
Sad to say I didn’t pass it, but the topics were all over the board. I got 2 policy questions total (which were both really easy). I got about 15 questions on KMS though. How to implement cross-region, cross-account, different deletion requirements, implementing it on about 5 services, automated key rotations, etc. That’s the reason I didn’t pass… Didn’t focus enough on that area and I almost never use KMS as the only thing we use encryption on is S3 (where we use SSE). About 10 questions on CloudWatch as well (though I got those). I did get one question on AWS Organizations where it asks how to restrict services (with, of course, 2 right answers but one best answer). I did have experience with that though, so no issues.
No questions on dedicated anything. No questions on compliance. A few on Config (which I use, so no issues). 1 question on endpoints, 1 question on SES (which was technically also an endpoint question), 1 question on DynamoDB encryption, 2 questions on WAF, 3 questions on SSM, 1 question on Inspector, 2 questions on Active Directory integration, and 2 questions on CloudTrail. The rest were a mix of bastion hosts, VPC setup, Application Load Balancers, NAT Gateways and troubleshooting all of those. About 50 questions total were "Pick 2" or "Pick 3" and as we all remember, there is no partial credit…
I’m going to redo the lessons and play around with KMS until I learn it backwards and forwards, since that’s where the hardest questions were for me, play around with some logging, and then retake it in a month.
Same experiences here. You need to know KMS together with different services. Also CloudWatch together with CloudTrail. There were quite a few multi-account questions overall.