. Use EC2Rescue
to gather operating system log files for analysis.
The Database Administration team is interested in performing manual backups of an
Amazon RDS Oracle DB instance.What steps should be taken to perform the backups?
- correct answer D. Take a snapshot of the DB instance.
An Auto Scaling group scales up and down based on Average CPU Utilization. The
alarm is set to trigger a scaling event when the Average CPU Utilization exceeds 80%
for 5 minutes. Currently, the Average CPU has been 95% for over two hours and new
instances are not being added.What could be the issue? - correct answer C. The
maximum size of the Auto Scaling group is below or at the current group size.
An application running on Amazon EC2 instances needs to write files to an Amazon S3
bucket.What is the MOST secure way to grant the application access to the S3 bucket?
- correct answer C. Create an IAM role with the necessary privileges. Associate the
role with the EC2 instances at launch.
In configuring an Amazon Route 53 health check, a SysOps Administrator selects "˜Yes'
to the String Matching option in the Advanced Configuration section. In theSearch String
box, the Administrator types the following text: /html.This is to ensure that the entire
page is loading during the health check. Within 5 minutes of enabling the health check,
the Administrator receives an alert stating that the check failed. However, when the
Administrator navigates to the page, it loads successfully.What is the MOST likely cause
of this false alarm? - correct answer D. The search string is not in the first 5120 bytes
of the tested page.
A company has created a separate AWS account for all development work to protect the
production environment. In this development account, developers have permission to
manipulate IAM policies and roles. Corporate policies require that developers are
blocked from accessing some services.What is the BEST way to grant the developers
privileges in the development account while still complying with corporate policies? -
