A company hosts its application in us-east-1 and wants an automatic DNS failover to a backup site in eu-west-1 if the primary becomes unhealthy. Which Route 53 routing policy enables active-passive failover?
- A. Weighted Routing — distributes traffic by percentage weights between records; all weighted records serve traffic at once.
- B. Latency-Based Routing — routes each user to the region with the lowest measured latency; an active-active choice, not a designated primary and standby.
- C. Failover Routing — the primary record serves traffic; Route 53 automatically answers with the secondary record once the primary's health check fails. ✓ Correct
- D. Geolocation Routing — routes users based on their geographic location.
Failover routing is the only policy that designates one record as PRIMARY and another as SECONDARY for the same name and type. Route 53 answers with the primary while its health check passes and switches answers to the secondary when it fails; that is the active-passive pattern. Two practical requirements: the primary record must have a health check attached (or be an alias record with Evaluate Target Health enabled), otherwise nothing ever triggers the switch, and the TTL should be short (about 60 seconds), because resolvers keep returning the old answer until their cached copy expires. Weighted and latency-based records can also carry health checks, which makes Route 53 stop returning an unhealthy endpoint, but they spread live traffic across all healthy endpoints (active-active) rather than holding one site in reserve for a failure.
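The record pair described above, as an added example that is not part of the original quiz: a Node.js snippet that builds the `ChangeBatch` JSON Route 53 expects for an active-passive pair and lints it for the two mistakes that silently leave failover switched off (no health signal on the primary, and a long TTL). The hostnames, IP address, ELB name, hosted zone ID and health-check ID are constructed placeholders.

```javascript
// Added example, not from the original page: build the Route 53 ChangeBatch for an
// active-passive pair and lint it for the mistakes that silently disable failover.
// The IPs, ELB names, zone IDs and health-check ID below are constructed placeholders.

function failoverChangeBatch({ name, primary, secondary }) {
  // Both records share Name and Type; SetIdentifier and Failover tell them apart.
  const primaryRecord = {
    Name: name,
    Type: 'A',
    SetIdentifier: 'primary-us-east-1',
    Failover: 'PRIMARY',
    TTL: 60, // short, so resolvers re-ask soon after a flip
    ResourceRecords: [{ Value: primary.ip }],
    HealthCheckId: primary.healthCheckId, // required on the primary, or nothing ever triggers failover
  };
  const secondaryRecord = {
    Name: name,
    Type: 'A',
    SetIdentifier: 'secondary-eu-west-1',
    Failover: 'SECONDARY',
    AliasTarget: { // alias to a load balancer: no TTL field, health is read from the target
      HostedZoneId: secondary.elbHostedZoneId,
      DNSName: secondary.elbDnsName,
      EvaluateTargetHealth: true,
    },
  };
  return {
    Comment: `active-passive failover for ${name}`,
    Changes: [primaryRecord, secondaryRecord].map((r) => ({ Action: 'UPSERT', ResourceRecordSet: r })),
  };
}

// A record can signal health either via its own health check or via its alias target.
function hasHealthSignal(r) {
  return Boolean(r.HealthCheckId) || Boolean(r.AliasTarget && r.AliasTarget.EvaluateTargetHealth);
}

// Returns a list of problems; an empty list means the pair will actually fail over.
function lintFailoverPair(changeBatch) {
  const sets = changeBatch.Changes.map((c) => c.ResourceRecordSet);
  const problems = [];
  const primaries = sets.filter((r) => r.Failover === 'PRIMARY');
  const secondaries = sets.filter((r) => r.Failover === 'SECONDARY');
  if (primaries.length !== 1) problems.push('exactly one PRIMARY record is required');
  if (secondaries.length !== 1) problems.push('exactly one SECONDARY record is required');
  if (new Set(sets.map((r) => `${r.Name.toLowerCase()}/${r.Type}`)).size !== 1) {
    problems.push('PRIMARY and SECONDARY must share Name and Type');
  }
  if (new Set(sets.map((r) => r.SetIdentifier)).size !== sets.length) {
    problems.push('SetIdentifier values must be distinct');
  }
  for (const p of primaries) {
    if (!hasHealthSignal(p)) problems.push('PRIMARY has no HealthCheckId and no EvaluateTargetHealth: Route 53 will never fail over');
    if (p.TTL !== undefined && p.TTL > 60) problems.push(`PRIMARY TTL is ${p.TTL}s: resolvers may serve the dead address that long`);
  }
  return problems;
}

// Constructed input. In practice the resulting JSON is what you hand to
//   aws route53 change-resource-record-sets --hosted-zone-id <zone> --change-batch file://batch.json
const batch = failoverChangeBatch({
  name: 'app.example.com.',
  primary: { ip: '203.0.113.10', healthCheckId: '11111111-2222-3333-4444-555555555555' },
  secondary: { elbHostedZoneId: 'ZEXAMPLE12345', elbDnsName: 'backup-123456789.eu-west-1.elb.amazonaws.com.' },
});
```

The linter is deliberately stricter than the Route 53 API, which will happily accept a PRIMARY record with no health check; it just never fails over.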
A global company serves static assets (images, CSS, JavaScript) from an S3 bucket in us-east-1. Users in Asia and Europe experience high latency. What is the MOST cost-effective solution to reduce latency worldwide?
- A. Deploy EC2 instances with the static files in every region.
- B. Enable S3 Transfer Acceleration — speeds up long-distance transfers to and from a single bucket over the edge network, but caches nothing.
- C. Create a CloudFront distribution with the S3 bucket as the origin — CloudFront caches content at 450+ edge locations globally. ✓ Correct
- D. Use Route 53 Geolocation Routing to point users to the nearest S3 bucket copy.
CloudFront is AWS's global CDN with 450+ points of presence. The bucket stays in us-east-1 as the origin; an edge location fetches an object on the first request and serves later requests for it from cache, so viewers in Asia and Europe get a nearby hit instead of a transatlantic round trip, and origin traffic drops as the hit ratio rises. S3 as origin behind CloudFront is the standard pattern for static content; pair it with Origin Access Control so the bucket itself stays private and is reachable only through the distribution. S3 Transfer Acceleration routes long-distance transfers to and from one bucket through the same edge network, but it does not cache: every request still goes back to us-east-1 and is billed per GB accelerated. Replicating the bucket into every region (option D) and running EC2 fleets everywhere (option A) both work, but they multiply storage or compute cost for a problem a cache solves.
A developer deployed new versions of JavaScript files to S3 but users are still seeing the old cached versions from CloudFront. What is the quickest way to force CloudFront to serve the updated files?
- A. Wait for the TTL to expire naturally — users will see updates after the cache expiry time.
- B. Update the CloudFront distribution settings to trigger a re-deployment.
- C. Create a CloudFront Invalidation for the affected paths — this purges the cached objects from all edge locations ahead of their TTL. ✓ Correct
- D. Delete and recreate the CloudFront distribution.
CloudFront Invalidations remove the listed objects from every edge cache before their TTL expires. Two caveats: the purge takes a short while to propagate (it is not literally instantaneous), and it clears only CloudFront, so a browser that already holds a copy keeps it until its own Cache-Control max-age runs out. Paths can be exact (e.g., /js/app.js) or wildcards (e.g., /js/*); the first 1,000 invalidation paths per month are free and each additional path is charged, but a wildcard counts as a single path however many objects it matches. The better long-term strategy is versioned file names (app.v2.js, or a content hash in the name) with a long TTL: a new deploy is then a cache miss by construction, and only the HTML that references the files ever needs invalidating.
A company runs a paid video streaming service behind CloudFront. They need to ensure only authenticated, paying subscribers can access video files, with time-limited access tokens. Which CloudFront feature provides this?
- A. CloudFront Geo Restriction — restricts access by country, not by user authentication.
- B. CloudFront Signed URLs or Signed Cookies — provide time-limited, authenticated access tokens for private content. ✓ Correct
- C. Origin Access Control (OAC) — restricts S3 bucket access to CloudFront only, not user-level authentication.
- D. CloudFront Response Headers Policy — adds security headers, not access control.
Signed URLs suit single files (an individual download link) and clients that cannot hold cookies. Signed cookies suit a whole catalogue, such as every video in a premium tier, because one cookie set grants access to all objects the policy covers without rewriting each URL. Both carry an expiry timestamp (a custom policy can add a start time and a source IP range) and an RSA-SHA1 signature over that policy, made with the private key of a key pair whose public key is registered in a CloudFront key group; the edge verifies the signature with the public key and rejects expired or altered requests. Two things the feature does not do on its own: it does not authenticate the subscriber, so your application must check the login and then mint the URL or cookie, and it does not lock down the origin, so the S3 bucket must be private behind OAC or viewers can skip CloudFront and fetch from S3 directly.
What is the key advantage of a Route 53 Alias record over a standard CNAME record?
- A. Alias records support IPv6 addresses while CNAMEs do not.
- B. Alias records have a faster DNS TTL than CNAME records.
- C. Alias records can point to AWS resources (ELB, CloudFront, S3 website) at the zone apex (the naked domain, e.g. example.com) — CNAME records cannot be used at the zone apex. ✓ Correct
- D. Alias records support health checks while CNAME records do not.
A DNS CNAME cannot coexist with any other record at the same name, and the zone apex (the root domain, e.g. example.com) always carries SOA and NS records, so a CNAME at the apex is invalid; CNAMEs are only possible at subdomains such as www.example.com. Route 53 Alias records work around this at resolution time: the alias is stored as a normal record type (typically A or AAAA) that Route 53 itself resolves to the current addresses of the target, so the apex can point at ELBs, CloudFront distributions, S3 website endpoints and other Route 53 records whose IP addresses change. Queries for alias records that target AWS resources are not charged, and an alias can enable Evaluate Target Health to follow the target's health, whereas a CNAME is billed per query and simply hands the resolver another name to chase. Option D is not the distinguishing feature: a CNAME record can also have a Route 53 health check attached.
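The rule behind the apex restriction, as an added example that is not part of the original quiz: a Node.js lint pass over a hosted zone's record sets that rejects a CNAME at the apex and, more generally, a CNAME sharing a name with any other record (the RFC 1034 rule of which the apex case is one instance), while accepting an alias A record at the apex. The zone name, CloudFront domain and record values are constructed.

```javascript
// Added example, not from the original page: lint a hosted zone's record sets for the
// CNAME rules. Hostnames, the CloudFront domain and record values are constructed.
// Alias records are modelled the way the Route 53 API returns them: Type A/AAAA plus AliasTarget.

function normalize(name) {
  return name.toLowerCase().replace(/\.$/, '');
}

// Returns a list of error strings; an empty list means no CNAME rule is violated.
function lintZone(zoneName, records) {
  const apex = normalize(zoneName);
  const byName = new Map();
  for (const r of records) {
    const key = normalize(r.Name);
    if (!byName.has(key)) byName.set(key, []);
    byName.get(key).push(r);
  }
  const errors = [];
  for (const [name, rs] of byName) {
    const cnames = rs.filter((r) => r.Type === 'CNAME');
    if (cnames.length === 0) continue;
    if (name === apex) {
      // The apex always has SOA and NS, so a CNAME there can never be alone at its name.
      errors.push(`${name}: CNAME at the zone apex is not allowed; use an alias A/AAAA record instead`);
    } else if (rs.length > cnames.length) {
      errors.push(`${name}: CNAME cannot coexist with other record types at the same name`);
    } else if (cnames.length > 1) {
      errors.push(`${name}: only one CNAME is allowed at a name`);
    }
  }
  return errors;
}

// Constructed zone in the accepted shape: SOA and NS at the apex, an alias A record at the
// apex pointing at a CloudFront distribution, and an ordinary CNAME on www.
const CLOUDFRONT_HOSTED_ZONE_ID = 'Z2FDTNDATAQYW2'; // fixed value used for every CloudFront alias
const goodZone = [
  { Name: 'example.com.', Type: 'SOA', ResourceRecords: [{ Value: 'ns-1.awsdns-00.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400' }] },
  { Name: 'example.com.', Type: 'NS', ResourceRecords: [{ Value: 'ns-1.awsdns-00.com.' }] },
  {
    Name: 'example.com.',
    Type: 'A',
    AliasTarget: { HostedZoneId: CLOUDFRONT_HOSTED_ZONE_ID, DNSName: 'd111111abcdef8.cloudfront.net.', EvaluateTargetHealth: false },
  },
  { Name: 'www.example.com.', Type: 'CNAME', TTL: 300, ResourceRecords: [{ Value: 'd111111abcdef8.cloudfront.net.' }] },
];

// The same zone with the apex alias swapped for a CNAME: this is what Route 53 refuses to create.
const apexCnameZone = goodZone.map((r) =>
  r.AliasTarget ? { Name: r.Name, Type: 'CNAME', TTL: 300, ResourceRecords: [{ Value: 'd111111abcdef8.cloudfront.net.' }] } : r,
);
```

Route 53 enforces both rules server-side and returns `InvalidChangeBatch`; a pre-flight lint like this simply fails the pipeline earlier and with a message that names the fix.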